Exam Dumps
Every month, we help more than 1,000 people prepare well for their exams and pass them.

Ping Identity PT-AM-CPE Exam

Certified Professional - PingAM Exam Online Practice

Last updated: February 14, 2026

These online practice questions let you gauge how well you know the Ping Identity PT-AM-CPE exam material before deciding whether to register for the exam.

To pass the exam with a 100% success rate and cut your preparation time by 35%, choose the PT-AM-CPE dumps (latest real exam questions), which include the current 100 latest exam questions and answers.


Question No : 1


Which statements are correct about push notification authentication implemented with PingAM?
A) The user must have a device with a camera and install the Authenticator app.
B) The registration and authentication steps must be part of the same authentication tree.
C) To register a device the user scans a barcode with the Authenticator installed on their device.
D) During subsequent authentication processes, PingAM instructs the push server to send a notification to the registered device, and waits for the user to use the Authenticator app to approve the request.

Answer:
Explanation:
Push authentication in PingAM 8.0.2 utilizes the ForgeRock/Ping Authenticator app to provide a seamless, out-of-band multi-factor authentication (MFA) experience. To understand the correct statements, we must look at the technical requirements and the authentication lifecycle defined in the "MFA: Push Authentication" documentation.
Statement A is correct: For the initial setup, a device with a camera is required because the registration process involves scanning a QR code generated by PingAM. Additionally, the user must install the specific Authenticator app (available for iOS and Android) to handle the cryptographic exchange and receive push notifications.
Statement D is correct: This accurately describes the runtime flow of a push journey. When a user reaches a Push Sender node, PingAM communicates with the Push Notification Service (Apple APNs or Google FCM). The user's device receives the notification, and PingAM enters a "waiting" state (via the Push Result Verifier node) until the user either approves or denies the request within the app.
Why other statements are incorrect:
Statement B is incorrect because registration and authentication are typically handled by separate trees. Best practice dictates a "Device Registration" tree for the initial onboarding and a "Login/MFA" tree for day-to-day access. Forcing them into the same tree would be inefficient and create a poor user experience.
Statement C is a common point of confusion; while the user scans a code, the documentation refers to it as a QR code, not a standard barcode. In technical certification contexts, this distinction is often strictly enforced.
Therefore, only statements A and D represent the verified facts of the Push implementation in version 8.0.2, making Option C the correct answer.

Question No : 2


In order to secure a PingAM deployment with an external configuration data store and user data store using server-side sessions, which of the following should be considered?

Answer:
Explanation:
Securing a PingAM 8.0.2 environment involves hardening multiple layers of the architecture, particularly when using external data stores and stateful sessions. According to the "General Security Considerations" and "Hardening PingAM" documentation, several key "Best Practices" must be applied.
Changing the SSO Cookie Name: By default, AM uses iPlanetDirectoryPro. Attackers often scan for this specific cookie name to identify ForgeRock/PingAM installations. Changing it provides "security through obscurity" and prevents some automated attacks.
Using Your Own Keys: PingAM ships with default test keys in the keystore. For production, you must generate your own cryptographic keys for signing and encrypting tokens (SSO, OIDC, SAML) to ensure the integrity of the environment.
Specific Bind Accounts: When connecting to an external PingDS or Active Directory, PingAM should never use a highly privileged account (like cn=Directory Manager). Instead, a dedicated account with limited, specific permissions (ACLs) should be created for AM's use.
Top-Level Administrator Management: The amAdmin account is the "root" of the AM system. In a production environment, it is considered a significant security risk to use this account for daily operations.
Why Option C is the correct answer: The documentation specifically recommends creating a new top-level administrator and then securing or disabling the default amAdmin. This is more effective than simply "renaming" it (Option A) or "reducing privileges" (Options B and D). In PingAM, amAdmin has hardcoded superuser capabilities in many areas; therefore, the best practice is to create a new administrative user with the necessary roles and then protect the amAdmin credentials in a vault.
Option B is also incorrect because server-side sessions already store data on the server; the cookie only contains the session ID (the reference), so "encrypting the cookie contents" is redundant for server-side sessions compared to client-side sessions where the entire state is in the cookie.

Question No : 3


What is the purpose of the extended metadata in PingAM?

Answer:
Explanation:
In SAML 2.0 Federation, there is a standard XML schema (defined by OASIS) that all vendors use to describe an Identity Provider (IdP) or Service Provider (SP). This is known as "Standard Metadata." However, standard metadata does not include every configuration option required to run a sophisticated Access Management server.
PingAM 8.0.2 uses Extended Metadata to store implementation-specific settings that fall outside the OASIS SAML 2.0 specification. According to the "SAML 2.0 Guide," extended metadata is stored as a separate configuration file (or JSON entry in newer versions) and includes parameters such as:
Identity Store Mapping: Which attribute in the local datastore matches the SAML NameID.
Session Information: How AM should handle the session lifecycle after a successful SAML assertion.
Attribute Mapping: Detailed instructions on how to transform local LDAP attributes into SAML attributes (and vice versa).
Authentication Trees: Which specific tree should be triggered when a request arrives at the IdP.
Option D is the correct description.
Option C is incorrect because extended metadata is not a standard way to communicate features; in fact, other SAML products (like ADFS or Okta) cannot read or process PingAM's extended metadata.
Option A is incorrect because basic certificates/keys are usually part of the standard metadata (KeyDescriptor), and Option B is incorrect because SAML federation usually triggers authentication journeys or attribute mapping rather than a standard authorization "policy."

Question No : 4


To ensure the user's full name is displayed on the consent screen for an OpenID Connect application, which string should be added into the Support Claims property on the OpenID Connect tab page of the OAuth2 Provider service in PingAM?

Answer:
Explanation:
When a client requests an OpenID Connect (OIDC) scope (like profile), PingAM 8.0.2 may present a Consent Screen to the user, asking permission to share specific claims. To make this screen user-friendly, PingAM allows administrators to map technical claim names to human-readable labels and specify localizations.
According to the PingAM documentation on "Supported Claims" in the OAuth2/OIDC Provider settings:
The format for the Supported Claims property entry is:
ClaimName|Locale|DisplayName
In this syntax:
ClaimName: The technical OIDC claim (e.g., name, email, given_name).
Locale: The ISO language code (e.g., en, fr).
DisplayName: The text that will actually appear on the UI (the "Full name" label).
Therefore, the string name|en|Full name (Option A) is the correct configuration.
Option B is incorrect because it reverses the technical name and the display name.
Option C is incorrect as it lacks the required locale component and uses full_name (which is not the standard OIDC claim name; the standard is name).
Option D attempts to perform a logic operation (+) within a configuration field where only static mapping strings are allowed. Claim composition (concatenating first and last names) is handled by the OIDC Claims Script, not by the Supported Claims UI property.

Question No : 5


Which of the following statements about the PingAM tree designer is not true?

Answer:
Explanation:
The Tree Designer in PingAM 8.0.2 is a visual, drag-and-drop tool used to build sophisticated login journeys. While it is highly flexible, it follows specific structural rules to ensure the authentication engine can execute the logic predictably.
Analysis of the statements:
Statement A is true: Trees must terminate in an outcome. Success and Failure nodes are standard. Additionally, the Inner Tree Evaluator node allows one tree to hand off processing to another "child" tree.
Statement C is true: The designer is extensible. Administrators can develop their own Java or Scripted nodes, and the Ping Identity Marketplace provides a wide range of third-party nodes (e.g., for biometric providers or specialized risk engines) that appear in the designer palette once installed.
Statement D is true: "Inner trees" are a supported concept, allowing for modularity where common logic (like MFA) can be built once and called from multiple parent trees.
Statement B is the "not true" statement. While the designer allows for complex logic and loops (e.g., looping back to a username prompt if a password is wrong), it does not support nesting nodes within a tree. In PingAM architecture, nodes are atomic components placed on a flat canvas. You cannot "nest" a node inside another node's configuration in the visual designer. Complexity is achieved through the branching and linking of these atomic nodes. If logic needs to be "nested" or grouped, it is done by creating a separate tree and calling it as an Inner Tree. Understanding this structural limitation is key for architects designing modular authentication frameworks.

Question No : 6


In an authentication tree process, considering best practice, where can the collected context data for mobile devices be persisted for subsequent risk analysis?

Answer:
Explanation:
In PingAM 8.0.2, the Intelligent Access engine (Authentication Trees) uses a specific data-passing mechanism to move information between individual nodes within a single journey. When a journey involves collecting context, such as device metadata (OS, version, screen resolution), location data (IP, geofencing), or risk signals, this information must be stored temporarily while the tree evaluates the next steps.
According to the "Authentication Node Development" and "Nodes and Trees" documentation, PingAM uses two primary transient storage objects during the authentication flow:
Shared State: This is the primary map used to share data between nodes in the same tree. Contextual data collected by nodes like the Device Profile Collector or Browser Capabilities nodes is stored here. It exists only for the duration of the authentication journey.
Transient State: Similar to shared state, but often used for sensitive data that should not be visible to certain types of nodes or scripts.
The documentation identifies Shared Node State (Option B) as the best practice for persisting collected context during the tree process.
Session State (Option A) is only available after the authentication is successful and a session has been created. It is not suitable for data needed by nodes within the tree to make a decision (like a risk engine node).
User Profile (Option C) is for long-term persistence (LDAP/PingDS). Storing transient device context there would cause unnecessary database write overhead and privacy concerns.
Browser Cookies (Option D) are limited in size and pose security risks if used to store raw device data that could be tampered with by the client.
Therefore, for real-time risk analysis within a journey, nodes write data to the shared state, where subsequent nodes (like a Scripted Decision Node or Adaptive Risk Node) can retrieve and analyze it.

Question No : 7


Which statements are correct about PingAM sessions?
A) When a web browser is involved, the web browser is instructed to set a cookie as the session reference.
B) When no browser is involved, PingAM returns the session reference in the JSON response.
C) PingAM can only track the session in the Core Token Service store.
D) The default session cookie name created in a web browser is iPlanetDirectoryPro.

Answer:
Explanation:
This question explores the fundamental architecture of Session Management in PingAM 8.0.2. PingAM is designed to be highly flexible, supporting both traditional browser-based Single Sign-On (SSO) and modern API-driven interactions.
Analysis of the statements based on PingAM documentation:
Statement A is correct: For browser-based flows, PingAM uses HTTP cookies to maintain session state. Upon successful authentication, AM sends a Set-Cookie header to the browser containing the session token (the session reference).
Statement B is correct: For "headless" or REST-based authentication (such as a mobile app or a back-end service calling /json/realms/root/authenticate), there is no browser to handle cookies automatically. In this case, PingAM returns the tokenId directly in the JSON response body, allowing the client to manage the token manually in subsequent API calls.
Statement D is correct: For historical reasons, the default value for the SSO Cookie Name in PingAM is iPlanetDirectoryPro. While administrators are encouraged to change this for security (obfuscation), it remains the default "out-of-the-box" configuration.
Statement C is incorrect: This is the "distractor" in the question. PingAM 8.0.2 supports multiple session storage models. While the Core Token Service (CTS) is the standard for server-side stateful sessions, AM also supports Client-side sessions (where the state is stored in a signed/encrypted JWT in the cookie itself) and In-memory sessions (primarily used for short-lived authentication journeys). Since AM is not restricted only to the CTS, Statement C is false.
Therefore, the combination of A, B, and D accurately reflects the session capabilities of PingAM 8.0.2, making Option A the correct answer.

Question No : 8


An OpenID Connect application makes a request for an ID token with the openid and profile scope.
Which set of claim attributes are available with the profile scope?

Answer:
Explanation:
PingAM 8.0.2 adheres to the OpenID Connect Core 1.0 specification regarding standard scopes and claims. When a client requests the profile scope, the OpenID Provider (PingAM) is expected to return a specific set of claims that describe the user's basic profile.
According to the PingAM documentation on "Understanding OpenID Connect Scopes and Claims" and the default OIDC Claims Script (which maps internal LDAP attributes to OIDC claims), the standard claims associated with the profile scope are strictly defined with lowercase, snake_case naming conventions. The default set includes:
name: The user's full name.
given_name: The user's first name.
family_name: The user's surname or last name.
middle_name: (Optional)
nickname: (Optional)
preferred_username: (Optional)
profile: URL to the profile page.
picture: URL to an image.
website: URL.
gender: (Optional)
birthdate: (Optional)
zoneinfo: Timezone.
locale: The user's preferred language/locale.
updated_at: Timestamp.
Option C is the only choice that correctly identifies the snake_case format (given_name, family_name, locale) required by the specification. Options A and B use camelCase or inconsistent naming that does not match the OIDC standard or PingAM's default mapping script.
Option D includes preferred_locale, which is incorrect; the standard claim name for a user's language preference in OIDC is simply locale.
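As an added example (not PingAM's own code), the Python below checks Supported Claims entries against the ClaimName|Locale|DisplayName format from Question 4 and the standard profile-scope claim names from Question 8, rejecting the exact mistakes discussed in both explanations (reversed fields, missing locale, the non-standard full_name, and '+' composition). The per-scope claim table goes beyond the page's profile list to the other OpenID Connect Core scopes; the candidate strings and PingAM's own acceptance rules are assumptions here.

```python
"""Validate PingAM 'Supported Claims' entries and list claims per OIDC scope.

Added example, not PingAM code. Entry format (Question 4): ClaimName|Locale|DisplayName.
Claim names come from OpenID Connect Core 1.0; PingAM's own acceptance rules
are an assumption here and may be looser or stricter.
"""
import re

# Claims an OpenID Provider returns for the `profile` scope (Question 8).
PROFILE_SCOPE_CLAIMS = frozenset({
    "name", "given_name", "family_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "gender",
    "birthdate", "zoneinfo", "locale", "updated_at",
})
# The other OIDC Core scopes (goes beyond the page's profile-scope list).
SCOPE_CLAIMS = {
    "openid": frozenset({"sub"}),
    "profile": PROFILE_SCOPE_CLAIMS,
    "email": frozenset({"email", "email_verified"}),
    "address": frozenset({"address"}),
    "phone": frozenset({"phone_number", "phone_number_verified"}),
}
STANDARD_CLAIMS = frozenset().union(*SCOPE_CLAIMS.values())

_CLAIM_RE = re.compile(r"^[a-z][a-z0-9_]*$")            # snake_case only
_LOCALE_RE = re.compile(r"^[a-z]{2}(?:[_-][A-Z]{2})?$")  # en, fr, en_GB


def parse_supported_claim(entry):
    """Return ((claim, locale, display), None) or (None, reason) for one entry."""
    parts = [p.strip() for p in entry.split("|")]
    if len(parts) == 1:
        # e.g. "full_name": no locale and no display name at all
        return None, "missing locale and display name"
    if len(parts) != 3:
        return None, f"expected 3 pipe-separated fields, got {len(parts)}"
    claim, locale, display = parts
    if "+" in claim or "+" in display:
        # Concatenating claims belongs in the OIDC Claims Script, not here.
        return None, "claim composition ('+') is not allowed in a static mapping"
    if not _CLAIM_RE.match(claim):
        hint = " (fields appear reversed)" if display in STANDARD_CLAIMS else ""
        return None, f"claim name {claim!r} is not snake_case{hint}"
    if claim not in STANDARD_CLAIMS:
        return None, f"{claim!r} is not a standard OIDC claim name"
    if not _LOCALE_RE.match(locale):
        return None, f"locale {locale!r} is not an ISO language code"
    return (claim, locale, display), None


def validate_supported_claims(entries):
    """Split entries into accepted tuples and an {entry: reason} map of rejections."""
    accepted, rejected = [], {}
    for entry in entries:
        parsed, reason = parse_supported_claim(entry)
        if parsed:
            accepted.append(parsed)
        else:
            rejected[entry] = reason
    return accepted, rejected


def claims_for_scopes(scopes):
    """Claims the provider may release for the requested scopes; unknown scopes add none."""
    claims = set()
    for scope in scopes:
        claims |= SCOPE_CLAIMS.get(scope, frozenset())
    return claims


if __name__ == "__main__":
    # Constructed candidates mirroring the four options discussed in Question 4.
    candidates = ["name|en|Full name", "Full name|en|name", "full_name",
                  "given_name+family_name|en|Full name"]
    ok, bad = validate_supported_claims(candidates)
    print("accepted:", ok)
    for entry, reason in bad.items():
        print(f"rejected {entry!r}: {reason}")
    print("openid+profile releases:", sorted(claims_for_scopes(["openid", "profile"])))
```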

Question No : 9


A SAML2 identity provider (IdP) is configured in a subrealm.
Which of the following URLs can be used to export the IdP metadata?

Answer:
Explanation:
To facilitate federation between a SAML2 Identity Provider (IdP) and a Service Provider (SP), metadata must be exchanged. PingAM 8.0.2 provides a built-in utility page, exportmetadata.jsp, specifically for this purpose.
When an IdP is configured within a subrealm (rather than the Top Level Realm), the metadata export URL must be qualified with specific query parameters to ensure the correct entity configuration is retrieved. According to the "SAML 2.0 Reference" and "Exporting SAML 2.0 Metadata" documentation:
entityid: This parameter is mandatory when there are multiple entities configured. It specifies the unique URI of the IdP (e.g., http://myserver.domain.com:8080/openam). This tells the JSP which specific provider's metadata to generate.
realm: This parameter is crucial for subrealm deployments. By default, the JSP looks in the root realm (/). If the IdP resides in a subrealm named /idprealm, the URL must explicitly include &realm=/idprealm.
Option D is the correct technical string.
Option B is incorrect as it lacks parameters and would only attempt to export default root-level metadata.
Option C is incorrect because the parameter name is entityid, not idp. While Amster (Option A) can indeed be used to export configuration, the exportmetadata.jsp remains the standard and most common method for generating the XML-formatted metadata required by external partners.

Question No : 10


Which of the following would be a possible combination of fields in the JSON body when making a policy evaluation via REST?

Answer:
Explanation:
In PingAM 8.0.2, requesting policy decisions via the REST API involves sending a POST request to the policies endpoint with the _action=evaluate parameter. To receive an accurate decision, the request body must provide the context of the access attempt.
According to the "Request policy decisions over REST" documentation, the JSON body typically includes the following core fields:
resources: (Required) An array of strings representing the URIs the user is attempting to access.
application: (Required) This field specifies the name of the Policy Set (formerly known as the application) that contains the relevant policies for the evaluation.
subject: (Optional, but usually required for user-specific policies) This object identifies the user or entity requesting access. It can include the user's ssoToken or a set of claims if using JWT-based subjects.
Why other options are incorrect: Advices (Options A and C) are not inputs for a policy evaluation request. Instead, advices are returned by PingAM in the response if a policy condition fails (e.g., an Auth Level Condition Advice requesting the user to provide MFA). A request cannot "evaluate" an advice; it triggers one.
Option D is incorrect because the resources field is a mandatory requirement for any evaluation; without a target resource, the engine has nothing to compare against the defined policy rules. Therefore, the combination of resources, subject, and application represents the standard, valid structure for a policy decision request in PingAM 8.0.2.

Question No : 11


If PingAM is deployed in Apache Tomcat under /openam, what file system backups should be taken when PingAM needs to be upgraded?

Answer:
Explanation:
According to the PingAM 8.0.2 Upgrade Guide and the "Plan the upgrade" documentation, a successful upgrade and potential rollback strategy rely on capturing the complete state of the application across three distinct locations on the filesystem. When PingAM is deployed in a container like Apache Tomcat, the configuration is not stored within the WAR file itself but is distributed to maintain persistence across redeployments.
The three critical areas that must be backed up are:
The Web Application Directory (/path/to/tomcat/webapps/openam/): This contains the expanded binaries, JSPs, and web-level configurations. While the upgrade involves replacing the openam.war file, backing up this folder preserves any manual customizations made to the UI, CSS, or specific library additions (JARs) in the WEB-INF/lib folder.
The Configuration Directory (<home directory>/openam/ or similar): This is the most vital component. By default, PingAM stores its instance-specific configuration, cryptographic keys (keystores), and internal metadata here. For file-based configurations (FBC), this directory holds the entire system state. Even with an external PingDS configuration store, this directory contains the bootstrap file and security secrets required to connect to that store.
The Bootstrap Configuration File (<home directory>/.openamcfg/): This hidden directory contains a file (usually named after the deployment path, e.g., am or openam) that tells the PingAM binaries where the actual configuration directory is located. Without this pointer, a restored PingAM instance will behave like a fresh installation and prompt for a new setup.
The documentation explicitly warns: "Always back up your deployment before you upgrade... For AM servers, you can roll back by restoring from a file system backup of the deployed servers and their configuration directories." Relying only on the webapps folder (Option A) or assuming automatic backups (Option B) will lead to data loss or an unrecoverable state.
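As an added example, not part of the PingAM Upgrade Guide, this Python script archives the three locations listed above before an upgrade and uses the bootstrap pointer to locate the configuration directory. It assumes a Tomcat deployment under /openam (webapps/openam) and a pointer file in <home>/.openamcfg named openam whose first line is the configuration directory path; the sample layout it builds is constructed.

```python
"""Back up the three locations a PingAM upgrade and rollback depend on.

Added example, not PingAM's own tooling. Assumptions: PingAM is deployed under
/openam in Tomcat (webapps/openam), and the bootstrap pointer file in
<home>/.openamcfg is named after the deployment (openam) and holds the
configuration directory path on its first line.
"""
import tarfile
import tempfile
import time
from pathlib import Path


def find_config_dir(openamcfg_dir, deployment="openam"):
    """Return the configuration directory named by the bootstrap pointer file."""
    pointer = Path(openamcfg_dir) / deployment
    if not pointer.is_file():
        raise FileNotFoundError(f"bootstrap pointer missing: {pointer}")
    # Without this pointer a restored instance behaves like a fresh install.
    target = pointer.read_text(encoding="utf-8").splitlines()[0].strip()
    if not target:
        raise ValueError(f"bootstrap pointer {pointer} is empty")
    return Path(target)


def backup_am(tomcat_home, home_dir, dest_dir, deployment="openam", stamp=None):
    """Archive webapps/<deployment>, the config dir and .openamcfg; return {label: archive}."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    openamcfg = Path(home_dir) / ".openamcfg"
    locations = {
        "webapp": Path(tomcat_home) / "webapps" / deployment,  # binaries, JSPs, WEB-INF/lib
        "config": find_config_dir(openamcfg, deployment),      # keystores, instance config
        "bootstrap": openamcfg,                                 # pointer to the config dir
    }
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    archives = {}
    for label, src in locations.items():
        if not src.is_dir():
            raise FileNotFoundError(f"{label} directory missing: {src}")
        archive = dest / f"am-{label}-{stamp}.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname=src.name)
        archives[label] = archive
    return archives


def verify_backup(archives):
    """Confirm every archive re-opens and contains at least one regular file."""
    for archive in archives.values():
        with tarfile.open(archive, "r:gz") as tar:
            if not any(m.isfile() for m in tar.getmembers()):
                return False
    return True


def demo():
    """Build a constructed sample layout in a temp dir, back it up and verify it."""
    root = Path(tempfile.mkdtemp(prefix="am-backup-"))
    webapp_lib = root / "tomcat" / "webapps" / "openam" / "WEB-INF" / "lib"
    webapp_lib.mkdir(parents=True)
    (webapp_lib / "custom-node.jar").write_bytes(b"constructed sample jar")
    config = root / "home" / "openam"
    config.mkdir(parents=True)
    (config / "keystore.jceks").write_bytes(b"constructed sample keystore")
    cfg = root / "home" / ".openamcfg"
    cfg.mkdir()
    (cfg / "openam").write_text(str(config) + "\n", encoding="utf-8")
    archives = backup_am(root / "tomcat", root / "home", root / "backups")
    return {"archives": archives, "ok": verify_backup(archives),
            "config_dir": find_config_dir(cfg)}


if __name__ == "__main__":
    print(demo())
```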

Question No : 12


Samantha decides to implement SAML2 auto-federation to link accounts on the service provider (SP) with the corresponding account in the identity provider (IdP).
Which of the following statements describe characteristics of auto-federation?
A) Linking is based on a common NameId format value.
B) Linking is achieved by using a common attribute value.
C) The user must log in to the IdP only to link accounts.
D) The user must log in to both the SP and the IdP to link accounts.

Answer:
Explanation:
Auto-federation is a feature in PingAM 8.0.2 designed to simplify the user experience by automatically linking an IdP identity to an SP identity without manual intervention or a specialized "linking" page. According to the PingAM documentation on "Link Identities Automatically with Auto-Federation":
Linking Mechanism (Statement B): Auto-federation does not rely on the SAML NameID. Instead, it uses a common attribute value found in both the SAML assertion and the SP's local identity store. For example, if both systems share an "Email" attribute, the SP can be configured to use the mail attribute from the incoming assertion to search its own datastore. If a match is found, the accounts are linked. This is significantly more flexible than relying on NameID formats (disproving Statement A).
User Experience (Statement C): One of the primary benefits of auto-federation is that it supports a "Just-in-Time" experience. The user only needs to log in to the Identity Provider (IdP). When they are redirected to the SP, the SP performs the attribute-based lookup and creates the session immediately. The user is never prompted to log in at the SP side just to "prove" who they are for the linking process (disproving Statement D).
Because auto-federation relies on matching attributes and only requires a single login at the IdP, the correct statements are B and C. This makes Option B the correct choice. This feature is particularly useful in Large-Scale B2B or B2C scenarios where pre-mapping thousands of users manually would be impossible.

Question No : 13


When removing a forgeops deployment created with the Cloud Developer Kit (CDK) with the following command:
$ /path/to/forgeops/bin/forgeops delete
What components are removed from the deployment?

Answer:
Explanation:
The forgeops command-line tool is used to manage the lifecycle of the Ping Identity Platform in Kubernetes environments. When using the Cloud Developer Kit (CDK) for version 8.0.2, the delete subcommand is used to tear down the environment.
According to the "ForgeOps CLI Reference" and "CDK Shutdown and Removal" documentation:
The forgeops delete command (without additional flags like --force or specific component names) is designed to remove the Ping Identity Platform pods. This includes the core applications like PingAM, PingIDM, and PingDS, as well as the specialized UI pods (login-ui, etc.). It also removes the standard CDK artifacts and configuration manifests associated with that specific namespace.
However, the command follows a "safe delete" philosophy regarding infrastructure-level components:
Ingress Controllers, Certificate Managers (cert-manager), and the DS Operator are considered part of the "Base" or "Infrastructure" layer. These are typically installed once per cluster or namespace and are shared across multiple deployments. The forgeops delete command does not remove these by default, as doing so could disrupt other services.
PVCs (Persistent Volume Claims) and Secrets are also preserved unless the --force or -f flag is explicitly added to the command.
Thus, the answer is D. The command focuses strictly on the platform pods and their immediate deployment artifacts. If a developer wishes to perform a "deep clean" that removes the ingress and operators, they would need to use more specific commands like forgeops delete base or kubectl commands. This distinction is vital for developers to avoid accidentally deleting shared cluster infrastructure when they only intended to restart the Ping platform.

Question No : 14


Charlotte wants to query all the authentication tree configuration details in the alpha realm using an Amster command. After connecting to the PingAM instance in Amster, which command should Charlotte enter?

Answer:
Explanation:
Amster is the lightweight command-line interface used for managing PingAM 8.0.2 configurations. To interact with specific components, Amster uses "Entities." According to the "Amster Entity Reference" for version 8, the entity responsible for authentication trees is named AuthTree.
When a user wants to retrieve or "query" information about an entity, the syntax follows the pattern:
query <EntityName> --realm <RealmPath> --filter <FilterCondition>.
Entity Name: The documentation specifies AuthTree as the correct entity name. Using the full descriptive name AuthenticationTree (Options A and B) will result in a "Command not found" or "Unknown entity" error in the Amster shell.
Filter: Amster requires a filter to narrow down results. To query all items within a realm, the standard practice is to use a filter that always evaluates to true, which is --filter true.
Therefore, the correct command is query AuthTree --realm /alpha --filter true (Option C). This command tells Amster to look into the /alpha realm and list every authentication tree configuration found there.
Option D is incorrect because --query all is not a valid parameter for the Amster query command; the filtering logic is strictly handled by the --filter flag. Mastering this syntax is essential for DevOps engineers who need to export or audit configurations across different environments (Dev, Test, Prod).

Question No : 15


In order to support rollback in case of a failed PingAM upgrade in a two server PingDS environment, what PingDS safety measure can be configured?

Answer:
Explanation:
Upgrading PingAM 8.0.2 in an environment with multiple PingDS (Directory Server) instances requires a careful strategy to ensure data integrity and to allow for an immediate Rollback if the upgrade fails or introduces instability.
According to the PingAM "Plan for Rollback" and "Upgrade in a Replicated Environment" documentation, the recommended safety measure involves isolating one of the data store nodes to act as a "time-capsule" of the pre-upgrade state. The process is as follows:
Stop Replication: Before starting the upgrade, administrators should disable or stop replication between the PingDS nodes. This prevents any schema changes or data modifications performed during the AM upgrade from being propagated to the backup node.
Isolate a Node: One PingDS instance is shut down or taken out of the load balancer rotation. This instance remains in its original, healthy state.
Perform the Upgrade: The PingAM upgrade is performed against the remaining active PingDS instance. If the upgrade involves schema updates (which is common when moving to version 8.0.2), only the active node's data is modified.
Rollback Path: If the upgrade fails, the administrator can simply shut down the "corrupted" upgraded environment and restart the isolated PingDS instance along with the original PingAM WAR file. Because replication was stopped, the isolated node still contains the original configuration and user data.
Option D is the only answer that correctly identifies this "safety-net" architecture.
Option A is risky because a failed upgrade would corrupt both instances.
Option C is incomplete because simply "starting up" the shutdown instance after an upgrade doesn't account for how you handle the discrepancy between the upgraded and non-upgraded nodes. The goal is to keep the shutdown instance as a valid, un-touched recovery point.
