Pass the Ping Identity PingAccess PAP-001 Questions and answers with ValidTests

Step-up authentication in PingAccess is enforced throughAuthentication Requirement Rules. If users are not prompted, the likely issues are:

The rule is missing from the application/resource.

The rule’s minimum authentication context does not include MFA.

Exact Extract:

“Authentication requirement rules determine whether PingAccess will challenge a user with additional authentication (such as MFA). Ensure that the rule is applied to the resource and that the authentication context is set correctly.”

Option Ais incorrect — rejection handlers define error handling, not MFA enforcement.

Option Bis correct — verify the authentication requirement rule is applied.

Option Cis correct — ensure the rule contains the right MFA requirements.

Option Dis incorrect — identity mappings do not enforce step-up authentication.

Option Eis incorrect — token validation rules check validity, not MFA levels.

From the “Promoting the replica administrative node” documentation:

Exact Extract:

“Open the/conf/run.propertiesfile in a text editor. Locate thepa.operational.modeline and change the value fromCLUSTERED_CONSOLE_REPLICAtoCLUSTERED_CONSOLE. These properties are case-sensitive. Do not restart the replica node during the promotion process.”Ping Identity Documentation

Also from the documentation under “Next steps” / manual promotion / “Using the admin API …”When promoting the replica, there is also mention of setting the new host-port in the primary admin configuration so that engine nodes and configuration references now point to the promoted replica. One of the API properties iseditRunPropertyFile(to flip the mode), another iseditPrimaryHostPort, which causes the primary-admin host setting to be updated.Ping Identity Documentation

Using those facts:

Why C is correct:

Option C says:Changepa.operational.modetoCLUSTERED_CONSOLEon the replica admin node.This directly matches the documented manual promotion step: switchpa.operational.modefromCLUSTERED_CONSOLE_REPLICA→CLUSTERED_CONSOLE.Ping Identity Documentation+1

This is essential for promoting the replica to primary console.

Why E is correct:

Option E:Modifybootstrap.propertiesand set theengine.admin.configuration.hostvalue to point at the replica admin node.While the documentation doesn’t always name the exact propertyengine.admin.configuration.host, the “promote via admin API” includes updating the “primary host:port” in the configuration so that engine nodes’ configuration queries (or whatever is used by engines) point to the new primary. This maps to ensuring that engine nodes know that the promoted replica is now the administrative node. This requiring modifying the bootstrap or configuration that engine nodes use to find the administrative host is essential.Ping Identity Documentation

Why the other options are incorrect:

A.Changepa.operational.modetoCLUSTERED_CONSOLE_REPLICAon one of the engine nodes.No. Engine nodes should havepa.operational.mode = CLUSTERED_ENGINE, not console modes.CLUSTERED_CONSOLE_REPLICAis an admin/replica console mode, not applicable for engines.docs.ping.directory+2Ping Identity Documentation+2

B.Restart all nodes in the cluster.The documentation explicitly saysdo not restartthe replica node during the promotion process because restart can cause file corruption or failure to properly promote. Only certain restarts are neededafterconfiguration updates. So restarting all nodes is not a correct required action.Ping Identity Documentation

D.Restart the replica admin node.As above, for manual promotion, a restart of the replica admin node isnotrequired (and is even discouraged during the promotion process). The change inrun.propertiesis detected without restarting.Ping Identity Documentation

PingAccess must trust the back-end site’s certificate to establish TLS. For internally issued certificates, the administrator imports thecertificate chaininto aTrusted Certificate Group.

Exact Extract:

“When a target site uses an internal CA, import the certificate or chain into a Trusted Certificate Group and assign that group to the site.”

Option Ais incorrect — the Java trust store does not contain the internal CA by default.

Option Bis incorrect — Key Pairs store private keys for SSL termination, not trusted CA certs.

Option Cis incorrect — engine listeners use key pairs for inbound SSL, not site trust.

Option Dis correct — the certificate must be imported into Trusted Certificate Groups.

The Rule Set GroupC(ALL) requiresboth Rule Set A and Rule Set Bto evaluate to true.

Rule Set A (ALL)requirescan_read=yes.

Rule Set B (ANY)requireseitherOpt-in=yesORgroup=customerService.

Together in Rule Set Group C (ALL), both conditions must hold:

can_read=yesmust be present in the request.

User must have eitheropt-in=yesor be in thecustomerServicegroup.

This matchesOption Dexactly.

Option Ais incorrect; it requires both attributes in Rule Set B, but B is ANY (either is sufficient).

Option Bis incorrect; the “unless” wording is misleading — the parameter is always required because Rule Set A uses ALL.

Option Cis incorrect; same reasoning as above, B is ANY not AND.

Option Dis correct —can_read=yesAND(opt-in=yesORgroup=customerService).

For SSL termination, PingAccess requires aKey Pair(certificate + private key). During a POC/demo, when aself-signed certificateis used, the administrator can create it directly in theKey Pairssection of the console.

Exact Extract:

“Use the Key Pairs section to create self-signed certificates for testing or proof-of-concept deployments. For production, import a PKCS#12 file containing a certificate chain and private key.”

Option Ais incorrect — Certificates store trust anchors (CAs), not SSL termination certs.

Option Bis incorrect — an internal CA-signed cert requires PKCS#12 import, not self-signed creation.

Option Cis incorrect — a publicly trusted CA is not used for a demo phase.

Option Dis correct — creating a new certificate in Key Pairs generates a self-signed cert suitable for demos.

PingAccess enforces step-up or multi-factor authentication usingAuthentication Requirements, which can be applied to specific resources within an application.

Exact Extract:

“Authentication requirements allow administrators to configure additional authentication (for example, MFA) when accessing sensitive application resources.”

Option A (UI Authentication)applies to access to theadmin console, not application resources.

Option B (Auth Token Management)relates to OAuth token lifetimes and refresh, not MFA enforcement.

Option C (Authentication Requirements)is correct — these rules enforce MFA or step-up auth for specific URLs/resources.

Option D (Authentication Challenge Policy)governs how failed auth challenges are presented but does not enforce MFA.

For multiple subdomains to share the same PingAccess session, theCookie Domainmust be configured so that the session cookie is valid across all listed applications.

Exact Extract:

“Set the Cookie Domain in the web session configuration to a parent domain (for example, .company.com) to enable applications in different subdomains to share the same session.”

Option A (Set Audience option)applies to OAuth token validation, not cookie sharing.

Option B (Set Cookie Domain option)is correct — e.g., setting.company.comallows session cookies to be shared.

Option C (Rewrite Cookie Domain rule)modifies upstream cookies for back-end applications, not PingAccess session cookies.

Option D (Rewrite Cookie Path rule)is unrelated; it modifies paths for cookies, not domains.

The pattern/images/sitel/*matches all subpaths and files under the/images/sitel/directory, including nested paths.

Exact Extract:

“The asterisk (*) matches zero or more characters within the path. For example,/images/sitel/*matches all resources under thesitelfolder.”

Option Ais incorrect — it references/aitel/instead of/sitel/.

Option Bis incorrect —/site*matches strings beginning with “site”, but may also match “siteX” incorrectly.

Option Cis incorrect — it only matches resources under/english/, missing other folders.

Option Dis correct —/images/sitel/*covers all given examples.

When applications require additional attributes:

TheWeb Sessionmust be configured to retrieve those attributes from the token provider (OIDC or PingFederate).

TheIdentity Mappingmust be updated to forward those attributes to the application (e.g., as headers).

Exact Extract:

“Web sessions define how user attributes are retrieved from the token provider. Identity mappings determine how those attributes are inserted into requests to applications.”

Option Ais not necessarily required; attributes can be retrieved via userinfo endpoint or access token, not only ID tokens.

Option Bis correct — Identity Mappings must be updated to pass attributes to the app.

Option Cis incorrect — Site Authenticators define how PingAccess authenticates to apps, not attribute handling.

Option Dis incorrect unless the architecture specifically requires access token updates; PingAccess often uses the Web Session to fetch attributes.

Option Eis correct — Web Session must be updated to retrieve additional attributes.

Thepa.operational.modeproperty inrun.propertiesdefines therole of the nodein a PingAccess deployment (e.g.,STANDALONE,CLUSTERED_CONSOLE,CLUSTERED_CONSOLE_REPLICA,ENGINE).

Exact Extract:

“Thepa.operational.modeproperty determines the role of the server in the cluster, such as standalone, console, console replica, or engine.”

Option Ais incorrect — replication is implicit in certain roles, not controlled directly.

Option Bis correct — the setting specifies whether the node is admin console, replica, or engine.

Option Cis incorrect — development vs production is not a function of this setting.

Option Dis incorrect — it does not enable/disable nodes.