Question 1

A financial application should be prompted for step-up authentication on a URL that allows money
transfers. A previous administrator configured rules to be applied on the required application URL.
Users are not prompted for step-up authentication when accessing the /sranafemmeney URL
endpoint.
Which two actions should the administrator take? (Choose 2 answers.)

Accepted Answer

B, C

Explanation: In PingAccess, enforcing step-up authentication for a specific resource is achieved using an Authentication Requirements Rule. This rule type is designed to inspect the user's session context, which is typically provided by PingFederate in a web session token. The rule verifies if the session meets a pre-defined minimum authentication level or context. If users are not being prompted for step-up, the issue lies either with the application of the rule or its configuration. The administrator must first verify that an Authentication Requirements Rule is correctly applied to the financial application's URL (B). Second, they must ensure the rule itself is configured with the appropriate minimum authentication level required for the sensitive money transfer operation (C).

Question 2

An auto parts company wants to protect the path /parts/suspension/struts/manufacturer. Resources
appear under an application Context Root of /parts with default ordering.
Which resource will the policy engine select?

Accepted Answer

C

Explanation: In PingAccess, once the application context-root (/parts) is stripped, the remaining request path is /suspension/struts/manufacturer. With default ordering, the policy engine chooses the “most specific” resource—i.e., the pattern with the greatest number of explicit path segments and the fewest wildcards. Among the candidates: • /suspension/struts/manufacturer contains four fixed segments and no wildcards. • //struts/manufacturer and //manufacturer both contain multi-segment wildcards (//). • ///manufacturer contains two wildcards. Because /suspension/struts/manufacturer is the longest exact match and has zero wildcards, it outranks the others, so the policy engine selects it.

Question 3

All style sheets should be accessible to all users without authentication across all applications. Which configuration option should the administrator use?

Accepted Answer

C

Explanation: The "Global Unprotected Resources" feature in PingAccess is specifically designed to define URL patterns that should be accessible without requiring any authentication. This configuration is applied globally, meaning it affects all applications managed by PingAccess. This directly meets the requirement to make resources like style sheets, which are often common across multiple applications, publicly available to all users without an authentication challenge.

Question 4

An administrator needs to prevent PingAccess from automatically starting on a Windows Server. Which command would accomplish this task?

Accepted Answer

B

Explanation: To prevent PingAccess from starting automatically on a Windows Server, the associated Windows Service must be removed. PingAccess provides a specific batch script for this purpose. The uninstall-service.bat command, located in the /bin directory, unregisters the PingAccess service from the Windows Service Control Manager. Once the service is removed, it can no longer be started automatically by the operating system during boot-up.

Question 5

Which two browsers are supported for the PingAccess Admin console? (Choose 2 answers.)

Accepted Answer

C, D

Explanation: According to Ping Identity’s official “PingAccess Release Notes – Supported browsers” table, only the latest versions of Google Chrome and Microsoft Edge (Chromium-based) are formally tested and supported for the PingAccess administrative console. Safari, Opera, and Brave are not included in the support matrix, so they are outside the vendor’s guaranteed compatibility scope.

Question 6

Anycompany has several applications that need to load images and fonts from
www.anycompany.com. Users are currently getting CORS errors. How should the Cross-Origin
Request rule be set to allow secure access?

Accepted Answer

B

Explanation: In PingAccess you grant CORS access by listing the domains that are allowed to make the browser request. Setting Allowed Origins to “.anycompany.com” matches every application that sits on a sub-domain of anycompany.com, so every needed app can obtain the images and fonts from www.anycompany.com. Because the resources are static, cookies are not required; therefore Allow Credentials should be left disabled. This combination satisfies security guidelines (no credentials are exposed) while meeting the CORS specification that “” may be used only when Allow Credentials = false.

Question 7

An administrator is integrating a new PingAccess Proxied Application. The application will
temporarily need a self-signed certificate during the POC/demo phase. PingAccess is terminating SSL
and is responsible for loading the SSL certificate for the application.
What initial action must the administrator take in PingAccess in this situation?

Accepted Answer

B

Explanation: PingAccess, as a Java-based application, includes a default trust store (the Java Trust Store) which contains the root certificates of most major public Certificate Authorities (CAs). PingAccess exposes this as a pre-configured "Java Trust Store Certificate Group". When a backend target site uses a certificate issued by a publicly trusted CA, no manual certificate import is necessary. The administrator simply needs to configure the Site in PingAccess to use this built-in trust group, which allows PingAccess to validate the target's certificate chain against the already-trusted public CAs.

Question 8

An administrator is integrating a new PingAccess Proxied Application. The application will use an SSL
certificate issued by a publicly trusted Certificate Authority. PingAccess is terminating SSL and is
responsible for loading the SSL certificate for that application. What initial action must the
administrator take in PingAccess in this situation?

Accepted Answer

D

Explanation: For PingAccess to terminate SSL/TLS for a proxied application, it must possess the server's private key and its corresponding public certificate chain. In PingAccess, this combination of a private key and a certificate is managed as a "Key Pair". The standard and most common method for importing a private key along with its full certificate chain is by using a PKCS#12 (or PFX) file. This file format securely bundles all necessary components, which are then imported into the "Key Pairs" section of the PingAccess administrative console to be used by an HTTPS listener.

Question 9

Which two protocols does PingAccess use for authentication and authorization? (Choose 2 answers.)

Accepted Answer

D, E

Explanation: PingAccess is a modern access security solution designed to protect web applications and APIs. Its core functionality is built upon the OAuth 2.0 and OpenID Connect (OIDC) standards. It acts as an OAuth 2.0 Resource Server, validating access tokens to enforce authorization policies and protect resources. For user authentication and session management, PingAccess functions as an OIDC Relying Party, leveraging an identity provider (like PingFederate) to authenticate users and establish secure sessions based on the identity information contained within an ID Token. These two protocols work together to provide a comprehensive authentication and authorization framework.

Question 10

An administrator is preparing to rebuild an unrecoverable primary console and must promote the replica admin node. Which two actions must the administrator take? (Choose 2 answers.)

Accepted Answer

C, D

Explanation: To promote a replica administrative node to become the primary console in a PingAccess cluster, the administrator must first change its designated role. This is accomplished by editing the run.properties file on the replica node and changing the pa.operational.mode from CLUSTEREDCONSOLEREPLICA to CLUSTEREDCONSOLE. For this configuration change to be applied and for the node to assume its new role as the primary console, the PingAccess service on that specific node must be restarted. These two actions are the core requirements for the promotion process.

Question 11

A protected web application requires that additional attributes be provided once the user is authenticated. Which two steps must the administrator perform to meet this requirement? (Choose 2 answers.)

Accepted Answer

A, B

Explanation: PingAccess can inject user attributes into requests only if those attributes are present in the OIDC/JWT presented by the IdP. 1) The IdP (token provider) therefore must be configured to add the required claims to the ID token (A). 2) After the claims exist, the PingAccess administrator must modify the Identity Mapping to pull the new claims from the ID token and place them into HTTP headers, cookies, or query parameters forwarded to the protected web application (B). No changes to the Site Authenticator, Web Session, or access token are needed for attribute-injection in a browser-based OIDC-protected application.

Question 12

An administrator must protect an application on multiple domains or hosts. What should the administrator configure to complete this action?

Accepted Answer

B

Explanation: In PingAccess, a Virtual Host is the component that defines the combination of a hostname and port that PingAccess listens on for incoming requests. To protect an application that is accessible via multiple domains or hosts (e.g., app.company.com and app.company.net), the administrator must configure Virtual Hosts for each of these hostnames. These Virtual Hosts then direct traffic to the appropriate back-end application, allowing a single application to be served and protected across multiple domains.

Question 13

An administrator is integrating a new PingAccess Proxied Application. The application will
temporarily need a self-signed certificate during the POC/demo phase. PingAccess is terminating SSL
and is responsible for loading the SSL certificate for the application.
What initial action must the administrator take in PingAccess in this situation?

Accepted Answer

D

Explanation: In PingAccess, the Key Pairs section is used to manage the server's own private keys and their corresponding public certificates, which are essential for SSL/TLS termination. The scenario requires a new, self-signed certificate for a temporary Proof of Concept (POC). The most direct and initial action within the PingAccess administrative console to fulfill this requirement is to navigate to the Key Pairs section and use the built-in functionality to generate a new key pair along with a self-signed certificate. This action creates the necessary cryptographic materials directly within PingAccess without involving any external Certificate Authority (CA).

Question 14

During a business review of an application, the administrator needs to change the Resource
Authentication to anonymous. What are the two effects of making this change to the resource?
(Choose 2 answers.)

Accepted Answer

B, C

Explanation: In PingAccess, setting a resource's authentication method to "Anonymous" instructs PingAccess not to require a web session or an OAuth access token for the request. This bypasses the authentication check step. However, the request processing does not stop there. The request continues through the defined policy flow, which includes executing any configured Identity Mappings to add attributes and then evaluating the Processing (or Access Control) Rules to make a final authorization decision (allow or deny). Therefore, while authentication is not required, authorization rules and identity attribute processing are still applied to the request.

Question 15

An internal audit reveals that an agent has been compromised. What action must be taken to re- secure the agent?

Accepted Answer

D

Explanation: The agent.properties file contains the bootstrap configuration for a PingAccess agent, including a unique agent ID and a one-time shared secret. This secret is used to establish initial trust with the PingAccess engine. If an agent is compromised, its identity and security credentials are no longer considered secure. The standard remediation procedure is to create a new agent configuration in the PingAccess administrative console. This action generates a new identity and a new agent.properties file with a new shared secret. Applying this new file to the agent host and restarting the agent re-establishes a new, secure trust relationship with the engine.

Free Ping Identity PAP-001 Actual Exam Questions