PAP-001 Questions and Answers

PingAccess allows administrators to configurecustom error pages or messagesat theRoot Resource levelof an application. This ensures that when rule violations (e.g., authorization failures) occur, the application can display tailored error responses.

Exact Extract:

“Custom error handling for rule violations is configured within the Root Resource of an application.”

Option Ais incorrect — assigning a rule to a resource does not allow defining custom errors.

Option Bis correct — the Root Resource is where administrators define custom error handling for the entire application.

Option Cis incorrect — Rule Sets only combine rules; they do not handle error responses.

Option Dis incorrect — individual rule definitions do not contain custom error configurations.

Mutual TLS (mTLS) is used to establishtwo-way authenticationwhere both the client and the server present certificates to prove their identity. In the case of PingAccess, aMutual TLS Site Authenticatoris configured when PingAccess acts as a reverse proxy making requests to a backend (target) server.

Exact Extract from PingAccess documentation:

“Mutual TLS site authenticators provide client certificate authentication when PingAccess connects to a backend site. This allows PingAccess to present its certificate to the target server during the TLS handshake.”

This means the purpose is forPingAccess (client) to authenticate itself to the backend server (target resource)when establishing a secure connection.

Why other options are wrong:

A. Allows the backend server to authenticate to PingAccess

Incorrect. That’s normal server-side TLS authentication (the server presents a cert to the client), not mutual TLS initiated by PingAccess.

B. Allows the user to authenticate to the backend server

Incorrect. End users do not directly use this setting; this is between PingAccess and the backend application server.

C. Allows PingAccess to authenticate to the backend server

Correct. This is exactly the definition of a Mutual TLS Site Authenticator in PingAccess.

D. Allows PingAccess to authenticate to the token provider

Incorrect. That would involve OIDC/OAuth token exchange and possibly TLS trust, but it’s not the role of the Site Authenticator.

Thus, the correct answer isC. Allows PingAccess to authenticate to the backend server.

The Rule Set GroupC(ALL) requiresboth Rule Set A and Rule Set Bto evaluate to true.

Rule Set A (ALL)requirescan_read=yes.

Rule Set B (ANY)requireseitherOpt-in=yesORgroup=customerService.

Together in Rule Set Group C (ALL), both conditions must hold:

can_read=yesmust be present in the request.

User must have eitheropt-in=yesor be in thecustomerServicegroup.

This matchesOption Dexactly.

Option Ais incorrect; it requires both attributes in Rule Set B, but B is ANY (either is sufficient).

Option Bis incorrect; the “unless” wording is misleading — the parameter is always required because Rule Set A uses ALL.

Option Cis incorrect; same reasoning as above, B is ANY not AND.

Option Dis correct —can_read=yesAND(opt-in=yesORgroup=customerService).

PingAccess officially supportsGoogle ChromeandMicrosoft Edgefor the administrative console. Other browsers (Safari, Opera, Brave) may work but are not officially supported.

Exact Extract:

“The PingAccess administrative console is supported on current versions of Google Chrome and Microsoft Edge.”

Option A (Safari)is not officially supported.

Option B (Opera)is not supported.

Option C (Google Chrome)is correct.

Option D (Microsoft Edge)is correct.

Option E (Brave)is not officially supported.

PingAccess usesEngine Listenersfor SSL termination of proxied applications. To minimize the number of certificates, administrators can:

Use awildcard certificate(e.g.,*.customer.com) on the engine listener.

Use aSubject Alternative Name (SAN) certificatethat covers multiple FQDNs under thecustomer.comdomain.

Exact Extract:

“PingAccess engine listeners can use certificates containing either wildcard entries or Subject Alternative Names to secure multiple applications under a single domain.”

Option Ais incorrect — assigning unique key pairs increases, not decreases, certificate management overhead.

Option Bis correct — a wildcard certificate covers all subdomains (e.g.,app1.customer.com,app2.customer.com).

Option Cis correct — a SAN certificate lists multiple FQDNs explicitly.

Option Dis incorrect — agent listeners don’t handle SSL termination for proxied apps.

Option Eis incorrect for the same reason — agent listeners aren’t used for SSL.

Modern browsers enforce stricter cookie handling rules. If cookies are not configured correctly with theSameSiteattribute, behavior can differ across browsers, leading to inconsistent authentication and access denials. Security exceptions may appear when session cookies are blocked.

Exact Extract:

“The SameSite cookie setting defines how browsers send cookies in cross-site requests. Misconfigured SameSite values can lead to inconsistent application behavior across browsers.”

Option A (Enable PKCE)is related to OAuth flow security, not browser cookie behavior.

Option B (SameSite Cookie)is correct — this directly explains the inconsistent browser issues.

Option C (Request Preservation)ensures query parameters are kept, not related to cross-browser session handling.

Option D (Validate Session)checks session state but does not address browser inconsistencies.

PingAccess rules are categorized intoAccess Control RulesandProcessing Rules.

Processing Rulesmodify or add to HTTP requests and responses.

Cross-Origin Request (CORS)is specifically listed as aProcessing Rule, because it modifies response headers to support cross-origin requests.

Exact Extract:

“Processing rules apply to HTTP traffic, such as Cross-Origin Resource Sharing (CORS), header injection, or response modification.”

Option A (Web Session Attribute)is an access control rule.

Option B (Cross-Origin Request)is correct — this is a processing rule.

Option C (HTTP Request Parameter)is an access control rule.

Option D (HTTP Request Header)is an access control rule.

To enforcestep-up authenticationfor selected resources, PingAccess usesAuthentication Challenge Policies. These policies allow different challenge methods to be applied depending on the resource.

Exact Extract:

“Authentication challenge policies define how PingAccess challenges users for authentication and are often applied when step-up authentication is required for specific resources.”

Option A (Authentication Challenge Policy)is correct — it ensures only certain resources trigger step-up MFA.

Option Bis incorrect; the reserved resource base path is unrelated to authentication.

Option Cis incorrect; changing the context root just changes the URL path prefix.

Option Dis incorrect; manual ordering of resources is unrelated to enforcing MFA.

When a backend application requires its own authentication (e.g., Basic Auth or mutual TLS), PingAccess uses aSite Authenticatorto inject the necessary credentials.

Exact Extract:

“Site Authenticators provide the credentials PingAccess uses when authenticating to target applications that require their own authentication mechanisms.”

Option A (Token Provider)is incorrect — this is used for OIDC/OAuth tokens, not site-level authentication.

Option B (Web Session)manages end-user sessions, not backend site authentication.

Option C (Site Authenticator)is correct — it handles authentication between PingAccess and the backend.

Option D (Access Control Rule)enforces authorization, not backend authentication.

When applications require additional attributes:

TheWeb Sessionmust be configured to retrieve those attributes from the token provider (OIDC or PingFederate).

TheIdentity Mappingmust be updated to forward those attributes to the application (e.g., as headers).

Exact Extract:

“Web sessions define how user attributes are retrieved from the token provider. Identity mappings determine how those attributes are inserted into requests to applications.”

Option Ais not necessarily required; attributes can be retrieved via userinfo endpoint or access token, not only ID tokens.

Option Bis correct — Identity Mappings must be updated to pass attributes to the app.

Option Cis incorrect — Site Authenticators define how PingAccess authenticates to apps, not attribute handling.

Option Dis incorrect unless the architecture specifically requires access token updates; PingAccess often uses the Web Session to fetch attributes.

Option Eis correct — Web Session must be updated to retrieve additional attributes.

Virtual Hostsin PingAccess define the external FQDNs (and ports) through which applications are accessed. An application can be bound to multiple virtual hosts to allow access via multiple FQDNs.

Exact Extract:

“A virtual host specifies the fully qualified domain name and port number through which an application is accessed.”

Option A (Virtual Hosts)is correct — multiple FQDNs can be supported by assigning multiple virtual hosts.

Option B (Applications)define resource protection but do not manage FQDN binding.

Option C (Sites)define back-end targets, not the public-facing FQDN.

Option D (Web Sessions)handle authentication state, unrelated to hostnames.

When PingAccess is first installed, theAdministrative Console(the web-based UI for managing configuration) is bound to adefault port of 9000. This is documented in the installation and configuration guides:

Exact Extract from documentation:

“By default, the administrative console is available athttps:// :9000.”

(PingAccess Installation Guide – Default Ports)

This means that unless the administrator has explicitly changed the port inrun.propertiesor during installation, the console will always be available onport 9000.

Option Analysis:

A. 9000✅Correct. Default administrative console port.

B. 3000❌Incorrect. This is not a PingAccess default port.

C. 9090❌Incorrect. Sometimes used by other Ping products for APIs, but not the PingAccess admin console.

D. 3030❌Incorrect. Not a default PingAccess port.

When configuring PingAccess to use PingFederate as theStandard Token Providerfor runtime engines, PingAccess must know how to contact PingFederate. The configuration requires theHost(PingFederate base URL).

Exact Extract:

“When configuring the Standard Token Provider, specify the PingFederate host to which PingAccess engines will connect for token validation.”

Option A (Issuer)is part of OIDC metadata but not required explicitly in this configuration.

Option B (Client ID)is needed for OAuth clients but not when defining the token provider connection itself.

Option C (Host)is correct — this is required to connect to PingFederate.

Option D (Port)may be included within the host definition (host:port) but is not the required field.

To prevent CORS errors, administrators must configure aCross-Origin Request (CORS) Processing Rule. The secure practice is to allow thespecific trusted domain(www.anycompany.com ) and, when cookies or credentials are required, to enableAllow Credentials.

Exact Extract:

“For secure CORS, specify exact origins rather than wildcards. Enable ‘Allow Credentials’ when client-side resources must include cookies or authentication data.”

Option Ais incomplete — multiple values are possible, but in this case onlywww.anycompany.com is required.

Option Bis less secure — using a wildcard (*.anycompany.com) broadens exposure unnecessarily.

Option Cis insecure —*with credentials is disallowed by CORS specifications.

Option Dis correct — restricts access to the trusted domain and allows credentialed requests.

PingAccess resources have anAudit flag. When enabled, all access attempts (allowed or denied) are recorded in the audit logs.

Exact Extract:

“To audit access requests to a specific resource, enable the Audit option on that resource in the application configuration.”

Option Ais correct — enabling audit for/adminensures its access requests are logged.

Option Bis incorrect — enabling audit for/*is overly broad and logs everything, not just/admin.

Option Cis incorrect — Splunk integration is for log forwarding, not per-resource auditing.

Option Dis incorrect —log4j2.xmlcontrols log destinations/levels, not resource-specific auditing.

All administrative API calls that change PingAccess configuration are logged inpingaccess_api_audit.log. This allows administrators to track who made configuration changes.

Exact Extract:

“Thepingaccess_api_audit.logfile contains entries for all administrative API calls and is used to audit configuration changes.”

Option A (pingaccess.log)contains runtime system messages but not detailed API audit entries.

Option B (pingaccess_engine_audit.log)is specific to engine request/response audit logging.

Option C (pingaccess_agent_audit.log)is used for PingAccess Agent traffic auditing, not administrative changes.

Option D (pingaccess_api_audit.log)is correct — it tracks admin API modifications.