Ping Identity Updated PAP-001 Exam Questions and Answers by damon

When using theAuthorization Code Flowfor authentication, PingAccess must be configured with:

AnOAuth Client IDthat identifies the application to the IdP.

TheOpenID Connect Login Typeset to Authorization Code.

Exact Extract:

“When configuring an OIDC web session, specify the OAuth client ID and select the OpenID Connect login type (Authorization Code, Hybrid, or Implicit).”

Option A (OAuth Token Introspection Endpoint)is not required for Authorization Code flow — token introspection is used in other cases.

Option B (OAuth Client ID)is correct — required for OIDC authorization requests.

Option C (OpenID Connect Issuer)is discovered automatically via metadata when you configure the token provider.

Option D (Virtual Host)is required for application exposure but not specific to OIDC flow.

Option E (OpenID Connect Login Type)is correct — must be set to “Authorization Code.”

Theadmin.authsetting in therun.propertiesfile is used to specify a fallback authentication method for the administrative console.

Exact Extract from official documentation:

“To define a fallback administrator authentication method if the OIDC token provider is unreachable, enable the admin.auth=native property in the run.properties file. This overrides any configured administrative authentication to basic authentication.”

This makes it clear that the purpose ofadmin.authis tooverrideany configured SSO for the admin UI and enforce native (basic) authentication instead.

Option Ais incorrect because theadmin.authsetting does not configure SSO. SSO for the admin UI is configured separately.

Option Bis incorrect because this setting does not apply to the administrative API; it specifically applies to the admin UI console.

Option Cis correct because it directly reflects the documented behavior:admin.authoverrides SSO configuration for the administrative UI and enables native authentication.

Option Dis incorrect because the setting does not enable automatic authentication. It still requires credentials, but falls back to basic auth.

When a PingAccess agent is compromised, the secure approach is toinvalidate the existing credentials and issue a new configuration filefrom the PingAccess Admin Console. This provides a freshagent.propertiesfile with new secrets, ensuring compromised keys cannot be reused.

Exact Extract:

“If an agent is compromised, revoke and regenerate the agent configuration by downloading a newagent.propertiesfile from the administrative console.”

Option Ais incorrect — manually changing the secret in the file does not propagate it to PingAccess.

Option Bis incorrect — trusted certificates are not tied to agent authentication.

Option Cis unnecessary — reinstalling the agent does not reset credentials.

Option Dis correct — downloading a newagent.propertiesfile re-secures the agent.

All administrative API calls that change PingAccess configuration are logged inpingaccess_api_audit.log. This allows administrators to track who made configuration changes.

Exact Extract:

“Thepingaccess_api_audit.logfile contains entries for all administrative API calls and is used to audit configuration changes.”

Option A (pingaccess.log)contains runtime system messages but not detailed API audit entries.

Option B (pingaccess_engine_audit.log)is specific to engine request/response audit logging.

Option C (pingaccess_agent_audit.log)is used for PingAccess Agent traffic auditing, not administrative changes.

Option D (pingaccess_api_audit.log)is correct — it tracks admin API modifications.