PAP-001 Exam Dumps, PAP-001 Practice Test Questions [Q14-Q30]

PDF (New 2026) Actual Ping Identity PAP-001 Exam Questions


Ping Identity PAP-001 Exam Syllabus Topics:

| Topic | Details |
|---|---|
| Topic 1 | Product Overview: This section of the exam measures skills of Security Administrators and focuses on understanding PingAccess features, functionality, and its primary use cases. It also covers how PingAccess integrates with other Ping products to support secure access management solutions. |
| Topic 2 | Policies and Rules: This section of the exam measures the skills of Security Administrators and focuses on how PingAccess evaluates paths for applying policies and resources. It covers the role of different rule types, their configuration, and the implementation of rule sets and rule set groups for consistent policy enforcement. |
| Topic 3 | Integrations: This section of the exam measures skills of System Engineers and explains how PingAccess integrates with token providers, OAuth and OpenID Connect configurations, and site authenticators. It also includes the use of agents and securing web, API, and combined applications through appropriate integration settings. |
| Topic 4 | Security: This section of the exam measures skills of Security Administrators and highlights how to manage certificates and certificate groups. It covers the association of certificates with virtual hosts or listeners and the use of administrator roles for authentication management. |
| Topic 5 | Installation and Initial Configuration: This section of the exam measures skills of System Engineers and reviews installation prerequisites, methods of installing or removing PingAccess, and securing configuration database passwords. It explains the role of run.properties entries and outlines how to set up a basic on-premise PingAccess cluster. |

 

NEW QUESTION # 14
An administrator is integrating a new PingAccess Proxied Application. The target site uses a certificate issued by an internal Certificate Authority hosted by the customer. Prior to assigning the certificate group in the Site configuration, which action should the administrator take to configure PingAccess to trust the certificate?

  • A. Import the certificate chain into Key Pairs and add it to the Trusted Certificate Group.
  • B. Configure the PingAccess Site to use the Java Trust Store Certificate Group.
  • C. Import the certificate chain and add it to the Trusted Certificate Group.
  • D. Import the certificate chain into Key Pairs and assign it to a new engine listener.

Answer: C

Explanation:
PingAccess must trust the back-end site's certificate to establish TLS. For internally issued certificates, the administrator imports the certificate chain into a Trusted Certificate Group.
Exact Extract:
"When a target site uses an internal CA, import the certificate or chain into a Trusted Certificate Group and assign that group to the site."
* Option A is incorrect - the Java trust store does not contain the internal CA by default.
* Option B is incorrect - Key Pairs store private keys for SSL termination, not trusted CA certs.
* Option C is incorrect - engine listeners use key pairs for inbound SSL, not site trust.
* Option D is correct - the certificate must be imported into Trusted Certificate Groups.
Reference: PingAccess Administration Guide - Trusted Certificate Groups


NEW QUESTION # 15
All access requests to the existing /admin resource must be captured in the audit log. How should this be accomplished?

  • A. Set Splunk audit logging for /admin
  • B. Enable the Audit option for the /admin resource
  • C. Enable the Audit option for the /* resource
  • D. Set log4j2.xml audit logging for /admin

Answer: B

Explanation:
PingAccess resources have an Audit flag. When enabled, all access attempts (allowed or denied) are recorded in the audit logs.
Exact Extract:
"To audit access requests to a specific resource, enable the Audit option on that resource in the application configuration."
* Option A is correct - enabling audit for /admin ensures its access requests are logged.
* Option B is incorrect - enabling audit for /* is overly broad and logs everything, not just /admin.
* Option C is incorrect - Splunk integration is for log forwarding, not per-resource auditing.
* Option D is incorrect - log4j2.xml controls log destinations/levels, not resource-specific auditing.
Reference: PingAccess Administration Guide - Resource Audit Logging


NEW QUESTION # 16
Which element in the log4j2.xml file must be modified to change the log level in PingAccess?

  • A. Appenders
  • B. AsyncLogger
  • C. RollingFile
  • D. Logger

Answer: D

Explanation:
In Log4j2, the Logger element controls the log level (INFO, DEBUG, ERROR, etc.) for specific packages or classes.
Exact Extract:
"To modify logging levels, edit the <Logger> element in log4j2.xml and change the level attribute."
* Option A (AsyncLogger) is a performance optimization, not for changing levels.
* Option B (RollingFile) defines file rotation, not log levels.
* Option C (Logger) is correct - this is where log levels are defined.
* Option D (Appenders) define output destinations, not severity levels.
Reference: PingAccess Administration Guide - Log Configuration


NEW QUESTION # 17
An administrator needs to add a set of rules to an application protected by a PingAccess agent. Which rule will be unavailable to add to the application?

  • A. Rate Limiting
  • B. Rewrite Cookie Domain
  • C. Cross-Origin Request
  • D. Network Range

Answer: B

Explanation:
PingAccess distinguishes between gateway rules and agent rules. Some processing rules, such as Rewrite Cookie Domain, only apply when PingAccess is acting as a reverse proxy (gateway), not when protecting applications via agents.
Exact Extract:
"Rewrite Cookie Domain rules are not supported for agent applications. They are only available for proxied (gateway) applications."
* Option A (Rewrite Cookie Domain) is correct - unavailable with agent applications.
* Option B (Network Range) is available for both agents and gateways.
* Option C (Rate Limiting) is supported on both application types.
* Option D (Cross-Origin Request) is also supported in both.
Reference: PingAccess Administration Guide - Agent vs. Gateway Rules


NEW QUESTION # 18
A financial application should be prompted for step-up authentication on a URL that allows money transfers.
A previous administrator configured rules to be applied on the required application URL. Users are not prompted for step-up authentication when accessing the /sranafemmeney URL endpoint.
Which two actions should the administrator take? (Choose 2 answers.)

  • A. Verify that a rejection handler rule exists and is applied to the application to see if a user has met the required authentication context
  • B. Create a new identity mapping containing authentication context values and add the mapping to the existing rule
  • C. Make sure that the existing rule's authentication requirements contain the appropriate minimum authentication requirements
  • D. Make sure that the existing rule's token validation contains the appropriate minimum authentication requirements
  • E. Verify that an authentication requirement rule is applied to the application to see if a user has met the required authentication context

Answer: C,E

Explanation:
Step-up authentication in PingAccess is enforced through Authentication Requirement Rules. If users are not prompted, the likely issues are:
* The rule is missing from the application/resource.
* The rule's minimum authentication context does not include MFA.
Exact Extract:
"Authentication requirement rules determine whether PingAccess will challenge a user with additional authentication (such as MFA). Ensure that the rule is applied to the resource and that the authentication context is set correctly."
* Option A is incorrect - rejection handlers define error handling, not MFA enforcement.
* Option B is correct - verify the authentication requirement rule is applied.
* Option C is correct - ensure the rule contains the right MFA requirements.
* Option D is incorrect - identity mappings do not enforce step-up authentication.
* Option E is incorrect - token validation rules check validity, not MFA levels.
Reference: PingAccess Administration Guide - Authentication Requirements


NEW QUESTION # 19
Anycompany has several applications that need to load images and fonts from www.anycompany.com. Users are currently getting CORS errors. How should the Cross-Origin Request rule be set to allow secure access?

  • A. Allowed Origins to * and enable the Allow Credentials option
  • B. Allowed Origins to *.anycompany.com and disable the Allow Credentials option
  • C. Allowed Origins value for each of the listed domains
  • D. Allowed Origins to www.anycompany.com and enable the Allow Credentials option

Answer: D

Explanation:
To prevent CORS errors, administrators must configure a Cross-Origin Request (CORS) Processing Rule.
The secure practice is to allow the specific trusted domain (www.anycompany.com) and, when cookies or credentials are required, to enable Allow Credentials.
Exact Extract:
"For secure CORS, specify exact origins rather than wildcards. Enable 'Allow Credentials' when client-side resources must include cookies or authentication data."
* Option A is incomplete - multiple values are possible, but in this case only www.anycompany.com is required.
* Option B is less secure - using a wildcard (*.anycompany.com) broadens exposure unnecessarily.
* Option C is insecure - * with credentials is disallowed by CORS specifications.
* Option D is correct - restricts access to the trusted domain and allows credentialed requests.
Reference: PingAccess Administration Guide - Cross-Origin Request Rule


NEW QUESTION # 20
An administrator needs to use attributes that are not currently available in the Identity Mapping Attribute Name dropdown. Which action should the administrator take?

  • A. Create a Rewrite Content rule for the additional attributes
  • B. Create a Web Session Attribute rule for the additional attributes
  • C. Request that the additional attributes be added by the token provider administrator
  • D. Request that the additional attributes be added by the web developer

Answer: C

Explanation:
Identity Mapping in PingAccess relies on attributes provided by the token provider (e.g., PingFederate, OIDC provider). If the desired attributes are not present in the dropdown, it means they are not being provided in the token or userinfo response.
Exact Extract:
"Attributes available in identity mappings are those provided in the web session by the token provider. If attributes are missing, they must be added to the token by the identity provider."
* Option A is correct - the token provider administrator must configure the IdP to include the additional attributes.
* Option B is incorrect - rewrite rules modify content but do not supply new identity attributes.
* Option C is incorrect - developers cannot directly add identity attributes; they must come from the IdP.
* Option D is incorrect - Web Session Attribute rules only evaluate available attributes; they don't create new ones.
Reference: PingAccess Administration Guide - Identity Mapping and Attributes


NEW QUESTION # 21
What is the purpose of the admin.auth configuration setting?

  • A. To configure SSO for the administrative user interface.
  • B. To define the method to use for authenticating to the administrative API.
  • C. To enable automatic authentication to the PingAccess administrative console.
  • D. To override the SSO configuration for the administrative user interface.

Answer: D

Explanation:
The admin.auth setting in the run.properties file is used to specify a fallback authentication method for the administrative console.
Exact Extract from official documentation:
"To define a fallback administrator authentication method if the OIDC token provider is unreachable, enable the admin.auth=native property in the run.properties file. This overrides any configured administrative authentication to basic authentication."
This makes it clear that the purpose of admin.auth is to override any configured SSO for the admin UI and enforce native (basic) authentication instead.
* Option A is incorrect because the admin.auth setting does not configure SSO. SSO for the admin UI is configured separately.
* Option B is incorrect because this setting does not apply to the administrative API; it specifically applies to the admin UI console.
* Option C is correct because it directly reflects the documented behavior: admin.auth overrides SSO configuration for the administrative UI and enables native authentication.
* Option D is incorrect because the setting does not enable automatic authentication. It still requires credentials, but falls back to basic auth.
Reference: PingAccess User Interface Reference Guide - Configuring Admin UI SSO Authentication


NEW QUESTION # 22
Refer to the following applications:
* hr.company.com
* finance.company.com
* customer.order.company.com
Which action should be taken to allow these applications to share the same web session?

  • A. Use Rewrite Cookie Path rule
  • B. Use Rewrite Cookie Domain rule
  • C. Set Cookie Domain option
  • D. Set Audience option

Answer: C

Explanation:
For multiple subdomains to share the same PingAccess session, the Cookie Domain must be configured so that the session cookie is valid across all listed applications.
Exact Extract:
"Set the Cookie Domain in the web session configuration to a parent domain (for example, .company.com) to enable applications in different subdomains to share the same session."
* Option A (Set Audience option) applies to OAuth token validation, not cookie sharing.
* Option B (Set Cookie Domain option) is correct - e.g., setting .company.com allows session cookies to be shared.
* Option C (Rewrite Cookie Domain rule) modifies upstream cookies for back-end applications, not PingAccess session cookies.
* Option D (Rewrite Cookie Path rule) is unrelated; it modifies paths for cookies, not domains.
Reference: PingAccess Administration Guide - Web Session Configuration


NEW QUESTION # 23
An administrator must protect an application on multiple domains or hosts. What should the administrator configure to complete this action?

  • A. Sites
  • B. Redirects
  • C. Virtual Hosts
  • D. Rules

Answer: C

Explanation:
Applications in PingAccess can be associated with multiple Virtual Hosts. Each virtual host defines an FQDN and port combination through which the application is exposed, allowing protection across multiple domains or hostnames.
Exact Extract:
"Virtual hosts specify the fully qualified domain names (FQDNs) and ports that PingAccess uses to expose applications."
* Option A (Sites) represent the target back-end servers, not the external FQDN.
* Option B (Virtual Hosts) is correct - use multiple virtual hosts for multiple domains.
* Option C (Redirects) are unrelated to multi-domain application protection.
* Option D (Rules) define access policies, not hostnames.
Reference: PingAccess Administration Guide - Virtual Hosts


NEW QUESTION # 24
Developers report an issue with an application that is protected by PingAccess. Certain requests are not providing claims that are part of the access token.
What should the administrator add for the access token claims?

  • A. An identity mapping definition
  • B. A web session attribute rule
  • C. An authentication requirement definition
  • D. An OAuth attribute rule

Answer: D

Explanation:
In PingAccess, when an application relies on claims from an OAuth access token, you must configure PingAccess to evaluate those claims and potentially inject them into headers for the backend application.
* Exact Extract from PingAccess documentation:
"OAuth rules allow you to evaluate claims in OAuth access tokens. You can configure PingAccess to look at specific claims and enforce policies or pass them to target applications."
"To extract attributes from an access token, configure an OAuth Attribute Rule."
This clearly matches option D.
Analysis of each option:
* A. An authentication requirement definition
* Incorrect. Authentication requirements determine how users authenticate to applications (OIDC provider, etc.), but do not manage access token claims.
* B. A web session attribute rule
* Incorrect. Web session attribute rules map attributes from the authenticated user's web session (SSO session), not from OAuth access tokens.
* C. An identity mapping definition
* Incorrect. Identity mappings transform user attributes (from IdP to app), but they don't directly pull claims from OAuth tokens.
* D. An OAuth attribute rule
* Correct. This rule is specifically designed to extract and enforce policies on claims from OAuth access tokens.
Therefore, the correct answer is D. An OAuth attribute rule.
Reference: PingAccess Administration Guide - Rules → OAuth Attribute Rules.


NEW QUESTION # 25
An administrator is setting up PingAccess to terminate SSL for a proxied application. What action must the administrator take to configure an existing certificate for that application?

  • A. Assign the Key Pair to the Agent Listener
  • B. Assign the Key Pair to the Virtual Host
  • C. Set the secure flag to Yes in the Site configuration
  • D. Enable Require HTTPS in the Application configuration

Answer: B

Explanation:
PingAccess terminates SSL at the Virtual Host level. To configure an existing certificate, the administrator must assign the appropriate Key Pair (which contains the certificate and private key) to the Virtual Host.
Exact Extract:
"SSL termination occurs on the engine listener through virtual hosts. Assign the certificate's key pair to the virtual host to secure proxied applications."
* Option A is correct - assign the key pair to the Virtual Host for SSL termination.
* Option B is incorrect - Require HTTPS enforces secure access but does not configure SSL termination.
* Option C is incorrect - Agent Listener is for PingAccess Agents, not proxied apps.
* Option D is incorrect - secure flag affects cookie settings, not SSL certificates.
Reference: PingAccess Administration Guide - Virtual Hosts and Key Pairs


NEW QUESTION # 26
Any user who accesses an application must be in sales unless the user is a manager in the marketing department. The administrator creates the following web session rules:
* (A) Look for department = sales
* (B) Look for department = marketing
* (C) Look for job_title = manager
Which additional actions should be taken to properly enforce this requirement?

  • A. Create a Rule Set (D) to accept ANY (A) → Create a Rule Set (E) to accept ALL (B) (C) → Create a Rule Set Group (F) to accept ANY (D) (E) → Add Rule Set Group (F) to the resource
  • B. Create a Rule Set (D) to accept ALL (A) → Create a Rule Set (E) to accept ANY (B) (C) → Create a Rule Set Group (F) to accept ALL (D) (E) → Add Rule Set Group (F) to the resource
  • C. Create a Rule Set (D) to accept ANY (A) (B) (C) → Add Rule Set (D) to the resource
  • D. Create a Rule Set (D) to accept ALL (A) (B AND C) → Add Rule Set (D) to the resource

Answer: A

Explanation:
The requirement is:
* Allow access if user is in sales
* OR if user is in marketing AND is a manager
This is logically represented as:
(A) OR (B AND C)
To configure this in PingAccess:
* Rule Set (D) = ANY (A)
* Rule Set (E) = ALL (B, C)
* Rule Set Group (F) = ANY (D, E)
* Assign Group (F) to the resource
This exactly matches Option D.
* Option A is incorrect - requires both A and (B AND C), which is stricter than the requirement.
* Option B is incorrect - ANY(A, B, C) would allow users in marketing or managers without requiring both.
* Option C is incorrect - it uses ALL(D, E), which would require both conditions instead of OR.
* Option D is correct - it models (A OR (B AND C)).
Reference: PingAccess Administration Guide - Rule Sets and Rule Set Groups


NEW QUESTION # 27
A business requires logs to be written to a centralized Oracle database. Which two actions must the PingAccess administrator take to enable this? (Choose 2 answers.)

  • A. Remove the logs located in PA_HOME/log.
  • B. Copy the database driver JAR file to the PA_HOME/lib directory.
  • C. Enable the Audit flag in the Resource.
  • D. Configure log4j2.xml and log4j2.db.properties.
  • E. Import the database certificate into the Trusted Certificate Group.

Answer: B,D

Explanation:
PingAccess supports logging directly to a relational database using Log4j database appenders. To enable this:
* Configure log4j2.xml to use a JDBC Appender.
* Configure log4j2.db.properties with the database connection information.
* Provide the appropriate database driver in the PA_HOME/lib directory.
Exact Extract:
"To log to a database, configure log4j2.xml and log4j2.db.properties, and place the JDBC driver JAR file in PA_HOME/lib."
* Option A is correct - both files must be configured.
* Option B is incorrect - existing logs do not need removal.
* Option C is incorrect - enabling audit is unrelated to database logging.
* Option D is correct - the Oracle JDBC driver must be installed in PA_HOME/lib.
* Option E is incorrect unless TLS is used to connect to the DB, but it is not required for standard DB logging setup.
Reference: PingAccess Administration Guide - Log Configuration


NEW QUESTION # 28
An administrator needs to configure a protected web application using the Authorization Code login flow.
Which two configuration parameters must be set? (Choose 2 answers.)

  • A. OAuth Client ID
  • B. OAuth Token Introspection Endpoint
  • C. OpenID Connect Login Type
  • D. OpenID Connect Issuer
  • E. Virtual Host

Answer: A,C

Explanation:
When using the Authorization Code Flow for authentication, PingAccess must be configured with:
* An OAuth Client ID that identifies the application to the IdP.
* The OpenID Connect Login Type set to Authorization Code.
Exact Extract:
"When configuring an OIDC web session, specify the OAuth client ID and select the OpenID Connect login type (Authorization Code, Hybrid, or Implicit)."
* Option A (OAuth Token Introspection Endpoint) is not required for Authorization Code flow - token introspection is used in other cases.
* Option B (OAuth Client ID) is correct - required for OIDC authorization requests.
* Option C (OpenID Connect Issuer) is discovered automatically via metadata when you configure the token provider.
* Option D (Virtual Host) is required for application exposure but not specific to OIDC flow.
* Option E (OpenID Connect Login Type) is correct - must be set to "Authorization Code."
Reference: PingAccess Administration Guide - Configuring OIDC Web Sessions


NEW QUESTION # 29
What is the purpose of PingAccess processing rules?

  • A. To modify web traffic in real time
  • B. To collect data for offline processing
  • C. To allow for more detailed auditing
  • D. To override upstream access control decisions

Answer: A

Explanation:
Processing Rules in PingAccess apply transformations to HTTP traffic (requests or responses) in real time, such as modifying headers, handling CORS, or rewriting cookies.
Exact Extract:
"Processing rules allow PingAccess to modify HTTP requests and responses in real time, such as adding headers or enabling cross-origin requests."
* Option A is incorrect - they are not for offline data collection.
* Option B is correct - their purpose is real-time modification of web traffic.
* Option C is incorrect - access control rules enforce or override authorization, not processing rules.
* Option D is incorrect - auditing is handled in log configurations, not processing rules.
Reference: PingAccess Administration Guide - Rules Overview (Processing Rules)


NEW QUESTION # 30
......
