When applications require additional attributes:

The Web Session must be configured to retrieve those attributes from the token provider (OIDC or PingFederate).

The Identity Mapping must be updated to forward those attributes to the application (e.g., as headers).

Exact Extract:

“Web sessions define how user attributes are retrieved from the token provider. Identity mappings determine how those attributes are inserted into requests to applications.”

Option A is not necessarily required; attributes can be retrieved via userinfo endpoint or access token, not only ID tokens.

Option B is correct — Identity Mappings must be updated to pass attributes to the app.

Option C is incorrect — Site Authenticators define how PingAccess authenticates to apps, not attribute handling.

Option D is incorrect unless the architecture specifically requires access token updates; PingAccess often uses the Web Session to fetch attributes.

Option E is correct — Web Session must be updated to retrieve additional attributes.

The admin.auth setting in the run.properties file is used to specify a fallback authentication method for the administrative console.

Exact Extract from official documentation:

“To define a fallback administrator authentication method if the OIDC token provider is unreachable, enable the admin.auth=native property in the run.properties file. This overrides any configured administrative authentication to basic authentication.”

This makes it clear that the purpose of admin.auth is to override any configured SSO for the admin UI and enforce native (basic) authentication instead.

Option A is incorrect because the admin.auth setting does not configure SSO. SSO for the admin UI is configured separately.

Option B is incorrect because this setting does not apply to the administrative API; it specifically applies to the admin UI console.

Option C is correct because it directly reflects the documented behavior: admin.auth overrides SSO configuration for the administrative UI and enables native authentication.

Option D is incorrect because the setting does not enable automatic authentication. It still requires credentials, but falls back to basic auth.

To enable Single Logout (SLO) , the SLO scope must be defined in the PingAccess Web Session configuration. This determines which sessions are ended when a logout request occurs.

Exact Extract:

“The SLO scope option in a web session specifies which applications are included in a logout event when Single Logout is triggered.”

Option A (SLO scope) is correct; it explicitly enables SLO support by linking session termination across apps.

Option B (Idle timeout) is unrelated; this controls session expiration, not SLO.

Option C (Validate Session) ensures session state is synchronized but does not configure SLO.

Option D (Refresh User Attributes) is unrelated; it only controls whether attributes are reloaded.

When APIs are remote, latency is introduced by frequent token validation requests. Enabling Cache Token on the OAuth Resource Server reduces repeated validation calls and improves performance.

Exact Extract:

“The OAuth Resource Server configuration includes a Cache Token option that improves performance by reducing round trips for token validation.”

Option A is incorrect — key rolling affects cryptographic keys, not API latency.

Option B is incorrect — virtual hosts control external FQDNs, not performance.

Option C is incorrect — token attribute size does not significantly affect remote latency.

Option D is correct — caching tokens reduces validation overhead.

When using the Authorization Code Flow for authentication, PingAccess must be configured with:

An OAuth Client ID that identifies the application to the IdP.

The OpenID Connect Login Type set to Authorization Code.

Exact Extract:

“When configuring an OIDC web session, specify the OAuth client ID and select the OpenID Connect login type (Authorization Code, Hybrid, or Implicit).”

Option A (OAuth Token Introspection Endpoint) is not required for Authorization Code flow — token introspection is used in other cases.

Option B (OAuth Client ID) is correct — required for OIDC authorization requests.

Option C (OpenID Connect Issuer) is discovered automatically via metadata when you configure the token provider.

Option D (Virtual Host) is required for application exposure but not specific to OIDC flow.

Option E (OpenID Connect Login Type) is correct — must be set to “Authorization Code.”

PingAccess resources have an Audit flag . When enabled, all access attempts (allowed or denied) are recorded in the audit logs.

Exact Extract:

“To audit access requests to a specific resource, enable the Audit option on that resource in the application configuration.”

Option A is correct — enabling audit for /admin ensures its access requests are logged.

Option B is incorrect — enabling audit for /* is overly broad and logs everything, not just /admin .

Option C is incorrect — Splunk integration is for log forwarding, not per-resource auditing.

Option D is incorrect — log4j2.xml controls log destinations/levels, not resource-specific auditing.

When configuring PingAccess to use PingFederate as the Standard Token Provider for runtime engines, PingAccess must know how to contact PingFederate. The configuration requires the Host (PingFederate base URL).

Exact Extract:

“When configuring the Standard Token Provider, specify the PingFederate host to which PingAccess engines will connect for token validation.”

Option A (Issuer) is part of OIDC metadata but not required explicitly in this configuration.

Option B (Client ID) is needed for OAuth clients but not when defining the token provider connection itself.

Option C (Host) is correct — this is required to connect to PingFederate.

Option D (Port) may be included within the host definition (host:port) but is not the required field.