Free Ping Identity PT-AM-CPE Exam Actual Questions & Explanations

Last updated on: Jul 16, 2026
Author: Luna Bryant (Identity & Access Management Certification Specialist)

The PT-AM-CPE (Certified Professional - PingAM Exam) validates your expertise in Ping Identity access management solutions. This exam is designed for professionals who implement, configure, and manage Ping Identity platforms in production environments. Whether you're advancing your career in identity and access management or deepening your technical knowledge, this page provides a clear roadmap for exam preparation. The Ping Identity Certifications program recognizes practitioners who demonstrate both conceptual understanding and hands-on capability.

PT-AM-CPE Exam Syllabus & Core Topics

Use this topic map to guide your study for Ping Identity PT-AM-CPE (Certified Professional - PingAM Exam) within the Ping Identity Certifications path.

  • Installing and Deploying AM: Install Ping Identity AM in single and clustered environments, configure system prerequisites, and validate deployment health across infrastructure.
  • Improving Access Management Security: Implement authentication policies, enforce password requirements, configure multi-factor authentication flows, and audit security posture within AM.
  • Enhancing Intelligent Access: Build adaptive access rules, leverage risk signals, create conditional authentication journeys, and personalize user experiences based on context.
  • Extending Services Using OAuth2-Based Protocols: Configure OAuth2 authorization servers, manage scopes and client credentials, troubleshoot token flows, and integrate third-party applications securely.
  • Federating Across Entities Using SAML2: Set up SAML2 identity providers and service providers, manage metadata, configure attribute mappings, and enable cross-organization authentication.

Question Formats & What They Test

The PT-AM-CPE exam combines multiple question types to assess both foundational knowledge and applied problem-solving in real-world access management scenarios.

  • Multiple choice: Test understanding of AM architecture, protocol mechanics, configuration options, and best practices through direct recall and concept application.
  • Scenario-based items: Present realistic deployment challenges, security incidents, or integration requests; you select the most appropriate configuration decision or troubleshooting approach.
  • Configuration-focused questions: Evaluate your ability to interpret requirements and identify correct settings, policy rules, or workflow sequences needed to achieve a business outcome.

Questions progress in difficulty, moving from foundational terminology to complex multi-step scenarios that mirror production decision-making.

Preparation Guidance

A structured study plan tied to the five core topics helps you build confidence and identify knowledge gaps early. Dedicate focused time to each domain, practice with realistic scenarios, and refine your pacing before exam day.

  • Organize your study into weekly blocks, assigning one or two topics per week; track completion and revisit weaker areas.
  • Work through practice question sets, review detailed explanations for both correct and incorrect answers, and note patterns in your mistakes.
  • Connect concepts across topics: for example, understand how OAuth2 scopes relate to security policies and how SAML2 attribute mappings support intelligent access rules.
  • Complete a timed practice test under exam conditions to build pacing awareness and reduce test-day anxiety.
  • In the final week, focus on scenario-based questions and review any topics where your practice scores fell below 80 percent.

Explore other Ping Identity certifications: view all Ping Identity exams.

Get the PDF & Practice Test

Strengthen your preparation with up-to-date resources from validexamdumps.com. These materials align to PT-AM-CPE and cover practical scenarios with clear explanations.

  • Q&A PDF with explanations: Topic-mapped questions that clarify why correct options are right and others aren't.
  • Practice Test: Realistic items, timed and untimed modes, progress tracking, and detailed review.
  • Focused coverage: Aligned to Installing and Deploying AM, Improving Access Management Security, Enhancing Intelligent Access, Extending Services Using OAuth2-Based Protocols, and Federating Across Entities Using SAML2, so you study what matters most.
  • Regular updates: Content refreshes that reflect syllabus and product changes.

Visit the exam page to download the PDF, Online Practice Test, or get a bundle discount for both formats: Certified Professional - PingAM Exam.

Frequently Asked Questions

Which topics carry the most weight on the PT-AM-CPE exam?

Security and deployment topics typically account for a significant portion of the exam. Improving Access Management Security and Installing and Deploying AM are foundational; expect approximately 30-35 percent of items to cover these areas. The remaining questions distribute across OAuth2, SAML2, and intelligent access features, with emphasis on how these integrate in real environments.

How do OAuth2 and SAML2 protocols work together in a Ping Identity deployment?

OAuth2 and SAML2 serve different purposes but often coexist in the same deployment. SAML2 handles user authentication and federation between organizations, while OAuth2 manages authorization and token-based access to APIs and applications. In practice, you might use SAML2 to authenticate a user from a partner organization, then issue an OAuth2 token so that user can access a REST API. Understanding both protocols and when to apply each is critical for the exam and production scenarios.

How much hands-on lab experience is necessary to pass PT-AM-CPE?

Hands-on experience significantly improves exam performance. Prioritize labs that cover deployment procedures, policy configuration, OAuth2 client setup, and SAML2 metadata management. Even 10-15 hours of practical work, configuring authentication flows, testing multi-factor authentication, and troubleshooting token issues, builds the intuition needed to answer scenario-based questions confidently. If lab access is limited, study detailed configuration walkthroughs and practice test explanations as a supplement.

What are common mistakes that lead to lost points on this exam?

Candidates often confuse OAuth2 grant types or misapply them to scenarios where a different flow is appropriate. Another frequent error is overlooking security implications when choosing authentication methods or attribute mappings. Additionally, some test-takers rush through scenario questions without fully reading the business requirement, leading to incorrect policy or configuration choices. Slow down, re-read each scenario, and verify that your answer addresses all stated constraints before moving on.

What should I focus on in the final week before the exam?

Review your practice test results and identify any topic where you scored below 80 percent; spend 2-3 hours reinforcing those areas. Work through 2-3 full-length timed practice tests to build stamina and pacing confidence. On the day before the exam, do a light review of key terminology and protocol flows rather than heavy studying. Ensure you understand the exam format, logistics, and time allocation so you can focus entirely on the questions during the test.

Question No. 1

A customer wishes to customize the OpenID Connect (OIDC) id_token JSON Web Token (JWT) to include the subject's employee number. Which of the following scripts should be customized to meet this requirement?

Show Answer Hide Answer
Correct Answer: B

In PingAM 8.0.2, the OpenID Connect (OIDC) Claims Script is the specific extensibility point designed to govern how user information is mapped and transformed into claims within an OIDC ID token or the UserInfo response. While PingAM supports standard scopes like profile and email out of the box, specialized business requirements---such as including an 'employee number' which might be stored as employeenumber in an LDAP directory---require a custom transformation.

According to the 'OIDC Claims Script' reference in the PingAM documentation:

The script acts as a bridge between the Identity Store (the source of truth) and the OIDC Provider (the issuer). When a client requests a token, PingAM executes this script, providing it with a claimObjects map and the userProfile. The developer can then write Groovy or JavaScript logic to retrieve the employeeNumber attribute from the user's profile and add it to the resulting claims set.

The script typically follows this logical flow:

Identify the requested claims from the OIDC scope.

Fetch the corresponding raw attributes from the Identity Store (e.g., PingDS or AD).

Format and name the claim as per the OIDC specification or the specific client requirement (e.g., mapping LDAP employeenumber to OIDC claim emp_id).

Return the claims to be signed and embedded into the JWT.

Why other options are incorrect: Options A, C, and D reference script types that do not exist under those specific names in the standard PingAM 8.0.2 scripting engine. While there are 'Access Token Modification' scripts and 'Client Registration' scripts, the OIDC Claims Script is the only one authorized and designed to manage the payload of the id_token.


Question No. 2

If the session cookie is configured as a domain based cookie for the am.example.com domain, in which of the following domains is the cookie visible?

A . example.com

B . am.example.com

C . sub.am.example.com

D . login.am.example.com

Show Answer Hide Answer
Correct Answer: C

This question tests the understanding of Session Cookie Domains and browser behavior in a PingAM 8.0.2 deployment. According to the 'Secure Session Cookies' documentation, the Cookie Domain setting in a realm determines the scope of the SSO token.

Standard browser cookie rules (RFC 6265) dictate that a cookie set for a specific domain is visible to that domain and all of its subdomains. However, a cookie is not visible to a parent domain or a 'sibling' domain.

In this scenario, the cookie is set for am.example.com:

A . example.com: This is the parent domain. A cookie set for am.example.com is not visible here. To make it visible to example.com, the cookie domain would have to be explicitly set to .example.com.

B . am.example.com: The cookie is directly set for this domain, so it is obviously visible.

C . sub.am.example.com: This is a subdomain of am.example.com. Under standard cookie rules, it will receive the cookie.

D . login.am.example.com: While this is also a subdomain, the question implies a specific selection.

Looking at the provided options (B and C), Option C accurately reflects the inheritance rule where the domain itself and its immediate sub-levels are covered. While login.am.example.com (Option D) is technically also a subdomain, the standard documentation examples for 'Cross-domain' or 'Sub-domain' visibility typically emphasize the relationship between the primary AM host and its child applications. Therefore, the combination of B and C is the most accurate representation of how the browser handles the scope of an am.example.com cookie.

============


Question No. 3

Which of the following statements about the PingAM tree designer is not true?

Show Answer Hide Answer
Correct Answer: B

The Tree Designer in PingAM 8.0.2 is a visual, drag-and-drop tool used to build sophisticated login journeys. While it is highly flexible, it follows specific structural rules to ensure the authentication engine can execute the logic predictably.

Analysis of the statements:

Statement A is true: Trees must terminate in an outcome. Success and Failure nodes are standard. Additionally, the Inner Tree Evaluator node allows one tree to hand off processing to another 'child' tree.

Statement C is true: The designer is extensible. Administrators can develop their own Java or Scripted nodes, and the Ping Identity Marketplace provides a wide range of third-party nodes (e.g., for biometric providers or specialized risk engines) that appear in the designer palette once installed.

Statement D is true: 'Inner trees' are a supported concept, allowing for modularity where common logic (like MFA) can be built once and called from multiple parent trees.

Statement B is the 'not true' statement. While the designer allows for complex logic and loops (e.g., looping back to a username prompt if a password is wrong), it does not support nesting nodes within a tree. In PingAM architecture, nodes are atomic components placed on a flat canvas. You cannot 'nest' a node inside another node's configuration in the visual designer. Complexity is achieved through the branching and linking of these atomic nodes. If logic needs to be 'nested' or grouped, it is done by creating a separate tree and calling it as an Inner Tree. Understanding this structural limitation is key for architects designing modular authentication frameworks.


Question No. 4

In a multi-server deployment, what is the impact of not ensuring stickiness in the load balancer configuration?

Show Answer Hide Answer
Correct Answer: D

In a high-availability PingAM 8.0.2 cluster, the Load Balancer (LB) is responsible for distributing traffic across multiple AM instances. Session Stickiness (also known as session affinity) ensures that all requests from a specific user session are routed to the same AM server that initially created the session.

According to the PingAM 'Deployment Planning' and 'Load Balancing' documentation, PingAM is designed to be 'sticky-preferred' but not 'sticky-required' if the Core Token Service (CTS) is used. If stickiness is not ensured:

Performance Impact: Every time a user request lands on a different AM server (Server B) than the one that holds the session in local memory (Server A), Server B must query the CTS (External Store) to retrieve the session details, deserialize the object, and reconstruct the session state. This cross-server look-up introduces significant latency and increases the load on the PingDS instances hosting the CTS.

CTS Load: Without stickiness, every single request becomes a 'Global' session lookup. This drastically increases the I/O and CPU overhead on the back-end directory servers, potentially leading to performance degradation of the entire identity platform.

Why other options are incorrect:

Option A: Session failover requires the CTS, but stickiness actually minimizes the need for failover logic during normal operation. Failover still works without stickiness, it just becomes the 'default' behavior for every request.

Option B: AM servers in a cluster share the same encryption keys and back-end stores. Any server can technically validate a session by looking it up in the CTS; the browser doesn't 'know' which server is correct.

Option C: Redirects are handled at the application logic level. While some internal processing changes, it doesn't necessarily result in extra browser-level HTTP redirects.

Thus, the primary negative impact of lacking stickiness in a correctly configured cluster is a decrease in performance (Option D) due to the constant session synchronization overhead.

============


Question No. 5

Which one of the default PingAM audit log file contains messages related to changes made to sessions by end users?

Show Answer Hide Answer
Correct Answer: A

In PingAM 8.0.2, the audit logging service is designed to provide a comprehensive record of events for security, compliance, and troubleshooting. The audit logs are categorized by the type of event they record. According to the 'Audit Logging Reference,' PingAM generates several default log files, typically in JSON format.

The access.audit.json file is the primary log for events related to the lifecycle of a session and access to resources. This includes:

Session Creation: When a user successfully authenticates and a new session is established.

Session Termination: When a user logs out or a session expires.

Session Updates: Any changes made to the session, such as a Session Upgrade or modification of session properties by the end user or an application.

Policy Evaluations: Records of when a user requests access to a protected resource and the resulting permit or deny decision.

By contrast, the config.audit.json (Option B) records administrative changes to the system configuration (e.g., modifying a realm or a node). The authentication.audit.json (Option C) focuses specifically on the steps within an authentication tree, such as which nodes were visited and whether they succeeded or failed. While session changes happen after or as a result of authentication, the resulting session management event is logged in the access audit. The activity.audit.json (Option D) is generally used for internal system tasks and background processes. Therefore, for monitoring end-user session modifications, the access.audit.json is the correct authoritative source defined in the PingAM 8 documentation.

============