Step-up authentication in PingAccess is enforced throughAuthentication Requirement Rules. If users are not prompted, the likely issues are:

The rule is missing from the application/resource.

The rule’s minimum authentication context does not include MFA.

Exact Extract:

“Authentication requirement rules determine whether PingAccess will challenge a user with additional authentication (such as MFA). Ensure that the rule is applied to the resource and that the authentication context is set correctly.”

Option Ais incorrect — rejection handlers define error handling, not MFA enforcement.

Option Bis correct — verify the authentication requirement rule is applied.

Option Cis correct — ensure the rule contains the right MFA requirements.

Option Dis incorrect — identity mappings do not enforce step-up authentication.

Option Eis incorrect — token validation rules check validity, not MFA levels.

PingAccess validates access tokens usingAccess Token Managers, which are typically backed byPingFederateor ageneric OIDC provider.

Exact Extract:

“PingAccess validates tokens through Access Token Managers, which can be configured against PingFederate or a common OIDC provider.”

Option A (PingFederate)is correct — the most common token provider.

Option B (Kerberos)is not supported for token validation.

Option C (SAML provider)is incorrect — PingAccess does not natively consume SAML assertions.

Option D (Common OIDC provider)is correct — tokens can be validated against any OIDC-compliant IdP.

Option E (PingAuthorize)is an authorization engine, not a token provider.

PingAccess is designed to work with modern identity protocols. It doesnotsupport legacy WS-* protocols directly.

Exact Extract:

“PingAccess integrates with OAuth 2.0 and OpenID Connect (OIDC) to provide authentication and authorization for web and API resources.”

Option A (SAML)is incorrect — PingAccess does not natively consume SAML assertions; SAML can be used indirectly via PingFederate.

Option B (WS-Fed)is not supported.

Option C (WS-Trust)is not supported.

Option D (OAuth2)is correct — used for authorization and token validation.

Option E (OIDC)is correct — used for user authentication and sessions.

PingAccess supports logging directly to a relational database usingLog4j database appenders. To enable this:

Configurelog4j2.xmlto use a JDBC Appender.

Configurelog4j2.db.propertieswith the database connection information.

Provide the appropriate database driver in thePA_HOME/libdirectory.

Exact Extract:

“To log to a database, configure log4j2.xml and log4j2.db.properties, and place the JDBC driver JAR file in PA_HOME/lib.”

Option Ais correct — both files must be configured.

Option Bis incorrect — existing logs do not need removal.

Option Cis incorrect — enabling audit is unrelated to database logging.

Option Dis correct — the Oracle JDBC driver must be installed in PA_HOME/lib.

Option Eis incorrect unless TLS is used to connect to the DB, but it is not required for standard DB logging setup.

Exact Extract (from PingAccess documentation):

“The key pair that you create for theCONFIG QUERYlistener must include both the administrative node and the replica administrative node. To make sure the replica administrative node is included, you can eitheruse a wildcard certificateordefine subject alternative namesin the key pair that use the replica administrative node’s DNS name.”

Why B and D are correct:

*B. Subject = .company.com— A wildcard certificate for *.company.com is valid for both pa-admin.company.com and pa-admin2.company.com, satisfying the documented requirement that the key pair include both hostnames for the CONFIG QUERY listener.

D. Subject Alternative Names = pa-admin.company.com, pa-admin2.company.com— Explicitly placing both DNS names in the SAN extension also satisfies the requirement that the certificate cover both the administrative node and the replica administrative node.

Why the other options are incorrect:

A. Issuer = pa-admin.company.com— TheIssuerfield identifies the certificate authority (CA) that signed the certificate, not the service hostname. Setting the issuer to a host value is not how X.509 server certificates are validated and would not meet the hostname‑matching requirement.

C. Subject = pa-admin.company.com— While this covers the administrative node, itdoes not include the replica administrative node. Without a wildcard or SAN entries, it fails the requirement that the key pair include both hostnames.

E. Subject = pa-admin2.company.com— Similarly, this would only cover the replica administrative node andnotthe primary administrative node, failing the requirement.