PT-AM-CPE

Practice PT-AM-CPE Exam

Is it difficult for you to decide to purchase Ping Identity PT-AM-CPE exam dumps questions? CertQueen provides FREE online Certified Professional - PingAM Exam PT-AM-CPE exam questions below, and you can test your PT-AM-CPE skills first, and then decide whether to buy the full version or not. We promise you get the following advantages after purchasing our PT-AM-CPE exam dumps questions.
1. Free update in ONE year from the date of your purchase.
2. Full payment fee refund if you fail the PT-AM-CPE exam with the dumps.

 


Latest PT-AM-CPE Exam Dumps Questions

The dumps for the PT-AM-CPE exam were last updated on Apr 11, 2026.


Question#1

Which token transformation is not supported by the REST security token service?

A. Username token -> SAML2
B. Kerberos -> SAML2
C. OpenID Connect -> SAML2
D. PingAM SessionToken -> SAML2

Explanation:
The Security Token Service (STS) in PingAM 8.0.2 acts as a broker that translates security tokens from one format to another, allowing for interoperability between different security domains (e.g., translating a web-based session into a SOAP-based SAML assertion).
According to the PingAM "Security Token Service (STS)" documentation and the "Rest-Based STS" reference, the service supports a specific set of input and output token types. Supported input (source) tokens typically include Username Tokens, SAML2 Tokens, X.509 Certificates, Kerberos Tokens, and the internal PingAM Session Token (SSOToken). The service can transform these into output (target) tokens such as SAML2 Assertions or OIDC ID Tokens.
Analysis of the options:
Option A (Username token -> SAML2): Supported. This is a common use case where a client provides a username and password (WS-Security format) and receives a SAML2 assertion.
Option B (Kerberos -> SAML2): Supported. Used in Windows Desktop SSO environments where a SPNEGO/Kerberos token is exchanged for a SAML assertion for cloud applications.
Option D (PingAM SessionToken -> SAML2): Supported. This allows a user who already has a valid AM session to obtain a SAML2 token for a back-end web service.
Option C (OpenID Connect -> SAML2): Not supported by the REST STS implementation in version

Question#2

A user enters their credentials, but is faced with the error message "user requires profile to login".
What is a possible cause of this message?

A. Policies have not been defined to allow a user to access their profile page
B. The realm has not been set to user profile ignore mode
C. The user has not filled in the required information in their profile
D. The user has not entered the correct credentials

Explanation:
This error message is directly related to the User Profile configuration within a specific realm in PingAM 8.0.2. In the "Core Authentication Attributes" of a realm, PingAM defines how it should handle user identities after they have successfully provided valid credentials through an authentication tree or chain.
There are primarily four modes for the User Profile setting:
Required: This is often the default. It specifies that after a user successfully authenticates, PingAM must be able to locate a corresponding user entry in the configured Identity Store. If the user exists in the datastore, the session is created. If the user does not exist, authentication fails with the error message "user requires profile to login" (or a similar profile-related exception in the logs).
Ignored: In this mode, PingAM issues an SSO session token immediately upon successful credential validation, regardless of whether a user profile exists in the back-end repository. This is useful for temporary or guest access where no permanent record is needed.
Dynamic: AM attempts to find the user; if the user is not found, it automatically creates a new profile in the identity store.
Dynamic with User Alias: Similar to dynamic creation but supports aliasing.
If an administrator sees the "user requires profile to login" error, it confirms that the credentials themselves were technically correct (the user passed the authentication nodes), but the realm is currently in Required mode (it has not been set to Ignore or Dynamic) and no matching entry exists in the identity store. This frequently happens in migration scenarios or when using external identity providers (like Social IDPs) where the "Link" or "Provisioning" step has not been properly configured in the authentication journey. To resolve this, the administrator must either pre-provision the user, set the mode to Ignore, or implement a Create Object node within the authentication tree to handle dynamic provisioning.

Question#3

Which of the following tab pages in the PingAM admin UI can be used to configure the OAuth2 and OpenID Connect May Act scripts used for token exchange requests?
A) The OAuth2 provider service > Advanced tab page
B) The OAuth2 provider service > Core tab page
C) The OAuth2 client profile > Advanced tab page
D) The OAuth2 client profile > OAuth2 Provider Overrides tab page

A. B and D only
B. A and D only
C. A and C only
D. B and C only

Explanation:
The May Act script is a critical component of the OAuth 2.0 Token Exchange implementation in PingAM 8.0.2. It allows for the validation of impersonation or delegation requests. Because token exchange can be configured both globally for all clients and specifically for individual applications, the script can be attached at two different levels in the Administrative UI.
OAuth2 Provider Service > Advanced Tab (A): This is the global configuration level. If you want to apply a standard "May Act" validation script across the entire realm for any client performing a token exchange, you configure it here. This script will be the default unless specifically overridden.
OAuth2 Client Profile > OAuth2 Provider Overrides Tab (D): PingAM allows for granular control per client. If a specific "Confidential Client" (like a backend microservice) requires unique logic for determining who it can act as, you can specify a different script or override the global setting. This is done in the "OAuth2 Provider Overrides" tab within that specific client's configuration profile.
Why other options are incorrect: The Core tab (B) is used for basic settings like issuer names and token lifetimes, not for advanced scripting hooks. The Advanced tab of the Client Profile (C) contains settings like TTLs and Logout URLs, but the specific ability to override "Provider" level logic (like the May Act script) is moved to the specialized Overrides tab to keep the interface organized. Therefore, the correct locations are A and D, as identified in the "Token Exchange Configuration" guide for version 8.0.2.

Question#4

What is a SAML2 artifact?

A. The SAML2 assertion
B. The SAML2 binding name
C. The name of a specific attribute in the assertion
D. A value sent by the service provider to retrieve the assertion

Explanation:
In SAML 2.0, an Artifact is a reference (a "pointer" or "ticket") used in the SAML Artifact Binding. This is an alternative to the more common POST or Redirect bindings where the actual XML assertion is sent through the user's browser.
According to the PingAM "SAML 2.0 Bindings" documentation:
When using the Artifact binding, the Identity Provider (IdP) does not send the full SAML Assertion through the browser. Instead, it sends a small, opaque string called the Artifact to the Service Provider (SP).
Issuance: The IdP stores the real assertion in its own local memory/cache and sends the Artifact to the SP via the browser redirect.
Resolution: The Service Provider receives the Artifact and then makes a direct, secure back-channel call (SOAP over HTTPS) to the IdP's Artifact Resolution Endpoint.
Exchange: The SP presents the Artifact, and the IdP returns the actual SAML Assertion.
Therefore, the Artifact is the value sent to retrieve the assertion (Option D). It is not the assertion itself (Option A), nor is it a binding name or an attribute name. The Artifact binding is often used for security reasons, as it prevents the sensitive assertion data from ever passing through the user's browser, thus mitigating certain types of interception attacks.
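
The artifact is opaque to the browser, but the SP has to decode it to decide which IdP's Artifact Resolution Endpoint to call. The following added example (not from the original page or from Ping Identity) parses the type 0x0004 artifact layout defined in the SAML 2.0 Bindings specification and matches its SourceID against a list of trusted IdPs; the entityID, function names and sample artifact are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

TYPE_CODE_0004 = b"\x00\x04"  # the artifact format defined by SAML 2.0 Bindings
ARTIFACT_LEN = 44             # TypeCode 2 + EndpointIndex 2 + SourceID 20 + MessageHandle 20


@dataclass(frozen=True)
class Saml2Artifact:
    endpoint_index: int    # index of the ArtifactResolutionService to call
    source_id: bytes       # SHA-1 of the issuing IdP's entityID
    message_handle: bytes  # opaque reference to the assertion held by the IdP


def parse_artifact(samlart: str) -> Saml2Artifact:
    """Decode a SAMLart value; reject anything that is not a type 0x0004 artifact."""
    try:
        raw = base64.b64decode(samlart, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("SAMLart is not valid base64") from exc
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"unexpected artifact length {len(raw)}")
    if raw[:2] != TYPE_CODE_0004:
        raise ValueError("unsupported artifact type code")
    return Saml2Artifact(int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])


def issuer_for(artifact: Saml2Artifact, trusted_idps: list[str]) -> str:
    """Return the trusted IdP entityID whose SHA-1 digest equals the SourceID."""
    for entity_id in trusted_idps:
        digest = hashlib.sha1(entity_id.encode("utf-8")).digest()
        if hmac.compare_digest(digest, artifact.source_id):
            return entity_id
    # Never resolve an artifact against an endpoint outside the circle of trust.
    raise LookupError("artifact SourceID does not match any trusted IdP")


# Constructed sample: an artifact as a hypothetical IdP would mint it.
IDP = "https://idp.example.com/am"  # hypothetical entityID (assumption)
SAMPLE = base64.b64encode(
    TYPE_CODE_0004 + (1).to_bytes(2, "big")
    + hashlib.sha1(IDP.encode("utf-8")).digest() + bytes(range(20))
).decode("ascii")

if __name__ == "__main__":
    art = parse_artifact(SAMPLE)
    print(issuer_for(art, [IDP]), art.endpoint_index, art.message_handle.hex())
```

The SP only learns which IdP to contact from the artifact; the assertion returned over the back channel still has to be validated like any other.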

Question#5

OpenID Connect acr_values map to what component within PingAM?

A. Authentication trees
B. SAML Circles of Trust
C. Authorization policies
D. Authentication levels

Explanation:
The Authentication Context Class Reference (acr) is a standard parameter in OpenID Connect (OIDC) used by a client (Relying Party) to request a specific level or method of authentication from the OpenID Provider (PingAM 8.0.2).
According to the "OpenID Connect 1.0" and "OAuth2 Provider Service" documentation in PingAM, there is a specific configuration mapping for ACR to Authentication Tree. In the AM console, under the OAuth2 Provider > OpenID Connect tab, administrators define a list of mappings. Each entry consists of an ACR string (e.g., urn:mace:incommon:iap:silver or simply MFA) and its corresponding Authentication Tree name.
When an OIDC client sends a request to the /authorize endpoint containing the acr_values parameter, PingAM performs a lookup:
It checks the incoming acr_values against the configured map.
If a match is found, PingAM ignores the default realm authentication configuration and initiates the Authentication Tree mapped to that specific ACR value.
Upon successful completion, the resulting ID Token will contain the acr claim with the requested value, confirming to the client that the specific journey was completed.
This mechanism allows developers to programmatically request "Step-up" or "Social Login" or "MFA" specifically from their application code by leveraging OIDC standard parameters. While ACR values are often related to Authentication Levels (Option D) conceptually, in PingAM's internal architecture, they are directly used to select and trigger a specific Authentication Tree (Option A).

Exam Code: PT-AM-CPE | Q & A: 100 Q&As | Updated: Apr 11, 2026

 
