For edge-initiated step-up or transactional authorization, the client must indicate which higher authentication context to invoke by supplying the query parameters authIndexType (typically set to service or module) and authIndexValue (the name of that service/module). No other parameters are mandatory.

B – “service” is not a separate parameter; it is the value of authIndexType.

C – ForceAuth is optional; only authIndexType/value are required.

D – Lacks the mandatory authIndexValue and misuses “service”.

1. ForgeRock Access Management 7.3 Authentication & SSO Guide, §6.6.4 “Requesting Step-Up Authentication” (authIndexType & authIndexValue required).

2. ForgeRock Identity Gateway 7.2 User Guide, §“Step-Up Authentication with AM” (lists mandatory parameters).

The error "user requires profile to login" occurs when PingAM is configured in a mode where it does not manage user profiles within its own data store, but an authentication journey attempts an action that requires one. This happens when the realm's "User Profile" setting is "Ignored". In this mode, AM expects the identity repository (e.g., an external LDAP) to be the sole source of truth. If a node in the authentication tree (e.g., "Data Store Decision" or "Attribute Collector") tries to read from or write to a local AM profile that doesn't exist, this specific error is triggered.

A. Policy misconfiguration would typically result in an authorization failure or "Access Denied" message, not a profile-specific error during login.

C. If a user has not filled in required profile information, the journey would typically direct them to a profile completion page or fail with a different message.

D. Incorrect credentials would result in a clear "Authentication Failed" or "Invalid username or password" error message.

1. Ping Identity Access Management Documentation, "Realms > To Create a Realm". In the "Identity Store" section, the "User Profile" property is described. Setting this to "Ignored" can lead to the specified error if authentication journeys are not designed accordingly.

2. Ping Identity Access Management Documentation, "Troubleshooting > Authentication". This section details common authentication errors. The error "user requires profile to login" is explicitly linked to the realm's user profile configuration being set to "Ignored" while a journey requires a profile write.

The forgeops delete command is designed to remove the specific Ping Identity Platform deployment created by the Cloud Developer Kit (CDK). This includes the Kubernetes resources that constitute the platform stack, such as the pods, services, and deployments for Access Management, Identity Management, and Directory Services. It also removes the associated Persistent Volume Claims (PVCs) and configuration artifacts. The command's scope is intentionally limited to the application stack itself and does not remove shared, cluster-level prerequisites.

A. The ingress controller is a cluster-level prerequisite and is not removed by the forgeops delete command.

B. The certificate manager and secret agent are cluster-level prerequisites and are not removed by the forgeops delete command.

C. The ingress controller, DS operator, certificate manager, and secret agent are all cluster-level prerequisites not managed by the CDK deployment lifecycle.

1. Ping Identity DevOps Documentation, forgeops > Get started > Clean up your CDK deployment. The documentation states: "When you're finished with your CDK deployment, run the forgeops delete command. This command deletes the Ping Identity Platform deployment and the persistent volume claims from your Kubernetes cluster." It makes no mention of removing cluster prerequisites like ingress or cert-manager.

Extended metadata in PingAM is a proprietary extension to the standard SAML 2.0 metadata format. Its purpose is to store and communicate additional configuration information specific to PingAM that is not covered by the SAML standard. This can include settings for attribute mapping, transient user creation, account linking, and other specific processing rules that are necessary for federation partnerships to function correctly within a PingAM environment (formerly a "Circle of Trust"). This allows for richer integration and configuration than standard metadata alone permits.

A. It specifies the certificates and keys for the SAML2 entity: Certificates and keys are part of the standard SAML 2.0 metadata specification within the KeyDescriptor element.

B. It specifies the policy to invoke during SAML2 federation: While this is an example of information that can be in extended metadata, it is not the overall purpose. Option D is a more accurate, general definition.

C. It is a standard way to communicate supported SAML2 features: Extended metadata is, by definition, non-standard and specific to PingAM. Standard features are communicated through standard metadata elements and protocol messages.

Ping Identity Documentation, PingAM > Federation > SAML v2.0 Guide for Administrators > The Extended Metadata Template. The guide states: "AM uses an extended metadata file to store information that is not included in the standard SAML v2.0 metadata."

Ping Identity Documentation, PingAM > Administration > Realms > Realm > Applications > Federation > Entity Providers. The configuration options for SAML2 entity providers detail numerous settings (e.g., Attribute Mapper, NameID format) that are stored in this extended metadata.

In PingAM authentication trees, the sharedState is the designated mechanism for passing information between nodes within a single authentication transaction. For a mobile device, a device profiling node can collect context data and write it to the sharedState. A subsequent node, such as one performing risk analysis, can then read this data from the sharedState to inform its decision. This approach is best practice because the data is transient, scoped only to the current authentication flow, and does not permanently alter the user's profile.

A. The session state is generally created after a successful authentication journey, not for passing data between nodes during it.

C. The user profile is for storing persistent identity attributes, not for temporary, transactional context data like device information.

D. Storing potentially sensitive, server-side context data in a client-side browser cookie is insecure and not a viable pattern for trees.

1. Ping Identity Documentation, PingAM > Develop > "Custom nodes," Section "How state is passed between nodes," describes the use of sharedState and transientState for communication between nodes.

2. Ping Identity Documentation, PingAM > Authenticate > "Nodes," describes how various nodes (e.g., Device Profile Collector) place information into the shared state for consumption by other nodes.

PingAM supports a wide range of multi-factor authentication (MFA) mechanisms through its authentication tree framework. The options listed in C represent three distinct and modern MFA methods: Open Authentication (OATH) for Time-based One-Time Passwords (TOTP), Web Authentication (WebAuthn) for FIDO2/passkeys, and Push Authentication for mobile device notifications. While Security Questions (B) and U2F (D) are also supported, the combination in C provides a strong representation of contemporary MFA protocols and methods available in PingAM. U2F is an older standard largely superseded by WebAuthn.

A, B, and D: These options are incomplete or include less common/older methods. While all individual items (A, B, C, D, E) are supported by PingAM, the question seeks the best combination representing its MFA capabilities.

Ping Identity, PingAM Documentation, "Authentication nodes," Section: "Node Groups." This section lists available nodes including "OATH Authenticator Node," "Push Sender Node," "WebAuthn Authentication Node," "U2F Registration Node," and "Knowledge-Based Authentication Node," confirming support for all listed mechanisms.

Ping Identity, PingAM Documentation, "About multi-factor authentication." This guide provides an overview of MFA concepts and highlights the use of OATH, Push, and WebAuthn as primary methods.

The "Set Session Properties" node is a component within PingAM authentication trees specifically designed to add or update key-value pairs in the authenticated user's session. After this node executes successfully within a journey, the specified properties become available in the session state. This data can then be retrieved by other nodes later in the flow, used by policy conditions, or passed to applications in tokens, enabling dynamic and stateful authentication experiences.

A. The Get Session Data node: This node retrieves existing data from the session to make decisions; it does not set or add new properties.

B. You have to use a webhook, not a node: While a webhook can interact with external systems, PingAM provides a dedicated, internal node for this common task, making it the direct and correct answer.

C. The Provision Dynamic Account node: This node is used for just-in-time user provisioning into a data store, not for manipulating session state.

PingAM Documentation, "Authentication and single sign-on Guide" -> "Nodes reference" -> "Set Session Properties node". The documentation states, "Use this node to add properties to the user's session. The properties are stored as key-value pairs in the session properties."

Both Push notifications and Open Authentication (OATH) typically require a separate physical device, such as a smartphone, and a specific application installed on it. For Push, an application like PingID receives a notification to approve or deny a login attempt. For OATH (specifically TOTP/HOTP), an authenticator application (e.g., PingID, Google Authenticator) on the device generates a one-time passcode. Both methods fulfill the dual requirement of a separate device and a dedicated application.

A. Push, WebAuthn: WebAuthn does not always require a separate device; it supports platform authenticators (e.g., Windows Hello, Touch ID) built into the primary device.

B. Push, WebAuthn, Open Authentication: This option is incorrect because WebAuthn does not strictly meet the criteria, as explained above.

C. WebAuthn, Open Authentication: This option is incorrect because WebAuthn can use same-device platform authenticators, thus not requiring a separate device.

1. Ping Identity Documentation, PingID, "PingID authentication methods". This documentation describes Push notifications as requiring the PingID mobile app on a paired device. It also describes OATH TOTP support via the same app or other third-party authenticator apps.

2. Ping Identity Documentation, PingID, "FIDO2 authenticators". This source explains that WebAuthn (part of FIDO2) supports both roaming authenticators (separate devices like security keys) and platform authenticators (built into the user's computer or phone).

The "Default Failure Login URL" is a configurable property within a PingAM realm's authentication settings. Its purpose is to serve as the fallback redirection target when a user's authentication process fails. This URL is used only when a more specific failure URL has not been provided, for instance, through a policy configuration or as a gotoOnFail parameter in the initial authentication request. It ensures a consistent and predictable user experience for unhandled authentication failures.

A: It is the URL used when the gotoOnFail parameter is absent, not the default value of the parameter itself.

C: The "Failure URL" node in an authentication tree is for defining a specific, non-default failure path and must be configured manually by the administrator.

D: This describes the content of the destination page, whereas the "Default Failure Login URL" is the configuration setting for the redirection URL itself.

1. Ping Identity, PingAM Documentation, "Authentication and single sign-on guide" > "Configuring realms" > "Authentication settings". (The documentation for realm properties describes the "Default Failure Login URL" as the URL to which users are redirected if authentication fails).

2. Ping Identity, PingAM Documentation, "Authentication and single sign-on guide" > "Authentication services" > "Service configuration properties". (Describes the "Login Failure URL" property at the service level, which functions similarly).

In a SAML 2.0 federation, a Service Provider (SP) must establish a local session for a user who has authenticated at a remote Identity Provider (IdP). The account mapper on the SP is responsible for this linkage. It uses information from the incoming SAML assertion (the "remote user" identity), such as the NameID or other attributes, to find or create a corresponding user account in the SP's local data store (the "local user profile"). This mapping is a crucial step before a local session can be created.

A: This is incorrect. The account mapper processes a single assertion at a time to map one remote identity to one local account.

B: This describes account linking, a different feature for consolidating multiple local accounts. The SAML mapper's purpose is to link a remote identity to a local one.

C: This describes the process in reverse. The mapper uses attributes from the remote user's assertion to find and map to a local user profile.

1. Ping Identity Access Management Documentation, "Federation and single sign-on > Configuring SAML v2.0 > How AM processes assertions at a service provider." The documentation states, "AM uses the contents of the NameID or other attributes in the assertion to map the remote identity to a user in its local data store."