PingOne / Ping Desktop errors with "Unknown document type" #717

Open
ckabalan opened this issue Aug 19, 2021 · 7 comments
Comments

@ckabalan

ckabalan commented Aug 19, 2021

I am attempting to configure saml2aws with a brand new deployment of PingOne / Ping Desktop and PingFederate backend. I'm getting an Unknown document type error, which I believe is the result of a different page/redirect structure than saml2aws is looking for.

My configuration:

account {
  URL: https://desktop.pingone.com/mycompany
  Username: [email protected]
  Provider: PingOne
  MFA: Auto
  SkipVerify: false
  AmazonWebservicesURN: urn:amazon:webservices
  SessionDuration: 3600
  Profile: saml
  RoleARN: 
  Region: 
}

Debug output:

> saml2aws login --verbose --force          
DEBU[0000] Running                                       command=login
DEBU[0000] check if Creds Exist                          command=login
DEBU[0000] Expand                                        name=/Users/ckabalan/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink                                name=/Users/ckabalan/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists                            filename=/Users/ckabalan/.aws/credentials pkg=awsconfig
Using IDP Account default to access PingOne https://desktop.pingone.com/mycompany
DEBU[0000] Get credentials                               helper=osxkeychain serverURL="https://desktop.pingone.com/mycompany"
To use saved password just hit enter.
? Username 
? Password ****************

DEBU[0003] building provider                             command=login idpAccount="account {\n  URL: https://desktop.pingone.com/mycompany\n  Username: [email protected]\n  Provider: PingOne\n  MFA: Auto\n  SkipVerify: false\n  AmazonWebservicesURN: urn:amazon:webservices\n  SessionDuration: 3600\n  Profile: saml\n  RoleARN: \n  Region: \n}"
Authenticating as [email protected] ...
DEBU[0003] HTTP Req                                      URL="https://desktop.pingone.com/mycompany" http=client method=GET
DEBU[0004] HTTP Res                                      Status="200 " http=client
DEBU[0004] doc detect                                    provider=pingone type=saml-request
DEBU[0004] HTTP Req                                      URL="https://ping.mycompany.com/idp/SSO.saml2" http=client method=POST
DEBU[0004] HTTP Res                                      Status="401 Unauthorized" http=client
DEBU[0004] doc detect                                    provider=pingone type=refresh
DEBU[0004] HTTP Req                                      URL="https://desktop.pingone.com/mycompany" http=client method=GET
DEBU[0004] HTTP Res                                      Status="200 " http=client
DEBU[0004] doc detect                                    provider=pingone type=saml-request
DEBU[0004] HTTP Req                                      URL="https://ping.mycompany.com/idp/SSO.saml2" http=client method=POST
DEBU[0004] HTTP Res                                      Status="401 Unauthorized" http=client
DEBU[0004] doc detect                                    provider=pingone type=login
DEBU[0004] base url                                      baseURL="https://ping.mycompany.com" provider=pingone
DEBU[0004] make absolute url                             base="https://ping.mycompany.com" provider=pingone v=/idp/AgAZm_aE2pB/resumeSAML20/idp/SSO.ping
DEBU[0004] HTTP Req                                      URL="https://ping.mycompany.com/idp/AgAZm_aE2pB/resumeSAML20/idp/SSO.ping" http=client method=POST
DEBU[0005] HTTP Res                                      Status="200 OK" http=client
DEBU[0005] doc detect                                    provider=pingone type=form-redirect
DEBU[0005] HTTP Req                                      URL="https://authenticator.pingone.com/pingid/ppm/auth" http=client method=POST
DEBU[0005] HTTP Res                                      Status="200 " http=client
DEBU[0005] doc detect                                    provider=pingone type=check-webauthn
DEBU[0005] HTTP Req                                      URL="https://authenticator.pingone.com/pingid/ppm/auth" http=client method=POST
DEBU[0006] HTTP Res                                      Status="200 " http=client
DEBU[0006] doc detect                                    provider=pingone type=swipe
DEBU[0009] HTTP Req                                      URL="https://authenticator.pingone.com/pingid/ppm/auth/status" http=client method=GET
DEBU[0009] HTTP Res                                      Status="200 " http=client
DEBU[0012] HTTP Req                                      URL="https://authenticator.pingone.com/pingid/ppm/auth/status" http=client method=GET
DEBU[0012] HTTP Res                                      Status="200 " http=client
DEBU[0015] HTTP Req                                      URL="https://authenticator.pingone.com/pingid/ppm/auth/status" http=client method=GET
DEBU[0015] HTTP Res                                      Status="200 " http=client
DEBU[0015] HTTP Req                                      URL="https://authenticator.pingone.com/pingid/ppm/auth/response" http=client method=GET
DEBU[0016] HTTP Res                                      Status="200 " http=client
DEBU[0016] doc detect                                    provider=pingone type=form-redirect
DEBU[0016] HTTP Req                                      URL="https://ping.mycompany.com/idp/AgAZm_aE2pB/resumeSAML20/idp/SSO.ping" http=client method=POST
DEBU[0017] HTTP Res                                      Status="200 OK" http=client
DEBU[0017] doc detect                                    provider=pingone type=resume
DEBU[0017] HTTP Req                                      URL="https://sso.connect.pingidentity.com/sso/sp/ACS.saml2" http=client method=POST
DEBU[0017] HTTP Res                                      Status="200 " http=client
DEBU[0017] Unknown document type                         doc="<!-- template name: form.autopost.template.html --><html><head>\n\t<title>Submit Form</title>\n    <link href=\"/sso/assets/images/favicon.ico\" rel=\"shortcut icon\" type=\"image/x-icon\"/>\n    <link rel=\"apple-touch-icon\" href=\"/sso/assets/images/PingIdentity-logo.png\"/>\n    </head>\n    <body onload=\"javascript:document.forms[0].submit()\">\n       <noscript>\n            <p>\n                <strong>Note:</strong> Since your browser does not support JavaScript,\n                        you must press the Resume button once to proceed.\n            </p>\n        </noscript>\n        <form method=\"post\" action=\"https://desktop.pingone.com/mycompany/login/\">\n                        <input type=\"hidden\" name=\"tokenid\" value=\"I0WnHREDACTEDhjgPorYh5REDACTEDROGg3REDACTEDMJTAjHovFbUr\"/>\n                        <input type=\"hidden\" name=\"agentid\" value=\"REDACTED\"/>\n                        <noscript><input type=\"submit\" value=\"Resume\"/></noscript>\n        </form>\n    \n\n</body></html>" provider=pingone
Unknown document type
error authenticating to IdP
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
	github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
	github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
	runtime/proc.go:225
runtime.goexit
	runtime/asm_amd64.s:1371

I played around with the code and got this to be detected as a resume or redirect page. It moved further through the process and proceeded to a new page at https://desktop.pingone.com/mycompany/Selection?cmd=selection with some interesting variables like ppmRequest and ppmResponse. I believe this is our organization's dashboard page because shortly after this page is loaded in a browser via a normal login process it hits a URL ending in /apps which returns JSON related to the tiles on the Ping Desktop, which includes the redirect URL to PingFederate. I have no idea how to fill the gap between the Selection page and getting to the AWS redirect with SAML.

Any ideas? Am I the only one having this issue? Has the PingOne functionality been abandoned and does it no longer work with a new portal? Are we using a more modern portal than the rest of the customers, and only we're broken?

Any insight would be helpful. I'm not a golang developer but I'm willing to try to do what I can and collaborate with any developers that want to help resolve this.

Thank you for your time.
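What a `form-redirect` step would have to do with the auto-post page quoted in the `Unknown document type` line above, as an added example in Python using only the standard library (not saml2aws's own Go code): classify the document as a JavaScript auto-post form, collect its hidden fields, and only follow it when the form action points at an expected HTTPS host. The host allowlist, the placeholder token values and the counter-example login form are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the auto-post page from the debug output above, with the
# token and agent values replaced by placeholders.
AUTOPOST_DOC = """<!-- template name: form.autopost.template.html --><html><head>
<title>Submit Form</title></head>
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="https://desktop.pingone.com/mycompany/login/">
<input type="hidden" name="tokenid" value="TOKENID_PLACEHOLDER"/>
<input type="hidden" name="agentid" value="AGENTID_PLACEHOLDER"/>
<noscript><input type="submit" value="Resume"/></noscript>
</form></body></html>"""

# Constructed counter-example: an interactive login form, which must never be auto-posted.
LOGIN_DOC = """<html><body><form method="post" action="https://ping.mycompany.com/idp/SSO.ping">
<input type="text" name="pf.username"/><input type="password" name="pf.pass"/>
<input type="submit" value="Sign On"/></form></body></html>"""

class _FormParser(HTMLParser):
    """Collect the <body onload> handler and every <form> with its inputs."""
    def __init__(self):
        super().__init__()
        self.body_onload, self.forms = "", []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body":
            self.body_onload = a.get("onload") or ""
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "", "method": (a.get("method") or "get").lower(), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(((a.get("type") or "text").lower(), a.get("name"), a.get("value") or ""))

def detect_form_redirect(doc, allowed_hosts):
    """Return (action, method, hidden_fields) when `doc` is a JavaScript auto-post
    form whose target is an expected HTTPS host; otherwise None."""
    p = _FormParser()
    p.feed(doc)
    if "submit()" not in p.body_onload or len(p.forms) != 1:
        return None
    form = p.forms[0]
    if {t for t, _, _ in form["inputs"]} - {"hidden", "submit"}:
        return None  # text/password fields mean a login page, not a redirect
    target = urlparse(form["action"])
    if target.scheme != "https" or target.hostname not in allowed_hosts:
        return None  # never replay the token to an unexpected host
    fields = {n: v for t, n, v in form["inputs"] if t == "hidden" and n}
    return form["action"], form["method"], fields
```

The returned action, method and fields are exactly what the client would POST next (the `Selection?cmd=selection` page in this thread); the host check is what keeps an attacker-controlled page in the chain from receiving the `tokenid`.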

@most-creative-name

I had the same issue but with Ping.
At least for me, if you have multiple MFA methods (app, text, etc.), saml2aws seems to fail.
Deleted methods and tried with one MFA method, and it seems to work fine. Hopefully they'll resolve this soon.

@OSobky

OSobky commented Mar 8, 2022

Hey @ckabalan
Did you find a way to solve this? I am currently facing the same problem

@abrinkman

Also facing the same issue unfortunately.

@jaklan

jaklan commented May 26, 2023

> At least for me, if you have multiple MFA methods (app, text, etc.), saml2aws seems to fail.

+1, selecting the device doesn't work:

[screenshot of the device-selection step, not reproduced]

@Prakash-HPE

Hi @ckabalan, did you find the solution for this? I am facing the same issue.

@ckabalan
Author

@Prakash-HPE and @OSobky: I have moved on to a different company (AWS actually), but never did find a solution. Our organization ended up moving to AWS Single Sign-On (IAM Identity Center), which was of course a conversation with the identity team, yada yada...

@sguo28

sguo28 commented Jan 29, 2024

> I had the same issue but with Ping. At least for me, if you have multiple MFA methods (app, text, etc.), saml2aws seems to fail. Deleted methods and tried with one MFA method, and it seems to work fine. Hopefully they'll resolve this soon.

This works for me. I deleted one device and it's now connected.
