PingOne / Ping Desktop errors with "Unknown document type"
I am attempting to configure saml2aws with a brand new deployment of PingOne / Ping Desktop and PingFederate backend. I'm getting an Unknown document type error, which I believe is the result of a different page/redirect structure than saml2aws is looking for.
My configuration:
account {
URL: https://desktop.pingone.com/mycompany
Username: [email protected]
Provider: PingOne
MFA: Auto
SkipVerify: false
AmazonWebservicesURN: urn:amazon:webservices
SessionDuration: 3600
Profile: saml
RoleARN:
Region:
}
Debug output:
> saml2aws login --verbose --force
DEBU[0000] Running command=login
DEBU[0000] check if Creds Exist command=login
DEBU[0000] Expand name=/Users/ckabalan/.aws/credentials pkg=awsconfig
DEBU[0000] resolveSymlink name=/Users/ckabalan/.aws/credentials pkg=awsconfig
DEBU[0000] ensureConfigExists filename=/Users/ckabalan/.aws/credentials pkg=awsconfig
Using IDP Account default to access PingOne https://desktop.pingone.com/mycompany
DEBU[0000] Get credentials helper=osxkeychain serverURL="https://desktop.pingone.com/mycompany"
To use saved password just hit enter.
? Username
? Password ****************
DEBU[0003] building provider command=login idpAccount="account {\n URL: https://desktop.pingone.com/mycompany\n Username: [email protected]\n Provider: PingOne\n MFA: Auto\n SkipVerify: false\n AmazonWebservicesURN: urn:amazon:webservices\n SessionDuration: 3600\n Profile: saml\n RoleARN: \n Region: \n}"
Authenticating as [email protected] ...
DEBU[0003] HTTP Req URL="https://desktop.pingone.com/mycompany" http=client method=GET
DEBU[0004] HTTP Res Status="200 " http=client
DEBU[0004] doc detect provider=pingone type=saml-request
DEBU[0004] HTTP Req URL="https://ping.mycompany.com/idp/SSO.saml2" http=client method=POST
DEBU[0004] HTTP Res Status="401 Unauthorized" http=client
DEBU[0004] doc detect provider=pingone type=refresh
DEBU[0004] HTTP Req URL="https://desktop.pingone.com/mycompany" http=client method=GET
DEBU[0004] HTTP Res Status="200 " http=client
DEBU[0004] doc detect provider=pingone type=saml-request
DEBU[0004] HTTP Req URL="https://ping.mycompany.com/idp/SSO.saml2" http=client method=POST
DEBU[0004] HTTP Res Status="401 Unauthorized" http=client
DEBU[0004] doc detect provider=pingone type=login
DEBU[0004] base url baseURL="https://ping.mycompany.com" provider=pingone
DEBU[0004] make absolute url base="https://ping.mycompany.com" provider=pingone v=/idp/AgAZm_aE2pB/resumeSAML20/idp/SSO.ping
DEBU[0004] HTTP Req URL="https://ping.mycompany.com/idp/AgAZm_aE2pB/resumeSAML20/idp/SSO.ping" http=client method=POST
DEBU[0005] HTTP Res Status="200 OK" http=client
DEBU[0005] doc detect provider=pingone type=form-redirect
DEBU[0005] HTTP Req URL="https://authenticator.pingone.com/pingid/ppm/auth" http=client method=POST
DEBU[0005] HTTP Res Status="200 " http=client
DEBU[0005] doc detect provider=pingone type=check-webauthn
DEBU[0005] HTTP Req URL="https://authenticator.pingone.com/pingid/ppm/auth" http=client method=POST
DEBU[0006] HTTP Res Status="200 " http=client
DEBU[0006] doc detect provider=pingone type=swipe
DEBU[0009] HTTP Req URL="https://authenticator.pingone.com/pingid/ppm/auth/status" http=client method=GET
DEBU[0009] HTTP Res Status="200 " http=client
DEBU[0012] HTTP Req URL="https://authenticator.pingone.com/pingid/ppm/auth/status" http=client method=GET
DEBU[0012] HTTP Res Status="200 " http=client
DEBU[0015] HTTP Req URL="https://authenticator.pingone.com/pingid/ppm/auth/status" http=client method=GET
DEBU[0015] HTTP Res Status="200 " http=client
DEBU[0015] HTTP Req URL="https://authenticator.pingone.com/pingid/ppm/auth/response" http=client method=GET
DEBU[0016] HTTP Res Status="200 " http=client
DEBU[0016] doc detect provider=pingone type=form-redirect
DEBU[0016] HTTP Req URL="https://ping.mycompany.com/idp/AgAZm_aE2pB/resumeSAML20/idp/SSO.ping" http=client method=POST
DEBU[0017] HTTP Res Status="200 OK" http=client
DEBU[0017] doc detect provider=pingone type=resume
DEBU[0017] HTTP Req URL="https://sso.connect.pingidentity.com/sso/sp/ACS.saml2" http=client method=POST
DEBU[0017] HTTP Res Status="200 " http=client
DEBU[0017] Unknown document type doc="<!-- template name: form.autopost.template.html --><html><head>\n\t<title>Submit Form</title>\n <link href=\"/sso/assets/images/favicon.ico\" rel=\"shortcut icon\" type=\"image/x-icon\"/>\n <link rel=\"apple-touch-icon\" href=\"/sso/assets/images/PingIdentity-logo.png\"/>\n </head>\n <body onload=\"javascript:document.forms[0].submit()\">\n <noscript>\n <p>\n <strong>Note:</strong> Since your browser does not support JavaScript,\n you must press the Resume button once to proceed.\n </p>\n </noscript>\n <form method=\"post\" action=\"https://desktop.pingone.com/mycompany/login/\">\n <input type=\"hidden\" name=\"tokenid\" value=\"I0WnHREDACTEDhjgPorYh5REDACTEDROGg3REDACTEDMJTAjHovFbUr\"/>\n <input type=\"hidden\" name=\"agentid\" value=\"REDACTED\"/>\n <noscript><input type=\"submit\" value=\"Resume\"/></noscript>\n </form>\n \n\n</body></html>" provider=pingone
Unknown document type
error authenticating to IdP
github.com/versent/saml2aws/v2/cmd/saml2aws/commands.Login
github.com/versent/saml2aws/v2/cmd/saml2aws/commands/login.go:107
main.main
github.com/versent/saml2aws/v2/cmd/saml2aws/main.go:187
runtime.main
runtime/proc.go:225
runtime.goexit
runtime/asm_amd64.s:1371
I played around with the code and got this to be detected as a resume or redirect page. It moved further through the process and proceeded to a new page at https://desktop.pingone.com/mycompany/Selection?cmd=selection with some interesting variables like ppmRequest and ppmResponse. I believe this is our organization's dashboard page because shortly after this page is loaded in a browser via a normal login process it hits a URL ending in /apps which returns JSON related to the tiles on the Ping Desktop, which includes the redirect URL to PingFederate. I have no idea how to fill the gap between the Selection page and getting to the AWS redirect with SAML.
Any ideas? Am I the only one having this issue? Has the PingOne functionality been abandoned and no longer works with a new portal? Are we using a more modern portal from the rest of the customers and only we're broken?
Any insight would be helpful. I'm not a golang developer but I'm willing to try to do what I can and collaborate with any developers that want to help resolve this.
Thank you for your time.
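The failure above is saml2aws's document detector not recognising PingFederate's `form.autopost.template.html` page: a JavaScript auto-submitting POST form carrying hidden `tokenid` and `agentid` fields back to `https://desktop.pingone.com/mycompany/login/`. The following is an added example (not saml2aws's code, and in Python rather than the project's Go, so it runs with only the standard library) of how such a detector can classify that page as a form redirect and pull out the action URL and hidden fields so the flow can continue. The sample HTML is constructed to mirror the page quoted in the debug output with placeholder token values; the function names (`classify_document`, `extract_autopost_form`, `action_is_trusted`) are this example's own. The `action_is_trusted` check is the caveat a client like this should apply before auto-posting a token anywhere: only follow the redirect if it targets an expected host over HTTPS.

```python
"""Classify IdP response pages the way a SAML CLI's document detector does,
and extract the hidden fields of an auto-posting form.

Added example, not saml2aws code. The sample HTML below is constructed to
mirror the form.autopost.template.html page quoted in the issue, with
placeholder token values.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, modelled on the auto-post page in the debug output.
AUTOPOST_HTML = """<!-- template name: form.autopost.template.html --><html><head>
<title>Submit Form</title>
<link href="/sso/assets/images/favicon.ico" rel="shortcut icon" type="image/x-icon"/>
</head>
<body onload="javascript:document.forms[0].submit()">
<noscript><p><strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Resume button once to proceed.</p></noscript>
<form method="post" action="https://desktop.pingone.com/mycompany/login/">
<input type="hidden" name="tokenid" value="TOKENID-PLACEHOLDER"/>
<input type="hidden" name="agentid" value="AGENTID-PLACEHOLDER"/>
<noscript><input type="submit" value="Resume"/></noscript>
</form>
</body></html>"""

# Constructed sample of a credential prompt, for contrast.
LOGIN_HTML = """<html><body><form method="post" action="/idp/login">
<input type="text" name="pf.username"/>
<input type="password" name="pf.pass"/>
</form></body></html>"""


class _FormScanner(HTMLParser):
    """Collect forms with their hidden inputs, note password inputs and
    whether <body onload> auto-submits a form."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each: {"action": str, "method": str, "hidden": dict}
        self.has_password = False
        self.autosubmit = False
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body" and "submit()" in (a.get("onload") or ""):
            self.autosubmit = True
        elif tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "hidden": {}}
            self.forms.append(self._current)
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            if itype == "password":
                self.has_password = True
            elif itype == "hidden" and self._current is not None and a.get("name"):
                self._current["hidden"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan(html):
    """Parse the page once and return the populated scanner."""
    p = _FormScanner()
    p.feed(html)
    p.close()
    return p


def classify_document(html):
    """Return 'login' (credential prompt), 'form-redirect' (POST form carrying
    hidden fields to another URL) or 'unknown'."""
    s = scan(html)
    if s.has_password:
        return "login"
    for f in s.forms:
        if f["method"] == "post" and f["hidden"] and f["action"]:
            return "form-redirect"
    return "unknown"


def extract_autopost_form(html):
    """Return (action_url, hidden_fields) of the first POST form with hidden
    inputs, or None if the page has no such form."""
    for f in scan(html).forms:
        if f["method"] == "post" and f["hidden"]:
            return f["action"], dict(f["hidden"])
    return None


def action_is_trusted(action, allowed_hosts):
    """Only auto-post the token if the form targets a known host over HTTPS;
    blindly following any action URL would hand the token to whoever set it."""
    u = urlsplit(action)
    return u.scheme == "https" and u.hostname in allowed_hosts


if __name__ == "__main__":
    kind = classify_document(AUTOPOST_HTML)
    action, fields = extract_autopost_form(AUTOPOST_HTML)
    print(kind, action, sorted(fields), action_is_trusted(action, {"desktop.pingone.com"}))
```

Run stand-alone it prints `form-redirect`, the `/mycompany/login/` action, the two hidden field names and `True` for the allowlist check. A detector built this way would have moved past the "Unknown document type" error by re-posting `tokenid` and `agentid` to the action URL, which is the step the original poster reproduced by hand before hitting the `Selection?cmd=selection` page.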
I had the same issue but with Ping. At least for me, if you have multiple MFA methods (app, text, etc.), saml2aws seems to fail. Deleted methods and tried with one MFA method, and it seems to work fine. Hopefully they'll resolve this soon.
Hey @ckabalan, did you find a way to solve this? I am currently facing the same problem.
Also facing the same issue unfortunately.
At least for me, if you have multiple MFA methods (app, text, etc.), saml2aws seems to fail.
+1, selecting the device doesn't work:
Hi @ckabalan, did you find the solution for this? I am facing the same issue.
@Prakash-HPE and @OSobky: I have moved on to a different company (AWS actually), but never did find a solution. Our organization ended up moving to AWS Single Sign-On (IAM Identity Center), which was of course a conversation with the identity team, yada yada...
I had the same issue but with Ping. At least for me, if you have multiple MFA methods (app, text, etc.), saml2aws seems to fail. Deleted methods and tried with one MFA method, and it seems to work fine. Hopefully they'll resolve this soon.
This works for me. I deleted one device and it's now connected.