From 30c17719bca36f07971f8ae5bcd4ca2706263fea Mon Sep 17 00:00:00 2001
From: "Casale, Robert" <Robert.Casale@fmr.com>
Date: Wed, 23 Mar 2022 15:40:44 -0400
Subject: [PATCH] feat: add pingntlm provider support for pre-authentication
 issue

---
 .../pingntlm/exmaple/form-redirect.html       |  21 ++
 pkg/provider/pingntlm/exmaple/login.html      | 113 +++++++
 pkg/provider/pingntlm/exmaple/login2.html     | 158 +++++++++
 pkg/provider/pingntlm/exmaple/otp.html        | 103 ++++++
 pkg/provider/pingntlm/exmaple/swipe.html      |  98 ++++++
 pkg/provider/pingntlm/exmaple/webauthn.html   |  63 ++++
 pkg/provider/pingntlm/pingntlm.go             | 308 ++++++++++++++++++
 pkg/provider/pingntlm/pingntlm_test.go        | 151 +++++++++
 saml2aws.go                                   |   6 +
 9 files changed, 1021 insertions(+)
 create mode 100644 pkg/provider/pingntlm/exmaple/form-redirect.html
 create mode 100644 pkg/provider/pingntlm/exmaple/login.html
 create mode 100644 pkg/provider/pingntlm/exmaple/login2.html
 create mode 100644 pkg/provider/pingntlm/exmaple/otp.html
 create mode 100644 pkg/provider/pingntlm/exmaple/swipe.html
 create mode 100644 pkg/provider/pingntlm/exmaple/webauthn.html
 create mode 100644 pkg/provider/pingntlm/pingntlm.go
 create mode 100644 pkg/provider/pingntlm/pingntlm_test.go

diff --git a/pkg/provider/pingntlm/exmaple/form-redirect.html b/pkg/provider/pingntlm/exmaple/form-redirect.html
new file mode 100644
index 000000000..4bfa36f7d
--- /dev/null
+++ b/pkg/provider/pingntlm/exmaple/form-redirect.html
@@ -0,0 +1,21 @@
+<html>
+
+<head>
+  <title>Submit Form</title>
+  <meta name="referrer" content="origin" />
+  <meta http-equiv="x-ua-compatible" content="IE=edge" />
+</head>
+
+<body onload="javascript:document.forms[0].submit()">
+  <noscript>
+    <p>
+      <strong>Note:</strong> Since your browser does not support JavaScript, you must press the Resume button once to proceed.
+    </p>
+  </noscript>
+  <form method="post" action="https://authenticator.pingone.com/pingid/ppm/auth">
+    <input type="hidden" name="idp_account_id" value="some-uuid" />
+    <input type="hidden" name="ppm_request" value="secret" />
+    <noscript><input type="submit" value="Resume"/></noscript>
+  </form>
+</body>
+</html>
\ No newline at end of file
diff --git a/pkg/provider/pingntlm/exmaple/login.html b/pkg/provider/pingntlm/exmaple/login.html
new file mode 100644
index 000000000..3cdac6461
--- /dev/null
+++ b/pkg/provider/pingntlm/exmaple/login.html
@@ -0,0 +1,113 @@
+<!DOCTYPE html>
+<!--[if IEMobile 7 ]><html class="no-js no-touch iem7" lang="en"> <![endif]-->
+<!--[if lt IE 7]><html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/" lang="en" xml:lang="en" id="ie6" class="no-js no-touch ie lt-ie12 lt-ie11 lt-ie10 lt-ie9 lt-ie8 lt-ie7"><![endif]-->
+<!--[if IE 7]><html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/" lang="en" xml:lang="en" id="ie7" class="no-js no-touch ie lt-ie12 lt-ie11 lt-ie10 lt-ie9 lt-ie8 gt-ie6"><![endif]-->
+<!--[if IE 8]><html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/" lang="en" xml:lang="en" id="ie8" class="no-js no-touch ie lt-ie12 lt-ie11 lt-ie10 lt-ie9 gt-ie6 gt-ie7"><![endif]-->
+<!--[if IE 9]><html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/" lang="en" xml:lang="en" id="ie9" class="no-js no-touch ie lt-ie12 lt-ie11 lt-ie10 gt-ie8 gt-ie7 gt-ie6"><![endif]-->
+<!--[if !IE]><!-->
+<!--
+  Ping Discovery Login
+  w/ Progressive Profiling
+  discovery.form.template.html
+  v3.0
+-->
+<html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/" lang="en" xml:lang="en" class="no-touch no-js">
+<!--<![endif]-->
+<head>
+  <title>Login Page</title>
+  <!--[if lt IE 9]><meta http-equiv="X-UA-Compatible" content="IE=8" /><![endif]-->
+  <!--[if gt IE 8]><meta http-equiv="X-UA-Compatible" content="IE=edge" /><![endif]-->
+  <!--[if !IE]><meta http-equiv="X-UA-Compatible" content="chrome=1" /><![endif]-->
+  <meta charset="utf-8">
+  <meta name="HandheldFriendly" content="True" />
+  <meta name="MobileOptimized" content="320" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <!-- Mobile IE allows us to activate ClearType technology for smoothing fonts for easy reading -->
+  <meta http-equiv="cleartype" content="on">
+  <!-- Brought over from previous version of Login Page -->
+  <meta name="accessLevel" content="Guest" />
+  <meta name="country" content="US" />
+  <meta name="locale" content="US" />
+  <meta name="language" content="en" />
+  <meta name="title" content="Login Page" />
+  <script type="text/javascript" src="/etc/designs/cdc/clientlibs/responsive/js/foundation.js"></script>
+  <link rel="stylesheet" type="text/css" href="/etc/designs/cdc/clientlibs/responsive/css/login-federation.css">
+</head>
+<body id="wcq" class="fw-res cdc-login ping">
+  <div id="fw-overlay-spinner">
+    <div class="spinner-icon"></div>
+    <div id="fw-content" class="">
+      <div class="language">
+        <section id="fw-language-select">
+          <div class="dropdown-header" tabindex="5">United States - English</div>
+          <!-- default -->
+          <ul class="dropdown-content"></ul>
+        </section>
+      </div>
+      <header id="fw-masthead-temp" class=" cdc-landing" data-owner="ID">
+        <div id="fw-banner-temp">
+          <a id="fw-logo-temp" href="/c/en/us/index.html">
+                </a>
+        </div>
+      </header>
+      <div id="login-wrapper">
+        <article id="login">
+          <div class="title">
+            <section id="fw-title-nav-login">
+              <h1 class="pagetitle">Log in to your account</h1>
+            </section>
+          </div>
+          <div class="info-text">
+            <div class="close"><span tabindex="0"></span></div>
+          </div>
+          <form id="login-form" method="post" name="login-form" action="https://sso.example.com/idp/resumeSAML20/idp/startSSO.ping">
+            <ul>
+              <li id="containUser">
+                <label id="usernameLabel" for="userInput" class="username-label hint">Username or email</label>
+                <input id="userInput" class="" type="text" name="pf.username" value="" size="33" maxlength="105" autocomplete="off" autocorrect="off" autocapitalize="off" tabindex="1" />
+                <p class="msg idNull">We couldn't find that. Try again.</p>
+              </li>
+              <li id="containPass">
+                <label id="passwordLabel" for="passwordInput" class="password-label hint">Password</label>
+                <input id="passwordInput" class="" type="password" name="pf.pass" value="" size="33" maxlength="105" autocomplete="off" autocorrect="off" autocapitalize="off" tabindex="2" />
+              </li>
+              <input type="hidden" name="target" value="" />
+            </ul>
+            <!-- pass lookup values to/from ping -->
+            <input type="hidden" id="usertype" name="pf.userType" value="">
+            <input type="hidden" id="idpId" name="pf.idpId" value="">
+            <input type="hidden" id="isUserStale" name="pf.isUserStale" value="">
+            <input type="hidden" id="idpurl" name="pf.idpUrl" value="">
+            <input type="hidden" id="targetresource" name="pf.TargetResource" value="">
+            <input id="login-button" type="submit" name="login-button" value="Log in" tabindex="3" />
+            <span id="login-button-next" class="textholder">Next</span>
+            <span id="login-button-submit" class="textholder">Log in</span>
+            <input type="hidden" class="cancel" name="pf.cancel" value="" />
+          </form>
+          <div id="back-link"> <a href="">&lt; Back</a></div>
+          <div class="">
+            <aside id="register"></aside>
+          </div>
+        </article>
+      </div>
+      <div id="link-accounts-wrapper">
+      </div>
+      <div id="redirect-msg-wrapper">
+      </div>
+      <div id="create-cdc-wrapper">
+      </div>
+      <!-- pass lookup values to/from ping - post -->
+      <input type="hidden" id="link_idpurl" name="pf.idpUrl" value="">
+    </div>
+  </div>
+  <script type="text/javascript">
+    cdc = typeof cdc == "undefined" ? {} : cdc;
+    cdc.login = typeof cdc.login == "undefined" ? {} : cdc.login;
+    cdc.login.prefsObj = {
+      login_localize: true,
+      login_discovery: true
+    };
+  </script>
+  <script type="text/javascript" src="/etc/designs/cdc/clientlibs/responsive/js/login-federation.js"></script>
+</body>
+</html>
\ No newline at end of file
diff --git a/pkg/provider/pingntlm/exmaple/login2.html b/pkg/provider/pingntlm/exmaple/login2.html
new file mode 100644
index 000000000..8f9643b49
--- /dev/null
+++ b/pkg/provider/pingntlm/exmaple/login2.html
@@ -0,0 +1,158 @@
+<!DOCTYPE html>
+<html lang="en" dir="ltr">
+
+<head>
+    <title>Sign On</title>
+    <base href="https://id.example.com/">
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <meta name="viewport" content="initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no">
+    <meta http-equiv="x-ua-compatible" content="IE=edge">
+    <link rel="stylesheet" type="text/css" href="assets/css/main.css">
+</head>
+
+<body onload="setFocus()">
+
+    <div class="ping-container ping-signin">
+
+        <!-- 
+    if there is a logo present in the 'company-logo' container,
+    then 'has-logo' class should be added to 'ping-header' container.
+    -->
+        <div class="ping-header">
+            <span class="company-logo">
+                <!-- client company logo here -->
+            </span>
+            Sign On
+        </div>
+        <!-- .ping-header -->
+
+        <div class="ping-body-container">
+
+            <div>
+                <form method="POST" action="/idp/9ABjD/resumeSAML20/idp/startSSO.ping" autocomplete="off">
+                    <div class="ping-messages">
+
+
+
+                    </div>
+
+                    <div class="ping-input-label">
+                        Username
+                    </div>
+                    <div class="ping-input-container">
+                        <input id="username" type="text" size="36" name="pf.username" value="" autocorrect="off" autocapitalize="off" onkeypress="return postOnReturn(event)">
+                        <!---->
+                    </div>
+
+                    <div class="ping-input-label">
+                        Password
+                    </div>
+                    <div class="ping-input-container">
+                        <input id="password" type="password" size="36" name="pf.pass" onkeypress="return postOnReturn(event)">
+                    </div>
+
+
+                    <div class="ping-buttons">
+                        <input type="hidden" name="pf.ok" value="">
+                        <input type="hidden" name="pf.cancel" value="">
+
+                        <a onclick="postOk();" class="ping-button normal allow" title="Sign On">
+                            Sign On
+                        </a>
+                    </div>
+                    <!-- .ping-buttons -->
+
+                    <div class="ping-input-link ping-pass-change">
+                        <a href="/idp/9ABjD/resumeSAML20/idp/startSSO.ping?ChangePassword=true" class="password-change">Change Password?</a>
+                    </div>
+
+                    <input type="hidden" name="pf.adapterId" id="pf.adapterId" value="VersentForm">
+                </form>
+            </div>
+            <!-- .ping-body -->
+        </div>
+        <!-- .ping-body-container -->
+
+        <div class="ping-footer-container">
+            <div class="ping-footer">
+                <div class="ping-credits"></div>
+                <div class="ping-copyright">Copyright © 2003-2017. Ping Identity Corporation. All rights reserved.</div>
+            </div>
+            <!-- .ping-footer -->
+        </div>
+        <!-- .ping-footer-container -->
+
+    </div>
+    <!-- .ping-container -->
+
+    <script type="text/javascript">
+
+        function getForgotPasswordUrl() {
+            var base = "https://id.example.com/ext/pwdreset/Identify?referrer=https%3A%2F%2Fid.example.com%2Fidp%2F9ABjD%2FresumeSAML20%2Fidp%2FstartSSO.ping&adapterId=ExampleForm";
+            window.location.href = base;
+        }
+
+        function postOk() {
+            document.forms[0]['pf.ok'].value = 'clicked';
+            document.forms[0].submit();
+        }
+        function postCancel() {
+            document.forms[0]['pf.cancel'].value = 'clicked';
+            document.forms[0].submit();
+        }
+        function postOnReturn(e) {
+            var keycode;
+            if (window.event) keycode = window.event.keyCode;
+            else if (e) keycode = e.which;
+            else return true;
+
+            if (keycode == 13) {
+                document.forms[0].submit();
+                return false;
+            } else {
+                return true;
+            }
+        }
+        function setFocus() {
+            var platform = navigator.platform;
+            if (platform != null && platform.indexOf("iPhone") == -1) {
+                document.getElementById('username').focus();
+            }
+        }
+        function setMobile(mobile) {
+            var className = ' mobile',
+                hasClass = (bodyTag.className.indexOf(className) !== -1);
+
+            if (mobile && !hasClass) {
+                bodyTag.className += className;
+
+            } else if (!mobile && hasClass) {
+                bodyTag.className = bodyTag.className.replace(className, '');
+            }
+
+        }
+        function getScreenWidth() {
+            return (window.outerHeight) ? window.outerWidth : document.body.clientWidth;
+        }
+
+        var bodyTag = document.getElementsByTagName('body')[0],
+            width = getScreenWidth(),
+            remember = false && false;
+
+
+        if (/Android|webOS|iPhone|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
+            setMobile(true);
+        } else {
+            setMobile((width <= 480));
+            window.onresize = function () {
+                width = getScreenWidth();
+                setMobile((width <= 480));
+            }
+        }
+    </script>
+
+
+
+</body>
+
+</html>
\ No newline at end of file
diff --git a/pkg/provider/pingntlm/exmaple/otp.html b/pkg/provider/pingntlm/exmaple/otp.html
new file mode 100644
index 000000000..32f7d5656
--- /dev/null
+++ b/pkg/provider/pingntlm/exmaple/otp.html
@@ -0,0 +1,103 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <meta http-equiv="x-ua-compatible" content="IE=edge">
+  <title>PingID</title>
+  <link rel="stylesheet" href="/pingid/assets/css/main-v21.144.css" media="screen" title="no title" charset="utf-8">
+  <link rel="stylesheet" media="screen" type="text/css" href="/pingid/assets/css/jsdisabled.css" />
+  <script type="text/javascript" src="/pingid/assets/js/jquery-1.11.1.min.js"></script>
+  <script type="text/javascript" src="/pingid/assets/js/utils/ViewUtil.js"></script>
+  <script type="text/javascript" src="/pingid/assets/js/wizards/otp.js"></script>
+  <script type="text/javascript" src="/pingid/assets/js/utils/getAuthStatus.js"></script>
+  <script type="text/javascript" src="/pingid/assets/js/utils/selfsubmitinstantotp.js"></script>
+</head>
+<body>
+  <noscript>
+    <!DOCTYPE html>
+    <html>
+    <head>
+    	<title></title>
+    	<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    	<meta name = "format-detection" content = "telephone=no">
+    	<link rel="stylesheet" href="/pingid/assets/css/jsdisabled.css" media="screen" title="no title" charset="utf-8">
+    </head>
+    <body>
+        <div class="nojspage">
+                <div class="window error">
+                    <div class="content">
+                        <div class="status"></div>
+            			<div class="title-text">
+            			    Important
+                        </div>
+            	            <div class="error-text">
+            					<div class="text">
+            					    PingID requires Javascript to be enabled. If the problem persists, please contact your administrator.
+            					</div>
+            	            </div>
+                    </div>
+                </div>
+                <div class="footer">
+                    <div class="pingid_logo"></div>
+                    <div class="copyright">
+                        Copyright &copy; 2003-2018 Ping Identity Corporation. All rights reserved.
+                    </div>
+                </div>
+        </div>
+    </body>
+    </html>
+    <style type="text/css">
+  		.dialog { display:none; }
+  	</style>
+  </noscript>
+  <div class="dialog">
+    <div class="window settings">
+      <div class="error-message"></div>
+      <div class="content">
+        <h1>
+				Authentication
+			</h1>
+        <div class="success-message">
+          Authenticating with Desktop Mac
+        </div>
+        <p>
+          Enter the passcode displayed in PingID desktop.
+        </p>
+        <p></p>
+        <form id="otp-form" action="https://authenticator.pingone.com/pingid/ppm/auth/otp" method="post">
+          <input id="otp" name="otp" type="text" class="passcode-input" value="" maxlength="6" autocomplete="off" />
+          <input type="hidden" name="csrfToken" id="csrfToken" value="62919d71-34d1-40a0-942d-f346efad3eca" encode="false" />
+          <div class="call-again-link">
+            &nbsp;
+          </div>
+          <div class="buttons">
+            <a class="button" href="/pingid/ppm/devices">Change Device</a>
+            <input type="submit" value="Sign On" class="primary" disabled>
+          </div>
+        </form>
+      </div>
+    </div>
+    <div class="admin-message">Corporate MOTD</div>
+    <div class="footer">
+      <a class="button settings-btn" href="https://authenticator.pingone.com/pingid/ppm/settings">Settings</a>
+      <div class="logo"></div>
+      <div class="copyright">
+        Copyright &copy; 2003-2018 Ping Identity Corporation. All rights reserved.
+      </div>
+    </div>
+    <!-- Instant OTP response view -->
+    <form method="GET" action="" id="reponseView">
+      <input type="hidden" name="csrfToken" id="csrfToken" value="62919d71-34d1-40a0-942d-f346efad3eca" encode="false" />
+    </form>
+    <!-- Instant OTP error response view -->
+    <form method="GET" action="" id="errorReponseView">
+      <input type="hidden" name="csrfToken" id="csrfToken" value="62919d71-34d1-40a0-942d-f346efad3eca" encode="false" />
+    </form>
+    <div id="authModelSection">
+      <input type="hidden" name="isUseCodeAllowed" id="isUseCodeAllowed" value="false" encode="false" />
+      <input type="hidden" name="pollLink" id="pollLink" value="" encode="false" />
+    </div>
+  </div>
+</body>
+</html>
\ No newline at end of file
diff --git a/pkg/provider/pingntlm/exmaple/swipe.html b/pkg/provider/pingntlm/exmaple/swipe.html
new file mode 100644
index 000000000..27c5ddb43
--- /dev/null
+++ b/pkg/provider/pingntlm/exmaple/swipe.html
@@ -0,0 +1,98 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title></title>
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <meta name="format-detection" content="telephone=no">
+  <meta http-equiv="x-ua-compatible" content="IE=edge">
+  <link rel="stylesheet" href="/pingid/assets/css/main-v21.144.css" media="screen" title="no title" charset="utf-8">
+  <link rel="stylesheet" media="screen" type="text/css" href="/pingid/assets/css/jsdisabled.css" />
+  <script type="text/javascript" src="/pingid/assets/js/jquery-1.11.1.min.js"></script>
+  <script type="text/javascript" src="/pingid/assets/js/spin.js"></script>
+</head>
+<body>
+  <noscript>
+    <!DOCTYPE html>
+    <html>
+    <head>
+    	<title></title>
+    	<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    	<meta name = "format-detection" content = "telephone=no">
+    	<link rel="stylesheet" href="/pingid/assets/css/jsdisabled.css" media="screen" title="no title" charset="utf-8">
+    </head>
+    <body>
+        <div class="nojspage">
+                <div class="window error">
+                    <div class="content">
+                        <div class="status"></div>
+            			<div class="title-text">
+            			    Important
+                        </div>
+            	            <div class="error-text">
+            					<div class="text">
+            					    PingID requires Javascript to be enabled. If the problem persists, please contact your administrator.
+            					</div>
+            	            </div>
+                    </div>
+                </div>
+                <div class="footer">
+                    <div class="pingid_logo"></div>
+                    <div class="copyright">
+                        Copyright &copy; 2003-2018 Ping Identity Corporation. All rights reserved.
+                    </div>
+                </div>
+        </div>
+    </body>
+    </html>
+    <style type="text/css">
+			.dialog { display:none; }
+    </style>
+	</noscript>
+  <div class="dialog">
+    <div class="window authenticating">
+      <div class="content">
+        <div class="status">
+          <div id="spinner"></div>
+        </div>
+        <div class="text device">
+          Authenticating on
+          <div class="device-name">
+            iPhone X
+          </div>
+        </div>
+        <a class="button" href="/pingid/ppm/devices">Change Device</a>
+      </div>
+    </div>
+    <div class="admin-message">corporate motd</div>
+    <div class="footer">
+      <a class="button settings-btn" href="https://authenticator.pingone.com/pingid/ppm/settings">Settings</a>
+      <div class="logo"></div>
+      <div class="copyright">
+        Copyright &copy; 2003-2018 Ping Identity Corporation. All rights reserved.
+      </div>
+    </div>
+    <!-- This can be removed once Async FF is removed. -->
+    <form method="POST" action="https://authenticator.pingone.com/pingid/ppm/auth/status" id="form1">
+      <input type="hidden" name="csrfToken" id="csrfToken" value="abdb4264-6aab-4e1a-a830-63c9188e2395" encode="false" />
+      <noscript><input type="submit" value="Resume"/></noscript>
+    </form>
+    <form method="GET" action="https://authenticator.pingone.com/pingid/ppm/auth/response" id="reponseView">
+      <input type="hidden" name="csrfToken" id="csrfToken" value="abdb4264-6aab-4e1a-a830-63c9188e2395" encode="false" />
+      <input type="hidden" name="status" id="status" encode="false" />
+      <noscript><input type="submit" value="Resume"/></noscript>
+    </form>
+    <form method="GET" action="https://authenticator.pingone.com/pingid/ppm/auth/response" id="errorReponseView">
+      <input type="hidden" name="csrfToken" id="csrfToken" value="abdb4264-6aab-4e1a-a830-63c9188e2395" encode="false" />
+    </form>
+    <div id="authModelSection">
+      <input type="hidden" name="isAsync" id="isAsync" value="true" encode="false" />
+      <input type="hidden" name="actionLink" id="actionLink" value="https://authenticator.pingone.com/pingid/ppm/auth/status" encode="false" />
+      <input type="hidden" name="useCodeUrl" id="useCodeUrl" value="/pingid/ppm/auth/usecode" encode="false" />
+    </div>
+    <script type="text/javascript" src="/pingid/assets/js/utils/spinner.js"></script>
+    <script type="text/javascript" src="/pingid/assets/js/utils/getAuthStatus.js"></script>
+    <script type="text/javascript" src="/pingid/assets/js/utils/authenticationselfsubmit.js"></script>
+    <script type="text/javascript" src="/pingid/assets/js/utils/usecodesubmit.js"></script>
+  </div>
+</body>
+</html>
\ No newline at end of file
diff --git a/pkg/provider/pingntlm/exmaple/webauthn.html b/pkg/provider/pingntlm/exmaple/webauthn.html
new file mode 100644
index 000000000..3589e91be
--- /dev/null
+++ b/pkg/provider/pingntlm/exmaple/webauthn.html
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title></title>
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <meta name="format-detection" content="telephone=no" />
+  <meta http-equiv="x-ua-compatible" content="IE=edge" />
+  <link rel="stylesheet" href="/pingid/assets/css/main-v21.190.css" media="screen" title="no title" charset="utf-8" />
+  <link rel="stylesheet" media="screen" type="text/css" href="/pingid/assets/css/jsdisabled.css" />
+  <script type="text/javascript" src="/pingid/assets/js/jquery-1.11.1.min.js"></script>
+  <script type="text/javascript" src="/pingid/assets/js/spin.js"></script>
+</head>
+<body>
+  <noscript>
+    <!DOCTYPE html>
+    <html>
+    <head>
+      <title></title>
+      <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+      <meta name="format-detection" content="telephone=no">
+      <link rel="stylesheet" href="/pingid/assets/css/jsdisabled.css" media="screen" title="no title" charset="utf-8">
+    </head>
+    <body>
+      <div class="nojspage">
+        <div class="window error">
+          <div class="content">
+            <div class="status"></div>
+            <div class="title-text">
+              Important
+            </div>
+            <div class="error-text">
+              <div class="text">
+                PingID requires Javascript to be enabled. If the problem persists, please contact your administrator.
+              </div>
+            </div>
+          </div>
+        </div>
+        <div class="footer">
+          <div class="pingid_logo"></div>
+          <div class="copyright">
+            Copyright &copy; 2003-2019 Ping Identity Corporation. All rights reserved.
+          </div>
+        </div>
+      </div>
+    </body>
+    </html>
+    <style type="text/css">
+      .dialog {
+        display: none;
+      }
+    </style>
+  </noscript>
+
+
+  <div class="dialog">
+    <script type="text/javascript" src="/pingid/assets/js/utils/webauthn/webauthn.js"></script>
+    <form method="post" action="https://authenticator.pingone.com/pingid/ppm/auth" id="start-form">
+      <input type="hidden" name="isWebAuthnSupportedByBrowser" />
+    </form>
+    <script type="text/javascript" src="/pingid/assets/js/utils/startAuthSubmit.js"></script>
+  </div>
+</body>
+</html>
\ No newline at end of file
diff --git a/pkg/provider/pingntlm/pingntlm.go b/pkg/provider/pingntlm/pingntlm.go
new file mode 100644
index 000000000..12218919f
--- /dev/null
+++ b/pkg/provider/pingntlm/pingntlm.go
@@ -0,0 +1,308 @@
+package pingntlm
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/cookiejar"
+	"net/url"
+	"time"
+
+	"github.com/PuerkitoBio/goquery"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/tidwall/gjson"
+	"github.com/versent/saml2aws/v2/pkg/cfg"
+	"github.com/versent/saml2aws/v2/pkg/creds"
+	"github.com/versent/saml2aws/v2/pkg/page"
+	"github.com/versent/saml2aws/v2/pkg/prompter"
+	"github.com/versent/saml2aws/v2/pkg/provider"
+
+	"golang.org/x/net/publicsuffix"
+
+	"github.com/Azure/go-ntlmssp"
+)
+
+var logger = logrus.WithField("provider", "pingntlm")
+
+// Client wrapper around PingFed + PingId enabling authentication and retrieval of assertions with the
+// addition of NTLM
+type Client struct {
+	provider.ValidateBase
+
+	client     *http.Client
+	idpAccount *cfg.IDPAccount
+}
+
+// New create a new PingFed client
+func New(idpAccount *cfg.IDPAccount) (*Client, error) {
+
+	transport := &ntlmssp.Negotiator{
+		RoundTripper: &http.Transport{
+			Proxy:           http.ProxyFromEnvironment,
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: idpAccount.SkipVerify, Renegotiation: tls.RenegotiateFreelyAsClient},
+		},
+	}
+
+	jar, err := cookiejar.New(&cookiejar.Options{
+		PublicSuffixList: publicsuffix.List,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	client := &http.Client{
+		Transport: transport,
+		Jar:       jar,
+	}
+
+	// assign a response validator to ensure all responses are either success or a redirect
+	// this is to avoid have explicit checks for every single response
+	//client.CheckResponseStatus = provider.SuccessOrRedirectResponseValidator
+
+	return &Client{
+		client:     client,
+		idpAccount: idpAccount,
+	}, nil
+}
+
+type ctxKey string
+
+// Authenticate Authenticate to PingFed and return the data from the body of the SAML assertion.
+func (ac *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) {
+	ac.client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+		req.SetBasicAuth(loginDetails.Username, loginDetails.Password)
+		return nil
+	}
+
+	ac.client.Transport = ntlmssp.Negotiator{
+		RoundTripper: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		},
+	}
+
+	url := fmt.Sprintf("%s/idp/startSSO.ping?PartnerSpId=%s", loginDetails.URL, ac.idpAccount.AmazonWebservicesURN)
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return "", errors.Wrap(err, "error building request")
+	}
+
+	req.Header.Set("User-Agent", "Automation")
+	req.SetBasicAuth(loginDetails.Username, loginDetails.Password)
+
+	ctx := context.WithValue(context.Background(), ctxKey("login"), loginDetails)
+	return ac.follow(ctx, req)
+}
+
+func (ac *Client) follow(ctx context.Context, req *http.Request) (string, error) {
+	res, err := ac.client.Do(req)
+	if err != nil {
+		return "", errors.Wrap(err, "error following")
+	}
+
+	doc, err := goquery.NewDocumentFromReader(res.Body)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to build document from response")
+	}
+
+	var handler func(context.Context, *goquery.Document) (context.Context, *http.Request, error)
+
+	if docIsFormRedirectToAWS(doc) {
+		logger.WithField("type", "saml-response-to-aws").Debug("doc detect")
+		if samlResponse, ok := extractSAMLResponse(doc); ok {
+			decodedSamlResponse, err := base64.StdEncoding.DecodeString(samlResponse)
+			if err != nil {
+				return "", errors.Wrap(err, "failed to decode saml-response")
+			}
+			logger.WithField("type", "saml-response").WithField("saml-response", string(decodedSamlResponse)).Debug("doc detect")
+			return samlResponse, nil
+		}
+	} else if docIsFormSamlRequest(doc) {
+		logger.WithField("type", "saml-request").Debug("doc detect")
+		handler = ac.handleFormRedirect
+	} else if docIsFormResume(doc) {
+		logger.WithField("type", "resume").Debug("doc detect")
+		handler = ac.handleFormRedirect
+	} else if docIsFormSamlResponse(doc) {
+		logger.WithField("type", "saml-response").Debug("doc detect")
+		handler = ac.handleFormRedirect
+	} else if docIsLogin(doc) {
+		logger.WithField("type", "login").Debug("doc detect")
+		handler = ac.handleLogin
+	} else if docIsOTP(doc) {
+		logger.WithField("type", "otp").Debug("doc detect")
+		handler = ac.handleOTP
+	} else if docIsSwipe(doc) {
+		logger.WithField("type", "swipe").Debug("doc detect")
+		handler = ac.handleSwipe
+	} else if docIsFormRedirect(doc) {
+		logger.WithField("type", "form-redirect").Debug("doc detect")
+		handler = ac.handleFormRedirect
+	} else if docIsWebAuthn(doc) {
+		logger.WithField("type", "webauthn").Debug("doc detect")
+		handler = ac.handleWebAuthn
+	}
+	if handler == nil {
+		html, _ := doc.Selection.Html()
+		logger.WithField("doc", html).Debug("Unknown document type")
+		return "", fmt.Errorf("Unknown document type")
+	}
+
+	ctx, req, err = handler(ctx, doc)
+	if err != nil {
+		return "", err
+	}
+	return ac.follow(ctx, req)
+}
+
+func (ac *Client) handleLogin(ctx context.Context, doc *goquery.Document) (context.Context, *http.Request, error) {
+	loginDetails, ok := ctx.Value(ctxKey("login")).(*creds.LoginDetails)
+	if !ok {
+		return ctx, nil, fmt.Errorf("no context value for 'login'")
+	}
+
+	form, err := page.NewFormFromDocument(doc, "form")
+	if err != nil {
+		return ctx, nil, errors.Wrap(err, "error extracting login form")
+	}
+
+	form.Values.Set("pf.username", loginDetails.Username)
+	form.Values.Set("pf.pass", loginDetails.Password)
+	form.URL = makeAbsoluteURL(form.URL, loginDetails.URL)
+
+	req, err := form.BuildRequest()
+	return ctx, req, err
+}
+
+func (ac *Client) handleOTP(ctx context.Context, doc *goquery.Document) (context.Context, *http.Request, error) {
+	form, err := page.NewFormFromDocument(doc, "#otp-form")
+	if err != nil {
+		return ctx, nil, errors.Wrap(err, "error extracting OTP form")
+	}
+
+	token := prompter.StringRequired("Enter passcode")
+	form.Values.Set("otp", token)
+	req, err := form.BuildRequest()
+	return ctx, req, err
+}
+
+func (ac *Client) handleSwipe(ctx context.Context, doc *goquery.Document) (context.Context, *http.Request, error) {
+	form, err := page.NewFormFromDocument(doc, "#form1")
+	if err != nil {
+		return ctx, nil, errors.Wrap(err, "error extracting swipe status form")
+	}
+
+	// poll status. request must specifically be a GET
+	form.Method = "GET"
+	req, err := form.BuildRequest()
+	if err != nil {
+		return ctx, nil, err
+	}
+
+	for {
+		time.Sleep(3 * time.Second)
+
+		res, err := ac.client.Do(req)
+		if err != nil {
+			return ctx, nil, errors.Wrap(err, "error polling swipe status")
+		}
+
+		body, err := ioutil.ReadAll(res.Body)
+		if err != nil {
+			return ctx, nil, errors.Wrap(err, "error parsing body from swipe status response")
+		}
+
+		resp := string(body)
+
+		pingfedMFAStatusResponse := gjson.Get(resp, "status").String()
+
+		//ASYNC_AUTH_WAIT indicates we keep going
+		//OK indicates someone swiped
+		//DEVICE_CLAIM_TIMEOUT indicates nobody swiped
+		//otherwise loop forever?
+
+		if pingfedMFAStatusResponse == "OK" || pingfedMFAStatusResponse == "DEVICE_CLAIM_TIMEOUT" || pingfedMFAStatusResponse == "TIMEOUT" {
+			break
+		}
+	}
+
+	// now build a request for getting response of MFA
+	form, err = page.NewFormFromDocument(doc, "#reponseView")
+	if err != nil {
+		return ctx, nil, errors.Wrap(err, "error extracting swipe response form")
+	}
+	req, err = form.BuildRequest()
+	return ctx, req, err
+}
+
+func (ac *Client) handleFormRedirect(ctx context.Context, doc *goquery.Document) (context.Context, *http.Request, error) {
+	form, err := page.NewFormFromDocument(doc, "")
+	if err != nil {
+		return ctx, nil, errors.Wrap(err, "error extracting redirect form")
+	}
+	req, err := form.BuildRequest()
+	return ctx, req, err
+}
+
+func (ac *Client) handleWebAuthn(ctx context.Context, doc *goquery.Document) (context.Context, *http.Request, error) {
+	form, err := page.NewFormFromDocument(doc, "")
+	if err != nil {
+		return ctx, nil, errors.Wrap(err, "error extracting webauthn form")
+	}
+	form.Values.Set("isWebAuthnSupportedByBrowser", "false")
+	req, err := form.BuildRequest()
+	return ctx, req, err
+}
+
+func docIsLogin(doc *goquery.Document) bool {
+	return doc.Has("input[name=\"pf.pass\"]").Size() == 1
+}
+
+func docIsOTP(doc *goquery.Document) bool {
+	return doc.Has("form#otp-form").Size() == 1
+}
+
+func docIsSwipe(doc *goquery.Document) bool {
+	return doc.Has("form#form1").Size() == 1 && doc.Has("form#reponseView").Size() == 1
+}
+
+func docIsFormRedirect(doc *goquery.Document) bool {
+	return doc.Has("input[name=\"ppm_request\"]").Size() == 1
+}
+
+func docIsWebAuthn(doc *goquery.Document) bool {
+	return doc.Has("input[name=\"isWebAuthnSupportedByBrowser\"]").Size() == 1
+}
+
+func docIsFormSamlRequest(doc *goquery.Document) bool {
+	return doc.Find("input[name=\"SAMLRequest\"]").Size() == 1
+}
+
+func docIsFormSamlResponse(doc *goquery.Document) bool {
+	return doc.Find("input[name=\"SAMLResponse\"]").Size() == 1
+}
+
+func docIsFormResume(doc *goquery.Document) bool {
+	return doc.Find("input[name=\"RelayState\"]").Size() == 1
+}
+
+func docIsFormRedirectToAWS(doc *goquery.Document) bool {
+	return doc.Find("form[action=\"https://signin.aws.amazon.com/saml\"]").Size() == 1
+}
+
+func extractSAMLResponse(doc *goquery.Document) (v string, ok bool) {
+	return doc.Find("input[name=\"SAMLResponse\"]").Attr("value")
+}
+
+// ensures given url is an absolute URL. if not, it will be combined with the base URL
+func makeAbsoluteURL(v string, base string) string {
+	if u, err := url.ParseRequestURI(v); err == nil && !u.IsAbs() {
+		return fmt.Sprintf("%s%s", base, v)
+	}
+	return v
+}
diff --git a/pkg/provider/pingntlm/pingntlm_test.go b/pkg/provider/pingntlm/pingntlm_test.go
new file mode 100644
index 000000000..a30d5050e
--- /dev/null
+++ b/pkg/provider/pingntlm/pingntlm_test.go
@@ -0,0 +1,151 @@
+package pingntlm
+
+import (
+	"bytes"
+	"context"
+	"io/ioutil"
+	"testing"
+
+	"github.com/PuerkitoBio/goquery"
+	"github.com/stretchr/testify/require"
+	"github.com/versent/saml2aws/v2/mocks"
+	"github.com/versent/saml2aws/v2/pkg/creds"
+	"github.com/versent/saml2aws/v2/pkg/prompter"
+)
+
+func TestMakeAbsoluteURL(t *testing.T) {
+	require.Equal(t, makeAbsoluteURL("/a", "https://example.com"), "https://example.com/a")
+	require.Equal(t, makeAbsoluteURL("https://foo.com/a/b", "https://bar.com"), "https://foo.com/a/b")
+}
+
+var docTests = []struct {
+	fn       func(*goquery.Document) bool
+	file     string
+	expected bool
+}{
+	{docIsLogin, "example/login.html", true},
+	{docIsLogin, "example/login2.html", true},
+	{docIsLogin, "example/otp.html", false},
+	{docIsLogin, "example/swipe.html", false},
+	{docIsLogin, "example/form-redirect.html", false},
+	{docIsLogin, "example/webauthn.html", false},
+	{docIsOTP, "example/login.html", false},
+	{docIsOTP, "example/otp.html", true},
+	{docIsOTP, "example/swipe.html", false},
+	{docIsOTP, "example/form-redirect.html", false},
+	{docIsOTP, "example/webauthn.html", false},
+	{docIsSwipe, "example/login.html", false},
+	{docIsSwipe, "example/otp.html", false},
+	{docIsSwipe, "example/swipe.html", true},
+	{docIsSwipe, "example/form-redirect.html", false},
+	{docIsSwipe, "example/webauthn.html", false},
+	{docIsFormRedirect, "example/login.html", false},
+	{docIsFormRedirect, "example/otp.html", false},
+	{docIsFormRedirect, "example/swipe.html", false},
+	{docIsFormRedirect, "example/form-redirect.html", true},
+	{docIsFormRedirect, "example/webauthn.html", false},
+	{docIsWebAuthn, "example/login.html", false},
+	{docIsWebAuthn, "example/otp.html", false},
+	{docIsWebAuthn, "example/swipe.html", false},
+	{docIsWebAuthn, "example/form-redirect.html", false},
+	{docIsWebAuthn, "example/webauthn.html", true},
+}
+
+func TestDocTypes(t *testing.T) {
+	for _, tt := range docTests {
+		data, err := ioutil.ReadFile(tt.file)
+		require.Nil(t, err)
+
+		doc, err := goquery.NewDocumentFromReader(bytes.NewReader(data))
+		require.Nil(t, err)
+
+		if tt.fn(doc) != tt.expected {
+			t.Errorf("expect doc check of %v to be %v", tt.file, tt.expected)
+		}
+	}
+}
+
+func TestHandleLogin(t *testing.T) {
+	ac := Client{}
+	loginDetails := creds.LoginDetails{
+		Username: "fdsa",
+		Password: "secret",
+		URL:      "https://example.com/foo",
+	}
+	ctx := context.WithValue(context.Background(), ctxKey("login"), &loginDetails)
+
+	data, err := ioutil.ReadFile("example/login.html")
+	require.Nil(t, err)
+
+	doc, err := goquery.NewDocumentFromReader(bytes.NewReader(data))
+	require.Nil(t, err)
+
+	ctx, req, err := ac.handleLogin(ctx, doc)
+	require.Nil(t, err)
+
+	b, err := ioutil.ReadAll(req.Body)
+	require.Nil(t, err)
+
+	s := string(b[:])
+	require.Contains(t, s, "pf.username=fdsa")
+	require.Contains(t, s, "pf.pass=secret")
+}
+
+func TestHandleOTP(t *testing.T) {
+	pr := &mocks.Prompter{}
+	prompter.SetPrompter(pr)
+	pr.Mock.On("StringRequired", "Enter passcode").Return("5309")
+
+	data, err := ioutil.ReadFile("example/otp.html")
+	require.Nil(t, err)
+
+	doc, err := goquery.NewDocumentFromReader(bytes.NewReader(data))
+	require.Nil(t, err)
+
+	ac := Client{}
+	_, req, err := ac.handleOTP(context.Background(), doc)
+	require.Nil(t, err)
+
+	b, err := ioutil.ReadAll(req.Body)
+	require.Nil(t, err)
+
+	s := string(b[:])
+	require.Contains(t, s, "otp=5309")
+}
+
+func TestHandleFormRedirect(t *testing.T) {
+	data, err := ioutil.ReadFile("example/form-redirect.html")
+	require.Nil(t, err)
+
+	doc, err := goquery.NewDocumentFromReader(bytes.NewReader(data))
+	require.Nil(t, err)
+
+	ac := Client{}
+	_, req, err := ac.handleFormRedirect(context.Background(), doc)
+	require.Nil(t, err)
+
+	b, err := ioutil.ReadAll(req.Body)
+	require.Nil(t, err)
+
+	s := string(b[:])
+	require.Contains(t, s, "ppm_request=secret")
+	require.Contains(t, s, "idp_account_id=some-uuid")
+}
+
+func TestHandleWebAuthn(t *testing.T) {
+	data, err := ioutil.ReadFile("example/webauthn.html")
+	require.Nil(t, err)
+
+	doc, err := goquery.NewDocumentFromReader(bytes.NewReader(data))
+	require.Nil(t, err)
+
+	ac := Client{}
+	_, req, err := ac.handleWebAuthn(context.Background(), doc)
+	require.Nil(t, err)
+
+	b, err := ioutil.ReadAll(req.Body)
+	require.Nil(t, err)
+
+	s := string(b[:])
+	require.Contains(t, s, "isWebAuthnSupportedByBrowser=false")
+}
diff --git a/saml2aws.go b/saml2aws.go
index 010c42aca..466108050 100644
--- a/saml2aws.go
+++ b/saml2aws.go
@@ -20,6 +20,7 @@ import (
 	"github.com/versent/saml2aws/v2/pkg/provider/okta"
 	"github.com/versent/saml2aws/v2/pkg/provider/onelogin"
 	"github.com/versent/saml2aws/v2/pkg/provider/pingfed"
+	"github.com/versent/saml2aws/v2/pkg/provider/pingntlm"
 	"github.com/versent/saml2aws/v2/pkg/provider/pingone"
 	"github.com/versent/saml2aws/v2/pkg/provider/shell"
 	"github.com/versent/saml2aws/v2/pkg/provider/shibboleth"
@@ -114,6 +115,11 @@ func NewSAMLClient(idpAccount *cfg.IDPAccount) (SAMLClient, error) {
 			return nil, fmt.Errorf("Invalid MFA type: %v for %v provider", idpAccount.MFA, idpAccount.Provider)
 		}
 		return pingfed.New(idpAccount)
+	case "PingNTLM":
+		if invalidMFA(idpAccount.Provider, idpAccount.MFA) {
+			return nil, fmt.Errorf("Invalid MFA type: %v for %v provider", idpAccount.MFA, idpAccount.Provider)
+		}
+		return pingntlm.New(idpAccount)
 	case "PingOne":
 		if invalidMFA(idpAccount.Provider, idpAccount.MFA) {
 			return nil, fmt.Errorf("Invalid MFA type: %v for %v provider", idpAccount.MFA, idpAccount.Provider)