Infrastructure at your Service

Pascal Brand

How to check the WebLogic SAML 2.0 Identity Provider WebSSO partner SSO signing certificate

One of the most frequent issues with the WebLogic SAML 2.0 Identity Asserter is that the Identity Provider metadata used to register the WebSSO partner contains an expired certificate.
I was asked to find out how to check the SAML 2.0 Identity Asserter WebSSO partner metadata using WLST.

The script below looks for an authentication provider with the word IDP in its name and reads the "not after" validity date of the SSO signing certificate from its WebSSO partner metadata.
In this specific case, there is only one WebSSO partner registered in the WebLogic SAML 2.0 Identity Asserter.

def getValidityDateForIDP() :
  cd('/')
  # Silence the ls() listing; only its returned string is needed
  redirect('/dev/null','false')
  AuthList = ls('/SecurityConfiguration/' + domainName + '/DefaultRealm/myrealm/AuthenticationProviders')
  stopRedirect()
  # split() on any whitespace so newlines in the listing do not stick to provider names
  for x in AuthList.split() :
    # find() returns -1 when absent; >= 0 also matches names that start with IDP
    if ( x.find('IDP') >= 0 ) :
      atnr = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider(x)
      # Cursor over the registered IdP partners; a single partner is expected here
      cursor = atnr.listIdPPartners('*',2)
      webSSOPartner = atnr.getCurrentName(cursor)
      atnr.close(cursor)
      IdpPartner = atnr.getIdPPartner(webSSOPartner)
      # notAfter of the partner's SSO signing certificate (java.util.Date)
      Validitydate = IdpPartner.getSSOSigningCert().getNotAfter()
      return Validitydate
  # No provider with IDP in its name was found
  return None

This WLST script should be included in the monitoring tool so that Single Sign-On does not stop working once this SSO signing certificate expires.
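As an added example (not code from the original post), the script below generalizes the check to every WebSSO IdP partner of every matching asserter and turns the "not after" date into a monitoring status; the Nagios-style status codes, the warnDays threshold and the function names are assumptions, while the WLST built-ins and the cursor methods haveCurrent/advance/close are only touched inside checkIdpPartners(), so the pure helper can be exercised outside WLST.

```python
# Added example, not the original post's script. Assumed conventions: Nagois-style
# return codes and a 30-day warning window. WLST names (cd, ls, cmo, domainName,
# redirect, stopRedirect) exist only when run inside WLST.
import time

OK, WARNING, CRITICAL = 0, 1, 2   # assumed monitoring return codes

def classifyNotAfter(notAfterEpochSec, nowEpochSec, warnDays=30):
    """Return (status, daysLeft) for a certificate expiring at notAfterEpochSec."""
    daysLeft = (notAfterEpochSec - nowEpochSec) / 86400.0
    if daysLeft <= 0:
        return CRITICAL, daysLeft          # already expired: SSO assertions will be rejected
    if daysLeft <= warnDays:
        return WARNING, daysLeft           # time to ask the IdP for fresh metadata
    return OK, daysLeft

def checkIdpPartners(providerKeyword='IDP', warnDays=30):
    """WLST only: worst status over all IdP partners of every matching asserter."""
    cd('/')
    redirect('/dev/null', 'false')        # keep the ls() listing out of the output
    authList = ls('/SecurityConfiguration/' + domainName + '/DefaultRealm/myrealm/AuthenticationProviders')
    stopRedirect()
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    results = []                           # (provider, partner, status, daysLeft)
    for name in authList.split():
        if name.find(providerKeyword) < 0:
            continue
        atnr = realm.lookupAuthenticationProvider(name)
        cursor = atnr.listIdPPartners('*', 100)   # cursor over all partners, not just one
        while atnr.haveCurrent(cursor):
            partnerName = atnr.getCurrentName(cursor)
            cert = atnr.getIdPPartner(partnerName).getSSOSigningCert()
            if cert is None:
                # No signing certificate in the partner metadata: signed assertions cannot be verified
                results.append((name, partnerName, CRITICAL, None))
            else:
                notAfter = cert.getNotAfter().getTime() / 1000   # java.util.Date -> epoch seconds
                status, days = classifyNotAfter(notAfter, time.time(), warnDays)
                results.append((name, partnerName, status, days))
            atnr.advance(cursor)
        atnr.close(cursor)
    worst = max([r[2] for r in results] + [OK])
    return worst, results
```

The monitoring tool runs checkIdpPartners() through WLST and uses the first element of the returned tuple as the check result, with the list giving the partner and the days left for each certificate.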

Pascal Brand

Senior Consultant & Middleware Technology Leader