One of the most frequent issues with the WebLogic SAML 2.0 Identity Asserter is that the Identity Provider metadata used to register the WebSSO partner contains an expired certificate.
I got a request to find out how to check the SAML 2.0 Identity Asserter WebSSO partner metadata using WLST.

The script below looks for an authentication provider having the word IDP in its name and checks the WebSSO partner metadata for the Not After validity date of the SSO signing certificate.
In this specific case, there is only one WebSSO partner registered in the WebLogic SAML 2.0 Identity Asserter.

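def getValidityDateForIDP() :
  # Return the Not After date of the SSO signing certificate of the first
  # WebSSO partner of the authentication provider whose name contains 'IDP'.
  cd('/')
  # Suppress the ls() console output while the provider list is read
  redirect('/dev/null','false')
  AuthList = ls('/SecurityConfiguration/' + domainName + '/DefaultRealm/myrealm/AuthenticationProviders')
  stopRedirect()
  # split() without arguments also splits on the newlines of the ls() listing
  for x in AuthList.split() :
    # find() returns 0 when the name starts with 'IDP' and -1 when it is absent
    if ( x.find('IDP') >= 0 ) :
      atnr = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider(x)
      cursor = atnr.listIdPPartners('*',2)
      webSSOPartner = atnr.getCurrentName(cursor)
      IdpPartner = atnr.getIdPPartner(webSSOPartner)
      Validitydate = IdpPartner.getSSOSigningCert().getNotAfter()
      # Release the partner list cursor before returning
      atnr.close(cursor)
      return Validitydate
  # No matching authentication provider was found
  return None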

This WLST script should be included in the monitoring tool so that Single Sign-On does not stop working because of an expired SSO signing certificate.
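For the monitoring use described above, the following added example (not part of the original post) generalizes the script to every registered WebSSO partner and turns each Not After date into a status. The function names, the 30-day warning threshold, the `max_partners` limit and the status labels are assumptions made for this example; the MBean calls are the ones used in the script plus the cursor methods `haveCurrent`, `advance` and `close`.

```python
# Added example, not from the original post. Works in WLST (Jython) and Python.
DAY_MS = 24 * 60 * 60 * 1000

def check_idp_partner_certs(atnr, now_ms, warn_days=30, max_partners=100):
    """Return [(partner, status, days_left)] for each WebSSO IdP partner.

    atnr: SAML 2.0 Identity Asserter MBean; now_ms: epoch milliseconds.
    warn_days and max_partners are values assumed for this example.
    """
    results = []
    cursor = atnr.listIdPPartners('*', max_partners)
    try:
        # Walk the whole cursor instead of reading only the first partner.
        while atnr.haveCurrent(cursor):
            name = atnr.getCurrentName(cursor)
            cert = atnr.getIdPPartner(name).getSSOSigningCert()
            if cert is None:
                # Partner metadata carried no signing certificate.
                results.append((name, 'NO_CERT', None))
            else:
                # java.util.Date.getTime() is epoch milliseconds.
                left_ms = cert.getNotAfter().getTime() - now_ms
                days_left = left_ms // DAY_MS  # floor: expired gives negative
                if left_ms <= 0:
                    status = 'CRITICAL'
                elif days_left < warn_days:
                    status = 'WARNING'
                else:
                    status = 'OK'
                results.append((name, status, days_left))
            atnr.advance(cursor)
    finally:
        atnr.close(cursor)  # always release the cursor
    return results

def overall_status(results):
    """Collapse per-partner results into the single worst status."""
    order = ['OK', 'WARNING', 'NO_CERT', 'CRITICAL']
    worst = 'OK'
    for (name, status, days_left) in results:
        if order.index(status) > order.index(worst):
            worst = status
    return worst
```

In WLST, pass the provider returned by `lookupAuthenticationProvider` as `atnr` and `java.lang.System.currentTimeMillis()` as `now_ms`.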