Authenticating WebLogic Admin Console with SAML 2.0 and PingID

by Lisa

April 22, 2025

Log into your console. Navigate to “Security Realms” and click on your admin console’s realm – here “myrealm”

From the first row of tabs, select “Providers”. On the second row of tabs, ensure you are on “Authentication”. Click “New” to create a new identity asserter.

Provide a name – here, it is called SAML_IA – and ensure the type is “SAML2IdentityAsserter”

Click OK to create the item. Then click the “New” button again to create a new SAML Authenticator

Restart the WebLogic server, then navigate to “Environment” => “Servers” and select the AdminServer

On the first row of tabs, select “Configuration”, on the second row of tabs, select “Federation Servies”, and on the third row of tabs select “SAML 2.0 General”

The published site URL will be your WebLogic host base followed by /saml2

Provide a unique entity ID that needs to match up with what we configure in PingID. Here, I used “LJRWebLogic”

Save the changes and then use the “Publish Metadata” button to save a metadata file that I will use with PingID. You will be saving an XML file

Now select the “SAML 2.0 Service Provider” tab on the third row of tabs. Click “Enabled” to enable the service provider. POST binding should be enabled, but we do not need Artifact binding enabled. Click “Save” to save the changes.

Navigate back to “Security Realms” and select your realm. On the first row of tabs, select “Providers”; on the second row of tabs, select “Authentication”. Click the hyperlink for “SAML_IA”

Click the “Management” tab

You will be provided a metadata file from PingID. Place that somewhere on your server (I used /tmp). Click “New” and then select “New Web Single Sign-On Identity Provider Partner”

Navigate to the metadata file and select it. Provide a name for the identity provider – here, I used PingID. Cilck “OK” to import the PingID details.

Click on the new entry to configure it

Click “Enabled” to enable the Identity Provider. The redirect URIs should be /console/*

Finally, on the WebLogic Server Admin Console, navigate to the domain name -> [Configuration] -> [General] and expand the [Advanced] link

Update cookie name in WLS admin console to be JSESSIONID.

Save the changes and restart the WebLogic server. Navigating to the console, here https://docker.rushworth.us:7001/console, will direct the user to PingID for authentication and then redirect the user’s browser back to the WebLogic server. Looking in the upper right corner of the screen, they will see they are logged in with their directory ID.

Note: You can still access the local authentication dialog by navigating directly to console/login/LoginForm.jsp – e.g. http://docker.rushworth.us:7001/console/login/LoginForm.jsp — but the “normal” URL will redirect users to PingID

Note Also: There needs to be some step here to map PingID users to a role in WebLogic

Failing to do so, you will complete the PingID authentication but be denied access to the WebLogic Admin Console:

Enabling SSL on the WebLogic Server Administration Console

by Lisa

April 21, 2025

Prior to enabling SAML authentication, please ensure your WebLogic Admin Console is using SSL. You will need a JKS keystore with your public/private key pair.

If you have a base64 encoded public/private key pair, create a JKS file as follows:

openssl pkcs12 -export -out docker.p12 -inkey docker.rushworth.us.key -in docker.rushworth.us.cer -name docker_rushworth_us -password pass:IChangedIt

keytool -importkeystore -srckeystore docker.p12 -srcstoretype PKCS12 -destkeystore docker.jks -deststoretype JKS -deststorepass IChangedIt -srcstorepass IChangedIt

List the keystore contents to confirm your certificate is present using:

keytool -list -keystore docker.jks -storepass IChangedIt

The certificate’s alias will be needed to configure SSL on the console. In this example, my certificate’s alias is docker_rushworth_us

Once there is a JKS file with your keypair located on the server, configure WebLogic to use it. On the WebLogic Admin Console, navigate to [domain]->Environment->Servers and select the system you want to configure. Here, AdminServer(admin)

On the “Configuration” tab, select the “General” sub-tab. Check the box for “SSL Listen Port Enabled” and supply a port number.

On the Keystores sub-tab, click “Change” to change the keystore being used.

Select “Custom Identity and Java Standard Trust”. Enter the path to your JKS file. The keystore type is jks. Enter and confirm the password you used to create the keystore. Enter the password for the cacerts file (java default is changeit)

On the SSL sub-tab, input the alias of the certificate. Also enter and confirm the key passphrase.

The Third Term

by Lisa

March 30, 2025

I keep hearing “jokes” (and now more serious statements) about Trump’s third term & how they’ve got ways to achieve it … I think there are:

Run as VP – I’m sure they’d call it something else to avoid “insulting” dude, but this has the advantage of all the campaigning and fund raising fun. Pres steps down, VP assumes presidency. Wasn’t elected as president, and I’m sure there would be a lot of legal challenges to clarify the generally accepted belief that a former president cannot be VP. But it’s going to end up as a court decision.
Get voted in as speaker of the house – risks not winning the house, but you were absolutely not elected to the office of president. And I don’t see anything in the constitution or law that explicitly states a two term president cannot be in the line of succession.
Have a cohort run on the “I do what he tells me to” platform. I’ve long thought we could start to move away from representative democracy to technology-facilitated direct democracy by having candidates run on the platform of a platform that allows constituents to vote on every bill. I, your so-called representative, will vote in whatever way the voters say to vote. There’s no law about how elected officials make decisions – both taking input from direct voting of the masses or just doing whatever the cannot-run-for-office-again former president says are your decision.

Now, if I were trying to be a three-term president, I might combine #3 with being elected as speaker of the house. Now I control two branches of the government — legislation isn’t coming to the floor unless I OK it, and I tell the acting president to sign it.

Maple Syrup – Second Boil

by Lisa

March 28, 2025

We had another week of overnight freezes that extended the maple season – got about 40 gallons of maple sap and 10 gallons of walnut sap. We boiled it all in a single day, and finished it this morning. We added another 3/4 of a gallon of maple syrup and a little over a pint of walnut syrup. Half of the buckets have been collected. We’ve got more buckets, taps, and ratchet straps to collect … but maple season is over for 2025.

Farmhouse Cleanup

by Lisa

March 27, 2025

A lot of work to do, but we’re making progress cleaning up the farmhouse.

Strawberries

by Lisa

March 20, 2025

I got the strawberry plants going in the greenhouse — we’ve got a few more weeks with overnight freezes, but hopefully they will be cozy in here.

Purple Crocus

by Lisa

March 16, 2025

The purple crocus flowers have finally bloomed

Maple Syrup and Black Walnut Syrup – First Batch

by Lisa

March 15, 2025

We finished boiling the sap today — three gallons of maple syrup and about half a gallon of black walnut syrup.

Daffodils Sprouting

by Lisa

March 15, 2025

I remember hearing that maple sap should be running when the daffodils sprout … I guess our daffodils were late this year. The daffodils we planted along the driveway are sprouting up, and we found new daffodils at the farm house.

Still collecting sap

by Lisa

March 14, 2025