Introduction
In this article, you will understand how to use Azure Active Directory to give Java apps running on WebLogic Server enterprise-grade end-user authentication and authorization.
Migration context
Consider the following when migrating on-premises WLS installations to Azure with Azure AD.
If you already have an Azure AD tenant but have not exposed Domain Services via LDAP, this article shows how to enable the LDAP capability and integrate it with WLS.
Consider using Azure AD to develop a hybrid identity solution if your situation incorporates an on-premises Active Directory forest. Consult the Hybrid identity documents for more details.
Compare Azure Active Directory, self-managed Active Directory Domain Services, and managed Azure Active Directory Domain Services to learn about migration options if you already have on-premises Active Directory Domain Services (AD DS) setup.
If you are optimizing for the cloud, this guide shows how to start fresh with Azure AD DS LDAP and WLS.
Visit Migrate WebLogic Server applications to Azure Virtual Machines for a thorough overview of the migration process for WebLogic Server.
Azure Active Directory configuration
This section outlines the entire process of setting up an Azure AD DS instance and coupling it with WLS. Azure Active Directory does not natively support the Lightweight Directory Access Protocol (LDAP) or Secure LDAP. Instead, that support is provided by an Azure Active Directory Domain Services (Azure AD DS) instance within your Azure AD tenant.
Create an Azure AD Domain Services managed domain
Create and configure an Azure Active Directory Domain Services managed domain and enable user accounts for Azure AD DS. In the context of this tutorial, the user-account portion needs specific handling, as detailed in the next section. Make sure you carry out the DNS procedures completely and accurately.
Create users and reset passwords
This section covers creating users and resetting their passwords so that the users propagate correctly to LDAP.
Make sure that the directory corresponding to the Azure AD tenant is the active one in the Azure portal. See add an Azure subscription to your Azure AD tenant for how to choose the appropriate directory. If the wrong directory is chosen, you either won't be able to create users or you'll create them in the wrong directory.
Enter "Users" in the search box at the top of the Azure interface.
Choose New user.
Ensure that Create user is chosen.
Give your user name, first name, and last name the appropriate values. Keep the default settings for the remaining fields.
Choose Create.
In the table, choose the recently created user.
Choose Password Reset.
Select Reset Password from the screen that displays.
Record the temporary password somewhere.
In an "incognito" browser window, visit the Azure portal and sign in with the user's username and the temporary password.
When prompted, change the password. Write down the new password; you'll use it later.
Log out and close the "incognito" window.
For each user you want to enable, repeat the steps from "Choose New user" to "Log out and close."
Allow LDAP in Azure AD DS
To ensure that the LDAP test queries succeed, take the following steps.
Visit the Azure AD Domain Services instance overview page in the portal.
Select Properties from the Settings section.
Scroll down to the Admin group on the right side of the page. There should be a link to AAD DC Administrators under this heading. Choose that link.
Select Members from the Manage menu.
Choose Add members.
Enter a few characters in the Search text box to find one of the users you created in the previous step.
After choosing the user, click the Select button.
Steps in the Test queries to the managed domain section must be carried out using this user.
Under Configure DNS zone for external access, note the Secure LDAP external IP address value. You'll use it later.
If the Secure LDAP external IP address value is not readily visible, use these steps to obtain it.
Locate the resource group that houses the Azure AD Domain Services resource on the portal.
Select the public IP resource for the Azure AD Domain Services from the list of resources, as shown in the illustration below. Most likely, the public IP will begin with aads.
The label IP address is displayed next to the public IP.
Disable weak TLS v1
Azure Active Directory Domain Services (Azure AD DS) enables TLS v1 by default. TLS v1 is regarded as weak and is not supported in WebLogic Server 14 and later, so it is not recommended.
This section shows how to disable TLS v1.
First, obtain the resource ID of the LDAP-enabled Azure AD DS instance. The example below retrieves the ID of an Azure AD DS instance called aaddscontoso.com in a resource group called aadds-rg, then disables TLS v1 on it.
AADDS_ID=$(az resource show --resource-group aadds-rg --resource-type "Microsoft.AAD/DomainServices" --name aaddscontoso.com --query "id" --output tsv)
az resource update --ids $AADDS_ID --set properties.domainSecuritySettings.tlsV1=Disabled
WLS Configuration
You can choose to have any of the Oracle WebLogic Server Azure Applications connect to an existing LDAP server automatically at deployment time. Alternatively, you can use the Active Directory integration subtemplate later to configure the LDAP connection; Appendix A of the official documentation describes this approach. In either case, the ARM template must be given the required parameter values.
Integrating Azure AD DS LDAP with WLS
With Azure AD DS LDAP deployed and the parameters above collected, you can now start the configuration. There are two ways to complete this procedure.
During WLS deployment
Go to Oracle WebLogic Server Azure Applications and choose either the admin offer or the cluster offer. Azure Active Directory is one of the tabs shown during the offer's deployment. Set Connect to Azure Active Directory to Yes and fill in the values using the data gathered in the previous section. You must upload the certificate's .cer file directly.
After WLS deployment
If you didn't set Connect to Azure Active Directory to Yes at deployment time, you can use the values gathered in the previous step to complete the setup afterwards.
Validate the deployment
After deploying WLS and configuring LDAP using one of the two ways described above, perform the following steps to verify that the integration was successful.
Open the WLS Admin console.
Expand the tree in the left navigator and choose Security Realms -> myrealm -> Providers.
If the integration was successful, you will find the Azure AD provider, for example AzureActiveDirectoryProvider.
Expand the tree in the left navigator and choose Security Realms -> myrealm -> Users and Groups.
If the integration worked, users from the Azure AD provider should be visible.
Lock down and secure LDAP access over the internet
When setting up secure LDAP in the earlier steps, the source of the AllowLDAPS rule in the network security group was set to Any. Now that WLS is deployed and connected to LDAP, get the public IP address of the WLS Admin Server from the Azure portal. Then go back to Lock down secure LDAP access over the internet and change Any to the exact IP address of the WLS Admin Server.
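The two hardening steps above, disabling TLS v1 and narrowing the AllowLDAPS source, are easy to forget after a migration. The following audit, added here as an example and not part of the original article or of Microsoft's tooling, checks both from the JSON that az resource show and az network nsg rule show would return; the sample records are constructed, and the field names sourceAddressPrefix, sourceAddressPrefixes, destinationPortRange, direction and access are assumed from the Azure network security rule schema.

```python
import json

# Constructed sample records shaped like `az resource show` output for the
# Azure AD DS instance and `az network nsg rule show` output for the AllowLDAPS
# rule. Field names are assumed from the Azure REST schema; the values are made
# up here and were not captured from a real tenant.
AADDS_JSON = ('{"name": "aaddscontoso.com", '
              '"properties": {"domainSecuritySettings": {"tlsV1": "Enabled"}}}')
NSG_RULE_JSON = ('{"name": "AllowLDAPS", "access": "Allow", "direction": "Inbound", '
                 '"protocol": "Tcp", "sourceAddressPrefix": "*", '
                 '"destinationPortRange": "636"}')


def audit_tls_v1(aadds_json):
    """Return a finding if TLS v1 is still enabled on the managed domain, else None."""
    settings = json.loads(aadds_json)["properties"].get("domainSecuritySettings", {})
    tls_v1 = settings.get("tlsV1", "Enabled")  # Azure AD DS enables it by default
    if tls_v1 != "Disabled":
        return "tlsV1 is %s; set properties.domainSecuritySettings.tlsV1=Disabled" % tls_v1
    return None


def audit_ldaps_rule(rule_json, admin_server_ip):
    """Return a finding if the inbound LDAPS (636) allow rule admits any source
    other than the WLS Admin Server, else None. The portal's "Any" is "*" here."""
    rule = json.loads(rule_json)
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return None  # only inbound allow rules can expose port 636
    if rule.get("destinationPortRange") != "636":
        return None
    # A rule may carry one prefix or a list of prefixes; collect both forms.
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    allowed = {admin_server_ip, admin_server_ip + "/32"}
    bad = [p for p in prefixes if p not in allowed]
    if bad:
        return "rule %s allows LDAPS from %s; restrict the source to %s" % (
            rule.get("name"), ", ".join(bad), admin_server_ip)
    return None


def audit(aadds_json, rule_json, admin_server_ip):
    """Collect both findings; an empty list means both hardening steps are done."""
    return [f for f in (audit_tls_v1(aadds_json),
                        audit_ldaps_rule(rule_json, admin_server_ip)) if f]


if __name__ == "__main__":
    for finding in audit(AADDS_JSON, NSG_RULE_JSON, "203.0.113.10"):
        print("FINDING:", finding)
```

Against live output, feed the script the JSON from az resource show --ids $AADDS_ID and from az network nsg rule show for the AllowLDAPS rule, with the Admin Server's public IP as the third argument.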
Frequently Asked Questions
How can I leave a tenant when I am added as a collaborator?
When you are added as a collaborator to another organization's tenant, you can switch between tenants using the "tenant switcher" in the upper right. There is currently no option to leave the inviting organization; Microsoft is working to add this functionality.
What do you mean by Tomcat on Azure?
Tomcat is an open-source Java Servlet Container created by the Apache Software Foundation (ASF). MySQL is an extremely popular open-source relational database management system.
Can I manage my on-premises infrastructure with the aid of Azure AD?
Yes. If you have the Azure AD Premium edition, you can use Azure AD Connect Health, which helps you monitor and gain insight into your on-premises identity infrastructure and synchronization services.
Does my organization's user base access a self-service portal using Azure AD?
Azure AD provides the Azure AD Access Panel for user self-service and application access. If you're a Microsoft 365 subscriber, many of the same features are available through the Office 365 portal.
Can I enable Azure AD Domain Services on a virtual network created by Azure Resource Manager?
Yes. Azure AD Domain Services can be enabled on an Azure Resource Manager virtual network. Classic Azure virtual networks are no longer available when you create a managed domain.