How to configure SAML Authentication Request Signing in VMware Identity Manager for Microsoft Entra ID 3rd Party IDP



Article ID: 431586


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

This article provides instructions for enabling SAML Authentication Request Signing when integrating vIDM with Microsoft Entra ID 3rd Party IDP. This configuration ensures that SAML AuthnRequests sent from vIDM to Microsoft Entra ID are digitally signed, meeting the security requirements for high-assurance authentication environments.

Environment

VMware Identity Manager 3.3.7

Resolution

Prerequisites:

Before you begin, ensure the following requirements are met:

  • A working Single Sign-On (SSO) integration is already configured between VMware vIDM and Azure Active Directory. If the base integration is not yet completed, refer to KB 368196 and finish the setup before proceeding.

  • Signed SAML authentication requests are enforced in Azure Active Directory. Follow the steps provided in the applicable Microsoft KB article to enable and verify this configuration.

1. Update the SAML AuthnRequest binding to HTTP POST

  • Log in to the vIDM Admin Console.

  • Navigate to Identity & Access Management > Identity Providers.

  • Select the Identity Provider configured for Azure AD.

  • Locate the SAML AuthnRequest Binding setting and change it from HTTP Redirect to HTTP POST.

  • Save the configuration.

2. Download the signing certificate from vIDM

  • In the vIDM Admin Console, go to Catalog > Settings.
  • Select SAML Metadata from the left-hand menu.

  • Locate the Identity Provider (IdP) Metadata section.

  • Download the Signing Certificate (typically provided within the metadata XML or as a separate .cer/.pem download link in the Identity Provider settings).

3. Upload the certificate to Microsoft Entra ID

  • Log in to the Azure Portal and navigate to Microsoft Entra ID.
  • Go to Enterprise Applications and select your vIDM/Workspace ONE application.

  • Select Single sign-on from the left navigation.

  • Scroll down to the Verification Certificates (optional) section.

  • Upload the certificate downloaded from vIDM in the previous step.

  • Ensure that "Require Verification Certificates" is enabled if your Azure PAM policy mandates signed requests.
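The steps above are carried out in the vIDM and Entra ID consoles; what they do not give you is a way to confirm the result. The following Python script is an added example (not part of this article, and not VMware or Microsoft code) that performs two checks a practitioner would want after finishing: it pulls the signing certificate out of the vIDM IdP metadata XML from step 2 and writes it as PEM for the upload in step 3, and it decodes a SAMLRequest captured from the browser after the HTTP POST change in step 1 to confirm that an XML signature is embedded and that its certificate is the one the metadata advertises. The metadata, the AuthnRequest, the entity ID hostname, the tenant id and the certificate blob are all constructed samples; the script uses only the standard library and checks structure, not the cryptographic signature itself (Entra ID does that once the verification certificate is in place).

```python
"""Structural checks for the procedure above: extract the vIDM signing certificate
from IdP metadata (step 2) and confirm a captured HTTP-POST SAMLRequest carries an
embedded XML signature made with that certificate (steps 1 and 3).
Standard library only; no cryptographic verification is performed."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-in for the base64 DER blob; NOT a real certificate.
FAKE_CERT_B64 = "MIIBcTCCARugAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARURVNUUExBQ0VIT0xERVI="
# Assumed vIDM entity ID (hostname and path are placeholders, not from the article).
ENTITY_ID = "https://vidm.example.com/SAAS/API/1.0/GET/metadata/idp.xml"

# Constructed sample of the IdP metadata vIDM publishes (SAML 2.0 metadata schema shape).
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs_from_metadata(metadata_xml: str) -> list[str]:
    """Return the base64 bodies of every KeyDescriptor usable for signing.
    A KeyDescriptor with no 'use' attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # drop line breaks/indent
    return certs


def to_pem(cert_b64: str) -> str:
    """Wrap a bare base64 certificate body as PEM for the Entra ID upload."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def inspect_post_authn_request(saml_request_b64: str) -> dict:
    """Decode the SAMLRequest form field of the HTTP-POST binding (plain base64,
    no DEFLATE, unlike HTTP-Redirect) and report whether a signature is embedded."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    issuer = root.find("saml:Issuer", NS)
    sig = root.find("ds:Signature", NS)
    info = {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "signed": sig is not None,
        "sig_alg": None,
        "embedded_cert": None,
    }
    if sig is not None:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        cert = sig.find(".//ds:X509Certificate", NS)
        info["sig_alg"] = method.get("Algorithm") if method is not None else None
        info["embedded_cert"] = "".join(cert.text.split()) if cert is not None and cert.text else None
    return info


def request_signed_with_metadata_key(saml_request_b64: str, metadata_xml: str) -> bool:
    """True only if the request is signed and its KeyInfo certificate is one the IdP
    metadata advertises for signing, i.e. the certificate uploaded in step 3."""
    info = inspect_post_authn_request(saml_request_b64)
    return info["signed"] and info["embedded_cert"] in signing_certs_from_metadata(metadata_xml)


def build_constructed_request(signed: bool) -> str:
    """Build a base64 SAMLRequest shaped like the one a browser POSTs. Constructed
    sample: the SignatureValue is a placeholder and the tenant id is invented."""
    signature = f"""
  <ds:Signature xmlns:ds="{NS['ds']}">
    <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>""" if signed else ""
    xml = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2">
  <saml:Issuer>{ENTITY_ID}</saml:Issuer>{signature}
</samlp:AuthnRequest>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(to_pem(signing_certs_from_metadata(SAMPLE_IDP_METADATA)[0]))
    for signed in (True, False):
        req = build_constructed_request(signed)
        print(inspect_post_authn_request(req))
        print("signed with metadata key:", request_signed_with_metadata_key(req, SAMPLE_IDP_METADATA))
```

To use it against a real deployment, replace SAMPLE_IDP_METADATA with the metadata XML downloaded in step 2 and pass the SAMLRequest form value captured from the browser's developer tools during a login to inspect_post_authn_request. The embedded-signature check only makes sense after step 1: with the HTTP-Redirect binding the signature travels in the SigAlg and Signature query parameters rather than inside the XML, so a Redirect-bound request would report signed=False even when vIDM is signing it. A request that reports signed=True but whose certificate is not in the metadata list points at a mismatch between the certificate vIDM signs with and the one uploaded to Entra ID in step 3.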