Using the Metadata URL option when configuring MS ADFS as an IDP using SAML fails with 'XML Metadata is invalid! Reason: certificate_unknown(46)' error
Article ID: 431883

Products

VCF Operations

Issue/Introduction

  • VCF 9.x introduces a new form of SSO authentication (VCF SSO) that gives customers more choice when configuring external IDPs to authenticate users to the environment.
  • Once an Identity Broker Deployment Mode (Embedded or External) has been chosen and configured, an Identity Provider can be chosen and configured.
  • One Identity Provider option is Microsoft ADFS, using SAML as the Identity Protocol.
  • The documentation for this configuration can be viewed here.
  • At Step 7 of this process the user is required to configure the Identity Provider details.
  • One required field is the Identity Provider Metadata.
  • This can be provided either as a Metadata URL or as Metadata XML.

Environment

VCF 9.0.x

Cause

  • Using the Metadata URL option fails with the error 'XML Metadata is invalid! Reason: certificate_unknown(46)' because, as the documentation states, "if your identity provider is not publicly accessible or if the certificate lacks a signature from a recognized Certificate Authority (CA), VCF Operations cannot validate the metadata URL." (See documentation.)
  • certificate_unknown(46) is the TLS alert (code 46) raised when a TLS client cannot validate the server certificate presented during the handshake. VCF Operations retrieves the Metadata URL over HTTPS, and if it cannot build a trust chain for the ADFS server certificate the connection is rejected before any metadata XML is read; the error is therefore about the TLS certificate on the ADFS endpoint, not about the content of the metadata.
  • A "recognized Certificate Authority (CA)" is, in this context, a well-known public CA such as Thales or GoDaddy.
  • Internally trusted CAs, such as a Microsoft Active Directory Certificate Services CA, do not meet the criterion of "a recognized Certificate Authority (CA)", even though domain-joined clients trust that CA.

Resolution

Customers in this situation must use the Metadata XML option to proceed. The federation metadata document is published by ADFS at https://<adfs-fqdn>/FederationMetadata/2007-06/FederationMetadata.xml; download it from a client that trusts the internal CA (or export it on the ADFS server itself) and supply its contents as Metadata XML. Because the XML is a static copy rather than a live fetch, it must be re-imported into VCF Operations if the ADFS token-signing certificate is rolled over.
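An added example (Python; not code from this article or from VCF Operations) that reproduces both halves of the article: fetch_metadata() retrieves the ADFS federation metadata over HTTPS while trusting only the platform's public CA bundle, which is the check that fails against an internally issued ADFS certificate, or with an explicitly supplied internal root CA; parse_federation_metadata() checks a metadata document for the fields the SP side needs (entityID, SingleSignOnService endpoints, a signing certificate) before it is pasted into the Metadata XML field. The host name adfs.corp.example, the CA file path and the sample metadata are assumptions; the sample's certificate is a five-byte DER placeholder, not a real X.509 certificate.

```python
"""Added example, not VCF Operations code.

fetch_metadata()            -- HTTPS fetch of the ADFS federation metadata, trusting only the
                               public CA store (the situation VCF Operations is in) or an
                               explicitly supplied internal root CA.
parse_federation_metadata() -- extract the fields an SP needs from a federation metadata
                               document so the XML can be checked before it is pasted in.
"""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Standard ADFS federation metadata path; the host name is an assumption for this example.
ADFS_METADATA_URL = "https://adfs.corp.example/FederationMetadata/2007-06/FederationMetadata.xml"


def fetch_metadata(url: str, cafile: Optional[str] = None, timeout: float = 10) -> bytes:
    """Fetch the metadata document over HTTPS.

    With cafile=None only the platform's public CA bundle is trusted, which is how a client
    that does not know the internal CA rejects an ADFS server certificate issued by it.
    Passing the internal root CA (PEM file) trusts that CA instead of the public bundle.
    A failed chain build raises ssl.SSLCertVerificationError, the client-side counterpart
    of the certificate_unknown(46) TLS alert named in the article's error message.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.read()
    except urllib.error.URLError as e:
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            raise e.reason  # surface the chain failure itself rather than the wrapper
        raise


def parse_federation_metadata(xml_bytes: bytes) -> dict:
    """Return entityID, SSO endpoints keyed by binding, and the DER signing certificate(s).

    Raises ValueError for a document that cannot serve as IdP metadata: not an
    EntityDescriptor, no IDPSSODescriptor, or no usable signing certificate.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")

    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        # "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" -> "HTTP-POST"
        sso[svc.get("Binding", "").rsplit(":", 1)[-1]] = svc.get("Location")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a KeyDescriptor without 'use' also signs
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
                raise ValueError("X509Certificate content is not DER")
            signing_certs.append(der)
    if not signing_certs:
        raise ValueError("no signing certificate: SAML responses could not be verified")

    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": signing_certs}


# Constructed sample in the shape ADFS publishes (the entityID and /adfs/ls/ endpoint are the
# ADFS defaults for the assumed host). The certificate is a 5-byte DER placeholder
# (SEQUENCE { INTEGER 1 }), not a real X.509 certificate.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.corp.example/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MAMCAQE=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.corp.example/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.corp.example/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    try:
        xml_bytes = fetch_metadata(ADFS_METADATA_URL)  # public CA bundle only
    except ssl.SSLCertVerificationError as e:
        print("Metadata URL rejected by TLS certificate validation:", e.verify_message)
        # Workaround: fetch_metadata(ADFS_METADATA_URL, cafile="internal-root-ca.pem")
        # (assumed path) or export the file on the ADFS host, then use Metadata XML.
        xml_bytes = SAMPLE_METADATA
    except OSError as e:  # offline or unreachable: fall back to the constructed sample
        print("Metadata URL unreachable:", e)
        xml_bytes = SAMPLE_METADATA
    info = parse_federation_metadata(xml_bytes)
    print("entityID:", info["entity_id"])
    for binding, location in info["sso"].items():
        print("SSO", binding, location)
    print("signing certificates:", len(info["signing_certs"]))
```

Run against a real ADFS host, the first call reproduces the article's failure when the ADFS certificate was issued by an internal CA; supplying that CA's root via cafile, or pasting the downloaded document as Metadata XML, is the workaround. The parser is the pre-check to run on the XML before pasting it: a document that passes it contains what the SAML SP needs to redirect users to ADFS and to verify the signed responses that come back.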

Additional Information

It is planned to expose new 'Create IDP' APIs in VCF 9.1 that will allow customer-supplied certificates to be used when configuring ADFS with SAML as an Identity Provider via the Metadata URL option.