VMware Identity Manager (vIDM) Certificate Rotation for Entra ID Integration


Article ID: 437482


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

This article describes how to rotate the SAML signing certificate that Entra ID (the identity provider) uses for a VMware Identity Manager (vIDM) integration, without interrupting single sign-on.

Environment

VMware Identity Manager 3.3.7

Resolution

Important Notes

  • Snapshot Requirement: Take a snapshot of all vIDM nodes (all three nodes in a clustered deployment) before performing any of the steps below, so that the environment can be rolled back.

  • Service Continuity: Following the steps below in the order given keeps both the old and the new certificate trusted until the switch is complete, so the SAML trust is transitioned without authentication downtime.

Procedure

Step 1: Generate & Download New Certificate (Entra ID)

  1. Sign in to the Microsoft Entra admin center and go to Enterprise applications.

  2. Select your application (vIDM) and select Single sign-on.

  3. In the SAML Certificates section, click Edit.

  4. If you have already created the new certificate, skip to step 6. Otherwise, click New Certificate and select an expiration date.

  5. Click Save.

  6. Download the Federation Metadata XML file. During the transition it lists both the old (still active) and the new certificate, which is what allows vIDM to keep accepting assertions signed with either key.

NOTE: Keep both the old and the new certificate in Entra ID until the rotation is complete. Removing the old certificate before vIDM has imported the new metadata would cause login failures.

Step 2: Update Certificate in vIDM (SP Side)

  1. Log in to the vIDM administration console as an administrator.

  2. Navigate to Identity & Access Management > Identity Providers.

  3. Select the Identity Provider configuration associated with Entra ID.

  4. In the SAML Metadata section, click Choose File and upload the new Federation Metadata XML file downloaded in Step 1, or paste the new content into the SAML Metadata section.

  5. Save the changes.

Step 3: Activate New Certificate (Entra ID)

  1. Return to the SAML Certificates section in the Entra ID portal.

  2. Click Make Certificate active next to the new certificate.

Step 4: Verify

  1. Log in to vIDM with a test user to confirm that SSO works with the new certificate.

  2. Once confirmed, remove the old certificate from Entra ID, download the Federation Metadata XML again and upload it to vIDM as in Step 2, so that vIDM no longer trusts the retired certificate. You may also leave the old certificate in place until it expires, but a retired signing key should not remain trusted longer than necessary.

Additional Information

vIDM 3.3.7 can safely consume SAML metadata that carries both the old and the new certificate during the transition, for the following reasons:

SAML Standard Behavior

  • Multiple Certificate Support: The SAML 2.0 metadata specification explicitly allows an identity provider to publish more than one <KeyDescriptor use="signing"> element, precisely to support certificate rollover.

  • Certificate Validation Logic: When an assertion arrives, the service provider tries each published signing certificate in turn until one validates the signature.

  • Graceful Fallback: If the signature does not validate against the first certificate, the next available certificate is tried, so assertions signed with either key are accepted for as long as both certificates are published.
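As an added illustration of the rollover behaviour described above and of the verification step in Step 4 (this is example code written for this article, not vIDM's or Entra ID's implementation), the following Go program builds constructed IdP metadata carrying two signing certificates, extracts them the way a service provider would, and verifies an assertion signature against each certificate in turn. It also shows the two failure modes a practitioner cares about after cleanup: once the old certificate is removed from the metadata, assertions signed with the old key are rejected, and an expired certificate is never accepted even while it is still listed. Assumptions: the entityID, certificate subjects and assertion bytes are made up; signatures are computed over raw bytes rather than with XML-DSig over the canonicalised assertion; the expiry check is standard SP hardening, not documented vIDM behaviour.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// idpMetadata is a minimal view of SAML 2.0 IdP metadata: every X509Certificate under a KeyDescriptor of the
// IDPSSODescriptor. Tags use local names, so encoding/xml matches them whatever namespace prefixes (md:, ds:) appear.
type idpMetadata struct {
	Certs []string `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert builds a self-signed RSA certificate (DER) standing in for an Entra ID signing certificate. Fixture only.
func makeCert(cn string, notAfter time.Time) (*rsa.PrivateKey, []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	return key, must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// buildMetadata emits constructed IdP metadata with one signing KeyDescriptor per certificate (not real Entra output).
func buildMetadata(certsDER ...[]byte) string {
	md := `<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/example-tenant/"><IDPSSODescriptor>`
	for _, der := range certsDER {
		md += `<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>` +
			base64.StdEncoding.EncodeToString(der) + `</X509Certificate></X509Data></KeyInfo></KeyDescriptor>`
	}
	return md + `</IDPSSODescriptor></EntityDescriptor>`
}

// signingCerts parses every certificate the metadata offers for signature validation; one bad entry rejects the file.
func signingCerts(metadataXML string) ([]*x509.Certificate, error) {
	var md idpMetadata
	if err := xml.Unmarshal([]byte(metadataXML), &md); err != nil {
		return nil, err
	}
	var certs []*x509.Certificate
	for i, b64 := range md.Certs {
		der, err := base64.StdEncoding.DecodeString(b64)
		if err != nil {
			return nil, fmt.Errorf("KeyDescriptor %d: %w", i, err)
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("KeyDescriptor %d: %w", i, err)
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// signAssertion signs a SHA-256 digest of the assertion bytes with the IdP key (simplification of XML-DSig).
func signAssertion(key *rsa.PrivateKey, assertion []byte) []byte {
	h := sha256.Sum256(assertion)
	return must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]))
}

// verifyWithAny is the rollover-tolerant check: try each signing certificate that is valid at 'now' until one
// verifies the signature. It returns the index of the matching certificate, or an error if none matches.
func verifyWithAny(certs []*x509.Certificate, assertion, sig []byte, now time.Time) (int, error) {
	h := sha256.Sum256(assertion)
	for i, c := range certs {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			continue // expired or not-yet-valid certificates are never trusted signers
		}
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return i, nil
		}
	}
	return -1, fmt.Errorf("signature matches no currently valid signing certificate (%d offered)", len(certs))
}

func main() {
	now := time.Now()
	oldKey, oldDER := makeCert("Entra SAML signing (old)", now.Add(30*24*time.Hour))
	newKey, newDER := makeCert("Entra SAML signing (new)", now.Add(3*365*24*time.Hour))
	assertion := []byte("<Assertion>constructed sample</Assertion>")
	both := must(signingCerts(buildMetadata(oldDER, newDER))) // transition metadata: both certificates present
	fmt.Println(verifyWithAny(both, assertion, signAssertion(oldKey, assertion), now)) // 0 <nil>
	fmt.Println(verifyWithAny(both, assertion, signAssertion(newKey, assertion), now)) // 1 <nil>
	onlyNew := must(signingCerts(buildMetadata(newDER))) // after cleanup: old certificate removed from metadata
	fmt.Println(verifyWithAny(onlyNew, assertion, signAssertion(oldKey, assertion), now)) // -1 and an error
}
```

Run it with `go run`; the first two lines show that, while the metadata from Step 1 lists both certificates, assertions signed with either key verify (index 0 for the old certificate, 1 for the new one), and the last line shows that after the old certificate is dropped from the metadata, as in the cleanup of Step 4, old-key assertions are rejected. The same function can be pointed at a real Federation Metadata XML download to list which certificates vIDM would trust and when each expires.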