In a standard configuration, this is supposed to be generated and provided by Service Provider which is airwatch/WS1. I dont understand why WS1 is asking admin to provide this.

Anycase  this can be left empty, its just the saml request would present unsigned to iDP. The important thing is the response from  iDP needs to be verified which is done by uploaded Identity Provider Certificate in the SAML configuration of WS1.