com.l7tech.server.identity.ldap.LdapIdentityProviderImpl: credentials did not authenticate for jsmith
com.l7tech.server.policy.assertion.identity.ServerMemberOfGroup: could not verify membership of group <group> with credentials from <user>
com.l7tech.server.policy.assertion.identity.ServerMemberOfGroup: ServerIdentityAssertion failed
com.l7tech.identity.AuthenticationException: Error authorizing X.509 credentials: Found multiple users with same subject DN
Caused by: com.l7tech.objectmodel.FindException: Found multiple users with same subject DN
The Layer 7 Gateway can use client certificate authentication to secure a published service and protected endpoint. The Gateway can use client certificates from multiple identity providers: it supports searching for certificates within the Internal Identity Provider, an external identity provider (such as an LDAP directory), or a federated identity provider. The Gateway requires that a particular certificate be associated with a particular user in an external, internal, or federated identity provider. The Gateway is not engineered to accept certificates that are used by multiple identities, which is why the certificate lookup fails with "Found multiple users with same subject DN".
This issue can be resolved by ensuring that each user within an identity provider has a completely unique distinguished name and a completely unique X.509 certificate. An administrator or operator can verify the DN or certificate of each user in the identity provider. If it is absolutely necessary to have multiple users with the same certificate or DN, then an additional identity provider will need to be created for those users, using different filters to differentiate them.
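One way to run the certificate check described above against an LDAP directory is to export the user entries to LDIF and look for a certificate held by more than one entry. The script below is an added example, not Layer 7 code: it assumes the certificates are stored in the standard userCertificate;binary attribute, and the LDIF sample, the DNs other than jsmith, and the placeholder certificate bytes are constructed.

```python
import base64
import hashlib
from collections import defaultdict


def parse_ldif(text):
    """Yield (dn, {attr: [bytes, ...]}) for each entry in an LDIF export."""
    # LDIF folds long lines: a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" carries binary data
                data = base64.b64decode(value[1:].strip())
            else:
                data = value.strip().encode()
            if name.lower() == "dn":
                dn = data.decode()
            else:
                attrs[name.lower()].append(data)
        if dn:
            yield dn, attrs


def shared_certificates(text, attr="usercertificate;binary"):
    """Return {sha256 fingerprint: [DNs]} for certificates held by >1 entry."""
    owners = defaultdict(set)
    for dn, attrs in parse_ldif(text):
        for der in attrs.get(attr, []):
            owners[hashlib.sha256(der).hexdigest()].add(dn)
    return {fp: sorted(dns) for fp, dns in owners.items() if len(dns) > 1}


# Constructed sample: placeholder bytes stand in for DER certificates.
CERT_A = b"constructed placeholder for DER certificate A " * 3
CERT_B = b"constructed placeholder for DER certificate B"
_a = base64.b64encode(CERT_A).decode()
SAMPLE_LDIF = (
    "dn: uid=jsmith,ou=people,dc=example,dc=com\n"
    f"userCertificate;binary:: {_a[:48]}\n {_a[48:]}\n\n"  # folded value
    "dn: uid=svc-batch,ou=people,dc=example,dc=com\n"
    f"userCertificate;binary:: {_a}\n\n"
    "dn: uid=adoe,ou=people,dc=example,dc=com\n"
    f"userCertificate;binary:: {base64.b64encode(CERT_B).decode()}\n"
)

if __name__ == "__main__":
    for fingerprint, dns in shared_certificates(SAMPLE_LDIF).items():
        print(fingerprint, "is held by", ", ".join(dns))
```

This catches byte-identical certificates only. Two different certificates that carry the same subject DN need an X.509 parser to compare the subject fields.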