FIP User Fails To Authenticate

Article ID: 44690

Updated On:

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

Symptom:

Attempting to use the 'Authenticate User or Group' assertion for a user that exists within a Federated Identity Provider (FIP) fails with an error similar to the following:

 

Credentials failed for xxx due to 'Couldn't authorize X.509 credentials: Signer 'cn=zzzzzzz' is not trusted'

 

Environment:

This situation can be seen on any Layer 7 Gateway version.

 

Cause:

This situation can be seen when the root or signing certificate associated with the certificate that identifies the user in question is contained within the gateway's trusted certificate store but was not directly added to the FIP.

 

Resolution:

Make sure the already-trusted root certificate is added to the FIP by following these steps:

- Launch Policy Manager and select the Identity Providers tab

- Right-click the FIP in question and select 'Properties'

- At Step 2, the 'Select the Trusted Certificates' dialog, add the appropriate root certificate that is already trusted within the gateway
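
When several users fail at once, it helps to know which signer DNs appear in the "is not trusted" errors before opening the FIP properties. The script below is an added example, not part of the original article or the product: it groups such errors by signer, assuming log lines follow the error text quoted above (the regex, the function names and the sample lines are constructed for illustration).

```python
import re
from collections import defaultdict

# Pattern modelled on the error text quoted in this article. Real log lines
# may carry a prefix (timestamp, level), so the match is unanchored.
UNTRUSTED = re.compile(
    r"Credentials failed for (?P<user>.+?) due to "
    r"'Couldn't authorize X\.509 credentials: "
    r"Signer '(?P<signer>.+?)' is not trusted'"
)

def normalize_dn(dn):
    """Lower-case the DN and trim spaces around commas so that differently
    formatted copies of one signer group together. This is a grouping key
    only, not a full RFC 4514 DN comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def untrusted_signers(lines):
    """Map each untrusted signer DN to the set of users whose login it blocked."""
    hits = defaultdict(set)
    for line in lines:
        m = UNTRUSTED.search(line)
        if m:
            hits[normalize_dn(m.group("signer"))].add(m.group("user"))
    return dict(hits)

# Constructed sample lines (not real gateway output).
SAMPLE_LOG = [
    "WARNING Credentials failed for alice due to 'Couldn't authorize X.509 "
    "credentials: Signer 'cn=Example Root CA' is not trusted'",
    "INFO Policy evaluation completed",
    "WARNING Credentials failed for bob due to 'Couldn't authorize X.509 "
    "credentials: Signer 'CN=Example Root CA' is not trusted'",
    "WARNING Credentials failed for carol due to 'Couldn't authorize X.509 "
    "credentials: Signer 'cn=Partner Issuing CA, o=Partner' is not trusted'",
    "WARNING Credentials failed for dave due to 'Invalid password'",
]

if __name__ == "__main__":
    # Each signer listed is a candidate to review against the FIP's trusted
    # certificates; add only signers that the FIP is meant to trust.
    for signer, users in sorted(untrusted_signers(SAMPLE_LOG).items()):
        print(f"{signer}: blocked {', '.join(sorted(users))}")
```

A signer that appears here and is already in the gateway's trusted certificate store matches the cause described in this article; a signer that is in neither place is a different situation and should be reviewed before it is trusted anywhere.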

Environment

Release:
Component: APIGTW