Symptom:
Attempting to use the 'Authenticate User or Group' assertion for a user who exists within a Federated Identity Provider (FIP) fails with an error similar to the following:
Credentials failed for xxx due to 'Couldn't authorize X.509 credentials: Signer 'cn=zzzzzzz' is not trusted'
Environment:
All supported versions of the CA API Gateway
Cause:
This situation can occur when the root or signing certificate for the certificate that identifies the user in question is contained within the gateway's trusted certificate store but was not added directly to the FIP.
Resolution:
Make sure the already trusted root certificate is added to the FIP by following these steps:
- Launch Policy Manager and select the Identity Providers tab
- Right-click the FIP in question and select 'Properties'
- At Step 2, the 'Select the Trusted Certificates' dialog, add the appropriate root certificate which is already trusted within the gateway