Identity Servers at Site A and Site B need to use the contract you specified in your user matching expression to be the default contract for Site A, Site B, and the protected resources of Access Gateway.
For the user matching expression contract, see step 2 in Configuring Site B for User Account Matching.
To configure the default contracts for Site A and Site B:
In Administration Console for Site B, click Devices > Identity Servers > Edit > Local > Defaults.
For the Authentication Contract, select the name of the contract used by the user matching expression.
Click OK, then update Identity Server.
For Site A, repeat step 1 through step 3.
For Access Gateway, review the contracts you have assigned to the protected resources:
In Administration Console for Site B, click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Protected Resources.
For single sign-on, change the contract to match the contract for the user matching expression.
(Conditional) If you have multiple reverse proxies and proxy services, verify the contracts on all protected services that you want enabled for single sign-on.
Click OK and update Access Gateway.
Continue with Verifying the Trust Relationship with SAML 1.1.