Why am I getting the "Inter-institutional access failure. Please contact your system administrator for assistance." error when using SAML authentication and EZproxy?
Symptom
- After submitting credentials on my SAML SSO login screen, I get the error message "Inter-institutional access failure. Please contact your system administrator for assistance."
Applies to
- EZproxy
Resolution
Follow these steps:
- Check your messages.txt file to see what errors you are getting.
- Generate new metadata from your SSO system and load it to your EZproxy server.
- Generate new metadata from your EZproxy system and load it to your SSO system.
- If you are running version 6.6.2 or newer, update the Shibboleth metadata directive flags (-SignResponse=false -SignAssertion=true -EncryptAssertion=false) based upon the error in the messages.txt file.
- Make sure the -cert= number is the same as the certificate number that was used to generate the EZproxy metadata file.
Additional information
This error usually means that the certificates used for SAML authentication have been changed on one or both systems, and the available metadata has not been updated to reflect the new certificates.
Possible errors in messages.txt:
SAML Assertion is signed; signature is invalid
1) Check if the provided IdP metadata is correct. For example, an element "<KeyDescriptor use="signing">" needs to be present and it needs to contain a certificate:
2) If using a metadata URL starting with login.microsoftonline.com, make sure it has the appid-specific part at the end: https://login.microsoftonline.com/SO...ME_OTHER_VALUE
In Microsoft terms, this is called the "App Federation Metadata URL".
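One way to run check 1 against an IdP metadata file before loading it into EZproxy, as an added example that is not part of the original article or of EZproxy. The function names and the sample metadata are constructed here, and the sample certificate bytes are placeholders rather than a real X.509 certificate. A KeyDescriptor with no use attribute is counted as a signing key, since SAML metadata treats it as valid for both signing and encryption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def idp_signing_fingerprints(metadata_xml):
    """Return SHA-256 fingerprints of the certificates the IdP metadata offers for signing."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # No "use" attribute means the key applies to signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only key, never used to verify a signature
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata usually wraps the base64 text; strip all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            if der:
                found.append(hashlib.sha256(der).hexdigest())
    return found

# Constructed sample input: placeholder bytes stand in for DER certificates.
SAMPLE_SIGNING_DER = b"constructed-placeholder-signing-cert"
SAMPLE_ENCRYPTION_DER = b"constructed-placeholder-encryption-cert"

def key_descriptor(use_attr, der):
    b64 = base64.b64encode(der).decode()
    return (f"<md:KeyDescriptor{use_attr}><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>\n  {b64}\n</ds:X509Certificate>"
            f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

def sample_metadata(use_attr):
    """Build constructed IdP metadata whose first key carries the given use attribute."""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://idp.example.edu/idp">'
        '<md:IDPSSODescriptor '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        + key_descriptor(use_attr, SAMPLE_SIGNING_DER)
        + key_descriptor(' use="encryption"', SAMPLE_ENCRYPTION_DER)
        + "</md:IDPSSODescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    prints = idp_signing_fingerprints(sample_metadata(' use="signing"'))
    if not prints:
        print("No signing certificate in IdP metadata; signature checks will fail")
    for fp in prints:
        print("IdP signing certificate SHA-256:", fp)
```

An empty result means the metadata carries no usable signing certificate. Otherwise, compare the fingerprints with that of the certificate your IdP currently signs with.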
SAML Assertion is not signed, a signature is required
Change the flag for -SignAssertion= from true to false, which is true of all flags.
The HTML error page can be customized by placing a file named shibfailure.htm into the EZproxy docs directory.