Why am I getting the "Inter-institutional access failure. Please contact your system administrator for assistance." error when using SAML authentication and EZproxy?
Symptom
- After submitting credentials on my SAML SSO login screen, I get the error message "Inter-institutional access failure. Please contact your system administrator for assistance."
Applies to
- EZproxy
Resolution
Follow these steps:
- Check your messages.txt file to see what errors you are getting.
- Generate new metadata from your SSO system and load it to your EZproxy server.
- Generate new metadata from your EZproxy system and load it to your SSO system.
- If version 6.6.2 or newer, update the shibboleth metadata directives -SignResponse=false -SignAssertion=true -EncryptAssertion=false \ based upon the error in the messages.txt file.
- Make sure the -cert= number is the same as the certificate number that was use to generate the EZproxy metadata file.
Additional information
This error usually means that the certificates used for SAML authentication have been changed on one or both systems, and the available metadata has not been updated to reflect the new certificates. If the error in the messages.txt file states SAML Assertion is not signed, a signature is required. Change the flag for -SignAssertion= from true to false, which is true of all flags.
The HTML error page can be customized by placing a file named shibfailure.htm into the EZproxy docs directory.