Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 29 Current »

English / 日本語

This page contains information for those who are in charge of the "GakuNin" and off-campus networks at institutions (universities, etc.) that use our online analysis system.

Outline of the Demonstration Experiment

National Institute of Informatics (NII) is developing an "Online Analysis System" as part of Japan Society for the Promotion of Science (JSPS) project to promote the construction of a data infrastructure for the humanities and social sciences. Prior to the full-scale launch of the service, we will conduct a demonstration experiment targeting a small number of institutions (universities, etc.) in order to evaluate the practicality of the system and identify missing functions.

Users from your institution will need to change the Shibboleth IdP settings in order to participate in the demonstration experiment. We would like to ask the department in charge to please read this guide and take the necessary actions.

ProviderResearch Center for Open Science and Data Platform, National Institute of Informatics
Persons this system applies to

Holders of GakuNin compatible accounts at your institution (Researchers, faculty, students, etc.)

Service provided
LocationNII-owned computers in Japan
Experiment period

October 2020 - March 2022


Free of charge(There are no plans to charge a fee after the experiment is over.)

Incident Response Policy

The terms of service for this service will be established by the end of the demonstration experiment. During the period of the demonstration experiment, the service will be used in a way that trusts the good intentions of the users, but the following response policy is provided in case problems occur due to the intentional or negligent actions of the users.

  •  NII will record the user's behavior on the Service. Specifically, the following information will be logged.

    • User information obtained from IdP (eduPersonPrincipalName, mail).

    • Login time, logout time.

    • Unique ID, IP address, and port number of the container.

    • Other information necessary for follow-up investigation.

  • When NII detects that a user is using the service illegally, NII will take the following actions.

    • Temporarily prohibit the user from using the System.

    • Maintain a log of the user's activities.

    • Notify the department in charge of GakuNin at the institution to which the user belongs, and provide them with the log.

If you receive a notification that a user at your institution is using the service illegally, please cooperate with the following measures.

  • Take the same action against the user as you would have taken if the user had committed the same act on your system.

  • Report the status of the action to NII.

NII will decide whether or not to allow the user to resume using the system based on the status of the reported action.

Definition of unauthorized use

During the period of the demonstration experiment, NII will examine the line of abuse by observing the user's behavior. Currently, we consider the following actions to be abuse.

  • Using the functions of this service to configure a crawler to generate high frequency/volume communications to a third party's web server.

  • Configuring a web server using the functions of this service to enable the transmission of data to an unspecified third party.

  • Sending e-mail to unspecified third parties by configuring a mail server using the functions of this service.

  • Any other acts that NII deems to cause trouble to a third party.
  • Mining of virtual currency using the functions of the Service.
  • Use of P2P file sharing software using the functions of the Service.
  • Other acts that NII recognizes as causing trouble to other users of the Service.

We will add or modify this definition as the situation demands.

GakuNin Idp Setup Guide

In order for users to use this system, the Shibboleth IdP operated by your institution needs to be configured to send the user's attribute values to the SP of this service.

Attributes to be sent out
  • eduPersonPrincipalName (Required)
  • mail (Required


  • The IdP must have already been registered with GakuNin (Operational Federation). If you have not completed the registration to the operational federation, please contact us separately.
  • This explanation assumes that the IdP has been built according to the procedures described in the Technical Guide for GakuNin; if the IdP has been installed using a method specific to your institution, please change the file path accordingly.

Updating Metadata

If automatic metadata refresh is not enabled, follow the steps below to refresh the metadata cache file.

  1. Locate the cache file. It is usually located in /opt/shibboleth-idp/metadata/gakunin-metadata.xml.
  2. Open the cache file and search for the string "".
  3. If not found, get the latest metadata from and replace the cache file.

Configuring Attribute Sending

Follow the steps below to edit the Shibboleth IdP configuration file. For more details, please refer to the GakuNin Technical Guide.

  1. Open /opt/shibboleth-idp/conf/attribute-resolver.xml and search for the string "id="eduPersonPrincipalName"".

  2. If the following XML element is valid (not commented out), you are good to go. → Reference 

    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="%{idp.scope}" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:" friendlyName="eduPersonPrincipalName" encodeType="false" />

  3. Similarly, make sure that "id="mail"" is also valid. → Reference

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />

  4. Open /opt/shibboleth-idp/conf/attribute-filter.xml and search for the string "</AttributeFilterPolicyGroup>".

  5. Add the following XML element just before the found tag. → Reference

    <AttributeFilterPolicy id="PolicyforNiiRdcDataAnalysisPlatform">
        <PolicyRequirementRule xsi:type="Requester" value="" />
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
  6. Restart the Shibboleth IdP service.

Operation check

  1. Access with a browser.
  2. If you are redirected to after going through the authentication screen, you are OK. 

Contact Information

  Research Center for Open Science, National Institute of Informatics

  Ikki Fujiwara, Online Analysis System <>

  • No labels