
This document describes how to install and validate the (global) mAP environment.


The following environment is required to install mAP.

Table 2-1 Required Software

Software Name         Version         Purpose
CentOS (64bit)        7               Operating System
Shibboleth SP                         Service Provider
Shibboleth IdP                        Identity Provider
Apache HTTP Server    2.4 (*1)        Web Server
OpenJDK               7.0.85          IdP Execution Environment
Apache Tomcat         7.0.54 (*1)     Servlet Container
MariaDB               5.5.44 (*1)     Relational Database
Postfix               2.10 (*1)       Mail Transfer Agent
PHP                   5.4.16 (*1)     Programming Language

*1 Latest version of the yum package as of 2015/2/29


Installing Shibboleth SP

Install Shibboleth SP by following the install guide.

Shibboleth SP Install Guide

In addition to Shibboleth SP, Apache httpd, mod_ssl and NTP should be installed at the same time. Set these up as well.

Installing Shibboleth IdP

Install Shibboleth IdP by following the install guide.

Shibboleth IdP Install Guide

In addition to Shibboleth IdP, Java and Tomcat must be installed. Set these up as well.

Installing and Setting Up MariaDB

Install MariaDB with the following command.

$ sudo yum install mariadb-server

* If MariaDB was already installed as an initial component, you can skip this step.


Set up /etc/my.cnf (in the [mysqld] section):
character-set-server = utf8

$ sudo systemctl start mariadb.service
$ sudo systemctl enable mariadb.service


Create the database (the rest of this guide uses the database name vo and the account vouser)
$ mysql -u root
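The guide later connects as vouser to the vo database but never shows how that account is created. The script below is an added example, not part of the mAP guide or the mAP code: it creates the database and a dedicated account whose privileges are limited to vo (rather than GRANT ALL ON *.*) with a password drawn from /dev/urandom. The database and account names are the ones used later in this guide; the privilege list is an assumption based on what the application and the console shells need (DML on the tables, EXECUTE for the stored procedures, CREATE/ALTER/INDEX/DROP for `cake schema create`).

```shell
#!/bin/sh
# Added example: create the "vo" database and a least-privilege "vouser" account.
# Assumes MariaDB is running locally and root can connect as in "mysql -u root" above.
# Run mysql_secure_installation first: it removes anonymous accounts and the test
# database and sets a root password.
set -eu

DB_NAME="${DB_NAME:-vo}"
DB_USER="${DB_USER:-vouser}"

# 24 alphanumeric characters from the kernel CSPRNG. '/', '+' and '=' are dropped so
# the value can be pasted into app/config/database.php without quoting trouble.
gen_db_password() {
  head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-24
}

# Print the SQL for the database and the account. utf8 matches character-set-server
# in /etc/my.cnf; the grant is scoped to the one database and to localhost, because
# the web application and the mysql client both run on this host.
vo_setup_sql() {
  db="$1"; user="$2"; pass="$3"
  cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, EXECUTE ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

main() {
  pass="$(gen_db_password)"
  vo_setup_sql "$DB_NAME" "$DB_USER" "$pass" | mysql -u root
  echo "Created $DB_USER@localhost for database $DB_NAME"
  echo "Password (copy it into app/config/database.php): $pass"
}

# Only run when executed directly, so the functions can also be sourced.
if [ "${0##*/}" = "vo_db_setup.sh" ]; then main; fi
```

Save it as vo_db_setup.sh and run it once as the administrator; the printed password is the value to use wherever this guide says YOUR-OWN-PASSWORD for vouser.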

Installing and Setting Up PHP

Install PHP with the following commands.

$ sudo yum install php
$ sudo yum install php-devel php-gd php-mbstring php-pdo
$ sudo yum install php-mysql php-xml
$ sudo systemctl restart httpd.service


Setting Up Timezone

Set the timezone in /etc/php.ini. Change "Asia/Tokyo" to your local timezone.

date.timezone = "Asia/Tokyo"

Installing and Setting Up Mail Server

Install and set up a mail server using Postfix or Sendmail. The following instructions are for Postfix.

$ sudo yum install postfix
Set up Postfix

Modify the parameters in /etc/postfix/main.cf to match your local environment.

$ sudo systemctl start postfix.service
$ sudo systemctl enable postfix.service

Installing Attribute Provider (SP)

The Shibboleth SP installed in section 4 will be configured as the Attribute Provider.

Download the required files from the following URL.

Contact the GakuNin Office if authentication is requested.



Modify Setting
Copy Files
$ sudo mkdir /var/www/html/secure
$ unzip index.zip
$ sudo cp index.php /var/www/html/secure/attr.php
$ sudo mkdir /var/www/html/js
$ sudo cp embedded-wayf_config.js /var/www/html/js/.
Metadata Deployment
$ sudo systemctl restart shibd.service
$ sudo systemctl restart httpd.service

Installing Attribute Provider (IdP)

The Shibboleth IdP installed in section 5 will be configured as the Attribute Provider.

Download the required file from the following URL.

Contact the GakuNin Office if authentication is required.

Download mariadb-java-client-1.3.x.jar from the MariaDB site:


Download trustany-ssl-1.0.x.jar from wiki.shibboleth.net:



Modify Configuration


Overwrite the configuration files.
Back Up First
$ cd /opt/shibboleth-idp/conf
$ sudo cp attribute-filter.xml attribute-filter.xml.bk
$ sudo cp attribute-resolver.xml attribute-resolver.xml.bk

Then Copy
$ cd
$ sudo cp attribute-filter.xml /opt/shibboleth-idp/conf/.
$ sudo cp attribute-resolver.xml /opt/shibboleth-idp/conf/.
Metadata Deployment
Deployment of the MariaDB driver
$ sudo cp mariadb-java-client-1.3.x.jar \
[TOMCAT install directory]/webapps/idp/WEB-INF/lib/.

$ sudo cp mariadb-java-client-1.3.x.jar /opt/shibboleth-idp/lib/.
Configuration for StoredID

Create the table for StoredID in the MariaDB database, following "4. Create table in the database (In case of MariaDB)" in the referenced StoredID instructions.

$ mysql -u root vo
mysql> (paste the CREATE TABLE statement from the referenced instructions here)
Deployment of the trustany-ssl
$ sudo cp trustany-ssl-1.0.x.jar [TOMCAT install directory]/lib/.
Back Channel

Configure the back channel by referring to the following instructions.

Create credential

# cd /opt/shibboleth-idp/credentials
# UMASKORIG="`umask`" ; umask 0077
# openssl pkcs12 -export -out server.p12 -in idp.crt -inkey idp.key -name HOST-NAME-OF-THIS-SERVER
Enter Export Password: YOUR-OWN-PASSWORD
Verifying - Enter Export Password: YOUR-OWN-PASSWORD

# umask "$UMASKORIG"

* These instructions assume the IdP certificate and key are idp.crt and idp.key.
* umask 0077 leaves server.p12 readable only by its owner (root here). Tomcat has to read it, so change the owner to the account Tomcat runs as (tomcat for the yum package) and keep the mode at 0600; the file contains the IdP private key.

Back Channel Port

Enable port 8443 in Tomcat's server.xml.

If Tomcat was installed with yum on CentOS 7, server.xml is /etc/tomcat/server.xml.

Add the following connector. port, protocol and trustManagerClassName are the settings specific to the IdP back channel; the other attributes are the standard Tomcat JSSE settings needed to serve TLS from the server.p12 created above, and keystorePass is the export password entered there.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        SSLEnabled="true" scheme="https" secure="true"
        clientAuth="want" sslProtocol="TLS"
        keystoreFile="/opt/shibboleth-idp/credentials/server.p12"
        keystoreType="PKCS12" keystorePass="YOUR-OWN-PASSWORD"
        trustManagerClassName="net.shibboleth.utilities.ssl.TrustAnyCertificate" />

trustany-ssl makes Tomcat accept any client certificate on this connector; the IdP then verifies the SP's certificate against the federation metadata itself. Do not serve anything other than the IdP web application on this connector, and keep server.xml readable only by root and the tomcat account, since it now contains the keystore password.
$ sudo systemctl restart tomcat.service

Restart the SP as well so that it loads the metadata of the newly configured IdP.
$ sudo systemctl restart shibd.service
$ sudo systemctl restart httpd.service
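Two things are worth checking once Tomcat is back up: that the keystore is not readable by other accounts, and that port 8443 really presents the IdP certificate (the one published in the federation metadata) rather than some other certificate on the host. The script below is an added example, not part of the mAP guide or the Shibboleth project; it assumes the credential directory, file names and port used above, and the `stat -c` form of GNU coreutils.

```shell
#!/bin/sh
# Added example: sanity checks for the back channel configured above.
# Assumes /opt/shibboleth-idp/credentials/{server.p12,idp.crt} and Tomcat on 8443.
set -eu

CRED_DIR="${CRED_DIR:-/opt/shibboleth-idp/credentials}"

# The keystore holds the IdP private key: only its owner may read it.
# Returns 0 for mode 0600 or 0400, 1 otherwise (stat -c is GNU coreutils syntax).
check_p12_mode() {
  mode="$(stat -c '%a' "$1")"
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$1 has mode $mode; expected 600" >&2; return 1 ;;
  esac
}

# SHA-256 fingerprint of a PEM certificate file, e.g. idp.crt.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate presented on host:port. s_client reports a
# verification failure because no trust anchor is supplied; only the leaf cert is wanted.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

main() {
  host="${1:-$(hostname -f)}"
  check_p12_mode "$CRED_DIR/server.p12"
  want="$(cert_fingerprint "$CRED_DIR/idp.crt")"
  got="$(served_fingerprint "$host" 8443)"
  if [ "$want" = "$got" ]; then
    echo "8443 presents the IdP certificate ($want)"
  else
    echo "8443 presents a different certificate: got $got, expected $want" >&2
    exit 1
  fi
}

if [ "${0##*/}" = "check_backchannel.sh" ]; then main "$@"; fi
```

Run it as check_backchannel.sh on the IdP host after the Tomcat restart. A fingerprint mismatch usually means the connector picked up a different keystore (or the default one) and SPs will fail to validate the back channel against metadata.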

Installing the Application

Download the files from the following URL.



$ unzip cloudgateway-1.0.zip
$ sudo mv map /usr/local/.
Initial Setting
# Announce Information
$ cd /usr/local/map
$ mkdir -p app/webroot/tmp/
$ touch app/webroot/tmp/announce.txt
$ sudo chown -R apache.apache app/webroot/tmp

# Adjust permissions
$ sudo chown -R apache.apache /usr/local/map/app/tmp
$ sudo chmod +x /usr/local/map/cake/console/cake
$ sudo chmod +x /usr/local/map/app/vendors/shells/*.php
$ sudo chmod -R 777 /usr/local/map/app/tmp/cache
# 777 makes the cache world-writable. app/tmp is already owned by apache, so 770 is
# sufficient if the cake console commands below are run as apache (sudo -u apache ./cake ...).

# Group Icons
$ sudo mkdir -p app/tmp/uploads/group/original
$ sudo mkdir -p app/tmp/uploads/group/thumbnails/{20,50,100,200}
$ sudo mkdir -p app/tmp/uploads/group/temp
$ sudo mkdir -p app/tmp/uploads/sp_group/thumbnails/64
$ sudo chown -R apache.apache app/tmp/uploads
# Deletion of Log Files and Cache Files
$ sudo rm -rf app/tmp/cache/models/*
$ sudo rm -rf app/tmp/cache/persistent/*
$ sudo rm -rf app/tmp/cache/views/*
$ sudo rm -rf app/tmp/logs/*

# Copy of Configuration Files
$ cp app/config/database.template.php app/config/database.php
$ cp app/config/core.template.php app/config/core.php
# Set 'Security.salt' and 'Security.cipherSeed' in core.php to random values (do not keep the template values; they are not secret).
$ vi app/config/core.php

# Deletion of files for development (if they exist)
$ rm app/config/local.php
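Editing Security.salt and Security.cipherSeed by hand invites weak or reused values. The script below is an added example, not part of the mAP guide or the CakePHP/mAP code: it draws both values from /dev/urandom and rewrites the two Configure::write lines in core.php. It assumes core.php uses the CakePHP 1.x form `Configure::write('Security.salt', '...');`, that the salt is 40 alphanumeric characters and the cipherSeed a 29-digit string (the shapes of the CakePHP 1.3 defaults); the sample core.php it can generate is constructed for demonstration.

```shell
#!/bin/sh
# Added example: replace Security.salt and Security.cipherSeed in app/config/core.php
# with values from the kernel CSPRNG. Assumes the CakePHP 1.x Configure::write() form.
set -eu

# 40 random alphanumeric characters. LC_ALL=C keeps tr byte-oriented.
gen_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 40
}

# 29 random decimal digits; CakePHP 1.x expects cipherSeed to be numeric.
gen_cipher_seed() {
  LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c 29
}

# Rewrite the two Configure::write() lines in the given core.php in place.
set_core_secrets() {
  file="$1"; salt="$2"; seed="$3"
  sed -i \
    -e "s/Configure::write('Security.salt', '[^']*')/Configure::write('Security.salt', '$salt')/" \
    -e "s/Configure::write('Security.cipherSeed', '[^']*')/Configure::write('Security.cipherSeed', '$seed')/" \
    "$file"
}

# Read one setting back (prints the quoted value), to verify the rewrite.
get_core_setting() {
  sed -n "s/.*Configure::write('$2', '\([^']*\)').*/\1/p" "$1"
}

# Constructed core.php fragment carrying the well-known CakePHP 1.3 template defaults
# (exactly the values that must not survive into production); used for demonstration.
sample_core_php() {
  cat > "$1" <<'EOF'
<?php
    Configure::write('Security.salt', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi');
    Configure::write('Security.cipherSeed', '76859309657453542496749683645');
EOF
}

main() {
  core="${1:-/usr/local/map/app/config/core.php}"
  salt="$(gen_salt)"; seed="$(gen_cipher_seed)"
  set_core_secrets "$core" "$salt" "$seed"
  chmod 640 "$core"   # the file now holds secrets; keep it out of reach of other users
  echo "Security.salt and Security.cipherSeed replaced in $core"
}

if [ "${0##*/}" = "set_core_secrets.sh" ]; then main "$@"; fi
```

Run it as set_core_secrets.sh after copying core.template.php to core.php; it takes the path to core.php as its only argument and defaults to /usr/local/map/app/config/core.php.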
Configuration of httpd.conf

Include the following configuration in /etc/httpd/conf/httpd.conf. Order/Allow is mod_access_compat syntax; on Apache 2.4 the equivalent is "Require all granted". AllowOverride All is what lets the .htaccess files shipped in /usr/local/map rewrite requests into app/webroot, so mod_rewrite must be loaded. requireSession 0 enables lazy sessions: Shibboleth passes attributes when a session exists, but the application itself initiates login where it needs one.

<VirtualHost _default_:80>
  Redirect permanent / https://[HOST-NAME-OF-THIS-SERVER]/
</VirtualHost>

Alias /map "/usr/local/map"
<Directory "/usr/local/map">
  Order allow,deny
  Allow from all
  Options ExecCGI FollowSymLinks
  AllowOverride All
</Directory>

<Location "/map">
  AuthType shibboleth
  ShibRequestSetting requireSession 0
  require shibboleth
</Location>
$ sudo systemctl restart httpd.service
Database Configuration
$ mysql -u root vo < /usr/local/map/ddl/ddl.sql
$ mysql -u root vo < /usr/local/map/ddl/alter.sql
$ mysql -u root vo < /usr/local/map/ddl/index.sql
$ mysql -u root vo < /usr/local/map/ddl/init_system_admin.sql
$ mysql -u root vo
Open /usr/local/map/ddl/stored_procedure.sql and copy & paste its contents into the mysql prompt.
Application Configuration File
Registration of IdP administrators

The following commands register the IdP administrators.

$ cd /usr/local/map/cake/console
$ ./cake -app /usr/local/map/app idp_administrator /path/to/somewhere/idp_administrator.tsv

/path/to/somewhere/idp_administrator.tsv must be created in the following tab-separated format.

#eppn	eptid	entityID
XXX@nii.ac.jp		https://test-idp.gakunin.nii.ac.jp/idp/shibboleth
Registration of organizations

The following commands register the organizations that are members of the federation.

$ cd /usr/local/map/cake/console
$ ./cake -app /usr/local/map/app organization /var/cache/shibboleth/federation-metadata.xml
Registration of SP administrators

The following commands register the SP administrators.

$ cd /usr/local/map/cake/console
$ ./cake -app /usr/local/map/app sp_administrator /path/to/somewhere/sp_administrator.tsv

/path/to/somewhere/sp_administrator.tsv must be created in the following tab-separated format.

#eppn	eptid	entityID
XXX@nii.ac.jp		https://test-sp.gakunin.nii.ac.jp/shibboleth-sp
Registration of SP

The following commands register the SPs that are members of the federation.

$ cd /usr/local/map/cake/console
$ ./cake -app /usr/local/map/app sp_host /var/cache/shibboleth/federation-metadata.xml
Registration of IdP groups

The following commands register the IdP groups for the IdPs that are members of the federation.

$ cd /usr/local/map/cake/console
$ ./cake -app /usr/local/map/app idp_group_creator /var/cache/shibboleth/federation-metadata.xml
Registration of SP connectors

The following commands register the SP connectors for the SPs that are members of the federation.

$ cd /usr/local/map/cake/console
$ ./cake -app /usr/local/map/app sp_connector_creator /var/cache/shibboleth/federation-metadata.xml test-map
Notify the administrator via mail

The administrator is notified by mail when a user applies to join a group.



Access the following URL and confirm that the authentication page appears.


After integrating this IdP's metadata into the related SPs and enabling the SimpleAggregation AttributeResolver, you can run the connection test.

Advanced Configuration


If you want to run mAP on multiple servers, set the following.

Application Configuration File
Create sessions table
$ cd /usr/local/map/cake/console
$ ./cake schema create sessions
Shibboleth Configuration File

Add the SP manually

Register an SP that is not a member of the federation

To register an SP that is not a member of the federation, add the SP's EntityDescriptor to /var/cache/shibboleth/federation-metadata.xml and then execute the sp_host command above. Note that this file is the SP's cached copy of the federation metadata and is rewritten whenever shibd refreshes it, so the manual addition only survives until the next refresh.

Register the SP administrator in the database.

$ mysql -u vouser vo -pYOUR-OWN-PASSWORD

(Passing the password after -p leaves it in the shell history and the process list; giving -p with no value makes the client prompt for it instead.)

mysql> insert into sp_administrators(eppn, host_name, entityid, created) \
values('EPPN', 'HOST-NAME', 'ENTITY-ID', NOW());

Example1)Registration for researchmap and kyouindb
mysql> insert into sp_administrators(eppn, host_name, entityid, created) \
values('xxxx@kyoto-u.ac.jp', 'researchmap.jp', 'https://researchmap.jp/shibboleth-sp', NOW());

mysql> insert into sp_administrators(eppn, host_name, entityid, created) \
values('xxxx@kyoto-u.ac.jp', 'kyouindb.iimc.kyoto-u.ac.jp', \
'https://kyouindb.iimc.kyoto-u.ac.jp/shibboleth-sp', NOW());

Example 2) Registration for test-meatmail.nii.ac.jp and test-map-sp1.nii.ac.jp
mysql> insert into sp_administrators(eppn, host_name, entityid, created) \
values('xxxxxx@ebook-idp.nii.ac.jp', 'test-meatmail.nii.ac.jp', \
'https://test-meatmail.nii.ac.jp/shibboleth-sp', NOW());

mysql> insert into sp_administrators(eppn, host_name, entityid, created) \
values('xxxxxx@ebook-idp.nii.ac.jp', 'test-map-sp1.nii.ac.jp', \
'https://test-map-sp1.nii.ac.jp/shibboleth-sp', NOW());
Create SP Connector

Create the SP Connector for each SP to be used by executing the following SQL.

$ mysql -u vouser vo -pYOUR-OWN-PASSWORD
mysql> insert into groups(group_key,name,introduction,active,public,openmember,\
inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,created,modified) \
values('GROUP-KEY', 'SERVICE-NAME', '', 0, 1, 1, 1, 0, 2, 0, 2, 1, NOW(), NOW());

Example1)Researchmap and kyouindb
mysql> insert into groups(group_key,name,introduction,active,public,openmember,\
inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,created,modified) \
values('researchmap', 'Researchmap', '', 0, 1, 1, 1, 0, 2, 0, 2, 1, NOW(), NOW());

mysql> insert into groups(group_key,name,introduction,active,public,openmember,\
inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,created,modified \
) values('kyouindb', 'kyouindb', '', 0, 1, 1, 1, 0, 2, 0, 2, 1, NOW(), NOW());

Example2)test-meatmail.nii.ac.jp and test-map-sp1.nii.ac.jp
mysql> insert into groups(group_key,name,introduction,active,public,openmember,\
inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,created,modified) \
values('test-meatmail.nii.ac.jp', 'test-meatmail.nii.ac.jp', '', \
0, 1, 1, 1, 0, 2, 0, 2, 1, NOW(), NOW());

mysql> insert into groups(group_key,name,introduction,active,public,openmember,\
inspectjoin,inspectquit,down_permission,up_permission,group_response,sp,created,modified) \
values('test-map-sp1.nii.ac.jp', 'test-map-sp1.nii.ac.jp', '', \
0, 1, 1, 1, 0, 2, 0, 2, 1, NOW(), NOW());


Register the administrator of SP Connector to the database.

$ mysql -u vouser vo -pYOUR-OWN-PASSWORD
mysql> select id,name,mail from accounts;
mysql> select id,group_key,name from groups where sp=1;

Find your account ID and the group ID with the queries above, then put them in place of YOUR-ACCOUNT-ID and GroupID in the following SQL.
mysql> insert into mygroups(account_id, groupid, admin, created, modified) values(YOUR-ACCOUNT-ID, GroupID, 1, NOW(), NOW());

Example) In case of creating 3 SP Connectors
mysql> insert into mygroups(account_id, groupid, admin, created, modified) values(1, 2, 1, NOW(), NOW());
mysql> insert into mygroups(account_id, groupid, admin, created, modified) values(1, 3, 1, NOW(), NOW());
mysql> insert into mygroups(account_id, groupid, admin, created, modified) values(1, 4, 1, NOW(), NOW());
Connection between SP Connector and SP

Connect the SP Connector to the SP by executing the following SQL.

$ mysql -u vouser vo -pYOUR-OWN-PASSWORD

Find the ID of the SP Connector to be used.
mysql> select id, name from groups where sp = 1;

Find the ID of the SP to be used.
mysql> select id, name from sp_hosts;

Based on the search results, register the connection between the SP Connector and the SP.
mysql> insert into group_sphosts(group_id,sp_id,lead_url,created,modified,service_name) \
values(SP-CONNECTOR-ID, SP-ID, 'LEAD-URL', NOW(), NOW(), 'SERVICE-NAME');

・SP Connector ID: id in the groups table
・SP ID: id in the sp_hosts table

Example1)Researchmap and kyouindb
mysql> insert into group_sphosts(group_id,sp_id,lead_url,created,modified,service_name) \
values(2, 3, 'http://researchmap.jp/', NOW(),NOW(), 'Researchmap');

mysql> insert into group_sphosts(group_id,sp_id,lead_url,created,modified,service_name) \
values(3, 15, 'http://kyouindb.iimc.kyoto-u.ac.jp/', NOW(),NOW(), 'kyouindb');

Example2)test-meatmail.nii.ac.jp and test-map-sp1.nii.ac.jp
mysql> insert into group_sphosts(group_id,sp_id,lead_url,created,modified,service_name) \
values(2, 80, 'https://test-meatmail.nii.ac.jp/', NOW(),NOW(), 'Test-MeatMail');
mysql> insert into group_sphosts(group_id,sp_id,lead_url,created,modified,service_name) \
values(3, 175, 'https://test-map-sp1.nii.ac.jp/', NOW(),NOW(), 'Test-mAP-SP1');


Automatic Connection of SP Connector

This lets users use an SP (e.g. Researchmap, kyouindb) through an SP Connector that is connected automatically when a user creates a new group.

$ mysql -u vouser vo -pYOUR-OWN-PASSWORD

Find the ID of the SP Connector.
mysql> select id, name from groups where sp = 1;

Put the ID found above into the following SQL and execute it.
mysql> insert into sp_auto_connectors(groupid,created) values(FOUND-ID, NOW());

mysql> insert into sp_auto_connectors(groupid,created) values(2, NOW());
mysql> insert into sp_auto_connectors(groupid,created) values(3, NOW());


Attribute Consent Setting for SP Connector

Set the attribute consent information used by the SP Connector.

$ mysql -u vouser vo -pYOUR-OWN-PASSWORD

Find the ID of the SP Connector.
mysql> select id, name from groups where sp = 1;

Put the SP Connector ID into the following SQL and execute it.
mysql> insert into provide_attributes(group_id,ismemberof,eptid,name,mail,idp,introduction,\
language,organization,created,modified) values(FOUND-ID, 1, 1, 1, 1, 1, 1, 1, 1, NOW(),NOW());

Example)
mysql> select id, name from groups where sp = 1;
| id | name                    |
|  2 | xxxxxxx                 |
|  3 | yyyyyyy                 |
|  4 | zzzzzzz                 |
mysql> insert into provide_attributes(group_id,ismemberof,eptid,name,mail,idp,introduction,\
language,organization,created,modified) values(2, 1, 1, 1, 1, 1, 1, 1, 1, NOW(),NOW());
mysql> insert into provide_attributes(group_id,ismemberof,eptid,name,mail,idp,introduction,\
language,organization,created,modified) values(3, 1, 1, 1, 1, 1, 1, 1, 1, NOW(),NOW());
mysql> insert into provide_attributes(group_id,ismemberof,eptid,name,mail,idp,introduction,\
language,organization,created,modified) values(4, 1, 1, 1, 1, 1, 1, 1, 1, NOW(),NOW());

Importing the Account Data from the Existing Database

If data exists in an existing database, it can be imported from a TSV file.

The format of the TSV is as follows.

Note that the display name must be within 50 characters.



The import command is as follows.

$ export TERM=vt100
$ cd /usr/local/map/cake/console
$ ./cake -app /usr/local/map/app kyoto_u_ac_jp_import [TSV-FILE-NAME] [IdP-ENTITY-ID]

Example 1)Normal Execution
$ export TERM=vt100
$ cd /usr/local/map/cake/console
$ ./cake -app /usr/local/map/app kyoto_u_ac_jp_import \
/var/local/map/tmp/kyoto-u.ac.jp.sample.tsv \
[IdP-ENTITY-ID]

Example 2)Send Email after Execution
$ export TERM=vt100
$ cd /usr/local/map/cake/console
$ ./cake -app /usr/local/map/app kyoto_u_ac_jp_import \
/var/local/map/tmp/kyoto-u.ac.jp.sample.tsv \
https://authidp1.iimc.kyoto-u.ac.jp/idp/shibboleth | mail -s "Import Result" EMAIL-ADDRESS