Inmor Trust Anchor Documentation

Inmor is a Trust Anchor (TA) implementation for OpenID Federation 1.0. It provides a complete solution for managing OpenID Federation trust chains, subordinate entities, and trust marks.

The system consists of two components:

• Trust Anchor (Rust): High-performance federation server handling entity statements, trust marks, and resolution

• Collection CLI (Rust): inmor-collection tool that walks federation trees and populates the collection endpoint data

• Admin Portal (Python/Django): REST API for managing subordinates, trust mark types, and trust marks

Note

Inmor is currently under active development and is not yet production-ready.

Danger

Production Security: The Admin API must be protected with authentication (at minimum HTTP Basic Auth) before exposing to any network. See Securing the Admin API for details.

Quick Start

The fastest way to get Inmor running is with Docker Compose:

# Clone the repository (includes signing keys for development)
git clone https://github.com/SUNET/inmor.git
cd inmor

# Build and start all services
just build
just build-rs
just up

# Initialize the Trust Anchor
curl -X POST http://localhost:8000/api/v1/server/entity
curl -X POST http://localhost:8000/api/v1/server/historical_keys

The repository includes development signing keys, so no key generation is needed for getting started. For production, you should generate your own keys.

For detailed instructions, see Installation.

Documentation Contents

Getting Started

• Installation
  • Prerequisites
  • Quick Installation
  • Docker Compose Files
  • Key Generation
  • Directory Structure
  • Verifying Installation
  • Stopping Services
  • Development Setup
  • Production Deployment
  • Troubleshooting
• Docker Compose Deployment
  • Architecture
  • Production Deployment
  • Running Behind a Reverse Proxy
  • Volume Mounts
  • Database Persistence
  • Redis Data
  • Entity Collection CLI (inmor-collection)
  • Scheduled Tasks
  • Health Checks
  • Scaling Considerations
  • Environment Variables
  • Generating the Signing Key
  • Initialization Workflow
  • Logs and Monitoring
• Reverse Proxy Configuration
  • Architecture
  • Securing the Admin API
  • nginx Configuration
  • Apache (httpd) Configuration
  • Caddy Configuration
  • TLS Certificate Management
  • Security Best Practices
  • Updating Django Settings
  • Testing the Setup

API Reference

• Admin API Reference
  • Authentication
  • Trust Mark Types
  • Trust Marks
  • Subordinates
  • Server Operations
  • Audit Log
  • Error Responses
  • Pagination
• Trust Anchor API Reference
  • OpenID Federation Endpoints
  • Trust Mark Endpoints
  • Other Endpoints
  • Error Responses
  • Chain constraints (§6.2)
  • Trust Mark Delegation (§7.2)
  • Signed JWKS URIs (§5.2.1)
  • Transient-error retry semantics (§10.5)
  • Critical-claim handling
  • Content Types

Configuration

• Configuration Reference
  • Trust Anchor Configuration (taconfig.toml)
  • Admin Portal Configuration (settings.py)
  • Environment Variables
  • Key Files
  • Redis Key Structure
  • Example Configuration Files

User Guides

• Admin UI Guide
  • Overview
  • Screenshots
  • Running the Frontend
  • Authentication
  • Configuration
  • Tech Stack
  • CSS Design System
  • Recording Demo Videos
  • Taking Screenshots
• Multi-Factor Authentication (MFA)
  • Overview
  • Accessing MFA Settings
  • Setting Up TOTP
  • Setting Up Security Keys
  • Recovery Codes
  • Logging In with MFA
  • Re-authentication
  • Disabling MFA
  • Configuration
  • Troubleshooting
• API Key Authentication
  • Overview
  • Command-Line Management
  • Creating a Key via Admin UI
  • Using an API Key
  • Managing Keys via Admin UI
  • Security Best Practices
  • How It Works
• Trust Mark Management
  • Understanding Trust Marks
  • Creating Trust Mark Types
  • Issuing Trust Marks
  • Viewing Trust Marks
  • Renewing Trust Marks
  • Revoking Trust Marks
  • Updating Trust Mark Claims
  • Verifying Trust Marks
  • Listing Trust Mark Holders
  • Trust Marks for the Trust Anchor
  • Trusted Trust Mark Issuers (Federation Recognition)
  • Best Practices
  • Workflow Example
• Subordinate Management
  • Understanding Subordinates
  • Prerequisites
  • Registering a Subordinate
  • Viewing Subordinates
  • Updating Subordinates
  • Disabling Subordinates
  • Subordinate Statement Structure
  • Fetching Subordinate Statements
  • Resolving Trust Chains
  • Entity Types
  • Metadata Policy
  • Renewing Subordinates
  • Workflow Example
  • Troubleshooting
• Management Commands
  • createsuperuser
  • changepassword
  • apikey
  • reload_issued_tms
  • reissue_alltms
  • readd_subordinates
  • pre_migrate_check
  • create_api_key

Architecture Overview

┌─────────────────────────────────────────────────────────────────┐
│                        External Clients                         │
│                    (Federation Entities, RPs, OPs)              │
└─────────────────────────────────────────────────────────────────┘
                                 │
                                 ▼
┌─────────────────────────────────────────────────────────────────┐
│                    Reverse Proxy (nginx)                        │
│                     TLS Termination                             │
└─────────────────────────────────────────────────────────────────┘
           │                                        │
           ▼                                        ▼
┌─────────────────────┐                ┌─────────────────────────┐
│   Trust Anchor      │                │    Admin Portal         │
│   (Rust/Actix)      │◄──────────────►│    (Django/Ninja)       │
│   Port 8080         │    Redis       │    Port 8000            │
└─────────────────────┘                └─────────────────────────┘
           │                                        │
           ▼                                        ▼
┌─────────────────────┐                ┌─────────────────────────┐
│       Redis         │                │      PostgreSQL         │
│   Federation Cache  │                │   Persistent Storage    │
└─────────────────────┘                └─────────────────────────┘

OpenID Federation Compliance

Inmor implements the following OpenID Federation endpoints:

• /.well-known/openid-federation - Entity configuration

• /fetch - Fetch subordinate statements

• /list - List subordinates

• /resolve - Resolve trust chains

• /trust_mark - Get trust marks

• /trust_mark_list - List entities with trust marks

• /trust_mark_status - Validate trust marks

• /historical_keys - Historical/expired key set

• /collection - Entity collection (populated by inmor-collection CLI)

Indices and tables

• Index

• Search Page