<<TableOfContents>>

= Managing your account =
{{{#!wiki note 
Since April 2021, you only need one account for both the CentOS Project and the Fedora project.


Both projects were migrated to a new consolidated authentication platform (based on [[https://www.freeipa.org/|(Free)IPA]] ), and existing accounts merged into the new one. 

}}}
== Creating your account ==
You can create your account on our community portal running on https://accounts.centos.org.

To register/create an account, just click on "Register" on the portal and follow the process.
More information and user documentation is available on [[https://docs.fedoraproject.org/en-US/fedora-accounts/ | consolidated online documentation for the portal ]]

== Modifying your account ==
Once logged into the portal (still on https://accounts.centos.org) you can modify/edit your profile and see your group membership.

Some settings you can modify directly:
 * First/Last Name
 * Locale
 * Timezone
 * email address (attention that it '''needs''' to be a valid email address)
 * other personal details
 * your password
 * adding/removing OTP tokens (see below for 2FA)
 * ssh and gpg public keys

More information and user documentation is available on [[https://docs.fedoraproject.org/en-US/fedora-accounts/ | consolidated online documentation for the portal ]]


= Enabling 2FA =
It's adviced (but not mandatory) to implement 2 Factor Authentication on your account (for some critical accounts, that's though required).

You can add one (or more, adviced) OTP tokens on your profile. 
Known to work solutions so far : 
 * Yubikey (4 and above, that supports OTP) : through rpm pkg yubioath-desktop
 * FreeOTP (available on Google Play Store)
 * OTPClient (available as rpm pkg and flatpak/flathub)
 * others (list is non exhaustive)

More informations about 2FA is available on [[https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor | specific portal documentation ]]


= Authenticating to CentOS services with your accounts =
Some infra services (but not all) are using the new authentication platform to give you access.

== IdP for CentOS service ==
As IPA backend itself doesn't provide IdP features, we have the service https://id.centos.org that is registered in IPA, and so that can be used as IdP, to support OpenID, OpenIDC, SAML2 authentication for applications/services that can recognize and use such protocol/standards

== Authenticating with your username and password ==
Once you'll try to login to a service that requires auth, you'll be automatically redirected to https://id.centos.org.
You can then provide your username and password combination to proceed with authentication and be then redirected to the initial service you wanted to auth with.

{{{#!wiki warning
If you have enabled 2FA (see above), your password field is a combination of '''both''' your real password and the OTP token
}}}

== Enabling kerberos for IdP ==
If you want to instead use your kerberos ticket to auth against services (and so transparently) and not having to type your user/password (+OTP if enabled) combination each time, you can just configure your workstation to transparently use gssapi authentication against https://id.centos.org

For this you need to first install a mandatory package, that has the needed configuration for kerberos :
{{{
sudo dnf install -y epel-release # Only on 8/8-stream, not needed on Fedora
sudo dnf install -y fedora-packager
}}}

{{{#!wiki important
You need to have fedora-packager >= 0.6.0.5-2 installed on your system for this to work !
}}}

After that, you can kinit as usual (see [[https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit|upstream doc]] and you should have your kerberos ticket ready to be used for authentication

You still need to configure your browser :
=== Firefox settings ===
While in Firefox, type '''about:config''' in the location/url bar and press enter.
You can then edit the following key/value : 

{{{
network.negotiate-auth.trusted-uris: .fedoraproject.org,.centos.org
}}}

Close and then firefox will allow kerberos/GSSAPI transaction to proceed, meaning that next time one service will redirect you to https://id.centos.org, you'll be automatically logged on through kerberos (no need to specify again user/password)

=== Chrome/Chromium ===
Depending on Chrome or Chromium, the path of the json file to create is different :
* Chrome : /etc/opt/chrome/policies/managed/fedora-centos.json
* Chromium : /etc/chromium/policies/managed/fedora-centos.json

You should have there something like this : 
{{{
{
  "AuthServerWhitelist": "*.fedoraproject.org,*.centos.org",
  "AuthNegotiateDelegateWhitelist": "*.fedoraproject.org,*.centos.org"
}


}}}

== TLS certificate ==

To be able to request a signed TLS certificate, you need first to install the cli tool that will use kerberos auth first to request a locally generated (automatic) CSR to be sent to IPA for signing operation and you'll then get your certificate back.

Supported Linux distributions: CentOS 8/8-s , Fedora 32,33,34

{{{
sudo dnf install -y epel-release # only if you are on CentOS 8 / 8-stream not needed for Fedora
sudo dnf install -y centos-packager
}}}


Your user certificate bundle comes in the form of 1 file:
|| Filename || Purpose ||
|| ~/.centos.cert || PEM file with your X509 Client Certificate and Key ||


To generate your certificate you can use the 'centos-cert' tool included in the centos-packager package:

{{{
 centos-cert 

You need to call the script like this : /usr/bin/centos-cert -arguments
 -u : username ([REQUIRED] : your existing ACO/FAS username)
 -v : just validates the existing TLS certificate ([OPTIONAL])
 -r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)
 -f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)
 -h : display this help


}}}


If you've signed up with the account name '''tuser''', you can generate your new certificate like this:
{{{
    [tuser@myworkstation]$ centos-cert -u tuser 
    
}}}

{{{#!wiki important
Attention that '''centos-cert -u tuser ''' will request a new certificate, so that will automatically revoke any other certificate you had in the past. If you need to use cbs/koji on multiple machines, just copy the files mentioned above on the other machine. 
}}}

{{{#!wiki note
Important note WRT OTP: If you have enabled Two Factor auth, you absolutely need to get a valid kerberos ticket through other step *before* using centos-cert. See [[https://docs.fedoraproject.org/en-US/fedora-accounts/user/#twofactor|Fedora Accounts Documentation for this]] 
}}}