diff --git a/docs/auth.md b/docs/auth.md
index e7143de..2e9ac6b 100644
--- a/docs/auth.md
+++ b/docs/auth.md
@@ -141,3 +141,66 @@ account with CentOS' Account System.
 
 From there on, everytime you visit this link, your group membership defined in
 ACO, will be refreshed on gitlab.
+
+## Authenticating to CentOS services with your accounts 
+Some infra services (but not all) are using the new authentication platform to give you access.
+
+### IdP for CentOS service 
+
+As IPA backend itself doesn't provide IdP features, we have the service https://id.centos.org that is registered in IPA, and so that can be used as IdP, to support OpenID, OpenIDC, SAML2 authentication for applications/services that can recognize and use such protocol/standards
+
+### Authenticating with your username and password 
+Once you'll try to login to a service that requires auth, you'll be automatically redirected to https://id.centos.org.
+You can then provide your username and password combination to proceed with authentication and be then redirected to the initial service you wanted to auth with.
+
+!!! warning
+    If you have enabled 2FA (see above), your password field is a combination of '''both''' your real password and the OTP token
+
+
+### Enabling kerberos for IdP
+If you want to instead use your kerberos ticket to auth against services (and so transparently) and not having to type your user/password (+OTP if enabled) combination each time, you can just configure your workstation to transparently use gssapi authentication against https://id.centos.org
+
+For this you need to first install a mandatory package, that has the needed configuration for kerberos :
+
+```
+sudo dnf install -y epel-release # Only on 8/8-stream, not needed on Fedora
+sudo dnf install -y fedora-packager
+```
+
+!!! important
+    You need to have fedora-packager >= 0.6.0.5-2 installed on your system for this to work !
+
+
+After that, you can kinit as usual (see [[https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit|upstream doc]] and you should have your kerberos ticket ready to be used for authentication
+
+You still need to configure your browser :
+
+### Firefox settings 
+While in Firefox, type '''about:config''' in the location/url bar and press enter.
+You can then edit the following key/value : 
+
+```
+network.negotiate-auth.trusted-uris: .fedoraproject.org,.centos.org
+```
+
+Close and then firefox will allow kerberos/GSSAPI transaction to proceed, meaning that next time one service will redirect you to https://id.centos.org, you'll be automatically logged on through kerberos (no need to specify again user/password)
+
+### Chrome/Chromium
+Depending on Chrome or Chromium, the path of the json file to create is different :
+
+ * Chrome : /etc/opt/chrome/policies/managed/fedora-centos.json
+ * Chromium : /etc/chromium/policies/managed/fedora-centos.json
+
+You should have there something like this : 
+
+```
+{
+  "AuthServerAllowlist": "*.fedoraproject.org,*.centos.org",
+  "AuthNegotiateDelegateAllowlist": "*.fedoraproject.org,*.centos.org"
+}
+```
+
+!!! warning
+    Chrome/Chromium browsers with version < '100' were using different names like ''AuthServerWhitelist'' and ''AuthNegotiateDelegateWhitelist'' so check version and adapt accordingly
+
+
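Review bot: The Chrome/Chromium policy example sets "AuthNegotiateDelegateAllowlist" to "*.fedoraproject.org,*.centos.org", which allows Kerberos credential delegation to every host under both domains, while the surrounding text only needs Negotiate authentication against https://id.centos.org. Suggest dropping the delegate line unless delegation is really required, and narrowing "AuthServerAllowlist" and the Firefox network.negotiate-auth.trusted-uris value to the IdP hosts that users actually authenticate to instead of whole-domain wildcards. Separately, the added text uses wiki markup that will not render in this Markdown file: '''both''', '''about:config''', ''AuthServerWhitelist'' and the [[...|upstream doc]] link in the kinit paragraph, which is also missing its closing parenthesis; convert these to Markdown emphasis and a standard Markdown link.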