From 5412442b1d8d4785c6d5306e8a1b5378c44617a7 Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Mar 29 2023 14:30:27 +0000 Subject: Adding note about kerberos passthrough for browser Signed-off-by: Fabian Arrotin --- diff --git a/docs/auth.md b/docs/auth.md index e7143de..2e9ac6b 100644 --- a/docs/auth.md +++ b/docs/auth.md 
@@ -141,3 +141,66 @@ account with CentOS' Account System. From there on, everytime you visit this link, your group membership defined in ACO, will be refreshed on gitlab. + +## Authenticating to CentOS services with your accounts +Some infra services (but not all) are using the new authentication platform to give you access. + +### IdP for CentOS service + +As IPA backend itself doesn't provide IdP features, we have the service https://id.centos.org that is registered in IPA, and so that can be used as IdP, to support OpenID, OpenIDC, SAML2 authentication for applications/services that can recognize and use such protocol/standards + +### Authenticating with your username and password +Once you'll try to login to a service that requires auth, you'll be automatically redirected to https://id.centos.org. +You can then provide your username and password combination to proceed with authentication and be then redirected to the initial service you wanted to auth with. + +!!! warning + If you have enabled 2FA (see above), your password field is a combination of '''both''' your real password and the OTP token + + +### Enabling kerberos for IdP +If you want to instead use your kerberos ticket to auth against services (and so transparently) and not having to type your user/password (+OTP if enabled) combination each time, you can just configure your workstation to transparently use gssapi authentication against https://id.centos.org + +For this you need to first install a mandatory package, that has the needed configuration for kerberos : + +``` +sudo dnf install -y epel-release # Only on 8/8-stream, not needed on Fedora +sudo dnf install -y fedora-packager +``` + +!!! important + You need to have fedora-packager >= 0.6.0.5-2 installed on your system for this to work ! 
+ + +After that, you can kinit as usual (see [[https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit|upstream doc]] and you should have your kerberos ticket ready to be used for authentication + +You still need to configure your browser : + +### Firefox settings +While in Firefox, type '''about:config''' in the location/url bar and press enter. +You can then edit the following key/value : + +``` +network.negotiate-auth.trusted-uris: .fedoraproject.org,.centos.org +``` + +Close and then firefox will allow kerberos/GSSAPI transaction to proceed, meaning that next time one service will redirect you to https://id.centos.org, you'll be automatically logged on through kerberos (no need to specify again user/password) + +### Chrome/Chromium +Depending on Chrome or Chromium, the path of the json file to create is different : + + * Chrome : /etc/opt/chrome/policies/managed/fedora-centos.json + * Chromium : /etc/chromium/policies/managed/fedora-centos.json + +You should have there something like this : + +``` +{ + "AuthServerAllowlist": "*.fedoraproject.org,*.centos.org", + "AuthNegotiateDelegateAllowlist": "*.fedoraproject.org,*.centos.org" +} +``` + +!!! warning + Chrome/Chromium browsers with version < '100' were using different names like ''AuthServerWhitelist'' and ''AuthNegotiateDelegateWhitelist'' so check version and adapt accordingly + +
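Review bot: the Chrome/Chromium policy in this hunk grants credential delegation via `"AuthNegotiateDelegateAllowlist": "*.fedoraproject.org,*.centos.org"`, while the Firefox section only sets `network.negotiate-auth.trusted-uris` and leaves `network.negotiate-auth.delegation-uris` alone; plain SPNEGO login to https://id.centos.org needs only `AuthServerAllowlist`, and the delegate list lets any host matching those wildcards obtain a forwardable copy of the user's Kerberos credentials, so either drop that key or state which service actually requires delegation and narrow the list to that hostname. Minor doc points in the same hunk: the kinit sentence is missing its closing parenthesis and uses wiki link syntax (`[[https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit|upstream doc]]`) inside a markdown file, and `'''both'''` / `''AuthServerWhitelist''` are MediaWiki markup rather than markdown; use `[upstream doc](https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit)`, `**both**` and `*AuthServerWhitelist*` so they render. The Firefox step should also say to restart the browser after editing `network.negotiate-auth.trusted-uris`, since "Close and then firefox will allow" reads as if closing alone is the action.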