ockam_command 0.150.0

End-to-end encryption and mutual authentication for distributed applications.

The `enroll` command enrolls your Ockam Identity with Ockam Orchestrator.

It involves multiple steps. In the first step, if you specify an Identity using the `--identity` argument, the command uses it. If you don't specify an Identity, it checks if you have a default Identity. If you have one, the command uses this default Identity. If you do not have a default Identity, the command generates a new Identity in your default Vault. If you do not have a default Vault, the command creates a new one on your file system, makes it the default Vault, and uses it to store the private keys of your new Identity.

You will also need to use your web browser to type in a one-time code in order to activate the machine you are using to run the `enroll` command. You will then be required to log in to your Orchestrator account to complete activating this machine. To do so, you can choose to authenticate using GitHub or create a new email and password. If you choose the latter, then you will need to verify your email address.

Orchestrator is a SaaS product that provides remote relays and integrations with add-ons such as Confluent and Okta. If this is your first time signing in, the Orchestrator creates a new dedicated Space and Project for you. A Project offers two services: a Membership Authority and a Relay service.

The `enroll` command then asks this Project’s Membership Authority to sign and issue a Credential that attests that your Identifier is a member of this Project. Since your account in Orchestrator is the creator, and hence the first administrator, of this new Project, the Membership Authority issues this Credential. The command stores the Credential for later use and exits.