This browser extension uses a locally running Microsoft Identity Broker to authenticate the current user on Microsoft Entra ID on Linux devices. By that, also sites behind conditional access policies can be accessed. The extension is written for Firefox but provides a limited support for Google Chrome (and Chromium).
This extension will only work on intune-enabled Linux devices. Please double
check this by running the intune-portal
application and check if your user
is logged in (after clicking sign-in
).
Also make sure to install the host components (see Installation below).
The extension requires pydbus as a runtime dependency. On a Debian system please install python3-pydbus
.
If you are using a python version manager such as asdf
you must install the python packages manually: pip install PyGObject pydbus
You can get a signed version of the browser extension from our Github releases. As this only covers the browser part, the host tooling still needs to be installed manually:
- clone this repository
- run
make local-install-firefox
- Get the
linux_entra_sso-<version>.xpi
file from the project's releases page - Enable "Access your data for
https://login.microsoftonline.com
" under the extension's permissions
You can get a signed version of the browser extension from the Chrome Web Store. As this only covers the browser part, the host tooling still needs to be installed manually:
- clone this repository
- run
make local-install-chrome
- Install the linux-entra-sso Chrome extension from the Chrome Web Store
If you want to execute unsigned versions of the extension (e.g. test builds) on Firefox, you have to use either Firefox ESR, nightly or developer, as standard Firefox does not allow installing unsigned extensions since version 48.
To build the extension and install the host parts, perform the following steps:
- clone this repository
- run
make local-install-<firefox|chrome>
to install the native messaging app in the user's.mozilla
(or Chrome) folder - run
make
to build the extension (For Firefox,build/<platform>/linux-entra-sso-*.xpi
is generated) - Firefox only: Permit unsigned extensions in Firefox by setting
xpinstall.signatures.required
tofalse
- Chrome only: In extension menu, enable
Developer mode
. - Install the extension in the Browser from the local
linux-entra-sso-*.xpi
file (Firefox). On Chrome, useload unpacked
and point tobuild/chrome
- Enable "Access your data for
https://login.microsoftonline.com
" under the extension's permissions
Linux distributions can ship the host components by packaging the output of make install
(DESTDIR
is supported).
This makes the host parts available to all users, but will only work with the signed versions of the extension.
On Chrome, the extension is registered to be auto-installed when starting the browser.
On Firefox and Chromium, the users still need to manually install the browser extension from the respective stores.
Note: The native messaging dirs vary across Linux distributions.
The variables (firefox|chrome|chromium)_nm_dir
and chrome_ext_dir
need to be set accordingly.
The provided defaults work on a Debian system. For details, have a look at the Makefile.
No configuration is required. The SSO is automatically enabled.
If you want to disable the SSO for this session, click on the tray icon and select the guest account.
In case you are already logged in, you might need to clear all cookies on login.microsoftonline.com
.
When enabled, the extension acquires a PRT SSO Cookie
from the locally running microsoft-identity-broker
service and inject that into the OAuth2 login flow on Microsoft Entra ID (login.microsoftonline.com
).
This extension will not work on the snap version of Firefox.
The extension executes a script linux-entra-sso.py
on the host that communicates via D-Bus with the microsoft-identity-broker
service.
As the SNAP executes Firefox inside a container, the communication with D-Bus will not work. Please use the firefox-esr
Debian package instead.
Due to not having the WebRequestsBlocking
API on Chrome, the extension needs to use a different mechanism to inject the token.
While in Firefox the token is requested on-demand when hitting the SSO login URL, in Chrome the token is requested periodically.
Then, a declarativeNetRequest
API rule is setup to inject the token. As the lifetime of the tokens is limited and cannot be checked,
outdated tokens might be injected. Further, a generic SSO URL must be used when requesting the token, instead of the actual one.
In case the extension is not working, check the following:
- run host component in interactive mode:
python3 ./linux-entra-sso.py --interactive acquirePrtSsoCookie
- check if SSO is working in the Edge browser
This project is licensed according to the terms of the Mozilla Public
License, v. 2.0. A copy of the license is provided in LICENSES/MPL-2.0.txt
.