Browser plugin for Linux to SSO on Azure Entra ID using a locally running microsoft identity broker (Intune).

siemens/linux-entra-sso

Entra ID SSO via Microsoft Identity Broker on Linux

This browser plugin uses a locally running Microsoft Identity Broker to authenticate the current user against Microsoft Entra ID on Linux devices. This also makes sites protected by conditional access policies reachable. The plugin is written for Firefox but provides limited support for Google Chrome (and Chromium).

Pre-conditions

This extension only works on Intune-enabled Linux devices. Double-check this by running the intune-portal application and confirming that your user is logged in (after clicking sign-in). Also make sure to install the host components (see Installation below).

Dependencies

The extension requires pydbus as a runtime dependency. On a Debian system please install python3-pydbus:

sudo apt install python3-pydbus

Note: If you are using a Python version manager such as asdf, you must install the Python packages manually: pip install PyGObject pydbus

Installation

Firefox: Signed Version from GitHub Releases

You can get a signed version of the browser extension from our GitHub releases. As this only covers the browser part, the host tooling still needs to be installed manually:

  1. clone this repository
  2. run make local-install-firefox
  3. Enable "Access your data for https://login.microsoftonline.com" under the extension's permissions

Development Version and Other Browsers

If you want to run unsigned versions of the extension (e.g. test builds) on Firefox, you have to use Firefox ESR, Nightly or Developer Edition, as standard Firefox has not allowed installing unsigned extensions since version 48.

To build the extension and install the host parts, perform the following steps:

  1. clone this repository
  2. run make local-install-<firefox|chrome> to install the native messaging app in the user's .mozilla (or Chrome) folder
  3. run make to build the extension (For Firefox, build/<platform>/linux-entra-sso-*.xpi is generated)
  4. Firefox only: Permit unsigned extensions in Firefox by setting xpinstall.signatures.required to false
  5. Chrome only: In the extensions menu, enable Developer mode.
  6. Install the extension in the browser from the local linux-entra-sso-*.xpi file (Firefox). On Chrome, use "Load unpacked" and point to build/chrome
  7. Enable "Access your data for https://login.microsoftonline.com" under the extension's permissions

Usage

No configuration is required. However, you might need to clear all cookies on login.microsoftonline.com in case you are already logged in. The extension automatically acquires a PRT SSO cookie from the locally running device identity broker and injects it into the OAuth2 login workflow for all Microsoft Entra ID enabled sites (the ones you log in to via login.microsoftonline.com).

Known Limitations

SNAP version not supported

This extension will not work with the snap version of Firefox. The extension executes a script, linux-entra-sso.py, on the host that communicates via D-Bus with the microsoft-identity-broker service. Because the snap runs Firefox inside a container, this D-Bus communication fails. Please use the firefox-esr Debian package instead.

Expired Tokens on Chrome

Because Chrome does not provide the blocking webRequest API (webRequestBlocking), the plugin has to use a different mechanism to inject the token. In Firefox the token is requested on demand when the SSO login URL is hit; in Chrome the token is requested periodically and a declarativeNetRequest rule is then set up to inject it. As the lifetime of the tokens is limited and cannot be checked, outdated tokens might be injected. Furthermore, a generic SSO URL must be used when requesting the token, instead of the actual one.
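To make the Firefox on-demand flow from the Usage section concrete (and to show what the Chrome path above loses), here is an added example that is not the project's own code: the URL check and header injection are written as pure functions, and the browser wiring below them is guarded so the functions also run outside the browser. The header name x-ms-RefreshTokenCredential, the native host name linux_entra_sso and the message shape { command, cookie } are assumptions not stated on the page.

```javascript
// Added example, not the project's code. Assumed names: the PRT SSO cookie
// travels in the "x-ms-RefreshTokenCredential" request header, and the native
// host answers {cookie: "..."} to {command: "acquirePrtSsoCookie"}.
const SSO_HOST = "login.microsoftonline.com";
const PRT_COOKIE_HEADER = "x-ms-RefreshTokenCredential"; // assumed header name

// The PRT SSO cookie is a device credential, so only an exact HTTPS match of
// the Entra login host may receive it. Parse the URL instead of doing a string
// prefix check, which would also match look-alike hosts.
function isEntraLoginUrl(url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  return u.protocol === "https:" && u.hostname.toLowerCase() === SSO_HOST;
}

// Return a new header list carrying the cookie exactly once. The input list is
// returned untouched when the cookie is empty or the URL is not the login
// endpoint, so nothing is ever attached to another origin.
function injectPrtSsoCookie(url, requestHeaders, ssoCookie) {
  if (!ssoCookie || !isEntraLoginUrl(url)) return requestHeaders;
  const kept = requestHeaders.filter(
    (h) => h.name.toLowerCase() !== PRT_COOKIE_HEADER.toLowerCase());
  return [...kept, { name: PRT_COOKIE_HEADER, value: ssoCookie }];
}

// Firefox wiring: a blocking onBeforeSendHeaders listener fetches a fresh
// cookie from the native host for every login request, which is why stale
// tokens are not an issue on Firefox. Chrome lacks this blocking API.
if (typeof browser !== "undefined" && browser.webRequest) {
  const port = browser.runtime.connectNative("linux_entra_sso"); // assumed name
  const acquireCookie = () => new Promise((resolve) => {
    port.onMessage.addListener(function once(msg) {
      port.onMessage.removeListener(once);
      resolve(msg && msg.cookie ? msg.cookie : "");
    });
    port.postMessage({ command: "acquirePrtSsoCookie" });
  });
  browser.webRequest.onBeforeSendHeaders.addListener(
    async (details) => ({
      requestHeaders: injectPrtSsoCookie(
        details.url, details.requestHeaders, await acquireCookie()),
    }),
    { urls: ["https://" + SSO_HOST + "/*"] },
    ["blocking", "requestHeaders"]);
}
```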

Troubleshooting

In case the extension is not working, check the following:

  • run the host component in interactive mode: python3 ./linux-entra-sso.py --interactive acquirePrtSsoCookie
  • check if SSO is working in the Edge browser

License

This project is licensed according to the terms of the Mozilla Public License, v. 2.0. A copy of the license is provided in LICENSES/MPL-2.0.txt.
