Entra ID for Linux: Himmelblau 3.0 extends enterprise features
The open-source framework Himmelblau brings extensive new features for the integration of Linux systems with Microsoft Entra ID.
The open-source project Himmelblau has released version 3.0.0, bringing extensive new features for the authentication of Linux systems against Microsoft Entra ID. Key features include first-class OIDC support, Linux Hello TOTP, and extended compliance functions for Intune.
Himmelblau is an authentication framework that enables seamless integration between Linux environments and Microsoft Entra ID. The project, licensed under GPLv3, originated as a fork of the Kanidm OAuth2 Client and is primarily developed by David Mulder with support from SUSE. The goal is to integrate Linux systems into Microsoft infrastructures as effectively as Windows machines – including multi-factor authentication, device trust, and Intune compliance.
OIDC Provider Without Domain Configuration
The biggest innovation in version 3.0.0 is comprehensive support for OpenID Connect. Administrators can now integrate any OIDC provider via the configuration option oidc_issuer_url. The implementation supports password and PIN flows as well as break-glass mechanisms for emergency scenarios in which the OIDC provider is unreachable. Particularly noteworthy is the Domainless OIDC feature, which lets users authenticate even without prior domain configuration.
OIDC support makes Himmelblau less dependent on Microsoft services: administrators can now also use alternative identity providers such as Keycloak. For better Keycloak compatibility, Himmelblau has included an OIDC provider online check since version 2.0, which verifies that the provider is reachable.
Two-Factor Authentication via TOTP
With Linux Hello TOTP, Himmelblau 3.0 introduces time-based one-time password authentication for Linux systems. Setup is done via QR-code-based enrollment flows, available both in the terminal and in the GNOME QR-Greeter. The QR-Greeter works from GNOME 49 onwards and is comparable to the Windows Hello login.
The QR-Greeter itself has also been extended and now supports OIDC Device Admin Grants (DAG) as well as Microsoft Consumer DAG Flows. Personal Microsoft accounts can now also be used for logging into Linux systems. Until now, Himmelblau was exclusively tailored for businesses; this feature now expands its range of applications to private users as well.
Extended Compliance and Simpler Deployment
For enterprise environments, Himmelblau 3.0 has significantly expanded compliance and policy support. The new version offers default custom compliance processing and dedicated packages for browser SSO policy deployment. With himmelblau-broker, a standalone broker package is also available, running as a separate service.
Deployment has also been simplified: the daemon now starts configuration-free and automatically upon installation or upgrade. Single-domain auto-configuration allows systems to be put into operation without manual configuration. For environments without passwordless methods, there is a password-only local authentication mode.
Broad Distribution Support
Himmelblau 3.0 officially supports openSUSE Tumbleweed, SUSE Linux Enterprise, Fedora, Red Hat Enterprise Linux, Ubuntu, Debian, and NixOS. Amazon Linux 2023 and Gentoo have been newly added. Additionally, the software can now be used with ARM64/aarch64.
For NixOS users, the new version brings a modern Flake Shell, a split module structure for himmelblau and himmelblau-desktop, and typed NixOS options generated from XML configuration definitions.
Further information and downloads for Himmelblau are available on GitHub.
(fo)