Comment by skinkestek
4 days ago
I'm currently working at a large public institution in Norway.
Half the team runs Linux, and the only real constraint is using Edge for SSO. (Firefox works too - you just have to actually log in like it's 2008.)
Honestly, everything else runs smoother than what my Windows-using teammates are dealing with.
That is probably just a setting missing from your Firefox profile that allows your company Kerberos realm/domain. If your institution hasn't locked down your Firefox config, you can fix this yourself: https://docs.redhat.com/en/documentation/red_hat_enterprise_...
I suspect nowadays it's more likely a matter of integrating with Microsoft's "identity broker", part of Intune, aka "Company Portal".
You use Intune to log in and register your device against your Microsoft account, and microsoft-identity-broker is a DBus service that hands out tokens that can be passed to login.microsoft.com (either as a cookie or a special header) which identifies you (skipping the username/password login) and allows you to pass the company device test.
I was able to put together a working ad-hoc extension for Firefox to make the DBus call and pass the header, though I've since come across this extension (haven't tried it myself) which looks like it achieves the same thing (with a lot more features, based on the code size?):
https://github.com/siemens/linux-entra-sso
Edge on Linux seems to have this built in, so if you open any page on login.microsoft.com, you'll see it passing some "x-something" header with a token that it receieved from the identity broker (generated on each page load).
How does this work if the conditional access policies require compliance with Microsoft's "security baseline" which involves e.g. checking that the latest Windows updates are installed?
Presumably the Microsoft software running on the Linux machine will report it as non-compliant and prevent you from logging in?
1 reply →
It’s really not. Edge bundles a number of authentication libraries with the Linux version that enable things like remote passkey support.
What is "remote passkey support"? I am familiar with passkeys (both resident and non-resident). But I haven't heard of remote passkeys yet.
2 replies →
You can't use KeepassXC + Firefox? Might need to downgrade the KeepassXC browser plugin (because of a bug)
1 reply →
I feel reasonably confident that if the focus is on open tooling and sovereignty and not saving money then a shift to Linux can 100% work even at large and complex organizations.
This sounds really interesting. Are you able to share more about this (even in private) for inclusion in https://eu-os.eu/use-cases ?
>Half the team runs Linux, and the only real constraint is using Edge for SSO. (Firefox works too - you just have to actually log in like it's 2008.)
So everything in the backend is still MS? Office 365, Intune, the full stack? That is the point of the comment you are rerplying to.
The "terminals" dont matter that much if the goal is to get rid of MS dependancy and they run Office 365... whats the point.
Windows licensing cost. They are a pretty penny at large scale.
Sometimes, the goal isn’t actually to switch - it’s to have a credible threat of switching. That alone can bring Microsoft to the table with a whole new attitude toward pricing.
Munich pulled off a version of this around 2010: announce a bold move to Linux and open source, let Microsoft panic, enjoy the sudden price cuts, and quietly stay put.
Personally, I think cost is just one part of the equation. The real value is being in a position where you’re not locked in—and where Microsoft knows it. That leverage is worth more than any licensing discount.
For workstation or laptops?? Non-factor for a business.
It is included in Office 365 E3/E5 that also does Intune device management, apps, Defender, the whole shebang. Nobody cares about individual licence costs.
Windows Server? Yea, that costs for sure, but that's not running on laptops.
> using Edge for SSO
May I ask what that SSO solution is? Because it sounds like it might be a Microsoft product.
Yeah, probably is. I see the same HTTP Auth login when accessing my employers intranet (Sharepoint) from Firefox.
Honestly, I’m not entirely sure.
I’ve seen the name Forgerock pop up occasionally, but I don’t know if that’s just tied to the login component on the web pages. Also, they recommend Mac users stick with Safari, which is puzzling. I mean: if it was a Microsoft product, you’d think they’d lock it down to Edge on Mac too—so that makes me wonder.
Just my thoughts—could be totally off base.
My guess -- they support Safari because of iOS. And so might as well just support it on Mac too because it's the default... Heck MS even made Teams more officially supported on Safari than Firefox!
Forgerock would make sense, though the Edge requirement is a little strange.
kerberos is sort of magic when/if you finally get it working