← Back to context

Comment by thyristan

3 days ago

That is probably just a setting missing from your Firefox profile that allows your company Kerberos realm/domain. If your institution hasn't locked down your Firefox config, you can fix this yourself: https://docs.redhat.com/en/documentation/red_hat_enterprise_...

9 comments

thyristan

Reply
maxdamantus  3 days ago

I suspect nowadays it's more likely a matter of integrating with Microsoft's "identity broker", part of Intune, aka "Company Portal".

You use Intune to log in and register your device against your Microsoft account, and microsoft-identity-broker is a DBus service that hands out tokens that can be passed to login.microsoft.com (either as a cookie or a special header) which identifies you (skipping the username/password login) and allows you to pass the company device test.

I was able to put together a working ad-hoc extension for Firefox to make the DBus call and pass the header, though I've since come across this extension (haven't tried it myself) which looks like it achieves the same thing (with a lot more features, based on the code size?):

https://github.com/siemens/linux-entra-sso

Edge on Linux seems to have this built in, so if you open any page on login.microsoft.com, you'll see it passing some "x-something" header with a token that it receieved from the identity broker (generated on each page load).

  • ptx  3 days ago

    How does this work if the conditional access policies require compliance with Microsoft's "security baseline" which involves e.g. checking that the latest Windows updates are installed?

    Presumably the Microsoft software running on the Linux machine will report it as non-compliant and prevent you from logging in?

    • maxdamantus  3 days ago

      Microsoft Intune is officially available for Linux. This mechanism doesn't involve making a Linux system pretend it's Windows. It's just about making non-Edge browsers able to authenticate as Edge does.

      Microsoft is aware that the authentication is coming from a Linux system, so presumably there are different policies involved.

      I don't know how these things are administrated, but the Linux Intune software has a notion of "Compliance" that might involve periodically running some program decided by the company. If Intune decides the system is non-compliant, authentication still works, but Microsoft login knows the compliance status, so it might prevent you from accessing certain applications, depending on what the company has configured.

      Also in my experience ability to sign in from Linux can be limited to certain groups, so regular Windows users can't just run Linux without some company approval.

rcarmo  3 days ago

It’s really not. Edge bundles a number of authentication libraries with the Linux version that enable things like remote passkey support.

  • vaylian  3 days ago

    What is "remote passkey support"? I am familiar with passkeys (both resident and non-resident). But I haven't heard of remote passkeys yet.

    • thyristan  3 days ago

      I guess maybe passkeys over some kind of USB/RDP redirection. But searching the internet doesn't yield any useful results. Or maybe something new and proprietary like all those incompatible passkey implementations out there...

    • rcarmo  3 days ago

      Bluetooth binding to your mobile device, which then handles MFA with biometrics.