The Himmelblau SSO broker enables browsers and desktop applications to acquire Microsoft Entra ID tokens silently — without prompting the user to log in again. Once a device is enrolled and the user is authenticated through the PAM stack, the broker makes the session’s Primary Refresh Token (PRT) available to other applications on the same desktop session.

Architecture

The broker consists of two components:
  • himmelblaud-broker — a per-session userspace daemon that holds the device’s Entra ID credentials and serves token requests. It communicates with himmelblaud to acquire and refresh tokens.
  • linux-entra-sso (in the himmelblau-sso package) — a native messaging host that browsers call to reach the broker. It implements the browser native messaging protocol and forwards requests to the broker over the broker socket.
Authentication flow:
Browser / app  →  linux-entra-sso (native messaging)  →  broker socket  →  himmelblaud  →  Entra ID
The broker exposes the following operations over D-Bus / the broker socket:
  • getAccounts — list enrolled Entra ID accounts on this device
  • acquireTokenSilently — acquire a token for a given account and scope without user interaction
  • acquirePrtSsoCookie — acquire a PRT-based SSO cookie for a given URL
  • getLinuxBrokerVersion — return the broker version

Browser support

Both Firefox and Chrome/Chromium are supported. The himmelblau-sso package installs the native messaging manifests and, for Chrome, the required enterprise policy to force-install the MSAL browser extension.
Browser             How it works
Firefox             Native messaging manifest is installed at the system level. Firefox calls linux-entra-sso automatically when it needs an Entra ID token.
Chrome / Chromium   The MSAL browser extension (jlnfnnolkbjieggibinobhkjdfbpcohn) is force-installed via enterprise policy. The extension calls linux-entra-sso via native messaging.
Firefox and Chrome pick up the native messaging configuration automatically once himmelblau-sso is installed — no per-user configuration is needed. Other Chromium-based browsers may need manual native messaging configuration if they do not read system-level Chrome policies.

Installation

Install both the broker and the SSO package. Package names vary by distribution — check the platform guides for your distro. On distributions using RPM (Fedora, openSUSE, SUSE):
sudo zypper install himmelblau-broker himmelblau-sso
# or, on Fedora/RHEL:
sudo dnf install himmelblau-broker himmelblau-sso
On distributions using DEB (Debian, Ubuntu):
sudo apt install himmelblau-broker himmelblau-sso
The broker daemon is started automatically as part of the user session. No additional configuration is required for most setups.

Configuration

The broker listens on a Unix socket. The path can be customized if needed:
[global]
# Default: /var/run/himmelblaud/broker_sock
broker_socket_path = /var/run/himmelblaud/broker_sock
Option               Default                             Description
broker_socket_path   /var/run/himmelblaud/broker_sock    Path to the Unix socket used for communication with the broker D-Bus service.

O365 desktop integration

Himmelblau includes an optional o365 package that installs Teams for Linux together with O365 desktop shortcuts and URL handlers. These desktop entries are pre-configured to take advantage of the SSO broker, so Teams can acquire tokens silently without prompting for credentials after the initial login. On NixOS, add it to your system packages:
environment.systemPackages = [
  himmelblau.packages."x86_64-linux".o365
];
For other distributions, check the Downloads page for the package name and availability on your distro.

Diagnosing broker issues

To check whether the broker is running and responding:
linux-entra-sso --interactive getAccounts
This prints the list of accounts the broker knows about. If the command fails, check that himmelblaud-broker is running in your session:
systemctl --user status himmelblaud-broker
Broker logs are written to the journal:
journalctl --user -u himmelblaud-broker
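The three checks above combined into one script, as an added example that is not part of Himmelblau. It assumes the default broker_socket_path from the Configuration section and the himmelblaud-broker user unit; the helper function names are my own.

```shell
#!/bin/sh
# Added diagnostic helper (not Himmelblau code). Assumes the default
# broker_socket_path and the himmelblaud-broker user unit from this page.
BROKER_SOCKET="${BROKER_SOCKET:-/var/run/himmelblaud/broker_sock}"
BROKER_UNIT="himmelblaud-broker"

# check_socket PATH: 0 if PATH is a Unix socket, 1 if it is missing,
# 2 if something else (e.g. a stale regular file) sits at that path.
check_socket() {
    [ -e "$1" ] || return 1
    [ -S "$1" ] || return 2
    return 0
}

# describe_socket_rc RC: explain a check_socket result in words.
describe_socket_rc() {
    case "$1" in
        0) echo "socket present" ;;
        1) echo "socket missing: is himmelblaud running and broker_socket_path correct?" ;;
        2) echo "path exists but is not a socket: remove the stale file and restart" ;;
        *) echo "unexpected result $1" ;;
    esac
}

# unit_active UNIT: 0 if the per-user systemd unit is active.
unit_active() {
    systemctl --user is-active --quiet "$1"
}

# diagnose: run the checks in order and only query the broker when the
# socket is actually there, so a failure points at the right layer.
diagnose() {
    rc=0; check_socket "$BROKER_SOCKET" || rc=$?
    echo "broker socket $BROKER_SOCKET: $(describe_socket_rc "$rc")"
    if [ "$rc" -eq 0 ]; then
        ls -l "$BROKER_SOCKET"   # owner and mode of the socket
    fi
    if unit_active "$BROKER_UNIT"; then
        echo "$BROKER_UNIT: active"
    else
        echo "$BROKER_UNIT: not active; see: systemctl --user status $BROKER_UNIT"
        echo "logs: journalctl --user -u $BROKER_UNIT"
    fi
    if [ "$rc" -eq 0 ]; then
        linux-entra-sso --interactive getAccounts
    fi
}

# Run the diagnosis only when invoked with "run", so sourcing has no side effects.
if [ "${1:-}" = "run" ]; then
    diagnose
fi
```

Invoke as `sh broker-check.sh run` inside the desktop session whose broker you want to inspect.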
