** Description changed: DRAFT FOR CPC AZURE TEAM [Availability] - The package sso-mib is already in Ubuntu universe. - The package sso-mib builds for all the architectures it is designed to work on. + The binary package libsso-mib0 from the src:sso-mib is already in Ubuntu universe. + The package src:sso-mib builds for all the architectures it is designed to work on. It currently builds and works for architectures: amd64, amd64v3, arm64, armhf, ppc64el, riscv64, s390x Link to package https://launchpad.net/ubuntu/+source/sso-mib [Rationale] - - The package sso-mib is required in Ubuntu main for freerdp3 (the - larger feature that pulls it in, e.g. enabling Microsoft Entra - Single-Sign-On with Conditional Access via the Himmelblau identity broker - for RDP/SMTP/Graph clients), to allow seamless and frictionless login - into Azure Virtual Desktops for all Entra users: - https://bugs.launchpad.net/ubuntu/+source/freerdp3/+bug/2147276 - - The package sso-mib will not generally be useful for a large part of - our user base, but is important/helpful still because it provides the - client-side library and CLI used by applications (e.g. RDP clients, - git send-email, mail clients, browsers) to obtain Primary Refresh - Tokens, Access Tokens and PRT SSO Cookies from a Microsoft Identity - Broker (Himmelblau on Linux), enabling Single-Sign-On to Microsoft - Entra ID protected resources, including Conditional Access scenarios. + - The binary package libsso-mib0 is required in Ubuntu main for freerdp3 (the + larger feature that pulls it in, e.g. 
enabling Microsoft Entra + Single-Sign-On with Conditional Access via the Himmelblau identity broker + for RDP/SMTP/Graph clients), to allow seamless and frictionless login + into Azure Virtual Desktops for all Entra users: + https://bugs.launchpad.net/ubuntu/+source/freerdp3/+bug/2147276 + - The binary package libsso-mib0 will not generally be useful for a large part of + our user base, but is important/helpful still because it provides the + client-side library and CLI used by applications (e.g. RDP clients, + git send-email, mail clients, browsers) to obtain Primary Refresh + Tokens, Access Tokens and PRT SSO Cookies from a Microsoft Identity + Broker (Himmelblau on Linux), enabling Single-Sign-On to Microsoft + Entra ID protected resources, including Conditional Access scenarios. - Additionally new use-cases enabled by this are: SSO to Entra-protected - Microsoft 365 services (Outlook/SMTP, Graph, OneDrive), authenticated - RDP sessions to Entra-joined hosts using Proof-of-Possession tokens - ([MS-RDPBCGR]), and integration of Linux desktops/servers into Entra - managed environments. + Microsoft 365 services (Outlook/SMTP, Graph, OneDrive), authenticated + RDP sessions to Entra-joined hosts using Proof-of-Possession tokens + ([MS-RDPBCGR]), and integration of Linux desktops/servers into Entra + managed environments. - There is no other/better way to solve this that is already in main or - should go universe->main instead of this. sso-mib is the sole open source - C/GLib client implementation of the [MS-OAPXBC] DBus interface exposed - by the Microsoft Identity Broker (or Himmelblau); other consumers of that - interface are language-specific (e.g. MSAL Python) and not suitable as - a system library for C/C++/GLib applications. + should go universe->main instead of this. 
sso-mib is the sole open source + C/GLib client implementation of the [MS-OAPXBC] DBus interface exposed + by the Microsoft Identity Broker (or Himmelblau); other consumers of that + interface are language-specific (e.g. MSAL Python) and not suitable as + a system library for C/C++/GLib applications. - This is the first time package will be in main. - The binary package libsso-mib0 needs to be in main to achieve the SSO - use case described above (libsso-mib0 can be linked by applications in main - such as freerdp3). + use case described above (libsso-mib0 can be linked by applications in main + such as freerdp3). - All other binary packages built by sso-mib (sso-mib-tool, libsso-mib-dev, - sso-mib-gch-smtp-o365) can remain in universe to reduce impact and - dependency requirements, as the sso-mib-tool depends on an additional - library that is in universe (libjwt2). The main purpose of this MIR is - to enable packages in main to link against libsso-mib0. + sso-mib-gch-smtp-o365) can remain in universe to reduce impact and + dependency requirements, as the sso-mib-tool depends on an additional + library that is in universe (libjwt2). The main purpose of this MIR is + to enable packages in main to link against libsso-mib0. - It would be great and useful to community/processes to have the - package sso-mib in Ubuntu main, but there is no definitive deadline. + pbinary package libsso-mib0 in Ubuntu main, but there is no definitive deadline. [Security] - No CVEs/security issues in this software in the past - - https://ubuntu.com/security/cve?package=sso-mib - - https://security-tracker.debian.org/tracker/source-package/sso-mib - - https://github.com/siemens/sso-mib/security - - No matches in NVD or oss-security archives at the time of writing. 
+ - https://ubuntu.com/security/cve?package=sso-mib + - https://security-tracker.debian.org/tracker/source-package/sso-mib + - https://github.com/siemens/sso-mib/security + - No matches in NVD or oss-security archives at the time of writing. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs. - sso-mib is a client library plus a CLI tool; the actual broker daemon - it talks to over the session bus is provided by a separate packages - (himmelblau / microsoft-identity-broker). + sso-mib is a client library plus a CLI tool; the actual broker daemon + it talks to over the session bus is provided by a separate packages + (himmelblau / microsoft-identity-broker). - Security has been kept in mind and common isolation/risk-mitigation - patterns are in place utilizing the following features: - - Built with `DEB_BUILD_MAINT_OPTIONS = hardening=+all`, enabling all - dpkg-buildflags hardening (PIE, bindnow, fortify, stackprotector - strong, format security, relro). See debian/rules. - - The library does not run as a daemon and does not gain elevated - privileges; it executes entirely in the calling user's session and - only acts as a DBus client to the user's identity broker on the - session bus. - - All token material is obtained from and stored by the broker - daemon; sso-mib only marshals it to the calling application. + patterns are in place utilizing the following features: + - Built with `DEB_BUILD_MAINT_OPTIONS = hardening=+all`, enabling all + dpkg-buildflags hardening (PIE, bindnow, fortify, stackprotector + strong, format security, relro). See debian/rules. + - The library does not run as a daemon and does not gain elevated + privileges; it executes entirely in the calling user's session and + only acts as a DBus client to the user's identity broker on the + session bus. 
+ - All token material is obtained from and stored by the broker + daemon; sso-mib only marshals it to the calling application. - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints. It only acts as a - DBus client on the user's session bus. + DBus client on the user's session bus. - Packages does not contain extensions to security-sensitive software - (filters, scanners, plugins, UI skins, ...). + (filters, scanners, plugins, UI skins, ...). - Packages do not use security algorithms. [Quality assurance - function/usage] - The package works well right after install. The library and CLI are - immediately usable once an identity broker (Himmelblau or MIB) is running - on the user's session bus; no post-install configuration of sso-mib - itself is required. + immediately usable once an identity broker (Himmelblau or MIB) is running + on the user's session bus; no post-install configuration of sso-mib + itself is required. [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does - not have too many, long-term & critical, open bugs - - Ubuntu https://bugs.launchpad.net/ubuntu/+source/sso-mib/+bug - - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=sso-mib - - Upstream's bug tracker: https://github.com/siemens/sso-mib/issues + not have too many, long-term & critical, open bugs + - Ubuntu https://bugs.launchpad.net/ubuntu/+source/sso-mib/+bug + - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=sso-mib + - Upstream's bug tracker: https://github.com/siemens/sso-mib/issues - The package does not deal with exotic hardware we cannot support. [Quality assurance - testing] - The package does not run a test suite at build time because upstream - does not currently ship a unit test suite. The package builds the library, - the CLI tool, and the example programs as a smoke test of the API. + does not currently ship a unit test suite. 
The package builds the library, + the CLI tool, and the example programs as a smoke test of the API. - The package at version 0.8.1+ds-2 gained an autopkgtest suite that builds and - runs the examples against the library under a local D-Bus session, checking - that they error out cleanly due to the absence of the identity broker, without - crashing or misbehaving in other ways. + runs the examples against the library under a local D-Bus session, checking + that they error out cleanly due to the absence of the identity broker, without + crashing or misbehaving in other ways. - The package does not have failing autopkgtests right now. - The package can not be well tested at build or autopkgtest time - because it requires a Microsoft Entra tenant and a running identity - broker. To make up for that: - - We have engaged with the Debian community and they can test new - package builds as they actively use the library against real Entra - tenants. + because it requires a Microsoft Entra tenant and a running identity + broker. To make up for that: + - We have engaged with the Debian community and they can test new + package builds as they actively use the library against real Entra + tenants. - Consequences of a regression that might slip through most likely - would include: - - Inability to acquire SSO tokens, breaking login/SSO for - Entra-protected services (mail, RDP, Graph, OneDrive); - - Failure of dependent applications (RDP clients using PoP tokens, - git send-email via O365, etc.) to authenticate; - - No security impact on the system itself, as sso-mib is an - unprivileged session-scope client library. + would include: + - Inability to acquire SSO tokens, breaking login/SSO for + Entra-protected services (mail, RDP, Graph, OneDrive); + - Failure of dependent applications (RDP clients using PoP tokens, + git send-email via O365, etc.) to authenticate; + - No security impact on the system itself, as sso-mib is an + unprivileged session-scope client library. 
[Quality assurance - packaging] - A mechanism to detect and fetch new upstream versions is present and - works (debian/watch tracks https://github.com/siemens/sso-mib/tags - and debian/upstream/metadata is present). + works (debian/watch tracks https://github.com/siemens/sso-mib/tags + and debian/upstream/metadata is present). - debian/control defines a correct Maintainer field (Debian - maintainer; the package is kept in sync from Debian, so - update-maintainer is run by the Ubuntu sync tooling whenever an - Ubuntu delta is applied). + maintainer; the package is kept in sync from Debian, so + update-maintainer is run by the Ubuntu sync tooling whenever an + Ubuntu delta is applied). - This package does not yield massive lintian Warnings, Errors. - https://udd.debian.org/lintian/?packages=sso-mib + https://udd.debian.org/lintian/?packages=sso-mib - Lintian overrides are not present. - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies. - The package will not be installed by default. - Packaging and build is easy, link to debian/rules: - https://salsa.debian.org/debian/sso-mib/-/blob/debian/latest/debian/rules - (a trivial debhelper package). + https://salsa.debian.org/debian/sso-mib/-/blob/debian/latest/debian/rules + (a trivial debhelper package). [UI standards] - Application is not end-user facing (does not need translation). The - library has no UI; sso-mib-tool is a developer/admin CLI with English - output only. + library has no UI; sso-mib-tool is a developer/admin CLI with English + output only. - End-user applications without desktop file, not needed because - sso-mib is a library plus a CLI tool, not a graphical end-user - application. + sso-mib is a library plus a CLI tool, not a graphical end-user + application. 
[Dependencies] - Used check-mir from ubuntu-dev-tools to validate that all - dependencies of libsso-mib0 are in main: - libc6, libglib2.0-0t64, libjson-glib-1.0-0, libuuid1 - https://packages.ubuntu.com/resolute/libsso-mib0 - build dependencies such as meson, dh-package-notes and libjwt-dev - are in universe. + dependencies of libsso-mib0 are in main: + libc6, libglib2.0-0t64, libjson-glib-1.0-0, libuuid1 + https://packages.ubuntu.com/resolute/libsso-mib0 + build dependencies such as meson, dh-package-notes and libjwt-dev + are in universe. [Standards compliance] - This package correctly follows FHS and Debian Policy - (Standards-Version: 4.7.4). + (Standards-Version: 4.7.4). [Maintenance/Owner] - The owning team will be CPC Azure and I have their acknowledgment - for that commitment. + for that commitment. - The future owning team is not yet subscribed, but will subscribe - to the package before promotion. + to the package before promotion. - This does not use static builds. - This does not use vendored code. - This package is not rust based. - The package has been built within the last 3 months in the archive - (sso-mib 0.8.0+ds-1 was uploaded on 2026-03-17, see changelog). - https://launchpad.net/ubuntu/+source/sso-mib/0.8.0+ds-1 + (sso-mib 0.8.0+ds-1 was uploaded on 2026-03-17, see changelog). + https://launchpad.net/ubuntu/+source/sso-mib/0.8.0+ds-1 This change will not impact other teams directly. Promotion only adds a new client library to main; it does not modify any existing package or default configuration. [Background information] The Package description explains the package well. Upstream Name is sso-mib (Single-Sign-On using Microsoft Identity Broker). Link to upstream project https://github.com/siemens/sso-mib sso-mib is a small C/GLib library and CLI developed by Siemens that implements the client side of the Microsoft [MS-OAPXBC] DBus protocol exposed by the Microsoft Identity Broker (on Linux: Himmelblau). 
It allows native Linux applications to obtain Primary Refresh Tokens, Access Tokens and PRT SSO Cookies for Microsoft Entra ID, including Proof-of-Possession tokens for RDP ([MS-RDPBCGR]). The semantics follow the MSAL Python library. The library is licensed under LGPL-2.1, the CLI tool under GPL-2, and the example programs under MIT.
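Review bot: in the [Rationale] "+" lines, the second bullet now reads "The binary package libsso-mib0 ... provides the client-side library and CLI", but a later bullet keeps sso-mib-tool in universe, so the binary package being promoted does not carry the CLI. Reword that bullet to cover only the library, or attribute the CLI to src:sso-mib. The last [Rationale] bullet also gains a typo, "+ pbinary package libsso-mib0 in Ubuntu main", and [Security] still describes "sso-mib" as "a client library plus a CLI tool" without saying which binary package each statement applies to, which matters now that only libsso-mib0 is in scope for the security review.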
** Description changed: DRAFT FOR CPC AZURE TEAM [Availability] - The binary package libsso-mib0 from the src:sso-mib is already in Ubuntu universe. + The binary package libsso-mib0 from src:sso-mib is already in Ubuntu universe. The package src:sso-mib builds for all the architectures it is designed to work on. It currently builds and works for architectures: amd64, amd64v3, arm64, armhf, ppc64el, riscv64, s390x Link to package https://launchpad.net/ubuntu/+source/sso-mib [Rationale] - The binary package libsso-mib0 is required in Ubuntu main for freerdp3 (the larger feature that pulls it in, e.g. enabling Microsoft Entra Single-Sign-On with Conditional Access via the Himmelblau identity broker for RDP/SMTP/Graph clients), to allow seamless and frictionless login into Azure Virtual Desktops for all Entra users: https://bugs.launchpad.net/ubuntu/+source/freerdp3/+bug/2147276 - The binary package libsso-mib0 will not generally be useful for a large part of our user base, but is important/helpful still because it provides the client-side library and CLI used by applications (e.g. RDP clients, git send-email, mail clients, browsers) to obtain Primary Refresh Tokens, Access Tokens and PRT SSO Cookies from a Microsoft Identity Broker (Himmelblau on Linux), enabling Single-Sign-On to Microsoft Entra ID protected resources, including Conditional Access scenarios. - Additionally new use-cases enabled by this are: SSO to Entra-protected Microsoft 365 services (Outlook/SMTP, Graph, OneDrive), authenticated RDP sessions to Entra-joined hosts using Proof-of-Possession tokens ([MS-RDPBCGR]), and integration of Linux desktops/servers into Entra managed environments. - There is no other/better way to solve this that is already in main or should go universe->main instead of this. 
sso-mib is the sole open source C/GLib client implementation of the [MS-OAPXBC] DBus interface exposed by the Microsoft Identity Broker (or Himmelblau); other consumers of that interface are language-specific (e.g. MSAL Python) and not suitable as a system library for C/C++/GLib applications. - This is the first time package will be in main. - The binary package libsso-mib0 needs to be in main to achieve the SSO use case described above (libsso-mib0 can be linked by applications in main such as freerdp3). - All other binary packages built by sso-mib (sso-mib-tool, libsso-mib-dev, sso-mib-gch-smtp-o365) can remain in universe to reduce impact and dependency requirements, as the sso-mib-tool depends on an additional library that is in universe (libjwt2). The main purpose of this MIR is to enable packages in main to link against libsso-mib0. - It would be great and useful to community/processes to have the pbinary package libsso-mib0 in Ubuntu main, but there is no definitive deadline. [Security] - No CVEs/security issues in this software in the past - https://ubuntu.com/security/cve?package=sso-mib - https://security-tracker.debian.org/tracker/source-package/sso-mib - https://github.com/siemens/sso-mib/security - No matches in NVD or oss-security archives at the time of writing. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs. sso-mib is a client library plus a CLI tool; the actual broker daemon it talks to over the session bus is provided by a separate packages (himmelblau / microsoft-identity-broker). - Security has been kept in mind and common isolation/risk-mitigation patterns are in place utilizing the following features: - Built with `DEB_BUILD_MAINT_OPTIONS = hardening=+all`, enabling all dpkg-buildflags hardening (PIE, bindnow, fortify, stackprotector strong, format security, relro). See debian/rules. 
- The library does not run as a daemon and does not gain elevated privileges; it executes entirely in the calling user's session and only acts as a DBus client to the user's identity broker on the session bus. - All token material is obtained from and stored by the broker daemon; sso-mib only marshals it to the calling application. - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints. It only acts as a DBus client on the user's session bus. - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...). - Packages do not use security algorithms. [Quality assurance - function/usage] - The package works well right after install. The library and CLI are immediately usable once an identity broker (Himmelblau or MIB) is running on the user's session bus; no post-install configuration of sso-mib itself is required. [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/sso-mib/+bug - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=sso-mib - Upstream's bug tracker: https://github.com/siemens/sso-mib/issues - The package does not deal with exotic hardware we cannot support. [Quality assurance - testing] - The package does not run a test suite at build time because upstream does not currently ship a unit test suite. The package builds the library, the CLI tool, and the example programs as a smoke test of the API. - The package at version 0.8.1+ds-2 gained an autopkgtest suite that builds and runs the examples against the library under a local D-Bus session, checking that they error out cleanly due to the absence of the identity broker, without crashing or misbehaving in other ways. - The package does not have failing autopkgtests right now. 
- The package can not be well tested at build or autopkgtest time because it requires a Microsoft Entra tenant and a running identity broker. To make up for that: - We have engaged with the Debian community and they can test new package builds as they actively use the library against real Entra tenants. - Consequences of a regression that might slip through most likely would include: - Inability to acquire SSO tokens, breaking login/SSO for Entra-protected services (mail, RDP, Graph, OneDrive); - Failure of dependent applications (RDP clients using PoP tokens, git send-email via O365, etc.) to authenticate; - No security impact on the system itself, as sso-mib is an unprivileged session-scope client library. [Quality assurance - packaging] - A mechanism to detect and fetch new upstream versions is present and works (debian/watch tracks https://github.com/siemens/sso-mib/tags and debian/upstream/metadata is present). - debian/control defines a correct Maintainer field (Debian maintainer; the package is kept in sync from Debian, so update-maintainer is run by the Ubuntu sync tooling whenever an Ubuntu delta is applied). - This package does not yield massive lintian Warnings, Errors. https://udd.debian.org/lintian/?packages=sso-mib - Lintian overrides are not present. - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies. - The package will not be installed by default. - Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/sso-mib/-/blob/debian/latest/debian/rules (a trivial debhelper package). [UI standards] - Application is not end-user facing (does not need translation). The library has no UI; sso-mib-tool is a developer/admin CLI with English output only. - End-user applications without desktop file, not needed because sso-mib is a library plus a CLI tool, not a graphical end-user application. 
[Dependencies] - Used check-mir from ubuntu-dev-tools to validate that all dependencies of libsso-mib0 are in main: libc6, libglib2.0-0t64, libjson-glib-1.0-0, libuuid1 https://packages.ubuntu.com/resolute/libsso-mib0 build dependencies such as meson, dh-package-notes and libjwt-dev are in universe. [Standards compliance] - This package correctly follows FHS and Debian Policy (Standards-Version: 4.7.4). [Maintenance/Owner] - The owning team will be CPC Azure and I have their acknowledgment for that commitment. - The future owning team is not yet subscribed, but will subscribe to the package before promotion. - This does not use static builds. - This does not use vendored code. - This package is not rust based. - The package has been built within the last 3 months in the archive (sso-mib 0.8.0+ds-1 was uploaded on 2026-03-17, see changelog). https://launchpad.net/ubuntu/+source/sso-mib/0.8.0+ds-1 This change will not impact other teams directly. Promotion only adds a new client library to main; it does not modify any existing package or default configuration. [Background information] The Package description explains the package well. Upstream Name is sso-mib (Single-Sign-On using Microsoft Identity Broker). Link to upstream project https://github.com/siemens/sso-mib sso-mib is a small C/GLib library and CLI developed by Siemens that implements the client side of the Microsoft [MS-OAPXBC] DBus protocol exposed by the Microsoft Identity Broker (on Linux: Himmelblau). It allows native Linux applications to obtain Primary Refresh Tokens, Access Tokens and PRT SSO Cookies for Microsoft Entra ID, including Proof-of-Possession tokens for RDP ([MS-RDPBCGR]). The semantics follow the MSAL Python library. The library is licensed under LGPL-2.1, the CLI tool under GPL-2, and the example programs under MIT. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. 
https://bugs.launchpad.net/bugs/2150739 Title: [MIR] sso-mib
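Review bot: [Maintenance/Owner] still cites "sso-mib 0.8.0+ds-1 was uploaded on 2026-03-17" as the recent archive build, while [Quality assurance - testing] relies on the autopkgtest suite that "The package at version 0.8.1+ds-2 gained"; this revision carries both through unchanged. State which version is proposed for main and point the build link at it, so a reviewer can tell whether the package under evaluation includes the autopkgtests. The "pbinary package libsso-mib0" typo in [Rationale] is also still present in this revision.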
