The open-source Himmelblau project has released version 3.0, introducing key enhancements for integrating Linux systems with Microsoft Entra ID. New features include full OpenID Connect support and time-based one-time password authentication via Linux Hello TOTP. These updates expand compatibility for both enterprise and personal use.
Himmelblau, an authentication framework licensed under GPLv3, began as a fork of the Kanidm OAuth2 Client. It is mainly developed by David Mulder, with contributions from SUSE, aiming to make Linux systems work seamlessly in Microsoft environments, similar to Windows, by supporting multi-factor authentication, device trust, and Intune compliance.
Version 3.0.0 marks a significant upgrade with comprehensive OpenID Connect (OIDC) support. Administrators can now connect any OIDC provider using the oidc_issuer_url option, including password and PIN flows, plus break-glass options for emergencies if the provider is unavailable. A standout addition is Domainless OIDC, allowing authentication without initial domain setup. This reduces reliance on Microsoft services, enabling use with alternatives like Keycloak, bolstered by an online check for provider availability introduced in version 2.0.
For two-factor authentication, Linux Hello TOTP enables time-based one-time passwords on Linux. Enrollment occurs through QR codes in the terminal or GNOME QR-Greeter, which requires GNOME 49 or later and mirrors Windows Hello. The QR-Greeter now handles OIDC Device Admin Grants and Microsoft Consumer DAG Flows, permitting personal Microsoft accounts for Linux logins and broadening appeal beyond business settings.
Enterprise features have grown with custom compliance processing, browser SSO policy packages, and a standalone himmelblau-broker service. Deployment simplifies as the daemon launches automatically without configuration on install or upgrade, with single-domain auto-setup and a password-only mode available.
Himmelblau 3.0 supports distributions including openSUSE Tumbleweed, SUSE Linux Enterprise, Fedora, Red Hat Enterprise Linux, Ubuntu, Debian, NixOS, plus new additions Amazon Linux 2023 and Gentoo. It now runs on ARM64/aarch64 architectures. NixOS users benefit from a modern Flake Shell, split modules for himmelblau and himmelblau-desktop, and typed options from XML definitions.
Downloads and details are on GitHub.