Add support for InTune Single-Sign-On
This adds support for communicating with the Microsoft Authentication Broker over its DBus interface in order to retrieve an authentication cookie that can be used to automatically log in the user currently logged in via InTune. This also adds support for MFA and Conditional Access, which allows use of Teams outside the corporate network in case the organization has chosen to only allow access from registered devices. Behind the scenes this uses the same mechanism as Microsoft Edge on Linux: upon loading a website from login.microsoftonline.com the URL is passed to the authentication broker in order to prepare a token based on the PRT (Primary Refresh Token). The returned refresh token is passed to the server via the 'X-Ms-Refreshtokencredential' HTTP header. With this token in place the server will skip any interactive prompts and generate a proper OAuth authentication token. Since the PRT is tied to the device credentials, the resulting refresh token carries the MFA attribute, which causes it to be accepted even if the Conditional Access policy mandates strong, device-based authentication. Signed-off-by: Krzysztof Nowicki <[email protected]>
Krzysztof Nowicki
committed
Jun 3, 2024
1 parent
221dafe
commit 5652a25
Showing
6 changed files
with
270 additions
and
5 deletions.
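--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,91 @@
+const dbus = require('dbus-native');
+const { LucidLog } = require('lucid-log');
+
+var sessionBus = dbus.sessionBus();
+
+var intuneAccount = null;
+
+var brokerService = sessionBus.getService('com.microsoft.identity.broker1');
+
+function processInTuneAccounts(logger, resp, ssoInTuneAuthUser) {
+response = JSON.parse(resp);
+if ('error' in response) {
+logger.warn('Failed to retrieve InTune account list: ' + response.error.context);
+return;
+};
+
+if (ssoInTuneAuthUser == '') {
+intuneAccount = response.accounts[0];
+logger.debug('Using first available InTune account (' + intuneAccount.username + ')');
+} else {
+for (account in response.accounts) {
+if (account.username == ssoIntuneAuthUser) {
+intuneAccount = account;
+logger.debug('Found matching InTune account (' + intuneAccount.username + ')');
+break;
+}
+}
+if (intuneAccount == null) {
+logger.warn('Failed to find matching InTune account for ' + ssoIntuneAuthUser + '.');
+}
+}
+}
+
+exports.initSso = function initIntuneSso(logger, ssoInTuneAuthUser) {
+logger.debug("Initializing InTune SSO");
+brokerService.getInterface(
+'/com/microsoft/identity/broker1',
+'com.microsoft.identity.Broker1', function(err, broker) {
+if (err) {
+logger.warn('Failed to find microsoft-identity-broker DBus interface');
+return;
+}
+broker.getAccounts('0.0', '', JSON.stringify({'clientId': '88200948-af09-45a1-9c03-53cdcc75c183', 'redirectUri':'urn:ietf:oob'}), function(err, resp) {
+if (err) {
+logger.warn('Failed to communicate with microsoft-identity-broker');
+return;
+}
+processInTuneAccounts(logger, resp, ssoInTuneAuthUser);
+});
+});
+}
+
+exports.setupUrlFilter = function setupUrlFilter(filter) {
+filter.urls.push('https://login.microsoftonline.com/*');
+}
+
+exports.isSsoUrl = function isSsoUrl(url) {
+return intuneAccount != null && url.startsWith('https://login.microsoftonline.com/');
+}
+
+function processPrtResponse(logger, resp, detail) {
+response = JSON.parse(resp);
+if ('error' in response) {
+logger.warn('Failed to retrieve Intune SSO cookie: ' + response.error.context);
+} else {
+logger.debug('Adding SSO credential');
+detail.requestHeaders['X-Ms-Refreshtokencredential'] = response['cookieContent'];
+}
+}
+
+exports.addSsoCookie = function addIntuneSsoCookie(logger, detail, callback) {
+logger.debug('Retrieving InTune SSO cookie');
+if (intuneAccount == null) {
+logger.info("InTune SSO not active");
+callback({
+requestHeaders: detail.requestHeaders
+});
+return;
+}
+brokerService.getInterface(
+'/com/microsoft/identity/broker1',
+'com.microsoft.identity.Broker1', function(err, broker) {
+broker.acquirePrtSsoCookie('0.0', '', JSON.stringify({'ssoUrl':detail.url, 'account':intuneAccount, 'authParameters':{'authority':'https://login.microsoftonline.com/common/'}}), function(err, resp) {
+processPrtResponse(logger, resp, detail);
+callback({
+requestHeaders: detail.requestHeaders
+});
+});
+});
+}
+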
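Review bot: The DBus error paths in addSsoCookie are never checked: the getInterface callback dereferences `broker` without testing `err`, and the acquirePrtSsoCookie callback hands `resp` straight to processPrtResponse, whose `JSON.parse` throws on an undefined response, so `callback` is never invoked and the intercepted login request stalls instead of proceeding without the credential header. The explicit-user branch of processInTuneAccounts is also broken: `for (account in response.accounts)` iterates index strings rather than account objects, and `ssoIntuneAuthUser` is a different identifier from the `ssoInTuneAuthUser` parameter, so a configured user can never match and the lookup ends in a ReferenceError. Both processInTuneAccounts and processPrtResponse assign `response` without a declaration, creating an implicit global that is shared between concurrently running asynchronous callbacks; declare it with `const`. Because the header this module injects is a PRT-derived credential, every failure should deliberately fall back to the unmodified request rather than hang, as sketched below. The `LucidLog` import is unused and can be dropped.
```javascript
function processInTuneAccounts(logger, resp, ssoInTuneAuthUser) {
  const response = JSON.parse(resp);
  // … unchanged: error-response check and first-account selection …
  } else {
    const match = response.accounts.find(function(account) {
      return account.username == ssoInTuneAuthUser;
    });
    if (match == null) {
      logger.warn('Failed to find matching InTune account for ' + ssoInTuneAuthUser + '.');
    } else {
      intuneAccount = match;
      logger.debug('Found matching InTune account (' + intuneAccount.username + ')');
    }
  }
}

// … unchanged: initSso, setupUrlFilter, isSsoUrl …

function processPrtResponse(logger, resp, detail) {
  const response = JSON.parse(resp);
  // … unchanged: error check and header assignment …
}

exports.addSsoCookie = function addIntuneSsoCookie(logger, detail, callback) {
  // … unchanged: "InTune SSO not active" early return …
  brokerService.getInterface(
    '/com/microsoft/identity/broker1',
    'com.microsoft.identity.Broker1', function(err, broker) {
      if (err) {
        logger.warn('Failed to find microsoft-identity-broker DBus interface');
        callback({ requestHeaders: detail.requestHeaders });
        return;
      }
      broker.acquirePrtSsoCookie('0.0', '', JSON.stringify({'ssoUrl':detail.url, 'account':intuneAccount, 'authParameters':{'authority':'https://login.microsoftonline.com/common/'}}), function(err, resp) {
        if (err) {
          logger.warn('Failed to communicate with microsoft-identity-broker');
        } else {
          processPrtResponse(logger, resp, detail);
        }
        // Always release the request, with or without the SSO header.
        callback({ requestHeaders: detail.requestHeaders });
      });
    });
}
```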