** Description changed: - DRAFT FOR CPC AZURE TEAM + DRAFT FOR debcrafters-packages TEAM [Availability] The binary package libsso-mib0 from src:sso-mib is already in Ubuntu universe. The package src:sso-mib builds for all the architectures it is designed to work on. It currently builds and works for architectures: amd64, amd64v3, arm64, armhf, ppc64el, riscv64, s390x Link to package https://launchpad.net/ubuntu/+source/sso-mib [Rationale] - The binary package libsso-mib0 is required in Ubuntu main for freerdp3 (the larger feature that pulls it in, e.g. enabling Microsoft Entra Single-Sign-On with Conditional Access via the Himmelblau identity broker for RDP/SMTP/Graph clients), to allow seamless and frictionless login into Azure Virtual Desktops for all Entra users: https://bugs.launchpad.net/ubuntu/+source/freerdp3/+bug/2147276 - The binary package libsso-mib0 will not generally be useful for a large part of our user base, but is important/helpful still because it provides the client-side library and CLI used by applications (e.g. RDP clients, git send-email, mail clients, browsers) to obtain Primary Refresh Tokens, Access Tokens and PRT SSO Cookies from a Microsoft Identity Broker (Himmelblau on Linux), enabling Single-Sign-On to Microsoft Entra ID protected resources, including Conditional Access scenarios. - Additionally new use-cases enabled by this are: SSO to Entra-protected Microsoft 365 services (Outlook/SMTP, Graph, OneDrive), authenticated RDP sessions to Entra-joined hosts using Proof-of-Possession tokens ([MS-RDPBCGR]), and integration of Linux desktops/servers into Entra managed environments. - There is no other/better way to solve this that is already in main or should go universe->main instead of this. sso-mib is the sole open source C/GLib client implementation of the [MS-OAPXBC] DBus interface exposed by the Microsoft Identity Broker (or Himmelblau); other consumers of that interface are language-specific (e.g. MSAL Python) and not suitable as a system library for C/C++/GLib applications. - This is the first time package will be in main. - The binary package libsso-mib0 needs to be in main to achieve the SSO use case described above (libsso-mib0 can be linked by applications in main such as freerdp3). - All other binary packages built by sso-mib (sso-mib-tool, libsso-mib-dev, sso-mib-gch-smtp-o365) can remain in universe to reduce impact and dependency requirements, as the sso-mib-tool depends on an additional library that is in universe (libjwt2). The main purpose of this MIR is to enable packages in main to link against libsso-mib0. - It would be great and useful to community/processes to have the pbinary package libsso-mib0 in Ubuntu main, but there is no definitive deadline. [Security] - No CVEs/security issues in this software in the past - https://ubuntu.com/security/cve?package=sso-mib - https://security-tracker.debian.org/tracker/source-package/sso-mib - https://github.com/siemens/sso-mib/security - No matches in NVD or oss-security archives at the time of writing. - no `suid` or `sgid` binaries - no executables in `/sbin` and `/usr/sbin` - Package does not install services, timers or recurring jobs. sso-mib is a client library plus a CLI tool; the actual broker daemon it talks to over the session bus is provided by a separate packages (himmelblau / microsoft-identity-broker). - Security has been kept in mind and common isolation/risk-mitigation patterns are in place utilizing the following features: - Built with `DEB_BUILD_MAINT_OPTIONS = hardening=+all`, enabling all dpkg-buildflags hardening (PIE, bindnow, fortify, stackprotector strong, format security, relro). See debian/rules. - The library does not run as a daemon and does not gain elevated privileges; it executes entirely in the calling user's session and only acts as a DBus client to the user's identity broker on the session bus. - All token material is obtained from and stored by the broker daemon; sso-mib only marshals it to the calling application. - Packages does not open privileged ports (ports < 1024). - Package does not expose any external endpoints. It only acts as a DBus client on the user's session bus. - Packages does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...). - Packages do not use security algorithms. [Quality assurance - function/usage] - The package works well right after install. The library and CLI are immediately usable once an identity broker (Himmelblau or MIB) is running on the user's session bus; no post-install configuration of sso-mib itself is required. [Quality assurance - maintenance] - The package is maintained well in Debian/Ubuntu/Upstream and does not have too many, long-term & critical, open bugs - Ubuntu https://bugs.launchpad.net/ubuntu/+source/sso-mib/+bug - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=sso-mib - Upstream's bug tracker: https://github.com/siemens/sso-mib/issues - The package does not deal with exotic hardware we cannot support. [Quality assurance - testing] - The package does not run a test suite at build time because upstream does not currently ship a unit test suite. The package builds the library, the CLI tool, and the example programs as a smoke test of the API. - The package at version 0.8.1+ds-2 gained an autopkgtest suite that builds and runs the examples against the library under a local D-Bus session, checking that they error out cleanly due to the absence of the identity broker, without crashing or misbehaving in other ways. - The package does not have failing autopkgtests right now. - The package can not be well tested at build or autopkgtest time because it requires a Microsoft Entra tenant and a running identity broker. To make up for that: - We have engaged with the Debian community and they can test new package builds as they actively use the library against real Entra tenants. - Consequences of a regression that might slip through most likely would include: - Inability to acquire SSO tokens, breaking login/SSO for Entra-protected services (mail, RDP, Graph, OneDrive); - Failure of dependent applications (RDP clients using PoP tokens, git send-email via O365, etc.) to authenticate; - No security impact on the system itself, as sso-mib is an unprivileged session-scope client library. [Quality assurance - packaging] - A mechanism to detect and fetch new upstream versions is present and works (debian/watch tracks https://github.com/siemens/sso-mib/tags and debian/upstream/metadata is present). - debian/control defines a correct Maintainer field (Debian maintainer; the package is kept in sync from Debian, so update-maintainer is run by the Ubuntu sync tooling whenever an Ubuntu delta is applied). - This package does not yield massive lintian Warnings, Errors. https://udd.debian.org/lintian/?packages=sso-mib - Lintian overrides are not present. - This package does not rely on obsolete or about to be demoted packages. - This package has no python2 or GTK2 dependencies. - The package will not be installed by default. - Packaging and build is easy, link to debian/rules: https://salsa.debian.org/debian/sso-mib/-/blob/debian/latest/debian/rules (a trivial debhelper package). [UI standards] - Application is not end-user facing (does not need translation). The library has no UI; sso-mib-tool is a developer/admin CLI with English output only. - End-user applications without desktop file, not needed because sso-mib is a library plus a CLI tool, not a graphical end-user application. [Dependencies] - Used check-mir from ubuntu-dev-tools to validate that all dependencies of libsso-mib0 are in main: libc6, libglib2.0-0t64, libjson-glib-1.0-0, libuuid1 https://packages.ubuntu.com/resolute/libsso-mib0 build dependencies such as meson, dh-package-notes and libjwt-dev are in universe. [Standards compliance] - This package correctly follows FHS and Debian Policy (Standards-Version: 4.7.4). [Maintenance/Owner] - - The owning team will be CPC Azure and I have their acknowledgment + - The owning team will be debcrafters-packages and I have their acknowledgment for that commitment. - The future owning team is not yet subscribed, but will subscribe to the package before promotion. - This does not use static builds. - This does not use vendored code. - This package is not rust based. - The package has been built within the last 3 months in the archive (sso-mib 0.8.0+ds-1 was uploaded on 2026-03-17, see changelog). https://launchpad.net/ubuntu/+source/sso-mib/0.8.0+ds-1 This change will not impact other teams directly. Promotion only adds a new client library to main; it does not modify any existing package or default configuration. [Background information] The Package description explains the package well. Upstream Name is sso-mib (Single-Sign-On using Microsoft Identity Broker). Link to upstream project https://github.com/siemens/sso-mib sso-mib is a small C/GLib library and CLI developed by Siemens that implements the client side of the Microsoft [MS-OAPXBC] DBus protocol exposed by the Microsoft Identity Broker (on Linux: Himmelblau). It allows native Linux applications to obtain Primary Refresh Tokens, Access Tokens and PRT SSO Cookies for Microsoft Entra ID, including Proof-of-Possession tokens for RDP ([MS-RDPBCGR]). The semantics follow the MSAL Python library. The library is licensed under LGPL-2.1, the CLI tool under GPL-2, and the example programs under MIT.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2150739 Title: [MIR] sso-mib To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sso-mib/+bug/2150739/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
