Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune.
The name of the project comes from a German word for Azure (sky blue).
Himmelblau supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules. The PAM and NSS modules communicate with Entra ID via the himmelblaud daemon. Himmelblau also supports Intune device enrollment, policy enforcement, and marking devices as compliant with Intune MDM policies.
We gratefully acknowledge SUSE as the primary sponsor of the Himmelblau project. Their support enables us to develop and maintain this open-source identity management solution.
You can reach out on the Himmelblau community matrix channel or on the Samba Technical community matrix channel.
Himmelblau is developed and maintained by SUSE Linux, but the project’s operating expenses—including hosting, domain registration, and tooling—are funded by the community.
These costs currently run about $30–$50 per month, and while we have a few months of runway, your support helps keep the project sustainable. Even small contributions go a long way toward ensuring Himmelblau continues to grow and support Entra ID on Linux.
👉 Become a backer or sponsor
Himmelblau is available for multiple Linux distributions, including openSUSE, SUSE Linux Enterprise (SLE), Fedora, Ubuntu, Debian, Red Hat Enterprise Linux (Rocky), and NixOS. Visit the Himmelblau Downloads Page to fetch the appropriate packages for your distribution.
For openSUSE Tumbleweed, refresh the repositories and install Himmelblau:
sudo zypper ref && sudo zypper in himmelblau nss-himmelblau pam-himmelblau himmelblau-ssoAdd the appropriate repository for your version:
# For Leap 15.6 or SUSE Linux Enterprise 15 SP6:
sudo zypper ar https://download.opensuse.org/repositories/network:/idm/15.6/network:idm.repo
# For Leap 15.5 or SUSE Linux Enterprise 15 SP5:
sudo zypper ar https://download.opensuse.org/repositories/network:/idm/15.5/network:idm.repoThen refresh and install:
sudo zypper ref && sudo zypper in himmelblau nss-himmelblau pam-himmelblau himmelblau-ssoDownload the RPMs from the Downloads Page and install:
sudo dnf install ./himmelblau-<version>.rpm ./himmelblau-sshd-config-<version>.rpm ./himmelblau-sso-<version>.rpm ./nss-himmelblau-<version>.rpm ./pam-himmelblau-<version>.rpmDownload the DEB packages and install:
sudo apt install ./himmelblau_<version>.deb ./himmelblau-sshd-config_<version>.deb ./himmelblau-sso_<version>.deb ./nss-himmelblau_<version>.deb ./pam-himmelblau_<version>.debHimmelblau provides 2 packages and a module:
himmelblau.packages.<arch>.himmelblau: The core authentication daemon intended for server deployments. (default package)himmelblau.packages.<arch>.himmelblau-desktop: The daemon and GUI tools for 2FA signin within a (GTK) desktop environment.himmelblau.modules.himmelblau: A NixOS Module that provides the most common options and service definitions.
Himmelblau builds our packages in CI and uploads them to Cachix so you don't have to compile the software on every update. We sign these binaries before upload, and the cachix client will configure nix to trust our public signing key.
$ nix profile install 'nixpkgs#cachix'
$ cachix use himmelblauClassic NixOS configurations can use the builtins.getFlake function if they have enabled flakes compatability.
{lib, ...}:
let himmelblau = builtins.getFlake "github:himmelblau-idm/himmelblau/0.9.0";
in {
imports = [ himmelblau.nixosModules.himmelblau ];
services.himmelblau.enable = true;
services.himmelblau.settings = {
domains = ["my.domain.net"];
pam_allow_groups = [ "ENTRA-GROUP-GUID-HERE" ];
local_groups = [ "wheel" "docker" ];
};
}Flake based configurations add this repository to their inputs, enable the service, provide the minimal set of options.
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
himmelblau.url = "github:himmelblau-idm/himmelblau/main";
himmelblau.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, himmelblau }: {
nixosModules.azureEntraId = {
imports = [ himmelblau.nixosModules.himmelblau ];
services.himmelblau = {
enable = true;
settings = {
domains = ["my.domain.net"];
pam_allow_groups = [ "ENTRA-GROUP-GUID-HERE" ];
local_groups = [ "wheel" "docker" ];
};
};
};
nixosConfigurations."your-machine" = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
self.nixosModules.azureEntraId
./machines/your-machine/configuration.nix
];
};
};
}
Note: The packages you build here are from the current development branch and are intended for testing and evaluation. Do not deploy to production. Use a VM or a non-critical host.
This detects your distro and builds the matching packages (inside a container).
Artifacts land in ./packaging/.
makeThis installs whatever is already in ./packaging/.
sudo make installUnder the hood, make install uses your system package manager (apt, dnf/yum, or zypper) to install the locally built packages.
You can also target specific distros explicitly. Available targets (as of now):
- DEB:
ubuntu22.04ubuntu24.04debian12debian13 - RHEL family:
rocky8rocky9rocky10fedora41fedora42rawhide - SUSE:
sle15sp6sle15sp7sle16tumbleweed
Examples:
# Build Ubuntu 22.04 packages
make ubuntu22.04
# Build Rocky 9 packages
make rocky9
# Build openSUSE Tumbleweed packages
make tumbleweedPackages will be written to ./packaging/. You can then copy them to a target machine and install with the native package manager.
Note (SLE targets): For
sle15sp6,sle15sp7, orsle16builds, put your SCC email and regcode in${HOME}/.secrets/scc_regcode, formatted as follows:
email=SCC_REGISTRATION_EMAIL
regcode=SCC_REGISTRATION_CODE
sudo make uninstall # removes installed Himmelblau packagesvim /etc/himmelblau/himmelblau.conf
It's essential that you configure the domains option, otherwise
no users will be able to authenticate.
Run the daemon with:
sudo systemctl start himmelblaud himmelblaud-tasks
Check systemd journal for errors.
Disable nscd
systemctl stop nscd
systemctl disable nscd
systemctl mask nscd
Setup NSS
cp /usr/etc/nsswitch.conf /etc/nsswitch.conf
# vim /etc/nsswitch.conf
passwd: compat systemd himmelblau
group: compat systemd himmelblau
shadow: compat systemd himmelblau
Check that you can resolve a user with
getent passwd <name>
Setup PAM
WARNING only modify your PAM configuration if you are confident you understand the syntax. The following setup is meant as an example. Removing PAM modules from your stack may prevent you from authenticating to the host. Proceed with caution!
old /etc/pam.d/{common-account,common-auth,common-password,common-session}
cp /etc/pam.d/common-password-pc /etc/pam.d/common-password
cp /etc/pam.d/common-auth-pc /etc/pam.d/common-auth
cp /etc/pam.d/common-account-pc /etc/pam.d/common-account
cp /etc/pam.d/common-session-pc /etc/pam.d/common-session
# vim /etc/pam.d/common-auth
auth required pam_env.so
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_himmelblau.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
# vim /etc/pam.d/common-account
account [default=1 ignore=ignore success=ok] pam_localuser.so
account sufficient pam_himmelblau.so ignore_unknown_user
account sufficient pam_unix.so
account required pam_deny.so
# vim /etc/pam.d/common-session
session optional pam_systemd.so
session required pam_limits.so
session optional pam_himmelblau.so
session optional pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_env.so
# vim /etc/pam.d/common-password
password sufficient pam_himmelblau.so ignore_unknown_user
password optional pam_gnome_keyring.so use_authtok
password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
password required pam_deny.so
If you need to generate a Himmelblau developer build (for advanced debugging with proxy traffic capture),
please see DEVELOPER-BUILDS.md in this repository.
🚨 Note: Developer builds enable sensitive authentication traffic to be proxied for debugging. They are never intended for production environments.