FreeRDP/cmake/FindSSO_MIB.cmake


feat: add login through MS identity broker via sso-mib interface This change enables an alternative way of acquiring the necessary access tokens through a local identity broker. In the current implementation, we need to visit URLs twice and paste back the URLs we are redirected to in order to extract authorization codes and ultimately fetch the correct access tokens for RDP (described here: <0>). As an alternative, MS also provides the Microsoft Authentication Library (MSAL) through which authentication can be handled more or less in the background when we're using a trusted device. In particular, we can request access tokens with the same parameters as we're currently doing through the URL-based scheme. As the MSAL bindings are not available for C, we implemented a small wrapper library called sso-mib which is available at https://github.com/siemens/sso-mib. This library translates the high-level requests (such as acquire_token_interactive) to respective messages on the D-Bus messaging bus which is used to communicate with the identity broker service on Linux. The library can be built as a .deb package and subsequently be found through PkgConfig mechanisms in CMake. When sso-mib is not available through pkg-config, it can also be placed in external/, with the directory structure looking like the following. include/ is copied from the root of the sso-mib directory and lib/ populated with the built shared library files and symlinks. external/ ├── README └── sso-mib ├── include │ └── sso-mib │ ├── mib-account.h │ ├── mib-client-app.h │ ├── mib-exports.h │ ├── mib-pop-params.h │ ├── mib-prt.h │ ├── mib-prt-sso-cookie.h │ └── sso-mib.h └── lib ├── libsso-mib.so -> libsso-mib.so.0 ├── libsso-mib.so.0 -> libsso-mib.so.0.4.0 └── libsso-mib.so.0.4.0 This feature is currently hidden behind a configuration switch and must be enabled via `-DWITH_SSO_MIB=ON`. 
If the connection to the broker fails (for example, if no identity broker is installed or running on the system), we automatically fall back to the current scheme of copy-pasting URLs. <0>: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e967ebeb-9e9f-443e-857a-5208802943c2
2025-05-16 09:59:59 +02:00
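# - Find sso-mib
# Find the sso-mib library
#
# sso-mib (https://github.com/siemens/sso-mib) is the C wrapper used to request
# access tokens from the Microsoft identity broker over D-Bus. This module first
# looks for an installed sso-mib >= 0.5.0 via pkg-config. When none is
# available it registers an ExternalProject that clones and builds sso-mib with
# meson at build time (a network fetch from the upstream repository).
#
# Result variables:
#   SSO_MIB_FOUND             - TRUE when sso-mib is usable, either installed or
#                               scheduled to be built by the ExternalProject
#   SSO_MIB_INCLUDE_DIRS      - include directories of sso-mib and its dependencies
#   SSO_MIB_LIBRARIES         - libraries to link: sso-mib plus its dependencies
#   SSO_MIB_INSTALL_LIBRARIES - ExternalProject path with BUILD_SHARED_LIBS only:
#                               the built shared objects that must be shipped
#                               alongside the consuming binaries
#
# Imported target:
#   SSO_MIB::sso-mib - INTERFACE target carrying the include directories and
#                      link libraries above; in the ExternalProject path it also
#                      depends on sso-mib-external so consumers build after it
#
# Cache variables (advanced):
#   SSO_MIB_INCLUDE_DIR, SSO_MIB_LIBRARY - search results of the pkg-config path
#   SSO_MIB_MESON_EXECUTABLE             - meson used by the ExternalProject path
#
# SPDX-License-Identifier: Apache-2.0
# SPDX-FileCopyrightText: Copyright 2025 Siemens

# find_package_handle_standard_args() is defined by this module and is not in
# scope unless it is included explicitly.
include(FindPackageHandleStandardArgs)

find_package(PkgConfig REQUIRED)
pkg_check_modules(PC_SSO_MIB sso-mib>=0.5.0)

if(PC_SSO_MIB_FOUND)
  # Installed copy: resolve the header and library via the pkg-config hints.
  find_path(SSO_MIB_INCLUDE_DIR NAMES sso-mib/sso-mib.h HINTS ${PC_SSO_MIB_INCLUDEDIR})
  find_library(SSO_MIB_LIBRARY NAMES sso-mib HINTS ${PC_SSO_MIB_LIBRARYDIR})
  find_package_handle_standard_args(
    SSO_MIB
    REQUIRED_VARS SSO_MIB_LIBRARY SSO_MIB_INCLUDE_DIR
    VERSION_VAR PC_SSO_MIB_VERSION
  )
  if(SSO_MIB_FOUND)
    set(SSO_MIB_LIBRARIES ${SSO_MIB_LIBRARY} ${PC_SSO_MIB_LIBRARIES})
    set(SSO_MIB_INCLUDE_DIRS ${SSO_MIB_INCLUDE_DIR} ${PC_SSO_MIB_INCLUDE_DIRS})
  endif()
else()
  # No installed copy: build sso-mib from source at build time. meson drives
  # that build, so locate it now instead of failing inside the build step with
  # an opaque "command not found".
  find_program(SSO_MIB_MESON_EXECUTABLE NAMES meson)
  if(NOT SSO_MIB_MESON_EXECUTABLE)
    set(SSO_MIB_FOUND FALSE)
    if(SSO_MIB_FIND_REQUIRED)
      message(FATAL_ERROR "sso-mib >= 0.5.0 was not found via pkg-config and meson, "
                          "which is needed to build it from source, is not available")
    elseif(NOT SSO_MIB_FIND_QUIETLY)
      message(STATUS "sso-mib not found via pkg-config and meson is not available; "
                     "cannot build it from source")
    endif()
  else()
    include(ExternalProject)
    set(SSO_MIB_EXTERNAL_DIR ${CMAKE_BINARY_DIR}/sso-mib-external)
    set(SSO_MIB_INSTALL_DIR ${SSO_MIB_EXTERNAL_DIR}/install)
    set(SSO_MIB_URL https://github.com/siemens/sso-mib.git)
    set(SSO_MIB_VERSION_MAJOR 0)
    set(SSO_MIB_VERSION_MINOR 5)
    set(SSO_MIB_VERSION_PATCH 0)
    set(SSO_MIB_VERSION v${SSO_MIB_VERSION_MAJOR}.${SSO_MIB_VERSION_MINOR}.${SSO_MIB_VERSION_PATCH})
    message(STATUS "Adding sso-mib as ExternalProject from ${SSO_MIB_URL}, version ${SSO_MIB_VERSION}")

    # Build dependencies of sso-mib. They are also exported through
    # SSO_MIB_INCLUDE_DIRS / SSO_MIB_LIBRARIES because consumers of the sso-mib
    # headers need them. REQUIRED aborts configuration when any is missing, so
    # no further *_FOUND check is necessary.
    pkg_check_modules(GLIB REQUIRED glib-2.0)
    pkg_check_modules(GIO REQUIRED gio-2.0)
    pkg_check_modules(JSON_GLIB REQUIRED json-glib-1.0)
    pkg_check_modules(UUID REQUIRED uuid)
    set(PC_SSO_MIB_INCLUDE_DIRS ${GLIB_INCLUDE_DIRS} ${GIO_INCLUDE_DIRS} ${JSON_GLIB_INCLUDE_DIRS} ${UUID_INCLUDE_DIRS})
    set(PC_SSO_MIB_LIBRARIES ${GLIB_LIBRARIES} ${GIO_LIBRARIES} ${JSON_GLIB_LIBRARIES} ${UUID_LIBRARIES})

    # GIT_TAG names a release tag. A tag can be moved or re-pointed on the
    # remote, so the code fetched, compiled and linked here is only as stable as
    # the upstream tag; pinning GIT_TAG to the full commit hash the release
    # points at makes the fetch reproducible and verifiable. UPDATE_COMMAND is
    # empty so an existing checkout is not re-fetched on every build. The stamp
    # and temp directories are kept with the rest of the external build instead
    # of resolving relative to whichever directory called find_package().
    if(NOT TARGET sso-mib-external)
      ExternalProject_Add(
        sso-mib-external
        GIT_REPOSITORY ${SSO_MIB_URL}
        GIT_TAG ${SSO_MIB_VERSION}
        PREFIX ${SSO_MIB_EXTERNAL_DIR}
        SOURCE_DIR ${SSO_MIB_EXTERNAL_DIR}/src
        BINARY_DIR ${SSO_MIB_EXTERNAL_DIR}/build
        TMP_DIR ${SSO_MIB_EXTERNAL_DIR}/tmp
        STAMP_DIR ${SSO_MIB_EXTERNAL_DIR}/stamp
        CONFIGURE_COMMAND ${SSO_MIB_MESON_EXECUTABLE} setup --prefix=${SSO_MIB_INSTALL_DIR} --libdir=lib/
                          ${SSO_MIB_EXTERNAL_DIR}/build ${SSO_MIB_EXTERNAL_DIR}/src
        BUILD_COMMAND ${SSO_MIB_MESON_EXECUTABLE} compile -C ${SSO_MIB_EXTERNAL_DIR}/build
        INSTALL_COMMAND ${SSO_MIB_MESON_EXECUTABLE} install -C ${SSO_MIB_EXTERNAL_DIR}/build
        UPDATE_COMMAND ""
        BUILD_BYPRODUCTS ${SSO_MIB_INSTALL_DIR}/lib/libsso-mib.so
      )
    endif()

    set(SSO_MIB_INCLUDE_DIRS ${SSO_MIB_INSTALL_DIR}/include ${PC_SSO_MIB_INCLUDE_DIRS})
    set(SSO_MIB_LIBRARIES ${SSO_MIB_INSTALL_DIR}/lib/libsso-mib.so ${PC_SSO_MIB_LIBRARIES})
    # The install tree only exists once the external build has run, but the
    # imported target below must reference an existing include directory at
    # generate time.
    file(MAKE_DIRECTORY ${SSO_MIB_INSTALL_DIR}/include)
    if(BUILD_SHARED_LIBS)
      set(SSO_MIB_INSTALL_LIBRARIES
        ${SSO_MIB_INSTALL_DIR}/lib/libsso-mib.so
        ${SSO_MIB_INSTALL_DIR}/lib/libsso-mib.so.${SSO_MIB_VERSION_MAJOR}
        ${SSO_MIB_INSTALL_DIR}/lib/libsso-mib.so.${SSO_MIB_VERSION_MAJOR}.${SSO_MIB_VERSION_MINOR}.${SSO_MIB_VERSION_PATCH}
      )
    endif()
    # The library is provided by the external build, so report it as found the
    # same way the pkg-config path does; callers test SSO_MIB_FOUND.
    set(SSO_MIB_FOUND TRUE)
  endif()
endif()

if(SSO_MIB_FOUND AND NOT TARGET SSO_MIB::sso-mib)
  add_library(SSO_MIB::sso-mib INTERFACE IMPORTED)
  set_target_properties(
    SSO_MIB::sso-mib
    PROPERTIES INTERFACE_INCLUDE_DIRECTORIES "${SSO_MIB_INCLUDE_DIRS}"
               INTERFACE_LINK_LIBRARIES "${SSO_MIB_LIBRARIES}"
  )
  if(TARGET sso-mib-external)
    # Without this edge a consumer can link before the external build has
    # produced libsso-mib.so.
    add_dependencies(SSO_MIB::sso-mib sso-mib-external)
  endif()
endif()

mark_as_advanced(SSO_MIB_INCLUDE_DIR SSO_MIB_LIBRARY SSO_MIB_MESON_EXECUTABLE)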