Credential Providers | Windows Single Sign On (SSO)

Logon to windows using Xecurify's credential providers

Credential Providers

Credential Providers allows user to logon to windows using credentials of different types(Password, OTP) as requested by provider. Xecurify provides Password and OTP credential providers . Credential providers which tell Windows which user they are associated with are referred to as v2 credential providers. Providers which don't provide that information are referred to as v1 credential providers. By default, any credential provider created in the Windows Vista or Windows 7 timeframe is a v1 credential provider.

Logon UI Overview

In Windows Vista and Windows 7, Logon UI was very much about choosing an authentication method first and foremost.Windows 8 is designed to be extremely personalized to each user on the PC. In Windows 8, user tiles are shown instead of multiple methods to authenticate a single user in the Deselected State screen (where credential tiles are enumerated in Windows Vista and Windows 7).

  • Windows 8 - Deselected State
    In Windows 8, the Deselected State screen of the Logon UI is where the different user accounts and v1 credential providers available are shown:

    The example above shows the breakdown of items drawn by Windows vs. items coming from a credential provider:

  • The items labeled "1" are called "user tiles".
    1. For each user with at least one associated v2 Credential Provider, the following is shown:
    i. The user name
    ii. The user tile
    iii. The signed-in status
    2. If no v2 Credential Providers are associated with a user, no Windows-drawn user tile is displayed.
  • The item labeled "2" is a v1 credential provider.
    1. In this example, the "Fabrikam Sign-in" provider is installed.
    2. This class of tile must have its image and text provided by the credential provider, as in Windows 7.
  • The tiles are drawn in the deselected state as follows (from left-to-right):
    1. User tiles for currently signed-in accounts
    2. User tiles for accounts not currently signed-in
    3. v1 credential providers (ordered as in Windows 7)

  • Windows 8 - Selected State Screen (User Tile)

    The example above shows the breakdown of items drawn by Windows:

  • The "back" button; pressing this will return the user to the Deselected State screen. This button appears only if there are multiple user accounts on the PC.
  • The user tile
  • The user name, email address, and signed-in status
    1. The email address appears only if the user has a Microsoft Account.
    2. The signed-in status appears only if the user is currently signed-in.
  • The "Sign-in options" link
    1. This link appears only if the user has multiple v2 credential providers associated with their account.

The example above shows the breakdown of items drawn by a credential provider.
  • The fields a credential provider requests to be drawn will appear between the user name area and the Sign-in options link.
    1. In the example above, the provider requested only a password entry box and the "submit" button. 2. The same fields are available for v2 credential providers as were available in Windows 7, and they are specified for display in the same manner. 3. This area will grow based on the number of requested fields and will scroll when necessary.
  • 2.The currently selected credential provider's icon
    1. Any v2 credential provider associated with the selected user will have its icon displayed in this area.
    2. Windows draws a border around the currently-selected credential provider's icon( PIN provider,OTP provider)

  • Implementing a v2 Credential Provider

    v2 credential provider is one which tells Windows which user account the provider is associated with. This information is used to group these providers under a user tile.The key differences between a v2 credential provider and a v1 credential provider are:-

  • v2 credential providers do not provide the tile used to represent the user account; Windows draws the user tile for the provider.
  • v2 credential providers do not render the name, the signed-in status, or (in the case of a connected account) the email address of the user account for which they're signing in; Windows draws this for the provider.
  • v2 credential providers do not need to specify a default credential; Windows automatically selects the last-used v2 credential provider for the selected user.
  • v2 credential providers need to provide an image to represent their provider under the "Sign-in options" link
  • v2 credential providers must implement the ICredentialProviderCredential2 interface and return a valid SID on the GetUserSID function. This tells Windows which user(s) the provider should be associated with.