Imprivata: How to Display SSO User in BGinfo on a Kiosk

BGinfo, in case you’re by some chance unfamiliar, is a Microsoft utility for displaying session information on the wallpaper. It is often used on both servers and desktops for the purpose of quickly identifying the current Windows user, the name of the machine, and any other handy information one might want to have at hand. However, in one of Imprivata’s most common use cases, a generic account is used to enter the Windows environment, while a type-2 (kiosk) OneSign agent acts as an authentication gateway for each SSO user who shares that machine.

In this scenario, displaying the currently logged-in Windows user in BGInfo is a bit of a moot point, as it will always be the same for everyone. It doesn't give any actual indication as to who is presently using the device. The problem is that, by default, there is no environment variable or single point for BGinfo to reference in order to display the current SSO user, that is, the one who just authenticated to Imprivata. Thankfully though, it's not hard to set this up.

The Extension Object

You’re going to need an extension object, set to run when a session is unlocked. While you have the option to use the setx command to set an environment variable, this is not necessarily the best way to go. In my experience, using this method tends to have some timing issues with respect to the first time BGinfo runs and attempts to reference it, and I have seen this fail in more ways than one. Sometimes it just reliably failed on BGinfo’s first execution of the session, while it worked every subsequent time. In other cases, it failed consistently no matter which attempt you were on.

The more reliable option is to store the SSO user in the registry. The location of the string can be completely arbitrary, but I would strongly encourage using the HKEY_CURRENT_USER hive so you can keep your generic Windows login as far away from admin privileges as possible. The extension object is quite simple; here's an example:

reg add "HKEY_CURRENT_USER\Software\SSO" /v "SSOUser" /t REG_SZ /d "{var usr}" /f

This will store a string value called SSOUser (which will contain the username of the person who just authenticated to Imprivata) in the HKCU\Software\SSO key (which will not exist by default, as I just invented it for the sake of this post). You may also want to run BGinfo from this extension object. Doing so will ensure the timing of BGinfo's forthcoming registry reference is consistent, that is, you can be certain that BGinfo will run only after the registry is changed. Which brings me to the next point:

The .bgi File

This part is simple. BGinfo allows you to set any custom fields you'd like using the "Custom" button on the right. Hit that button, then "New," and choose an identifier for your field (might I recommend SSOUser?).

"Replace identifier with" a registry value (you won't need to tick the 64-bit checkbox unless you made things weirdly hard on yourself in the last step), and enter the path to the value you set earlier, HKEY_CURRENT_USER\Software\SSO\SSOUser in my example. Click "OK" and then "OK" again, and add the field you just created to your configuration, either by clicking the identifier in the box on the right and choosing "Add" or simply by typing its name between < and >, or <SSOUSER> in my example.

Now just save your .bgi file, put it in a place everyone can access it, and use its path as a parameter when you run the BGInfo executable. Let me know if this was helpful!
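Putting the two steps together, here is an added example of the batch script an extension object could write out at unlock; it is not the post's own extension object, and it assumes {VAR SSOUSR} is the substitution token (the post's example uses {var usr}), BGInfo installed under C:\Program Files\BGInfo, and a .bgi saved there as kiosk.bgi:

```batch
@ECHO OFF
REM Added example (not from the original post): store the SSO user in HKCU,
REM then launch BGInfo so its first paint already sees the new value.
REM Assumptions: Imprivata substitutes {VAR SSOUSR} before this runs;
REM paths below are placeholders for this example.
SETLOCAL
SET "SSO_KEY=HKCU\Software\SSO"
SET "BGI_EXE=C:\Program Files\BGInfo\Bginfo.exe"
SET "BGI_CFG=C:\Program Files\BGInfo\kiosk.bgi"
SET "SSO_NAME={VAR SSOUSR}"

REM If substitution produced nothing (the empty-value symptom in the comments),
REM write a visible placeholder rather than leaving a stale name on the wallpaper.
IF "%SSO_NAME%"=="" SET "SSO_NAME=(no SSO user)"

REM Writing under HKCU keeps the generic kiosk login away from admin rights.
REM /f overwrites silently; without it reg.exe prompts on every unlock after the first.
reg add "%SSO_KEY%" /v SSOUser /t REG_SZ /d "%SSO_NAME%" /f >NUL
IF ERRORLEVEL 1 (
    ECHO %DATE% %TIME% reg add failed for %SSO_KEY%>>"%TEMP%\sso-bginfo.log"
    EXIT /B 1
)

REM Run BGInfo only after the value is in place; /timer:0 applies immediately.
"%BGI_EXE%" "%BGI_CFG%" /timer:0 /nolicprompt /silent
ENDLOCAL
```

Pair this with a clean-up step at logoff (Carl's script in the comments below does that) so the last user's name does not remain on the wallpaper after the session ends.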

4 thoughts on "Imprivata: How to Display SSO User in BGinfo on a Kiosk"

  1. bhiller06

    Working with OneSign 4.9 and having issues with the XO adding the string to the registry. I have played with the quotes but am still having issues. I followed the tutorial but it seems like the registry is not updating. I made sure the kiosk account has full control over the SSO key in the registry.

    reg add "HKEY_CURRENT_USER\Software\SSO" /v "SSOUser" /t REG_SZ /d "{var ssousr}"

    1. Vince Post author

      That line is definitely correct, quotes and all. Are you finding that the registry is not getting updated at all, or that it is updated incorrectly?

      And to confirm: Did you ensure the EXO is triggered at Desktop Unlock and that your machine is in a Computer Policy that has the EXO enabled?

      1. bhiller06@gmail.com

        It’s adding the string but the value data is empty for REG_SZ SSOUser. The Kiosk account has permissions on the registry. Everything looks good with the exo and the computer policy.

  2. Carl

    Thanks for this, it needed some tweaking for my environment. I'm implementing Imprivata OneSign Agent 5.1 in Kiosk mode, and it wouldn't work with {VAR USR }, I needed to use {VAR SSOUSR}

    My code is as follows…

    @ECHO OFF
    reg add "HKCU\SOFTWARE\SSO" /v SSOUser /t REG_SZ /d {VAR SSOUSR} /f
    "C:\Program Files\BGInfo\bginfo.exe" "C:\Program Files\BGInfo\bht.bgi" /timer=0 /NOLICPROMPT

    I also had to select the “Written to a file with an extension of .bat and then executed.” option for it to work. This does mean a dos box flashes onto the screen, but I can live with that.

    In addition I've used a logoff script on the machine to remove the BGInfo image file and clean out the SSOUser registry entry, see code below:

    IF EXIST %TEMP%\BGInfo.bmp DEL %TEMP%\BGInfo.bmp /F /Q
    REG DELETE HKCU\SOFTWARE\SSO /v SSOUser /f

    Cheers
    Carl
