Frame Single Sign-On

Introduction

Frame Single Sign-On (SSO) allows users to access a domain-joined VM without requiring users to enter their domain user credentials every time they enter into a Frame session. This patented feature (US Patent #11,483,305) provides a more streamlined end-user experience in terms of Windows domain user authentication.

The first time a user starts a session to a domain-joined workload VM, Frame Terminal (running within the user’s browser or Frame App) prompts the user to enter their Active Directory domain user credentials. Frame Terminal encrypts the user credentials using a user-specific public key certificate generated by Frame Platform. The encrypted domain user credentials are stored locally within the user’s browser or Frame App cache, linked to the user’s identity within Frame (as provided by the identity provider) and specific Frame Account, and sent to the workload VM via Datagram Transport Layer Security (DTLS).

Requirements

A Frame account configured under Settings > Domain Settings so that test and production workload VMs are joined to Active Directory.
The Sandbox has been published at least once with at least one domain-joined test/production workload VM for users.
Frame Guest Agent 1.9.4.0 and higher
Frame Server 8.6.8.0 and higher
Frame Remoting Protocol 8

Limitations

If a user wishes to log in using a different domain user account to workloads in the same Frame account, they must clear their encrypted user credentials from the browser cache or completely clear the Frame App cache.
Frame SSO is dependent on the cache file persisting across device power cycles. Currently, Frame SSO will not work with thin clients that do not have a persistent store to save the user’s encrypted domain user credentials.

Enable Frame SSO

You enable Frame SSO, as an Admin, by going to Settings > Domain Settings in the Frame Account Dashboard and toggling on Frame SSO.

Dashboard > Settings > Domain Settings

Disable Frame SSO

To disable Frame SSO, turn off the Frame SSO feature in Domain Settings. Users will be required to authenticate to the Windows domain each time they start a Frame session, regardless of whether they used the Frame SSO feature in the past.

Disabling Frame SSO does not clear the users' encrypted domain user credentials in their browser or Frame App cache. Users will need to individually clear their browser/Frame App cache (see below).

User Experience

This section discusses what your users will experience when Frame SSO is enabled on a domain-joined Frame account.

When Frame SSO is enabled and the user's browser (or Frame App) does not have the user's encrypted domain credentials in its cache, the user will be asked to enter their domain credentials.

Frame Terminal - First Login

The user must specify their username as UPN: username@domain.com or domain\username

Subsequent logins

Once the user's domain credentials are encrypted and stored in their browser or Frame App cache on the device, the user will see the following screen in subsequent logins when they start their sessions.

Frame Terminal - Subsequent Logins

Encrypted User Credential Storage

Once a user successfully logs into a domain-joined Frame session, the encrypted domain user credentials are saved in the browser or Frame App cache. If more than one domain user is using the browser, there will be more than one encrypted domain user credential record.

Clearing User Credentials

Web browser

To clear the encrypted domain user credentials, the browser user must perform one of two operations:

The user can go to Clear Browsing Data in their Chrome browser and only clear Cookies and Other Site Data.
Alternatively, the user can go to the Developer Console and follow the path below to delete the user credential entry:
dev.console > Application > Storage > IndexedDB > frame-player-user-preferences > keyvaluepairs > [user creds entry]

Frame App

For Frame App, users must delete the cache folder by clearing the User Cache in Preferences.

Troubleshooting

Errors

Incorrect Username or Password

If the user attempts to register a username or password that cannot be validated by their domain controller, Frame Terminal will display:

Frame Terminal - Incorrect Username or Password

The user will need to ensure they are entering the correct domain credentials.

Maximum number of login attempts exceeded

If the user exceeds the maximum number of login attempts as defined by their administrator's domain policies, then Frame Terminal will return an error.

Frame Terminal - Maximum Number of Login Attempts

The user should revalidate their domain user credentials outside of Frame and may need to contact their Windows administrator to reset their domain password.

Hierarchy

Account Types

Deployment Planning

Operating Systems and Applications

Application Licensing

Microsoft Licensing Guide for Frame

Infrastructure

Cost Management

DaaS Supported Instance Types

Cloud Accounts

Bring Your Own

Amazon Web Services

Microsoft Azure

Google Cloud Platform

IBM Cloud

Nutanix AHV

Amazon Workspaces Core (WSC) Managed Instances (Early Access)

GCP Sole-Tenant Nodes - Windows 11 on GCP

Infrastructure

Cloud Accounts

Amazon Web Services (AWS) Workspaces Core

IBM Cloud VPC

Networking

Requirements

Public Networking (Public Cloud)

Private Networking (Public Cloud)

Private Networking with SGA (Public Cloud)

Private Networking (AHV)

Private Networking with SGA (AHV)

VPN Configurations

Streaming Gateway Appliance

SGA 4

SGA 4 Installation

SGA 4 Upgrade

SGA 4 Management

SGA 3

SGA 3 Installation

SGA 3 Upgrade

SGA 3 Management

Operating System

Bring Your Own

Linux

Windows

Frame Agent Setup Tool (FAST)

Frame Guest Agent Installer

BYO Images on Amazon Web Services

BYO Images on Microsoft Azure

BYO Images on Google Cloud Platform

BYO Images on IBM Cloud

BYO Images on Nutanix AHV

Available Roles

Identity Provider Integrations

Authentication

Basic Authentication

Authorization

Dizzion C3

General SAML2 Integration

Duo

Google Workspace

Microsoft Entra ID

ADFS

Okta

Mass User Creation

Secure Anonymous Tokens

Account Creation

Settings

Organizations

Support Authorization

Administration

Launchpads

Bring-Your-Own Workloads (Early Access)

Sandbox

Install and Onboard Apps

Publishing

Updates

Domain

Domain Controller Prep

AWS IAM Permissions

Azure DNS Configuration

Domain Join Setup