# Frame Single Sign-On

## Introduction

Frame Single Sign-On (SSO) allows users to access a domain-joined VM without entering their domain user credentials every time they start a Frame session. This patented feature (US Patent #11,483,305) provides a more streamlined end user experience in terms of Windows domain user authentication.

The first time a user starts a session to a domain-joined workload VM, Frame Terminal (running within the user’s browser or Frame App) prompts the user to enter their Active Directory domain user credentials. Frame Terminal encrypts the user credentials using a user-specific public key certificate generated by Frame Platform. The encrypted domain user credentials are stored locally within the user’s browser or Frame App cache, linked to the user’s identity within Frame (as provided by the identity provider) and the specific Frame Account, and sent to the workload VM via Datagram Transport Layer Security (DTLS).

## Requirements

- A Frame account configured under Settings > Domain Settings so that test and production workload VMs are joined to Active Directory.
- The Sandbox has been published at least once with at least one domain-joined test/production workload VM for users.
- Frame Guest Agent 1.9.4.0 and higher
- Frame Server 8.6.8.0 and higher
- Frame Remoting Protocol 8

## Limitations

- If a user wishes to log in using a different domain user account to workloads in the same Frame account, they must clear their encrypted user credentials from the browser cache or completely clear the Frame App cache.
- Frame SSO is dependent on the cache file persisting across device power cycles. Currently, Frame SSO will not work with thin clients that do not have a persistent store to save the user’s encrypted domain user credentials.

## Enable Frame SSO

As an Admin, you enable Frame SSO by going to Settings > Domain Settings in the Frame Account Dashboard and toggling on Frame SSO.

*Figure: Dashboard > Settings > Domain Settings*

## Disable Frame SSO

To disable Frame SSO, turn off the Frame SSO feature in Domain Settings. Users will be required to authenticate to the Windows domain each time they start a Frame session, regardless of whether they used the Frame SSO feature in the past.

Disabling Frame SSO does not clear the users' encrypted domain user credentials in their browser or Frame App cache. Users will need to individually clear their browser/Frame App cache (see below).

## User Experience

This section discusses what your users will experience when Frame SSO is enabled on a domain-joined Frame account.

### First login

When Frame SSO is enabled and the user's browser (or Frame App) does not have the user's encrypted domain credentials in its cache, the user will be asked to enter their domain credentials.

*Figure: Frame Terminal - First Login*

The user must specify their username as:

- username without @domain
- domain\username

### Subsequent logins

Once the user's domain credentials are encrypted and stored in their browser or Frame App cache on the device, the user will see the following screen in subsequent logins when they start their sessions.

*Figure: Frame Terminal - Subsequent Logins*

## Encrypted User Credential Storage

Once a user successfully logs into a domain-joined Frame session, the encrypted domain user credentials are saved in the browser or Frame App cache. If there is more than one domain user using the browser, there will be more than one encrypted domain user credential record.

### Clearing User Credentials

#### Web browser

To clear the encrypted domain user credentials, the browser user must perform one of two operations:

1. The user can go to Clear Browsing Data in their Chrome browser; they need only clear Cookies and Other Site Data (Chrome).
2. Alternatively, the user can go to the Developer Console and follow the path below to delete the user credential entry:

   dev.console > Application > Storage > IndexedDB > frame-player-user-preferences > keyvaluepairs > [user creds entry]

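The Developer Console path in option 2 can also be followed from the console itself; the snippet below is an added example, not Frame's own code, that lists the keys in that store and deletes one key chosen from the listing. Assumptions: the helper names are hypothetical, the console is open on the Frame Terminal page (IndexedDB is scoped per origin), and the credential record's key is not given on this page, so it is read from the listing rather than hard-coded.

```javascript
// Added example, not Frame's code. The database and store names come from the
// DevTools path above; the credential record's key is not documented, so list
// the keys first and pass the one to delete explicitly.
const FRAME_DB = 'frame-player-user-preferences';
const FRAME_STORE = 'keyvaluepairs';

// Wrap an IDBRequest in a Promise.
const settle = (req) => new Promise((resolve, reject) => {
  req.onsuccess = () => resolve(req.result);
  req.onerror = () => reject(req.error);
});

// Open the store and run one request against it. Resolves to null when the
// database or store is absent, meaning nothing is cached for this origin.
async function onFrameStore(mode, makeRequest, idb = globalThis.indexedDB) {
  const open = idb.open(FRAME_DB);
  // Opening a missing database would create it; abort so none is left behind.
  open.onupgradeneeded = (e) => {
    if (e.oldVersion === 0) open.transaction.abort();
  };
  let db;
  try {
    db = await settle(open);
  } catch (err) {
    if (err && err.name === 'AbortError') return null;
    throw err;
  }
  try {
    if (!db.objectStoreNames.contains(FRAME_STORE)) return null;
    const store = db.transaction(FRAME_STORE, mode).objectStore(FRAME_STORE);
    return await settle(makeRequest(store));
  } finally {
    db.close();
  }
}

// Keys only: the stored (encrypted) values are never read or printed.
const listFrameCacheKeys = (idb) =>
  onFrameStore('readonly', (store) => store.getAllKeys(), idb);

// Delete one record, then list again so the caller can confirm it is gone.
async function deleteFrameCacheKey(key, idb) {
  await onFrameStore('readwrite', (store) => store.delete(key), idb);
  return listFrameCacheKeys(idb);
}
```

In the console, run `await listFrameCacheKeys()` first, then `await deleteFrameCacheKey(key)` with a key taken from that listing; a `null` result means no such database or store exists in this browser profile.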
#### Frame App

For Frame App, users must delete the cache folder by clearing the User Cache in Preferences.

## Troubleshooting

### Errors

#### Incorrect Username or Password

If the user attempts to register a username or password that cannot be validated by their domain controller, Frame Terminal will display:

*Figure: Frame Terminal - Incorrect Username or Password*

The user will need to ensure they are entering the correct domain credentials.

#### Maximum number of login attempts exceeded

If the user exceeds the maximum number of login attempts as defined by their administrator's domain policies, then Frame Terminal will return an error.

*Figure: Frame Terminal - Maximum Number of Login Attempts*