Frame Single Sign-On
Introduction
Frame Single Sign-On (SSO) allows users to access a domain-joined VM without entering their domain user credentials every time they start a Frame session. This patented feature (US Patent #11,483,305) provides a more streamlined end-user experience for Windows domain user authentication.

The first time a user starts a session to a domain-joined workload VM, Frame Terminal (running within the user’s browser or Frame App) prompts the user to enter their Active Directory domain user credentials. Frame Terminal encrypts the user credentials using a user-specific public key certificate generated by Frame Platform. The encrypted domain user credentials are stored locally within the user’s browser or Frame App cache, linked to the user’s identity within Frame (as provided by the identity provider) and the specific Frame Account, and sent to the workload VM via Datagram Transport Layer Security (DTLS).

Requirements
- A Frame account configured under Settings > Domain Settings so that test and production workload VMs are joined to Active Directory.
- The Sandbox has been published at least once with at least one domain-joined test/production workload VM for users.
- Frame Guest Agent 1.9.4.0 and higher
- Frame Server 8.6.8.0 and higher
- Frame Remoting Protocol 8

Limitations
- If a user wishes to log in using a different domain user account to workloads in the same Frame account, they must clear their encrypted user credentials from the browser cache or completely clear the Frame App cache.
- Frame SSO is dependent on the cache file persisting across device power cycles. Currently, Frame SSO will not work with thin clients that do not have a persistent store to save the user’s encrypted domain user credentials.

Enable Frame SSO
As an Admin, you enable Frame SSO by going to Settings > Domain Settings in the Frame Account Dashboard and toggling on Frame SSO.

Dashboard > Settings > Domain Settings

Disable Frame SSO
To disable Frame SSO, turn off the Frame SSO feature in Domain Settings. Users will be required to authenticate to the Windows domain each time they start a Frame session, regardless of whether they used the Frame SSO feature in the past.

Disabling Frame SSO does not clear the users' encrypted domain user credentials in their browser or Frame App cache. Users will need to individually clear their browser/Frame App cache (see below).

User Experience
This section discusses what your users will experience when Frame SSO is enabled on a domain-joined Frame account.

First login
When Frame SSO is enabled and the user's browser (or Frame App) does not have the user's encrypted domain credentials in its cache, the user will be asked to enter their domain credentials.

Frame Terminal - First Login

The user must specify their username as:
- username without @domain
- domain\username

Subsequent logins
Once the user's domain credentials are encrypted and stored in their browser or Frame App cache on the device, the user will see the following screen in subsequent logins when they start their sessions.

Frame Terminal - Subsequent Logins

Encrypted User Credential Storage
Once a user successfully logs into a domain-joined Frame session, the encrypted domain user credentials are saved in the browser or Frame App cache. If more than one domain user is using the browser, there will be more than one encrypted domain user credential record.

Clearing User Credentials
Web browser
To clear the encrypted domain user credentials, the browser user must perform one of two operations:
- The user can go to Clear Browsing Data in their Chrome browser; they need only to clear Cookies and Other Site Data.
- Alternatively, the user can go to the Developer Console and follow the path below to delete the user credential entry:

dev.console > Application > Storage > IndexedDB > frame-player-user-preferences > keyvaluepairs > [user creds entry]
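
The same clean-up as the Developer Console path above, scripted for the browser console; this is an added example, not Frame code. The database and store names are the ones in that path, the function names are hypothetical, and because the page does not document the credential record's key, the keys are listed first and the caller chooses which one to delete.

```javascript
// Added example (not Frame code). DB and store names come from the Developer
// Console path on this page; record keys are not documented there, so they
// are listed first and the one to remove is passed in by the caller.
const DB_NAME = "frame-player-user-preferences";
const STORE = "keyvaluepairs";

// Turn an IDBRequest into a Promise.
const asPromise = (req) =>
  new Promise((resolve, reject) => {
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  });

// Open only an existing database: if the browser would have to create it,
// abort the upgrade so a profile with no cache is left without a new database.
function openExisting(idb) {
  const req = idb.open(DB_NAME);
  req.onupgradeneeded = () => req.transaction.abort();
  return asPromise(req).catch(() => null); // null: missing or cannot be opened
}

// List the keys of the cached records; the stored values are never read.
async function listFrameSsoKeys(idb = globalThis.indexedDB) {
  const db = await openExisting(idb);
  if (!db) return [];
  try {
    if (!db.objectStoreNames.contains(STORE)) return [];
    const store = db.transaction(STORE, "readonly").objectStore(STORE);
    return await asPromise(store.getAllKeys());
  } finally {
    db.close();
  }
}

// Delete one record by key. Returns true only if the key was present.
async function deleteFrameSsoRecord(key, idb = globalThis.indexedDB) {
  const db = await openExisting(idb);
  if (!db) return false;
  try {
    if (!db.objectStoreNames.contains(STORE)) return false;
    const store = db.transaction(STORE, "readwrite").objectStore(STORE);
    if ((await asPromise(store.count(key))) === 0) return false;
    await asPromise(store.delete(key));
    return true;
  } finally {
    db.close();
  }
}
```

Run it in the Developer Console on the page where Frame Terminal runs, since IndexedDB is scoped to the origin: `await listFrameSsoKeys()` followed by `await deleteFrameSsoRecord(key)`.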

Frame App
For Frame App, users must delete the cache folder by clearing the User Cache in Preferences.

Troubleshooting
Errors
Incorrect Username or Password
If the user attempts to register a username or password that cannot be validated by their domain controller, Frame Terminal will display:

Frame Terminal - Incorrect Username or Password

The user will need to ensure they are entering the correct domain credentials.

Maximum number of login attempts exceeded
If the user exceeds the maximum number of login attempts as defined by their administrator's domain policies, then Frame Terminal will return an error.

Frame Terminal - Maximum Number of Login Attempts