Secure Anonymous Tokens

Secure Anonymous Tokens are used hand-in-hand with Frame’s Terminal (Application) API to start sessions. Frame provides administrators with many ways to customize and control user and administrative access to their accounts. Secure Anonymous tokens allow admins a way (via Frame’s APIs) to generate tokens for users on-demand, giving users the ability to launch Frame sessions without entering any credentials. There are many use-cases where this type of authentication may be required, such as software trials, demos, or kiosk-like experiences for example.

When generating a Secure Anonymous Token, users will receive a JSON Web Token (JWT) that can be used with Xi Frame’s Terminal API to launch sessions. Optionally, there are some additional parameters that can be specified when generating the tokens, allowing the customization of attributes that are present in the token and inherently environment variables within VM connected to the session.

Overview

../_images/sat-overview.png

Getting Started

Requirements

  • RESTful API access with necessary Administrative permissions
  • Create Secure Anonymous Token provider with Launchpad users.
  • Web server that will consume the Secure Anonymous Token API
  • Administrator access (Customer, Org, or Account level)

RESTful API Credentials

The Secure Anonymous Token API can be consumed over RESTful endpoints to retrieve tokens.This requires an API integration with the proper roles/permissions.

Creating a new API integration

To get started, be sure to login as an administrator to gain access to API settings.

  1. If you’re on the Dashboard of an account, go to “Users > Authentication”. If you’re on the Admin page for the account, org, or customer level, go to “Security > Authentication.”
  2. Enable the API toggle and save - a new API tab will appear.
../_images/add_api_0.png
  1. Click the API tab, then click “Add API”.
../_images/add_api_1.png
  1. Give this new API integration a name; for this example, we’ll use “API to create anonymous tokens”. Then, select a role and scope; it must be at least an administrator for the account/org/customer you’re configuring access for. The “Launchpad User” role does not have permissions generate tokens.
../_images/add_api_2.png
  1. Click Add. You’ll see the new API show up in the list. Click the options menu for the new API and select “Manage Credentials”.
../_images/add_api_3.png
  1. You’ll be prompted to create a new API key – start by giving it a name, then click the PLUS button on the right.
../_images/add_api_4.png
  1. You’ll now see your Client ID and Client Secret, copy these down, as you won’t be able to see the secret again after leavint this screen.
../_images/add_api_5.png
  1. That’s it! Now you’re ready to add a Secure Anonymous provider using the steps below.

Note

The API credentials need Administrator permissions for the account, org, or customer that the integration is configured for. Launchpad users cannot generate tokens.

Creating a Secure Anonymous Token provider

  1. If you’re on the Dashboard of an account, go to Users -> Authentication. If you’re on the admin page for the account, org, or customer level, go to Security -> Authentication.
  2. Enable the Secure Anonymous option under Authentication and save; a new Secure Anonymous tab will show up.
../_images/secure_anon_setup_1.png
  1. Click the Secure Anonymous tab, then click click “Add Provider”.
../_images/secure_anon_setup_2.png
  1. You’ll be prompted to describe and configure your new Secure Anonymous provider. You can specify the following:
Anonymous Provider Properties
Description A short description of what you plan to use the Anonymous Token provider for (e.g. public trials)
Token Duration how long until the token expires and is no longer valid.
Roles and Scope The role will typically be a launchpad user, and the scop is which account/Launchpad you’d like to provide access to via these tokens.

  1. Give it a description that makes sense for your use case, e.g. “Token provider for product trials”. Then, set the token duration you’d like. Finally, select a Role and scope – we recommend only configuring the role for Launchpad Users for security reasons.
../_images/secure_anon_setup_3.png
  1. You’ll then see your new Anonymous Provider show up – click the options menu and select Playground to test generating tokens using the new provider, as well as various syntax examples demonstrating how to make a request for tokens.
../_images/secure_anon_setup_4.png

Programmatically generating Secure Anonymous Tokens

Now that we have an API Client ID and Client Secret from the API setup steps above, we can use the dynamic code snippet examples provided in the Secure Anonymous Playground (#ref to above). You should be able to copy the code in your preferred language, then paste in your Client ID and Client Secret and be good to go.

Optional Anonymous Token Parameters

You can provide a few optional parameters when generating anonymous tokens. These parameters let you customize the information provided in the JWT, allowing you to set properties such as:
  • First Name
  • Last Name
  • Email Address
  • Email Domain
Optional Anonymous Token Parameters
Name Type Description
first_name string “John” for example.
last_name string “Smith” for example.
email string Example: john.smith@acme.com
email_domain string Example: acme.com. This will return xxxxxxx@acme.com.