As mentioned in Learn about security tokens, a CLIENT-PRINCIPAL object is a transformation of the Spring-generated security token that contains additional details for use in an ABL application.

CLIENT-PRINCIPAL objects:

  • Are generated by OpenEdge from the Spring-generated token
  • Add a domain and domain access code
  • Add ABL-specific details
  • Are required for assigning a connection identity for an OpenEdge multi-tenant database

When OpenEdge successfully authenticates a client identity, OpenEdge then seals the CLIENT-PRINCIPAL object. After the CLIENT-PRINCIPAL object is sealed, you cannot change the user identity (or any other settings) in the object, but you can use the sealed object in single sign-on (SSO) operations to validate and assign the identity it represents to any session or database connection in an ABL application. Therefore, your application can use a CLIENT-PRINCIPAL object to both authenticate a user identity for one application resource and assign that identity to other ABL sessions and database connections in the application.

For more information, see Client-principal objects.