An ABL authentication callback procedure contains the following internal procedures:

  • AuthenticateUser — performs user authentication for a user-defined authentication system, or extends the built-in authentication systems where OpenEdge performs user authentication (_oeusertable and _oslocal.

    User authentication includes locating the user account, verifying and validating the password, loading additional user account information into the client-principal object (roles, for example), verifying if the user account is enabled, checking any account usage restrictions, checking if a new password is required, and so on.

  • AfterSetIdentity — (optional) performs additional functions for an SSO operation invoked by the application, or as part of an OpenEdge-performed user authentication operation. For example, you could add or modify an application's context information with this procedure. However, the client-principal object is sealed when this procedure executes and you cannot make any changes to it.

In addition, note these restrictions to operations on the client-principal object during the execution of authentication callback procedures:

  • You cannot delete the client-principal object.
  • You cannot call the AUTHENTICATION-FAILED( ), EXPORT-PRINCIPAL( ), IMPORT-PRINCIPAL( ), INITIALIZE( ), LOGOUT( ), or SEAL( ) methods.
  • You cannot change the DOMAIN-NAME, DOMAIN-TYPE, PRIMARY-PASSPHRASE, QUALIFIED-USER-ID, SESSION-ID, or USER-ID attributes.
  • You cannot change the identity of any existing database connection with the SETUSERID function.