As noted previously (see Elements of an application authentication model), a security token can be unsealed or sealed. An unsealed client-principal is the initial state of any client principal object that you create using the CREATE CLIENT-PRINCIPAL statement (see the table ABL elements for managing user identities). You can initialize and change the user identity (including all writeable attributes and data) of an unsealed client-principal. Sealing the client-principal puts the object in a state that prevents the identity it represents (or any of its attributes and data) from being changed, which allows the object to represent that identity with a high degree of reliability.

An unsealed client-principal object can be sealed:

  • As part of any OpenEdge-performed user authentication operation using the SET-DB-CLIENT function or the SET-CLIENT method on the SECURITY-POLICY system handle (see the table ABL elements for managing user identities)
  • As an explicit operation that your ABL application can perform by executing the SEAL( ) method on the object (see the table Client-principal object methods)
  • By the AVM after a callback has successfully completed authentication

A sealed client-principal can be in one of several different states, corresponding to the state of the user identity it represents and indicated by the read-only LOGIN-STATE attribute (see the table Client-principal object attributes). This state determines how the object can be used to represent its identity in your application and can also be reflected in any audit trail for the identity.

When a sealed client principal is in the LOGIN state, the object can be used in an SSO operation, which attempts to assign the user identity it represents to a given ABL session or database connection. The SSO operation first validates that the object has been sealed using a domain access code found in the session's or connection's trusted domain registry. If the validation is successful, the session or connection is then assigned the object's user identity.
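The following ABL procedure walks through the lifecycle just described: registering a domain in the session's trusted domain registry, creating and sealing a client-principal, checking its LOGIN-STATE, and attempting the SSO assignment with SET-CLIENT. It is an added example, not code from the OpenEdge documentation; the domain name, user ID and access code are constructed, and the parameter order of REGISTER-DOMAIN is assumed from memory.

```abl
/* Added example (not from the OpenEdge documentation).
   Domain "sales", user "alice" and the access code are constructed values. */
DEFINE VARIABLE hCP     AS HANDLE    NO-UNDO.
DEFINE VARIABLE lOK     AS LOGICAL   NO-UNDO.
DEFINE VARIABLE cDomain AS CHARACTER NO-UNDO INITIAL "sales".
/* Constructed access code; a real one belongs in protected configuration, not source. */
DEFINE VARIABLE cCode   AS CHARACTER NO-UNDO INITIAL "example-access-code".

/* 1. Populate the session's trusted domain registry, then lock it so that no
      later code can register a domain with an access code of its own choosing.
      (Parameter order of REGISTER-DOMAIN is assumed.) */
SECURITY-POLICY:REGISTER-DOMAIN(cDomain, cCode, "OEUserTable", "Sales staff").
SECURITY-POLICY:LOCK-REGISTRATION().

/* 2. Create an unsealed client-principal and set its writeable identity attributes. */
CREATE CLIENT-PRINCIPAL hCP.
hCP:USER-ID     = "alice".
hCP:DOMAIN-NAME = cDomain.
hCP:SESSION-ID  = GUID(GENERATE-UUID).
hCP:LOGIN-EXPIRATION-TIMESTAMP = ADD-INTERVAL(NOW, 8, "hours").

/* 3. Seal with the domain access code. From here on the identity and its
      attributes cannot be changed, and LOGIN-STATE should be "LOGIN". */
lOK = hCP:SEAL(cCode).
IF NOT lOK OR hCP:LOGIN-STATE <> "LOGIN" THEN DO:
    MESSAGE "Seal failed:" ERROR-STATUS:GET-MESSAGE(1) VIEW-AS ALERT-BOX.
    DELETE OBJECT hCP.
    RETURN.
END.

/* 4. SSO: the AVM validates the seal against the trusted domain registry before
      assigning the identity to this session. A token sealed with a code that is
      not in the registry, or whose contents were altered after sealing, is
      rejected here rather than silently accepted. */
lOK = SECURITY-POLICY:SET-CLIENT(hCP) NO-ERROR.
IF NOT lOK THEN
    MESSAGE "SSO rejected:" ERROR-STATUS:GET-MESSAGE(1) VIEW-AS ALERT-BOX.
ELSE
    MESSAGE "Session identity is now" hCP:QUALIFIED-USER-ID VIEW-AS ALERT-BOX.

/* 5. Logging out moves the sealed token to the LOGOUT state; it can no longer
      be used for an SSO operation, which is also what an audit trail should show. */
hCP:LOGOUT().
DELETE OBJECT hCP.
```

Sealing the token with a code that is not in the locked registry leaves step 3 succeeding but step 4 failing, which is the check that lets a session trust only identities sealed by a registered domain.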