An OpenEdge authentication system ensures that user credentials are valid. If the credentials are valid, the authentication system creates a sealed security token that represents the user identity within a security domain. The AVM uses the sealed security token to authorize user access to ABL sessions, applications or database connections within that domain. The sealed security token remains available after initial authentication. This enables single sign-on (SSO), where the AVM uses the sealed security token for subsequent authentication rather than requiring the user to login again.

OpenEdge includes several built-in authentication systems, namely _oeusertable, _oslocal, and _extsso. You can extend the functionality of the built-in authentication systems by using ABL callbacks. In addition, you can use ABL callbacks to implement authentication in a security domain that you define.

See Authentication systems supported in ABL for more information on built-in and external authentication systems. Also see Specifying user IDs and passwords in ABL for information on callback procedures.