In addition to configuring a run-time domain registry, the primary component for performing authentication in an ABL application is the handle-based client-principal object, which is the security token for passing security information between the ABL application and the OpenEdge runtime (AVM). A client-principal object is involved with every user authentication or SSO operation in an ABL application. Either OpenEdge creates and seals the object in response to authenticating a user ID and password when creating a new database connection, or you create and initialize the object in order to authenticate and set a user identity for an existing ABL session or database connection. You can then use a client-principal previously authenticated and sealed by either your or another ABL session to set the user identity for an ABL session or database connection using SSO.

Note: A standard best practice is to have one and only one instance of a client-principal object for each login session.