A user authentication operation generally follows these steps to authenticate a user's identity:

  1. If an unsealed security token is provided without the necessary user account claims, provides a new security token initialized with the user's credentials, including their user name, domain name, passphrase, and a unique login session ID.
  2. If there is a login expiration time stamp set in the security token and it has expired, seals the security token in a state that indicates its time for authentication has expired and exits from the authentication operation with no further action.
  3. Verifies that the name of the user credential's domain is found and enabled in the domain registry of the ABL session or database connection.
  4. Verifies that the domain is configured with an authentication system that is enabled for user authentication.
  5. Authenticates the user credentials against the user accounts defined for the domain's authentication system:
    1. Validates that an account exists for the user name and that its passphrase matches the passphrase in the user credentials.
    2. Validates that the user ID account is in an enabled state and passes all account conditions.
    3. If the authentication is successful:
      • Deletes the passphrase from the user credentials and erases all trace of it.
      • Loads the name of the authentication system and other documentary information about the authentication into the security token.
      • Seals the security token using the domain's access code.
      • Passes the authenticated identity to the authorization system for future use.

      If the authentication is not successful, it seals the security token in a state that indicates the authentication failed, and leaves the existing user identity for the ABL session or database connection unchanged.