The product of all user authentication operations in ABL is a sealed security token that securely encapsulates the user's identity and establishes that identity for connection to an OpenEdge RDBMS, for access to application resources in an ABL session, or for access to an entire ABL application, including all the connected ABL sessions and databases of a multi-tier application. Thus, a single security token allows an ABL application to transport a user identity from one part of an application to another, whether for initial user authentication or to establish the user's identity for access to a possibly different database connection or ABL session.

In ABL, a security token is implemented as a client-principal object. This is a handle-based object that supports the mechanisms for authenticating a user identity, whether it is through user authentication or SSO. Depending on the context, either OpenEdge or the ABL application instantiates and seals a client-principal object for each authenticated user identity. ABL provides a number of built-in functions, statements, and handle methods that either consume or produce a client-principal object to manage a given user identity. For more information on these ABL elements, see ABLfor managing user identity.

For more information on features, methods, and attributes of client-principal objects, see Client-principalobjects .