Security tokens (client-principal objects)
A security token is an object that encapsulates a single user identity. In ABL, a security token is implemented as an instance of a handle-based client-principal object, which you can use with various statements, functions, and methods to manage a user identity.
You can initialize and assert the identity in an unsealed client-principal for user authentication. When OpenEdge performs a successful authentication, it then seals the client-principal. Once sealed, you cannot change the user identity (or any other settings) in a client-principal, but can use the sealed client-principal in a single sign-on (SSO) operation to validate and assign the identity it represents to any session or database connection in an ABL application. Thus, your application can use a client-principal to both authenticate a user identity for one application resource and assign that identity to other ABL sessions and database connections in the application.
Progress Software strongly recommends that you use client-principal objects as the basis of any authentication model that you design. This object provides full support for all authentication and identity management features in ABL and offers a security mechanism that OpenEdge supports from release to release. In addition, you must use client-principal objects to authenticate and assign the connection identity for an OpenEdge multi-tenant database.
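The authenticate-once, then single sign-on flow described above can be sketched in ABL as follows. This is an added example, not code from the Progress documentation. It assumes two connected databases with the hypothetical logical names "appdb" and "auditdb", and that the user's domain is configured in both so that OpenEdge can authenticate the user and validate the seal.

```abl
/* Added example. Assumptions: "appdb" and "auditdb" are hypothetical logical
   database names, both connected, both trusting the user's domain. */
DEFINE INPUT PARAMETER pcQualifiedUser AS CHARACTER NO-UNDO. /* user@domain */
DEFINE INPUT PARAMETER pcPassphrase    AS CHARACTER NO-UNDO.

DEFINE VARIABLE hCP AS HANDLE  NO-UNDO.
DEFINE VARIABLE lOk AS LOGICAL NO-UNDO.

CREATE CLIENT-PRINCIPAL hCP.

/* Unsealed: assert the identity and the credentials to be checked. */
hCP:INITIALIZE(pcQualifiedUser).
hCP:SESSION-ID         = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22).
hCP:PRIMARY-PASSPHRASE = pcPassphrase.

/* User authentication: OpenEdge checks the asserted identity against the
   domain and, on success, seals the client-principal. */
lOk = SET-DB-CLIENT(hCP, "appdb") NO-ERROR.
IF NOT lOk OR ERROR-STATUS:ERROR OR hCP:LOGIN-STATE <> "LOGIN" THEN DO:
    /* Fail closed: never fall through to SSO with an unauthenticated token. */
    DELETE OBJECT hCP.
    RETURN ERROR "Authentication failed".
END.

/* SSO: the sealed token is validated, not re-authenticated, and its
   identity is assigned to another connection and to the ABL session. */
lOk = SET-DB-CLIENT(hCP, "auditdb") NO-ERROR.
IF NOT lOk OR ERROR-STATUS:ERROR THEN DO:
    DELETE OBJECT hCP.
    RETURN ERROR "SSO to auditdb rejected the client-principal".
END.

lOk = SECURITY-POLICY:SET-CLIENT(hCP) NO-ERROR.
IF NOT lOk OR ERROR-STATUS:ERROR THEN DO:
    DELETE OBJECT hCP.
    RETURN ERROR "SSO to the ABL session rejected the client-principal".
END.

MESSAGE "Session and connections now run as" hCP:QUALIFIED-USER-ID
    VIEW-AS ALERT-BOX INFORMATION.

DELETE OBJECT hCP.
```

Checking the result of every call and stopping on the first failure keeps a rejected or expired token from being treated as an established identity.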
For more information on client-principal objects, see Security tokens in ABL.