When you provide user credentials as input to this method in an unsealed client-principal (in the INITIAL state), OpenEdge authenticates the user identity for the current ABL session. If OpenEdge successfully authenticates the identity, it seals the client-principal object in the LOGIN state and sets the session to the specified identity. Sealing the object with this method also generates an auditable event to start a user login session. OpenEdge then uses the object in an SSO operation to validate and (if valid) set the same identity on each established OpenEdge database connection whose identity has not already been set using the SET-DB-CLIENT or SETUSERID function (which locks out SET-CLIENT( ) from setting the identity for this connection).
When you provide a sealed client-principal (in the LOGIN state) as input to this method, OpenEdge uses it in an SSO operation on the current ABL session to validate and (if valid) set the session identity. If the SSO operation on the ABL session is valid, OpenEdge then uses the object in an SSO operation to validate and (if valid) set the same identity on each established OpenEdge database connection that is not already locked out by using the SET-DB-CLIENT or SETUSERID function on the connection.
Note: You can unlock SET-CLIENT( ) access to a specified database connection, or all database connections, by executing SET-DB-CLIENT with its client-principal-handle parameter set to the Unknown value (?).
When the SET-CLIENT( ) method executes, OpenEdge authenticates and seals the identity specified in an unsealed client-principal, or performs an SSO operation on a sealed client-principal, first using the session domain registry to set the ABL session identity. Then, for each available database connection, OpenEdge performs the SSO operation using either the local database domain registry for the connection (by default) or the current session domain registry when a given database has its option set to use the application domain registry.
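The following ABL sketch is an added example, not code from the OpenEdge documentation. It walks through the unsealed-credential case described above: unlocking a connection, authenticating with SET-CLIENT( ), and checking the resulting state. The user, domain, passphrase and the database logical name `appdb` are constructed values, and the session domain registry is assumed to be loaded already.

```abl
/* Added example: all identity values and the "appdb" logical name are constructed. */
DEFINE VARIABLE hCP       AS HANDLE  NO-UNDO.
DEFINE VARIABLE lUnlocked AS LOGICAL NO-UNDO.
DEFINE VARIABLE lOk       AS LOGICAL NO-UNDO.

/* A connection whose identity was set with SET-DB-CLIENT or SETUSERID is
   skipped by SET-CLIENT( ). Passing the Unknown value (?) as the
   client-principal handle unlocks it again. */
lUnlocked = SET-DB-CLIENT(?, "appdb") NO-ERROR.

/* Build an unsealed client-principal (INITIAL state) carrying credentials. */
CREATE CLIENT-PRINCIPAL hCP.
ASSIGN
    hCP:USER-ID            = "jsmith"
    hCP:DOMAIN-NAME        = "example"
    hCP:SESSION-ID         = BASE64-ENCODE(GENERATE-UUID)
    hCP:PRIMARY-PASSPHRASE = "constructed-passphrase". /* prompt for this in real code */

/* Authenticate against the session domain registry. On success the object
   is sealed in the LOGIN state, the session identity is set, and the same
   identity is applied to every unlocked database connection. */
lOk = SECURITY-POLICY:SET-CLIENT(hCP) NO-ERROR.

/* Compare against TRUE explicitly so an Unknown result counts as failure. */
IF lOk = TRUE AND hCP:LOGIN-STATE = "LOGIN" THEN
    MESSAGE "Session identity:" hCP:QUALIFIED-USER-ID SKIP
            "appdb identity:"   USERID("appdb")
        VIEW-AS ALERT-BOX INFORMATION.
ELSE
    /* Fail closed: report the state and do not continue as this user. */
    MESSAGE "Login rejected. State:" hCP:LOGIN-STATE SKIP
            "Detail:" hCP:STATE-DETAIL
        VIEW-AS ALERT-BOX ERROR.

DELETE OBJECT hCP NO-ERROR.
```

Comparing `USERID("appdb")` with the session identity after the call is a quick way to confirm that a given connection was not left locked to an earlier identity.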