As noted previously (see Elements of an application authentication model), a security token can be unsealed or sealed. An unsealed client-principal is the initial state of any client-principal object that you create using the CREATE CLIENT-PRINCIPAL statement (see Table 10). You can initialize and change the user identity (including all writeable attributes and data) of an unsealed client-principal. Sealing the client-principal puts the object in a state that prevents the identity it represents (or any of its attributes and data) from being changed, which allows the object to represent that identity with a high degree of reliability.
A sealed client-principal can be in one of several different states, which correspond to the state of the user identity it represents and are indicated by the LOGIN-STATE attribute (see Table 12). This state determines how the object can be used to represent its identity in your application and can also be reflected in any audit trail for the identity.
When a sealed client principal is in the LOGIN state, the object can be used in an SSO operation, which attempts to assign the user identity it represents to a given ABL session or database connection. The SSO operation first validates that the object has been sealed using a domain access code found in the session's or connection's trusted domain registry. If the validation is successful, the session or connection is then assigned the object's user identity.
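The sequence described above, as an added example that is not part of the original documentation: it registers a trusted domain in the session's registry, creates and seals a client-principal, shows that the sealed object's attributes can no longer be changed, performs the SSO assignment with SECURITY-POLICY:SET-CLIENT( ), and then shows that a principal sealed with an access code the registry does not know is refused. The domain name "app", the access code, the user ID "alice", the "_extsso" domain type and the one-hour expiration are assumptions chosen for the illustration.

```abl
/* Added example; not code from the OpenEdge documentation.
   Assumed values: domain "app", its access code, user "alice", domain type "_extsso". */

DEFINE VARIABLE hCP        AS HANDLE    NO-UNDO.
DEFINE VARIABLE hCP2       AS HANDLE    NO-UNDO.
DEFINE VARIABLE cDomainKey AS CHARACTER NO-UNDO INITIAL "replace-with-secret-access-code".
DEFINE VARIABLE lOK        AS LOGICAL   NO-UNDO.

/* 1. Register the trusted domain. The access code is the shared secret that
      SEAL( ) uses and that every later validation of the seal depends on. */
lOK = SECURITY-POLICY:REGISTER-DOMAIN("app", cDomainKey, "_extsso",
                                      "Application-authenticated users").
SECURITY-POLICY:LOCK-REGISTRATION().   /* registry can no longer be changed in this session */

/* 2. Unsealed client-principal: every writeable attribute may still be set. */
CREATE CLIENT-PRINCIPAL hCP.
hCP:INITIALIZE("alice@app",                    /* user-id@domain */
               GUID(GENERATE-UUID),            /* unique session-id */
               ADD-INTERVAL(NOW, 1, "hours")). /* login expiration */
hCP:ROLES = "reader".
hCP:SET-PROPERTY("origin", "example").

/* 3. Seal it. The identity and its attributes are now read-only. */
lOK = hCP:SEAL(cDomainKey).
MESSAGE "Sealed:" lOK "LOGIN-STATE:" hCP:LOGIN-STATE.   /* yes, LOGIN */

/* 4. Any attempt to change a sealed attribute raises a runtime error. */
DO ON ERROR UNDO, LEAVE:
    hCP:ROLES = "admin".
    CATCH e AS Progress.Lang.Error:
        MESSAGE "Change after sealing rejected:" e:GetMessage(1).
    END CATCH.
END.

/* 5. SSO: the AVM checks the seal against the access code registered for
      domain "app" before assigning the identity to this ABL session. */
IF hCP:LOGIN-STATE = "LOGIN" AND SECURITY-POLICY:SET-CLIENT(hCP) THEN
    MESSAGE "Session identity is now" hCP:QUALIFIED-USER-ID.
ELSE
    MESSAGE "SSO refused: principal not in LOGIN state or seal not trusted.".

/* 6. Failure case: sealed with a code the registry does not hold.
      SET-CLIENT( ) returns FALSE and the session identity is unchanged. */
CREATE CLIENT-PRINCIPAL hCP2.
hCP2:INITIALIZE("mallory@app", GUID(GENERATE-UUID), ADD-INTERVAL(NOW, 1, "hours")).
hCP2:SEAL("some-other-code").
lOK = SECURITY-POLICY:SET-CLIENT(hCP2) NO-ERROR.
MESSAGE "Untrusted seal accepted?" lOK.               /* no */
DELETE OBJECT hCP2.

/* 7. Logging out moves the object to the LOGOUT state; it can no longer be
      used for SSO, but it remains sealed for the audit trail. */
hCP:LOGOUT().
MESSAGE "LOGIN-STATE after logout:" hCP:LOGIN-STATE.   /* LOGOUT */
DELETE OBJECT hCP.
```

SECURITY-POLICY:SET-CLIENT( ) assigns the identity to the ABL session; to assign the same sealed object to a database connection, call SET-DB-CLIENT(hCP, "dbname") instead, which performs the same seal validation against that connection's trusted domain registry. Keeping the access code out of source and LOCK-REGISTRATION( ) called early limits how a compromised session could add a domain it controls.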