A typical use case for exporting an unsealed security token is a client login: the client initializes an unsealed client-principal with its asserted user identity and exports it to a remote authentication service over a secure connection. The authentication service then imports the client-principal and, after a successful user authentication, seals it, beginning a user login session. The service might then export the sealed client-principal and return it to the requesting client, which imports the object to set its authenticated identity. The service might also cache the exported client-principal in secure storage for a future identity management request.
A typical use case for exporting a sealed security token is a remote authentication service that responds to identity management requests from ABL sessions of an n-tier application. For each request, the authentication service retrieves from secure storage the sealed client-principal associated with a given login session key, imports it, and performs the requested action (such as invoking the LOGOUT( ) method to terminate the user login session). The service then exports the sealed (and changed) client-principal, replacing the previous copy in secure storage and possibly returning it to the requesting ABL session.
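
Both use cases above, simulated in a single ABL session as an added example (not code from the original documentation). It assumes OpenEdge 11 or later; the user "jdoe@acme", the domain access code, and the checkPassword function are hypothetical, and the RAW variables stand in for the secure connection and for secure storage.

```abl
/* Added example; not Progress sample code. Assumes OpenEdge 11 or later.   */
/* Hypothetical: user "jdoe@acme", the access code, checkPassword. The RAW  */
/* variables stand in for the secure connection and for secure storage.     */
DEFINE VARIABLE hClientCP  AS HANDLE    NO-UNDO.
DEFINE VARIABLE hServiceCP AS HANDLE    NO-UNDO.
DEFINE VARIABLE rWire      AS RAW       NO-UNDO.  /* token in transit */
DEFINE VARIABLE rStore     AS RAW       NO-UNDO.  /* token at rest */
DEFINE VARIABLE cAccess    AS CHARACTER NO-UNDO INITIAL "constructed-access-code".

/* Hypothetical placeholder for the service's real credential check. */
FUNCTION checkPassword RETURNS LOGICAL
    (INPUT pcUser AS CHARACTER, INPUT pcPwd AS CHARACTER):
    RETURN pcUser = "jdoe@acme" AND pcPwd = "constructed-password".
END FUNCTION.

/* Client: assert an identity, leave the token unsealed, export it. */
CREATE CLIENT-PRINCIPAL hClientCP.
hClientCP:INITIALIZE("jdoe@acme", GUID(GENERATE-UUID)).
rWire = hClientCP:EXPORT-PRINCIPAL().

/* Service: import, authenticate, and seal only on success. The password */
/* literal stands in for credentials sent with the login request.        */
CREATE CLIENT-PRINCIPAL hServiceCP.
hServiceCP:IMPORT-PRINCIPAL(rWire).
IF NOT checkPassword(hServiceCP:QUALIFIED-USER-ID, "constructed-password") THEN DO:
    DELETE OBJECT hServiceCP.
    DELETE OBJECT hClientCP.
    RETURN ERROR "Authentication failed; nothing sealed or stored.".
END.
hServiceCP:SEAL(cAccess).
rStore = hServiceCP:EXPORT-PRINCIPAL().  /* cached for later requests */
rWire  = rStore.                         /* returned to the client */
DELETE OBJECT hServiceCP.

/* Client: import the sealed token returned by the service. */
hClientCP:IMPORT-PRINCIPAL(rWire).
MESSAGE "Client token state after login:" hClientCP:LOGIN-STATE.

/* Service, later request: reload the sealed token, log out, re-store. */
CREATE CLIENT-PRINCIPAL hServiceCP.
hServiceCP:IMPORT-PRINCIPAL(rStore).
hServiceCP:LOGOUT().
rStore = hServiceCP:EXPORT-PRINCIPAL().
MESSAGE "Stored token state after logout:" hServiceCP:LOGIN-STATE.

DELETE OBJECT hServiceCP.
DELETE OBJECT hClientCP.
```

The domain access code is used only on the service side here; the client never needs it to export the unsealed token or to import the sealed one.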