SET-CLIENT( ) method

Sets the identity, using an unsealed or a sealed client-principal object, for the current ABL session, and for all connected and unlocked OpenEdge database connections.

For an unsealed client-principal object (in the INITIAL state)—this method performs a user authentication operation on the user identity asserted by the object. If successful, the method seals the client-principal and assigns the user identity to the ABL session.

For a sealed client-principal object (in the LOGIN state)—this method performs a single sign-on (SSO) operation to validate the user identity represented by the object. If successful, the method assigns the user identity to the ABL session.

If the ABL session identity is set successfully, the method performs an SSO operation to validate and (if successful) set the user identity for each OpenEdge database connection in the ABL session that has not been previously set using the SET-DB-CLIENT function or the SETUSERID function.

Note:

Any subsequent calls to either the SETUSERID or SET-DB-CLIENT functions override the user identity for any database connections set by SET-CLIENT( ) and locks these connection identities from any further change by this method unless you unlock each connection. For more information on unlocking a database connection identity, see the SET-DB-CLIENT function reference entry.

Return type:

LOGICAL

Applies to:

SECURITY-POLICY system handle

 

Syntax 

SET-CLIENT ( client-principal-handle )

client-principal-handle

A handle to a client-principal object. If the client-principal object is unsealed, it must be initialized with the attribute values required by the SEAL( ) method in addition to any PRIMARY-PASSPHRASE attribute value required to authenticate the asserted user identity. If the object is sealed, it must be sealed with a domain access code that is the same as the access code configured for the user’s domain stored in the session domain registry and in the domain registry trusted by each database connection to validate the user’s identity. If the handle value is set to the Unknown value (?), the method raises a run-time error and the current session and database connection identities remain unchanged.

If the method returns TRUE, user authentication or validation is successful, the specified identity is set for the current ABL session, and OpenEdge attempts to set the identity using SSO for each unlocked OpenEdge database connection. If validation of the identity fails for any unlocked database connection, the method also returns TRUE, but the ERROR-STATUS system handle returns a message for each database connection that failed SSO validation.

If the method returns FALSE, the identity of the session remains unchanged, and OpenEdge does not set the identity for any existing database connections.

Within a transaction on a:

Multi-tenant database — Any attempt to set an identity for the connection that changes the current database tenancy raises a run-time error.

Non-multi-tenant database — As a best practice, Progress Software recommends that you not set a new identity for the connection.

To set a session identity through a user authentication operation:

The client-principal object must be unsealed (in the INITIAL state).

The required attributes must be properly set (see the SEAL( ) method entry).

The DOMAIN-NAME attribute must be set to the name of an authentication-enabled domain that is registered in the session domain registry. This can include a domain configured with a user-defined authentication system that has an ABL authentication plugin enabled. For information on OpenEdge support for domains and domain configuration, see OpenEdge Getting Started: Identity Management.

Note:

To set a session identity when the authentication system is your ABL application, you must manually authenticate the user credentials for the client-principal object, explicitly call the SEAL( ) method to seal the object, and perform an SSO operation using this method to set the session identity.

If the user authentication operation fails, for auditing purposes, this function implicitly executes the AUTHENTICATION-FAILED( ) method on the client-principal and leaves the previous session and any database connection identities unchanged.

To set a session identity through an SSO operation:

The client-principal object must be sealed and in the LOGIN state.

The object must be valid according to the session domain registry: the object must be sealed using the access code defined for a registry domain whose name matches the domain name stored in the object.

The domain in the registry must be configured with an authentication system that supports SSO.

If the LOGIN-STATE attribute for a sealed client-principal object is not set to "LOGIN", the AVM raises a run-time error and the current user identity remains unchanged.

This method also checks the value of the LOGIN-EXPIRATION-TIMESTAMP attribute on the client-principal object. If the timestamp has expired before the method can seal (during user authentication) or validate (during SSO) the object, the method sets the LOGIN-STATE attribute to "EXPIRED" and returns FALSE.

This method returns FALSE with messages returned in the ERROR-STATUS system handle when:

The client-principal object is sealed and the domain configuration is restricted to user authentication operations.

The client-principal object is sealed and SSO validation of its identity for the current ABL session fails.

The client-principal object is unsealed and the domain configuration is restricted to SSO operations.

The client-principal object is unsealed and user authentication of its asserted identity for the current ABL session fails.

Notes:

To rely on the SET-CLIENT( ) method for all identity settings, do not use the SETUSERID function, SET-DB-CLIENT function, or the CONNECT statement to set the connection identity or you must unlock every database connection whose identity has been set with these mechanisms. After a user identity is set for a database connection, the AVM uses that identity to determine if the user has permission to access tables and fields in that particular database. When a user identity is set for an application with at least one connected audit-enabled database, this method generates an audit event and creates an audit record for the event in every connected audit-enabled database on which the identity was set according to each database’s current audit policy settings. You can use this method, instead of the SETUSERID function, to set a database connection identity whether or not the user account is in the _User table. This method does not attempt set the connection identity for the foreign data source of a DataServer connection. However, it does attempt to set the connection identity for the OpenEdge schema holder database.

See also:

Client-principal object handle, GET-CLIENT( ) method, SEAL( ) method, SET-DB-CLIENT function, SETUSERID function