What ideally should happen next is that another component will look at the identity in the certificate, and then use that identity to make an authorization decision.