Performing Runtime Authentication

Once the trust relationship has been established, runtime authentication can be carried out.

Procedure

  1. A user logs in to the client application, which verifies their username and password against the corporate LDAP directory.
  2. An API call to a BPM service on behalf of that user must include an X.509 certificate and/or SAML token that:
    1. is signed using the appropriate private key.
    2. identifies the user as the subject of the certificate or token (either by their username or LDAP Distinguished Name).
      Note: If an LDAP DN is used, the DN must match the DN of the primary LDAP source of the LDAP container from which the user was derived.
  3. The TIBCO ActiveMatrix BPM Web Service Security authentication provider resource template (amx.bpm.auth.wss.asp), on the BPM runtime:
    1. verifies the signature on the incoming message using the appropriate public certificate.
    2. validates the user identified in the subject of the certificate/token against the BPM organization model.
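The procedure above, carried through end to end as an added Go example. This is not TIBCO's code and does not use the ActiveMatrix API; it reduces the exchange to what the steps require. Assumptions: the trust relationship is represented by per-user self-signed certificates pinned in the runtime's trust store (a deployment might trust a CA instead); the organization model is a map from username to the DN recorded from the user's primary LDAP source; an RSA/SHA-256 PKCS#1 v1.5 signature over the raw body stands in for the WS-Security XML signature; SAML tokens are not modelled. The user `jsmith`, the organization `Example Corp`, the OUs and the payload are constructed. It goes beyond the text by also showing the three rejections step 3 implies: a body altered after signing, a certificate that was never exchanged, and a DN from a non-primary LDAP source.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Authenticator models the WSS provider: certificates pinned by their DER encoding under
// the trust relationship, plus an organization model of username -> primary LDAP source DN.
type Authenticator struct {
	trusted map[string]bool
	org     map[string]string
}

// Authenticate carries out step 3 on a message body, the signer's certificate (DER) and
// an RSA/SHA-256 signature over the body, returning the username the subject resolves to.
func (a Authenticator) Authenticate(body, certDER, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	// 3.1: settle that the certificate is trusted and unexpired before its signature counts.
	if !a.trusted[string(cert.Raw)] {
		return "", errors.New("certificate is not in the trust store")
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", errors.New("certificate outside its validity period")
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, body, sig); err != nil {
		return "", fmt.Errorf("signature check failed: %w", err)
	}
	// 3.2: a bare CN names a user; anything fuller is an LDAP DN that must equal the
	// primary-source DN exactly (a simplification of LDAP DN matching rules).
	dn := cert.Subject.String() // RFC 2253 form, e.g. CN=jsmith,OU=Users,O=Example Corp
	for user, primaryDN := range a.org {
		if dn == "CN="+user || dn == primaryDN {
			return user, nil
		}
	}
	return "", fmt.Errorf("subject %q is neither a known user nor a primary LDAP source DN", dn)
}

// must keeps the constructed fixture short: an error here would be a bug in the example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert makes a self-signed RSA-2048 certificate naming subject: constructed test PKI
// standing in for the certificate exchanged when the trust relationship was set up.
func newCert(subject pkix.Name) (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// runScenarios covers both accepted subject forms and the rejections a practitioner should
// expect: a tampered body, an untrusted certificate and a DN from a non-primary LDAP source.
func runScenarios() map[string]string {
	dnKey, dnCert := newCert(pkix.Name{CommonName: "jsmith", OrganizationalUnit: []string{"Users"}, Organization: []string{"Example Corp"}})
	cnKey, cnCert := newCert(pkix.Name{CommonName: "jsmith"})
	altKey, altCert := newCert(pkix.Name{CommonName: "jsmith", OrganizationalUnit: []string{"Contractors"}, Organization: []string{"Example Corp"}})
	rogueKey, rogueCert := newCert(pkix.Name{CommonName: "jsmith"}) // never exchanged with the runtime
	auth := Authenticator{org: map[string]string{"jsmith": "CN=jsmith,OU=Users,O=Example Corp"},
		trusted: map[string]bool{string(dnCert.Raw): true, string(cnCert.Raw): true, string(altCert.Raw): true}}
	body := []byte(`<StartProcess><name>PurchaseOrder</name></StartProcess>`) // constructed payload
	// attempt performs step 2 (sign body with the user's key), then sends `sent` as the
	// body; the two differ only in the tampering scenario.
	attempt := func(key *rsa.PrivateKey, cert *x509.Certificate, sent []byte) string {
		digest := sha256.Sum256(body)
		sig := must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]))
		user, err := auth.Authenticate(sent, cert.Raw, sig)
		if err != nil {
			user = "DENIED: " + err.Error()
		}
		return user
	}
	return map[string]string{
		"dn":           attempt(dnKey, dnCert, body),
		"username":     attempt(cnKey, cnCert, body),
		"tampered":     attempt(dnKey, dnCert, []byte(`<StartProcess><name>WireTransfer</name></StartProcess>`)),
		"untrusted":    attempt(rogueKey, rogueCert, body),
		"secondary-dn": attempt(altKey, altCert, body),
	}
}

func main() { fmt.Println(runScenarios()) }
```

Run with `go run`; the two accepted scenarios resolve to `jsmith`, the other three print the reason for denial. Two points worth carrying into a real deployment: the trust check and validity check run before the signature check, because a signature from an untrusted or expired key proves nothing, and pinning certificates by exact DER means a renewed client certificate has to be re-exchanged rather than silently accepted.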