You can use certificate mapping in Active Directory. Certificate and smart card logins uses the user principal name (UPN) from Active Directory to validate user accounts. The Active Directory accounts of users attempting to authenticate in the VMware Identity Manager service must have a valid UPN that corresponds to the UPN in the certificate.
You can configure the VMware Identity Manager to use an email address to validate the user account if the UPN does not exist in the certificate.
You can also enable an alternate UPN type to be used.