You can use certificate mapping in Active Directory. Certificate and smart card log ins uses the user principal name (UPN) from Active Directory to validate user accounts. The Active Directory accounts of users attempting to authenticate in the Workspace ONE Access service must have a valid UPN that corresponds to the UPN in the certificate.
You can configure the Workspace ONE Access service to use an email address to validate the user account if the UPN does not exist in the certificate.
You can also enable an alternate UPN type to be used.