Allow smartcard use without requiring email address on certificate
Overview
Some customers using smartcards for authentication don't have an emailAddress
in their certificates. Since our current implementation relies on emailAddress, smartcard authentication is unusable for them.
Proposal
- Allow configuration to match certificates on another unique identifier (CN or serialNumber) that isn't emailAddress.
- If emailAddress is not present on the certificate, ask for it in the application after we create the user.
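
A sketch of the matching logic proposed above, as an added example that is not the project's own code. The setting name `match_on`, the helper names and the sample subjects are hypothetical. It assumes that emailAddress, CN and serialNumber are all read from the certificate subject and that the issuing CA keeps the chosen attribute unique.

```ruby
require "openssl"

# Hypothetical configuration values: OpenSSL short names of subject attributes.
MATCH_ATTRIBUTES = %w[emailAddress CN serialNumber].freeze

class CertificateIdentityError < StandardError; end

# All values of one attribute in the subject DN (an attribute may repeat).
def subject_values(subject, attribute)
  subject.to_a.select { |name, _, _| name == attribute }.map { |_, value, _| value }
end

# Pick the identifier used to look up the user and report whether the
# application still has to ask for an email address after user creation.
def resolve_smartcard_identity(subject, match_on:)
  unless MATCH_ATTRIBUTES.include?(match_on)
    raise CertificateIdentityError, "unsupported match attribute: #{match_on}"
  end

  ids = subject_values(subject, match_on)
  # Refuse missing, empty or repeated values: an ambiguous identifier must
  # never be mapped to an account.
  if ids.size != 1 || ids.first.strip.empty?
    raise CertificateIdentityError, "subject needs exactly one #{match_on}"
  end

  email = subject_values(subject, "emailAddress").first
  { match_on: match_on, identifier: ids.first, email: email, needs_email: email.nil? }
end

# Constructed sample subjects (not taken from real certificates).
WITH_EMAIL = OpenSSL::X509::Name.new([["CN", "Jane Doe"], ["emailAddress", "jane@example.com"]])
NO_EMAIL   = OpenSSL::X509::Name.new([["CN", "John Roe"], ["serialNumber", "0012345678"]])
TWO_CNS    = OpenSSL::X509::Name.new([["CN", "John Roe"], ["CN", "Other Name"]])

if __FILE__ == $PROGRAM_NAME
  p resolve_smartcard_identity(WITH_EMAIL, match_on: "emailAddress")
  p resolve_smartcard_identity(NO_EMAIL, match_on: "serialNumber")
end
```

Storing the matched attribute name together with the identifier keeps a CN value from being compared against a stored serialNumber if the setting changes later.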