Maybe someone can help me with this - we changed our UPN to the e-mail address for all our users lately. In APM Policy I read the UPN from a users certificate like described in this article https://support.f5.com/csp/article/K17063, which was working perfectly. Because of the change of the UPN it now dependens, if the user has an updated or an old user certificate.
To make the authentication work for everyone (old or new certificate), I would need the e-mail value from the certificate rather than the UPN.
I can see the value in the certificate "Applicant" field after E = email@example.com