SSSD should be configured to verify the certificate of the user or group. To set this up
ensure that section like certmap/testing.test/rule_name is setup in
/etc/sssd/sssd.conf. For example
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test