Channel: SCN: Message List - Security

Re: SAP SSO with X.509 automate process with RSUSREXT


Hi Manuel,

I understood

1. SAP Username and AD name are the same.

2. You already managed to get the SAP Username into the subject alt. name of the certificate

 

Fine.

 

So I have another idea. Using the rule based certificate mapping you can completely get rid of having one entry per user and certificate in table USREXTID.

 

I assume this would simplify your scenario.

 

So you would

1. Switch on the new mapping

2. Go to transaction certrule and create a rule that derives the login username out of the subject alternative name.

 

The new rule based management also supports non-unique mappings (e.g. AD name does not equal SAP user name). In this case you would create an explicit mapping. This would be similar to USREXTID behavior. Migration from USREXTID entries to the new rule based mapping is also provided (transaction certrule_mig).

 

More help is available in the documentation: Rule-Based Certificate Mapping - User Authentication and Single Sign-On - SAP Library

 

Regards,

Mathias

