From dda00ae29994c649cdafb6babf2d09cb9c5aebf0 Mon Sep 17 00:00:00 2001
From: Bruno Oliveira <bruno@abstractj.org>
Date: Fri, 24 Nov 2017 10:23:43 -0200
Subject: [PATCH] [KEYCLOAK-5471] X.509 Auth - email mapping doesn't work when
 'Login with email' is disabled in the Realm

This change only documents the behavior of certificate authentication
when *Login with email* is disabled. In this way people don't get
confused about it.
---
 server_admin/topics/authentication/x509.adoc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server_admin/topics/authentication/x509.adoc b/server_admin/topics/authentication/x509.adoc
index aa3ceb199b..7f8019b488 100644
--- a/server_admin/topics/authentication/x509.adoc
+++ b/server_admin/topics/authentication/x509.adoc
@@ -38,7 +38,9 @@ The regular expression filtering is applicable only if the `Identity Source` is
 
 #### Mapping certificate identity to an existing user
 
-The certificate identity mapping can be configured to map the extracted user identity to an existing user's username or e-mail or to a custom attribute which value matches the certificate identity. For example, setting the `Identity source` to _Subject's e-mail_ and `User mapping method` to _Username or email_ will have the X.509 client certificate authenticator use the e-mail attribute in the certificate's Subject DN  as a search criteria to look up an existing user by username or by e-mail.
+The certificate identity mapping can be configured to map the extracted user identity to an existing user's username or e-mail or to a custom attribute which value matches the certificate identity. For example, setting the `Identity source` to _Subject's e-mail_ and `User mapping method` to _Username or email_ will have the X.509 client certificate authenticator use the e-mail attribute in the certificate's Subject DN  as a search criteria to look up an existing user by username or by e-mail. 
+
+IMPORTANT: Please notice that if we disable `Login with email` at realm settings, the same rules will be applied to certificate authentication. In other words, users won't be able to log in using e-mail attribute. 
 
 #### Other Features: Extended Certificate Validation
 - Revocation status checking using CRL