The server administration guide notes that:

> Using Certificate Serial Number and IssuerDN as an identity source requires two custom attributes for the serial number and the IssuerDN.
I am looking for a little bit more of a hint on how to actually set this up. Importantly, I also want to know if there is a sensible outcome when a user has more than one certificate, possibly from different issuers (i.e., that the IssuerDN and Serial Number of each entry are tied together in some way to form the overall mapping).
Ultimately I would like to match this information against the `altSecurityIdentities` attribute in Active Directory. Currently we're populating this attribute with the `X509IssuerSerialNumber` mapping format, because this is the strong mapping recommended by Microsoft. This attribute is a string of the form `X509:<I>IssuerName<SR>1234567890` and can have multiple values. It seems very straightforward to import these attributes into Keycloak from LDAP, but not straightforward to match the user's certificate to them in the X.509 authentication flow.
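The pairing the question asks about (issuer and serial tied together per value, so a user with several certificates from different CAs still maps unambiguously) can be shown outside Keycloak with a small, self-contained example. This is added example code, not Keycloak's X.509 authenticator and not Microsoft tooling; it assumes the `X509IssuerSerialNumber` layout Microsoft documents for `altSecurityIdentities` (issuer RDNs written in reverse order, serial number as hex in reverse byte order), and the helper names, the two CAs and the serial numbers are constructed for illustration.

```python
"""Build and match altSecurityIdentities values in the X509IssuerSerialNumber format.

Added example (not Keycloak or Microsoft code). The layout assumed here is
    X509:<I>{issuer DN, RDNs in reverse order}<SR>{serial number, hex, reverse byte order}
All CA names and serial numbers below are constructed sample data.
"""
from typing import Iterable, Optional, Sequence, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "CONTOSO-DC-CA")


def reversed_issuer_dn(issuer_rdns: Sequence[RDN]) -> str:
    """Render an issuer DN in the reverse RDN order the <I> tag uses.

    issuer_rdns is in certificate (X.500) order, most specific RDN first:
    [("CN", "CONTOSO-DC-CA"), ("DC", "contoso"), ("DC", "com")]
    becomes "DC=com,DC=contoso,CN=CONTOSO-DC-CA".
    """
    return ",".join(f"{t}={v}" for t, v in reversed(issuer_rdns))


def reversed_serial_hex(serial: int) -> str:
    """Render a serial number as upper-case hex in reverse byte order.

    Assumption: the serial is taken as its minimal big-endian byte string,
    then reversed; 0x01020304 becomes "04030201".
    """
    length = max(1, (serial.bit_length() + 7) // 8)
    return serial.to_bytes(length, "big")[::-1].hex().upper()


def issuer_serial_mapping(issuer_rdns: Sequence[RDN], serial: int) -> str:
    """Produce one altSecurityIdentities value for a (issuer, serial) pair."""
    return f"X509:<I>{reversed_issuer_dn(issuer_rdns)}<SR>{reversed_serial_hex(serial)}"


def parse_mapping(value: str) -> Optional[Tuple[str, str]]:
    """Split an X509IssuerSerialNumber value into (issuer, serial_hex).

    Returns None for any other mapping kind (e.g. X509:<SKI>...), so a
    multi-valued attribute holding mixed formats does not break matching.
    """
    prefix = "X509:<I>"
    if not value.startswith(prefix) or "<SR>" not in value:
        return None
    issuer, _, serial = value[len(prefix):].partition("<SR>")
    return issuer, serial.upper()


def match_certificate(issuer_rdns: Sequence[RDN], serial: int,
                      alt_security_identities: Iterable[str]) -> bool:
    """True if the presented certificate matches one value of the attribute.

    Issuer and serial are compared as a single pair: the same serial number
    issued by a different CA does not match, which is what makes this a
    strong mapping even when a user holds certificates from several issuers.
    """
    wanted = (reversed_issuer_dn(issuer_rdns), reversed_serial_hex(serial))
    return any(parse_mapping(v) == wanted for v in alt_security_identities)


# Constructed sample CAs (certificate-order RDNs) and one user's attribute values.
CA_CORP = [("CN", "CONTOSO-DC-CA"), ("DC", "contoso"), ("DC", "com")]
CA_PARTNER = [("CN", "Partner Issuing CA"), ("O", "Partner"), ("C", "US")]

USER_ALT_SEC_IDS = [
    issuer_serial_mapping(CA_CORP, 0x01020304),     # corporate smart-card cert
    issuer_serial_mapping(CA_PARTNER, 0x0A1B2C),    # second cert from a partner CA
    "X509:<SKI>0123456789ABCDEF",                   # unrelated mapping kind, ignored
]

if __name__ == "__main__":
    for v in USER_ALT_SEC_IDS:
        print(v)
    print(match_certificate(CA_CORP, 0x01020304, USER_ALT_SEC_IDS))     # True
    print(match_certificate(CA_PARTNER, 0x01020304, USER_ALT_SEC_IDS))  # False: wrong issuer
    print(match_certificate(CA_PARTNER, 0x0A1B2C, USER_ALT_SEC_IDS))    # True
```

The matcher deliberately never compares a serial number on its own; each attribute value is one (issuer, serial) tuple, so importing all of a user's `altSecurityIdentities` values and checking the presented certificate against the set is the behaviour to aim for, whatever component eventually does the comparison.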