Can someone with TLS programming experience sort out how to extract the TLS negotiated authentication identity for use with SASL/EXTERNAL? Once extracted, it's one SASL call on the server side to get SASL/EXTERNAL working. Thanks! Kurt