diff --git a/http/mutual_tls.cpp b/http/mutual_tls.cpp
index 0074711..209c929 100644
--- a/http/mutual_tls.cpp
+++ b/http/mutual_tls.cpp
@@ -2,8 +2,13 @@
 // SPDX-FileCopyrightText: Copyright OpenBMC Authors
 #include "mutual_tls.hpp"
 
+#include "bmcweb_config.h"
+
+#include "identity.hpp"
+#include "mutual_tls_private.hpp"
 #include "sessions.hpp"
 
+#include <bit>
 #include <cstddef>
 #include <cstdint>
 #include <optional>
@@ -11,7 +16,9 @@
 
 extern "C"
 {
+#include <openssl/asn1.h>
 #include <openssl/obj_mac.h>
+#include <openssl/objects.h>
 #include <openssl/types.h>
 #include <openssl/x509.h>
 #include <openssl/x509_vfy.h>
@@ -27,7 +34,130 @@
 #include <memory>
 #include <string_view>
 
-std::string getUsernameFromCommonName(std::string_view commonName)
+std::string getCommonNameFromCert(X509* cert)
+{
+    std::string commonName;
+    // Extract username contained in CommonName
+    commonName.resize(256, '\0');
+    int length = X509_NAME_get_text_by_NID(
+        X509_get_subject_name(cert), NID_commonName, commonName.data(),
+        static_cast<int>(commonName.size()));
+    if (length <= 0)
+    {
+        BMCWEB_LOG_DEBUG("TLS cannot get common name to create session");
+        return "";
+    }
+    commonName.resize(static_cast<size_t>(length));
+    return commonName;
+}
+
+bool isUPNMatch(std::string_view upn, std::string_view hostname)
+{
+    // UPN format: <username>@<domain> (e.g. user@domain.com)
+    // https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname
+    size_t upnDomainPos = upn.find('@');
+    if (upnDomainPos == std::string_view::npos)
+    {
+        return false;
+    }
+
+    // The hostname should match the domain part of the UPN
+    std::string_view upnDomain = upn.substr(upnDomainPos + 1);
+    while (true)
+    {
+        std::string_view upnDomainMatching = upnDomain;
+        size_t dotUPNPos = upnDomain.find_last_of('.');
+        if (dotUPNPos != std::string_view::npos)
+        {
+            upnDomainMatching = upnDomain.substr(dotUPNPos + 1);
+        }
+
+        std::string_view hostDomainMatching = hostname;
+        size_t dotHostPos = hostname.find_last_of('.');
+        if (dotHostPos != std::string_view::npos)
+        {
+            hostDomainMatching = hostname.substr(dotHostPos + 1);
+        }
+
+        if (upnDomainMatching != hostDomainMatching)
+        {
+            return false;
+        }
+
+        if (dotUPNPos == std::string_view::npos)
+        {
+            return true;
+        }
+
+        upnDomain = upnDomain.substr(0, dotUPNPos);
+        hostname = hostname.substr(0, dotHostPos);
+    }
+}
+
+std::string getUPNFromCert(X509* peerCert, std::string_view hostname)
+{
+    GENERAL_NAMES* gs = static_cast<GENERAL_NAMES*>(
+        X509_get_ext_d2i(peerCert, NID_subject_alt_name, nullptr, nullptr));
+    if (gs == nullptr)
+    {
+        return "";
+    }
+
+    std::string ret;
+    for (int i = 0; i < sk_GENERAL_NAME_num(gs); i++)
+    {
+        GENERAL_NAME* g = sk_GENERAL_NAME_value(gs, i);
+        if (g->type != GEN_OTHERNAME)
+        {
+            continue;
+        }
+
+        // NOLINTBEGIN(cppcoreguidelines-pro-type-union-access)
+        int nid = OBJ_obj2nid(g->d.otherName->type_id);
+        if (nid != NID_ms_upn)
+        {
+            continue;
+        }
+
+        int type = g->d.otherName->value->type;
+        if (type != V_ASN1_UTF8STRING)
+        {
+            continue;
+        }
+
+        char* upnChar =
+            std::bit_cast<char*>(g->d.otherName->value->value.utf8string->data);
+        unsigned int upnLen = static_cast<unsigned int>(
+            g->d.otherName->value->value.utf8string->length);
+        // NOLINTEND(cppcoreguidelines-pro-type-union-access)
+
+        std::string upn = std::string(upnChar, upnLen);
+        if (!isUPNMatch(upn, hostname))
+        {
+            continue;
+        }
+
+        size_t upnDomainPos = upn.find('@');
+        ret = upn.substr(0, upnDomainPos);
+        break;
+    }
+    GENERAL_NAMES_free(gs);
+    return ret;
+}
+
+std::string getMetaUserNameFromCert(X509* cert)
+{
+    // Meta Inc. CommonName parsing
+    std::optional<std::string_view> sslUserMeta =
+        mtlsMetaParseSslUser(getCommonNameFromCert(cert));
+    if (!sslUserMeta)
+    {
+        return "";
+    }
+    return std::string{*sslUserMeta};
+}
+
+std::string getUsernameFromCert(X509* cert)
 {
     const persistent_data::AuthConfigMethods& authMethodsConfig =
         persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
@@ -35,25 +165,30 @@
     {
         case persistent_data::MTLSCommonNameParseMode::Invalid:
         case persistent_data::MTLSCommonNameParseMode::Whole:
-        case persistent_data::MTLSCommonNameParseMode::UserPrincipalName:
         {
             // Not yet supported
             return "";
         }
+        case persistent_data::MTLSCommonNameParseMode::UserPrincipalName:
+        {
+            std::string hostname = getHostName();
+            if (hostname.empty())
+            {
+                BMCWEB_LOG_WARNING("Failed to get hostname");
+                return "";
+            }
+            return getUPNFromCert(cert, hostname);
+        }
         case persistent_data::MTLSCommonNameParseMode::CommonName:
         {
-            return std::string{commonName};
+            return getCommonNameFromCert(cert);
         }
         case persistent_data::MTLSCommonNameParseMode::Meta:
         {
-            // Meta Inc. CommonName parsing
-            std::optional<std::string_view> sslUserMeta =
-                mtlsMetaParseSslUser(commonName);
-            if (!sslUserMeta)
+            if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING)
             {
-                return "";
+                return getMetaUserNameFromCert(cert);
             }
-            return std::string{*sslUserMeta};
         }
         default:
         {
@@ -117,25 +252,10 @@
         return nullptr;
     }
 
-    std::string commonName;
-    // Extract username contained in CommonName
-    commonName.resize(256, '\0');
-
-    int length = X509_NAME_get_text_by_NID(
-        X509_get_subject_name(peerCert), NID_commonName, commonName.data(),
-        static_cast<int>(commonName.size()));
-    if (length <= 0)
-    {
-        BMCWEB_LOG_DEBUG("TLS cannot get common name to create session");
-        return nullptr;
-    }
-
-    commonName.resize(static_cast<size_t>(length));
-    std::string sslUser = getUsernameFromCommonName(commonName);
+    std::string sslUser = getUsernameFromCert(peerCert);
     if (sslUser.empty())
     {
-        BMCWEB_LOG_WARNING("Failed to get user from common name {}",
-                           commonName);
+        BMCWEB_LOG_WARNING("Failed to get user from peer certificate");
         return nullptr;
     }
 
diff --git a/http/mutual_tls.hpp b/http/mutual_tls.hpp
index d722a23..c59480a 100644
--- a/http/mutual_tls.hpp
+++ b/http/mutual_tls.hpp
@@ -8,10 +8,6 @@
 #include <boost/asio/ssl/verify_context.hpp>
 
 #include <memory>
-#include <string>
-#include <string_view>
-
-std::string getUsernameFromCommonName(std::string_view commonName);
 
 std::shared_ptr<persistent_data::UserSession> verifyMtlsUser(
     const boost::asio::ip::address& clientIp,
diff --git a/http/mutual_tls_private.hpp b/http/mutual_tls_private.hpp
new file mode 100644
index 0000000..c28a99e
--- /dev/null
+++ b/http/mutual_tls_private.hpp
@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: Copyright OpenBMC Authors
+#pragma once
+
+#include <openssl/crypto.h>
+
+#include <string>
+#include <string_view>
+
+std::string getCommonNameFromCert(X509* cert);
+
+std::string getUPNFromCert(X509* peerCert, std::string_view hostname);
+
+std::string getMetaUserNameFromCert(X509* cert);
+
+std::string getUsernameFromCert(X509* cert);
+
+bool isUPNMatch(std::string_view upn, std::string_view hostname);
diff --git a/include/identity.hpp b/include/identity.hpp
new file mode 100644
index 0000000..94c8f62
--- /dev/null
+++ b/include/identity.hpp
@@ -0,0 +1,17 @@
+#include <unistd.h>
+
+#include <array>
+#include <climits>
+#include <string>
+
+inline std::string getHostName()
+{
+    std::string hostName;
+
+    std::array<char, HOST_NAME_MAX> hostNameCStr{};
+    if (gethostname(hostNameCStr.data(), hostNameCStr.size()) == 0)
+    {
+        hostName = hostNameCStr.data();
+    }
+    return hostName;
+}
diff --git a/include/sessions.hpp b/include/sessions.hpp
index ba2bfa7..22aa3ad 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -177,8 +177,7 @@
     }
     if (name == "UserPrincipalName")
     {
-        // Not yet supported
-        // return MTLSCommonNameParseMode::UserPrincipalName;
+        return MTLSCommonNameParseMode::UserPrincipalName;
     }
     if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING)
     {
@@ -248,14 +247,18 @@
             {
                 if (element.first == "MTLSCommonNameParseMode")
                 {
-                    if (*intValue <= 2 || *intValue == 100)
+                    MTLSCommonNameParseMode tmpMTLSCommonNameParseMode =
+                        static_cast<MTLSCommonNameParseMode>(*intValue);
+                    if (tmpMTLSCommonNameParseMode <=
+                            MTLSCommonNameParseMode::UserPrincipalName ||
+                        tmpMTLSCommonNameParseMode ==
+                            MTLSCommonNameParseMode::Meta)
                     {
-                        mTLSCommonNameParsingMode =
-                            static_cast<MTLSCommonNameParseMode>(*intValue);
+                        mTLSCommonNameParsingMode = tmpMTLSCommonNameParseMode;
                     }
                     else
                     {
-                        BMCWEB_LOG_ERROR(
+                        BMCWEB_LOG_WARNING(
                             "Json value of {} was out of range of the enum.  Ignoring",
                             *intValue);
                     }
diff --git a/meson.build b/meson.build
index f6fb73b..06f5bee 100644
--- a/meson.build
+++ b/meson.build
@@ -449,6 +449,7 @@
     'test/include/multipart_test.cpp',
     'test/include/openbmc_dbus_rest_test.cpp',
     'test/include/ossl_random.cpp',
+    'test/include/sessions_test.cpp',
     'test/include/ssl_key_handler_test.cpp',
     'test/include/str_utility_test.cpp',
     'test/redfish-core/include/dbus_log_watcher_test.cpp',
diff --git a/redfish-core/lib/network_protocol.hpp b/redfish-core/lib/network_protocol.hpp
index da49b25..19f6639 100644
--- a/redfish-core/lib/network_protocol.hpp
+++ b/redfish-core/lib/network_protocol.hpp
@@ -12,6 +12,7 @@
 #include "error_messages.hpp"
 #include "generated/enums/resource.hpp"
 #include "http_request.hpp"
+#include "identity.hpp"
 #include "logging.hpp"
 #include "privileges.hpp"
 #include "query.hpp"
@@ -21,8 +22,6 @@
 #include "utils/json_utils.hpp"
 #include "utils/stl_utils.hpp"
 
-#include <unistd.h>
-
 #include <boost/beast/http/field.hpp>
 #include <boost/beast/http/status.hpp>
 #include <boost/beast/http/verb.hpp>
@@ -46,7 +45,6 @@
 {
 
 void getNTPProtocolEnabled(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp);
-std::string getHostName();
 
 static constexpr std::string_view sshServiceName = "dropbear";
 static constexpr std::string_view httpsServiceName = "bmcweb";
@@ -440,18 +438,6 @@
         });
 }
 
-inline std::string getHostName()
-{
-    std::string hostName;
-
-    std::array<char, HOST_NAME_MAX> hostNameCStr{};
-    if (gethostname(hostNameCStr.data(), hostNameCStr.size()) == 0)
-    {
-        hostName = hostNameCStr.data();
-    }
-    return hostName;
-}
-
 inline void getNTPProtocolEnabled(
     const std::shared_ptr<bmcweb::AsyncResp>& asyncResp)
 {
diff --git a/test/http/mutual_tls.cpp b/test/http/mutual_tls.cpp
index e77315a..e89a3cf 100644
--- a/test/http/mutual_tls.cpp
+++ b/test/http/mutual_tls.cpp
@@ -2,14 +2,19 @@
 // SPDX-FileCopyrightText: Copyright OpenBMC Authors
 #include "mutual_tls.hpp"
 
+#include "mutual_tls_private.hpp"
 #include "sessions.hpp"
 
+#include <cstring>
+#include <string>
+
 extern "C"
 {
 #include <openssl/asn1.h>
 #include <openssl/ec.h>
 #include <openssl/evp.h>
 #include <openssl/obj_mac.h>
+#include <openssl/objects.h>
 #include <openssl/types.h>
 #include <openssl/x509.h>
 #include <openssl/x509_vfy.h>
@@ -170,4 +175,169 @@
         verifyMtlsUser(ip, ctx);
     ASSERT_THAT(session, IsNull());
 }
+
+TEST(GetCommonNameFromCert, EmptyCommonName)
+{
+    OSSLX509 x509;
+    std::string commonName = getCommonNameFromCert(x509.get());
+    EXPECT_THAT(commonName, "");
+}
+
+TEST(GetCommonNameFromCert, ValidCommonName)
+{
+    OSSLX509 x509;
+    x509.setSubjectName();
+    std::string commonName = getCommonNameFromCert(x509.get());
+    EXPECT_THAT(commonName, "user");
+}
+
+TEST(GetUPNFromCert, EmptySubjectAlternativeName)
+{
+    OSSLX509 x509;
+    std::string upn = getUPNFromCert(x509.get(), "");
+    EXPECT_THAT(upn, "");
+}
+
+TEST(GetUPNFromCert, NonOthernameSubjectAlternativeName)
+{
+    OSSLX509 x509;
+
+    ASN1_IA5STRING* ia5 = ASN1_IA5STRING_new();
+    ASSERT_THAT(ia5, NotNull());
+
+    const char* user = "user@domain.com";
+    ASSERT_NE(ASN1_STRING_set(ia5, user, static_cast<int>(strlen(user))), 0);
+
+    GENERAL_NAMES* gens = sk_GENERAL_NAME_new_null();
+    ASSERT_THAT(gens, NotNull());
+
+    GENERAL_NAME* gen = GENERAL_NAME_new();
+    ASSERT_THAT(gen, NotNull());
+
+    GENERAL_NAME_set0_value(gen, GEN_EMAIL, ia5);
+    ASSERT_EQ(sk_GENERAL_NAME_push(gens, gen), 1);
+
+    ASSERT_EQ(X509_add1_ext_i2d(x509.get(), NID_subject_alt_name, gens, 0, 0),
+              1);
+
+    std::string upn = getUPNFromCert(x509.get(), "hostname.domain.com");
+    EXPECT_THAT(upn, "");
+
+    GENERAL_NAME_free(gen);
+    sk_GENERAL_NAME_free(gens);
+}
+
+TEST(GetUPNFromCert, NonUPNSubjectAlternativeName)
+{
+    OSSLX509 x509;
+
+    GENERAL_NAMES* gens = sk_GENERAL_NAME_new_null();
+    ASSERT_THAT(gens, NotNull());
+
+    GENERAL_NAME* gen = GENERAL_NAME_new();
+    ASSERT_THAT(gen, NotNull());
+
+    ASN1_OBJECT* othType = OBJ_nid2obj(NID_SRVName);
+
+    ASN1_TYPE* value = ASN1_TYPE_new();
+    ASSERT_THAT(value, NotNull());
+    value->type = V_ASN1_UTF8STRING;
+
+    // NOLINTBEGIN(cppcoreguidelines-pro-type-union-access)
+    value->value.utf8string = ASN1_UTF8STRING_new();
+    ASSERT_THAT(value->value.utf8string, NotNull());
+    const char* user = "user@domain.com";
+    ASN1_STRING_set(value->value.utf8string, user,
+                    static_cast<int>(strlen(user)));
+    // NOLINTEND(cppcoreguidelines-pro-type-union-access)
+
+    ASSERT_EQ(GENERAL_NAME_set0_othername(gen, othType, value), 1);
+    ASSERT_EQ(sk_GENERAL_NAME_push(gens, gen), 1);
+    ASSERT_EQ(X509_add1_ext_i2d(x509.get(), NID_subject_alt_name, gens, 0, 0),
+              1);
+
+    std::string upn = getUPNFromCert(x509.get(), "hostname.domain.com");
+    EXPECT_THAT(upn, "");
+
+    sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+}
+
+TEST(GetUPNFromCert, NonUTF8UPNSubjectAlternativeName)
+{
+    OSSLX509 x509;
+
+    GENERAL_NAMES* gens = sk_GENERAL_NAME_new_null();
+    ASSERT_THAT(gens, NotNull());
+
+    GENERAL_NAME* gen = GENERAL_NAME_new();
+    ASSERT_THAT(gen, NotNull());
+
+    ASN1_OBJECT* othType = OBJ_nid2obj(NID_ms_upn);
+
+    ASN1_TYPE* value = ASN1_TYPE_new();
+    ASSERT_THAT(value, NotNull());
+    value->type = V_ASN1_OCTET_STRING;
+
+    // NOLINTBEGIN(cppcoreguidelines-pro-type-union-access)
+    value->value.octet_string = ASN1_OCTET_STRING_new();
+    ASSERT_THAT(value->value.octet_string, NotNull());
+    const char* user = "0123456789";
+    ASN1_STRING_set(value->value.octet_string, user,
+                    static_cast<int>(strlen(user)));
+    // NOLINTEND(cppcoreguidelines-pro-type-union-access)
+
+    ASSERT_EQ(GENERAL_NAME_set0_othername(gen, othType, value), 1);
+    ASSERT_EQ(sk_GENERAL_NAME_push(gens, gen), 1);
+    ASSERT_EQ(X509_add1_ext_i2d(x509.get(), NID_subject_alt_name, gens, 0, 0),
+              1);
+
+    std::string upn = getUPNFromCert(x509.get(), "hostname.domain.com");
+    EXPECT_THAT(upn, "");
+
+    sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+}
+
+TEST(GetUPNFromCert, ValidUPN)
+{
+    OSSLX509 x509;
+
+    GENERAL_NAMES* gens = sk_GENERAL_NAME_new_null();
+    ASSERT_THAT(gens, NotNull());
+
+    GENERAL_NAME* gen = GENERAL_NAME_new();
+    ASSERT_THAT(gen, NotNull());
+
+    ASN1_OBJECT* othType = OBJ_nid2obj(NID_ms_upn);
+
+    ASN1_TYPE* value = ASN1_TYPE_new();
+    ASSERT_THAT(value, NotNull());
+    value->type = V_ASN1_UTF8STRING;
+
+    // NOLINTBEGIN(cppcoreguidelines-pro-type-union-access)
+    value->value.utf8string = ASN1_UTF8STRING_new();
+    ASSERT_THAT(value->value.utf8string, NotNull());
+    const char* user = "user@domain.com";
+    ASN1_STRING_set(value->value.utf8string, user,
+                    static_cast<int>(strlen(user)));
+    // NOLINTEND(cppcoreguidelines-pro-type-union-access)
+
+    ASSERT_EQ(GENERAL_NAME_set0_othername(gen, othType, value), 1);
+    ASSERT_EQ(sk_GENERAL_NAME_push(gens, gen), 1);
+    ASSERT_EQ(X509_add1_ext_i2d(x509.get(), NID_subject_alt_name, gens, 0, 0),
+              1);
+
+    std::string upn = getUPNFromCert(x509.get(), "hostname.domain.com");
+    EXPECT_THAT(upn, "user");
+
+    sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+}
+
+TEST(IsUPNMatch, MultipleCases)
+{
+    EXPECT_FALSE(isUPNMatch("user", "hostname.domain.com"));
+    EXPECT_TRUE(isUPNMatch("user@domain.com", "hostname.domain.com"));
+    EXPECT_FALSE(isUPNMatch("user@domain.com", "hostname.domain.org"));
+    EXPECT_FALSE(isUPNMatch("user@region.com", "hostname.domain.com"));
+    EXPECT_TRUE(isUPNMatch("user@com", "hostname.region.domain.com"));
+}
 } // namespace
diff --git a/test/include/sessions_test.cpp b/test/include/sessions_test.cpp
new file mode 100644
index 0000000..2840ee9
--- /dev/null
+++ b/test/include/sessions_test.cpp
@@ -0,0 +1,45 @@
+#include "sessions.hpp"
+
+#include <nlohmann/json.hpp>
+
+#include <gtest/gtest.h>
+
+namespace
+{
+TEST(AuthConfigMethods, FromJsonHappyPath)
+{
+    persistent_data::AuthConfigMethods methods;
+
+    nlohmann::json jsonValue = nlohmann::json::parse(
+        R"({"BasicAuth":true,"Cookie":true,"SessionToken":true,"TLS":true,"MTLSCommonNameParseMode":2,"TLSStrict":false,"XToken":true})");
+    methods.fromJson(jsonValue);
+
+    EXPECT_EQ(methods.basic, true);
+    EXPECT_EQ(methods.cookie, true);
+    EXPECT_EQ(methods.sessionToken, true);
+    EXPECT_EQ(methods.tls, true);
+    EXPECT_EQ(methods.tlsStrict, false);
+    EXPECT_EQ(methods.xtoken, true);
+    EXPECT_EQ(methods.mTLSCommonNameParsingMode,
+              static_cast<persistent_data::MTLSCommonNameParseMode>(2));
+}
+
+TEST(AuthConfigMethods, FromJsonMTLSCommonNameParseModeOutOfRange)
+{
+    persistent_data::AuthConfigMethods methods;
+    persistent_data::MTLSCommonNameParseMode prevValue =
+        methods.mTLSCommonNameParsingMode;
+
+    nlohmann::json jsonValue = nlohmann::json::parse(
+        R"({"BasicAuth":true,"Cookie":true,"SessionToken":true,"TLS":true,"MTLSCommonNameParseMode":4,"TLSStrict":false,"XToken":true})");
+    methods.fromJson(jsonValue);
+
+    EXPECT_EQ(methods.basic, true);
+    EXPECT_EQ(methods.cookie, true);
+    EXPECT_EQ(methods.sessionToken, true);
+    EXPECT_EQ(methods.tls, true);
+    EXPECT_EQ(methods.tlsStrict, false);
+    EXPECT_EQ(methods.xtoken, true);
+    EXPECT_EQ(methods.mTLSCommonNameParsingMode, prevValue);
+}
+} // namespace