Hello,
such dual authentication is supported.
We designed the RFID-based certificate enrollment to run on a Kiosk PC system with a dedicated Windows Desktop user performing the (unattended) TLS or SPNego authentication to Secure Login Server.
But you can add an interactive JAAS login module to the security policy, e.g. SAP Authenticator or Active Directory/LDAP, to get one more user credential into the certificate enrollment procedure. Your policy may look like this:
Now Secure Login Client & Server are performing...
1. a silent SPNego authentication of the Windows Desktop user,
2. a prompted SAP Authenticator login of the real person in front of the Desktop,
3. an Active Directory identification of the RFID token UID,
and a fresh certificate for the person mapped to this RFID token is issued.
-- Stephan