Today, there are two plugins: the active-directory-plugin & the certificate-authentication-plugin
Both are great plugins.

But in big infrastructures, administrators need SSO/Client certificate authentication against an Active Directory server. This means, that some administrators manage their groups in active directory but needs their end user to be logged by using client certificates.

This pull request: https://github.com/jenkinsci/active-directory-plugin/pull/16 will enable a such request (see screenshot for more details)

The SSO can be:
-disabled, in this case the active directory will be the old one working alone
-SSO Enabled without check against Active directory. authenticated users will have a prefix set in their username and will be put in a default group
-SSO enabled with some matching rules (lower/upper case forcing/no change). In this case Bind DN username/password will be mandatory, the client certificate CN will be checked against the Active Directory username and its groups membership will be downloaded

This is a really must have feature which will be largely used by DevOps and in large companies.