diff --git a/app/controllers/identify_controller.rb b/app/controllers/identify_controller.rb
index 0619071c7..a6c61f433 100644
--- a/app/controllers/identify_controller.rb
+++ b/app/controllers/identify_controller.rb
@@ -121,6 +121,9 @@ def log_certificate(cert)
 }
 attributes.delete(:issuer) if validation_result == 'self-signed cert'
+ if valid
+ attributes[:matched_policy_oids] = cert.matched_policy_oids.map { |oid| [oid, true] }.to_h
+ end
 # Log certificate if it fails either OpenSSL validation, but passes our current validation or vice versa
 if valid != login_certs_openssl_result[:valid] || valid != ficam_certs_openssl_result[:valid]
diff --git a/app/models/certificate.rb b/app/models/certificate.rb
index e1384693a..5754c1590 100644
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@@ -14,7 +14,7 @@ def initialize(x509_cert)
 def_delegators :x509_cert, :not_before, :not_after, :subject, :issuer, :verify, :public_key, :serial, :to_text
- def_delegators :@cert_policies, :allowed_by_policy?, :critical_policies_recognized?
+ def_delegators :@cert_policies, :allowed_by_policy?, :critical_policies_recognized?, :matched_policy_oids
 def trusted_root?
 CertificateStore.trusted_ca_root_identifiers.include?(key_id)
diff --git a/app/policies/certificate_policies.rb b/app/policies/certificate_policies.rb
index 806253547..4bd50ccef 100644
--- a/app/policies/certificate_policies.rb
+++ b/app/policies/certificate_policies.rb
@@ -27,10 +27,14 @@ def allowed_by_policy?
 # otherwise, we want to allow it for now, but log the cert so we can see what policies are
 # coming up
 # This policy check is only on the leaf certificate - not used by CAs
+ matched_policy_oids.any?
+ end
+
+ def matched_policy_oids
 mapping = PolicyMappingService.new(@certificate).call
 expected_policies = required_policies
 cert_policies = policies.map { |policy| mapping[policy] }
- (cert_policies & expected_policies).any?
+ (cert_policies & expected_policies)
 end
 def policies
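Review bot: The new assignment `attributes[:matched_policy_oids] = cert.matched_policy_oids.map { |oid| [oid, true] }.to_h` builds the hash in two passes and gives no hint why the matched OIDs are logged as an `oid => true` hash rather than as a plain array; if the project runs on Ruby 2.6 or later, the block form does it in one step, `attributes[:matched_policy_oids] = cert.matched_policy_oids.to_h { |oid| [oid, true] }`, and a one-line comment stating the reason for the hash shape (for example `# keyed by OID so a log query can filter on a single policy` — constructed, adjust to the real reason) would make it intentional. The OIDs are only recorded when `valid` is true, so a certificate that fails validation leaves no record of which recognised policies it carried; if that diagnostic value matters for investigating rejections, consider recording the hash regardless of `valid`. `log_certificate` starts and ends outside the hunk, so how `valid` is derived is not visible here.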
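Review bot: `matched_policy_oids` re-runs `PolicyMappingService.new(@certificate).call` on every call, and after this change it is reachable twice per request — through `allowed_by_policy?`, which now returns `matched_policy_oids.any?`, and from the controller's logging via the new delegator — so if the request goes through both, the mapping work is duplicated; memoising the result on the instance is safe as long as the mapping depends only on `@certificate`, which the visible code suggests but does not prove. The parentheses on the new `(cert_policies & expected_policies)` line are left over from the removed `.any?` and `expected_policies` is now a single-use local, so both can go. `allowed_by_policy?` starts outside the hunk.
```ruby
# … unchanged: allowed_by_policy? ending in matched_policy_oids.any? …

def matched_policy_oids
  # memoised: an empty Array is truthy, so an empty match is cached too
  @matched_policy_oids ||= begin
    mapping = PolicyMappingService.new(@certificate).call
    cert_policies = policies.map { |policy| mapping[policy] }
    cert_policies & required_policies
  end
end
```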
diff --git a/spec/controllers/identify_controller_spec.rb b/spec/controllers/identify_controller_spec.rb
index 279593679..0a122df50 100644
--- a/spec/controllers/identify_controller_spec.rb
+++ b/spec/controllers/identify_controller_spec.rb
@@ -158,11 +158,11 @@
 openssl_errors: 'error 20 at 0 depth lookup: unable to get local issuer certificate',
 ficam_openssl_valid: false,
 ficam_openssl_errors: 'error 20 at 0 depth lookup: unable to get local issuer certificate',
+ matched_policy_oids: { '2.16.840.1.101.2.1.11.9' => true },
 }.to_json).once
 @request.headers['X-Client-Cert'] = CGI.escape(client_cert_pem)
- get :create, params: { nonce: '123', redirect_uri: 'http://example.com/' }
 expect(response).to have_http_status(:found)
 expect(response.has_header?('Location')).to be_truthy