In our environment, users log in to their workstations with a card that is similar to DOD CAC. Their authentication is done with an ADFS server. When they access Splunk, we are using SAML authentication to verify their identity. Is this what you're looking for? If so, there are a few options:
Your users are all in the same "user" role bucket and don't need a lot of specialized roles - in this case, you can use Splunk SAML authentication to pass UPN values.
Your users have different roles, and those roles can be maintained in your ADFS records - in this case, you can still use Splunk SAML authentication, and ADFS will pass UPN and role info.
Your users have different roles, and those roles need to be managed within Splunk, because you can't be bothering the ADFS team to manage those roles - in this case, you can wrap Splunk with Apache, acting as a reverse proxy, and shibboleth, which manages the SAML.
Do you mean you want them to use a CAC to log in without having some kind of SSO identity provider, such as ADFS? I don't know of any such way to do that. But if Splunk is running in a traditional enterprise environment where users a logging into their workstations with a CAC, then integration with ADFS is pretty straightforward.