diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 0647d7cc32..d31fff744c 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1228,7 +1228,11 @@ pg_GSS_checkauth(Port *port)
 /*
 * Copy the original name of the authenticated principal into our backend
- * memory for display later. This is also our authenticated identity.
+ * memory for display later.
+ *
+ * This is also our authenticated identity. Set it now, rather than waiting
+ * for check_usermap below, because authentication has already succeeded and
+ * we want the log file to reflect that.
 */
 port->gss->princ = MemoryContextStrdup(TopMemoryContext, gbuf.value);
 set_authn_id(port, gbuf.value);
@@ -1573,7 +1577,9 @@ pg_SSPI_recvauth(Port *port)
 /*
 * We have all of the information necessary to construct the authenticated
- * identity.
+ * identity. Set it now, rather than waiting for check_usermap below,
+ * because authentication has already succeeded and we want the log file to
+ * reflect that.
 */
 if (port->hba->compat_realm)
 {
@@ -1977,7 +1983,11 @@ ident_inet_done:
 if (ident_return)
 {
- /* Success! Store the identity and check the usermap */
+ /*
+ * Success! Store the identity and check the usermap. (Setting the
+ * authenticated identity is done before checking the usermap, because
+ * at this point, authentication has succeeded.)
+ */
 set_authn_id(port, ident_user);
 return check_usermap(port->hba->usermap, port->user_name, ident_user, false);
 }
@@ -2036,8 +2046,9 @@ auth_peer(hbaPort *port)
 }
 /*
- * Make a copy of static getpw*() result area. This is our authenticated
- * identity.
+ * Make a copy of static getpw*() result area; this is our authenticated
+ * identity. Set it before calling check_usermap, because authentication has
+ * already succeeded and we want the log file to reflect that.
 */
 set_authn_id(port, pw->pw_name);
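Review bot: The new comment in pg_GSS_checkauth says authentication has succeeded and the log should reflect that, but it does not say that check_usermap still decides the outcome (the ident hunk returns its result directly). Someone reading the code or the log could therefore take a recorded identity for an accepted connection. I would add one sentence to the comment, for example `* Note that check_usermap can still reject the connection; a recorded identity means authenticated, not authorized.` The same rationale is repeated in the pg_SSPI_recvauth, auth_peer and CheckCertAuth hunks, while the ident hunk after ident_inet_done gives the ordering but drops the log-file reason, so the five comments are worth aligning. pg_GSS_checkauth starts and ends outside the hunk.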
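Review bot: In pg_SSPI_recvauth the added sentence `Set it now, rather than waiting for check_usermap below` sits directly above `if (port->hba->compat_realm)`, and the statement that records the identity is not visible in the hunk, so "now" does not point at the line it describes. The CheckCertAuth hunk has the same shape, with the sentence placed above the `if (!port->peer_dn)` guard. I would either move the sentence down to the line that records the identity or reword it along the lines of `* It is recorded below, ahead of check_usermap, because authentication has already succeeded ...`. Both functions continue outside their hunks, so the exact placement needs checking against the full file.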
@@ -2901,7 +2912,9 @@ CheckCertAuth(Port *port)
 if (port->hba->auth_method == uaCert)
 {
 /*
- * The client's Subject DN is our authenticated identity.
+ * The client's Subject DN is our authenticated identity. Set it now,
+ * rather than waiting for check_usermap below, because authentication
+ * has already succeeded and we want the log file to reflect that.
 */
 if (!port->peer_dn)
 {