💡 Add option to SSH CA to issue certs with UserPrincipal with full e-mail address
ajvpot opened this issue · comments
Describe the feature you'd like
I would like an option in the SSH Short-Lived Certificates CA settings to sign certs with the full e-mail address of the user as the User Principal.
The SSH CA currently signs certificates with the User Principal being the part of the e-mail address before the @ sign. Therefore, an Access organization with multiple domains (i.e. using PIN-based auth with external collaborators) can have namespace conflicts when deciding which user to log in as.
Example: These users map to the same unix username.
jdoe@mycorp.com -> jdoe
jdoe@external.com -> jdoe
Describe alternatives you've considered
Unknown, this is not mentioned in the docs.
Additional context
https://developers.cloudflare.com/cloudflare-one/identity/users/short-lived-certificates/
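An added example, not part of the original issue and not Cloudflare's code: a check that lists which addresses in a user list would receive the same principal under the behaviour described above (principal = the part before the @). The function names and the sample list are constructed for illustration.

```python
from collections import defaultdict


def principal_for(email: str) -> str:
    """Principal as the issue describes it: the part of the address before the @."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local


def colliding_principals(emails):
    """Return {principal: [addresses]} for principals shared by 2+ distinct addresses."""
    by_principal = defaultdict(set)
    for email in emails:
        principal = principal_for(email)
        local, _, domain = email.strip().rpartition("@")
        # Domain names are case-insensitive; normalise them so the same
        # mailbox written two ways is not reported as a collision.
        by_principal[principal].add(f"{local}@{domain.lower()}")
    return {p: sorted(a) for p, a in by_principal.items() if len(a) > 1}


# Constructed sample: the two addresses from the issue plus invented entries.
SAMPLE_USERS = [
    "jdoe@mycorp.com",
    "jdoe@external.com",
    "asmith@mycorp.com",
    "jdoe@MYCORP.com",  # same mailbox as the first entry
]

if __name__ == "__main__":
    for principal, addresses in colliding_principals(SAMPLE_USERS).items():
        print(f"{principal}: {', '.join(addresses)}")
```

Running it against an export of the organization's user list shows every principal that more than one identity would be able to present to sshd.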