In order to match a user to their SSO identity, the user's Unix username must match their email address prefix. For example, `jdoe` must be registered in your Okta or GSuite organization as `jdoe@example.com`.
You can link an identity to an existing user with a different username by creating a second user entry that shares that user's `uid`, `gid`, and home directory. You will need to set a password for the new entry separately and add it to the same groups to replicate the existing user's permissions.
The simplest setup is one where a user's Unix username matches their email address prefix.
Issued short-lived certificates will be valid for the user's email address prefix.
For example, if user `jdoe@example.com` connects to `vm.example.com`, they would try to sign in as the user `jdoe`.
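The mapping above, worked through as an added example that is not part of the original page: it derives the principal a short-lived certificate will carry from the SSO e-mail address, looks that name up in passwd-format data, and, for the alias case, builds the entry that links the principal to an existing account with a different name (same `uid`, `gid`, home and shell) plus the `usermod` calls needed to copy its group memberships. The passwd and group data are constructed for the example; on a real host you would read `/etc/passwd` and `/etc/group` and run `useradd`/`usermod` rather than print lines.

```shell
#!/bin/sh
# Added example (not from the page): map an SSO e-mail address to the Unix
# principal a short-lived certificate will carry, look that name up in
# passwd-format data, and build the alias entry that links the principal to an
# existing account under a different name (same uid, gid, home and shell).
# The passwd/group data below is constructed for the example.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
john:x:1001:1001:John Doe:/home/john:/bin/bash'
SAMPLE_GROUP='sudo:x:27:john
docker:x:998:alice,john'

# The certificate principal is the local part of the e-mail address.
principal_for_email() {
    printf '%s' "$1" | cut -d@ -f1
}

# Print the passwd line for user $1 from passwd-format text on stdin;
# exit 1 when no such user exists.
passwd_entry() {
    awk -F: -v u="$1" '$1 == u { print; found = 1 } END { exit found ? 0 : 1 }'
}

# Build the passwd line for alias $1 from existing entry $2: new name,
# password field "x" (set the password separately), everything else copied.
alias_entry() {
    printf '%s\n' "$2" | awk -F: -v a="$1" 'BEGIN { OFS = ":" } { $1 = a; $2 = "x"; print }'
}

# List the groups (group-format text on stdin) that name $1 as a member,
# so the alias can be added to the same ones.
groups_of() {
    awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Plan the alias for e-mail $1 onto existing user $2: prints the passwd line
# to add, then one "usermod -aG" per group the existing user belongs to.
# Fails (exit 1) when the existing user is unknown.
plan_alias() {
    p=$(principal_for_email "$1")
    entry=$(printf '%s\n' "$SAMPLE_PASSWD" | passwd_entry "$2") || return 1
    alias_entry "$p" "$entry"
    printf '%s\n' "$SAMPLE_GROUP" | groups_of "$2" | while read -r g; do
        printf 'usermod -aG %s %s\n' "$g" "$p"
    done
}

# Demonstration: jdoe@example.com should log in as the existing account "john".
plan_alias jdoe@example.com john
```

The shared `uid` is what makes the alias transparent to file ownership and `sudo` rules keyed on the numeric id; the separate password field is why the page tells you to set a password for the new entry on its own.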
For testing purposes, you can run the following command to generate a Unix user on the machine:
(there's no way to tell sshd to allow any verified certificate, so this takes the certificate presented by the user and authorizes whatever principal is listed on it)
Or, to allow any Access user to log in as any user:
(the same options, but without the `Match` block above it)
This makes the security of your server depend entirely on your Access configuration, so make extra sure your [access policies](/cloudflare-one/policies/access/policy-management/) are correctly configured.
For any of these configs you'll also need the `TrustedUserCAKeys` option, as documented below.
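One way to implement the "authorize whatever principal is listed on the certificate" behaviour described above, as an added example that is not the page's own configuration: an `AuthorizedPrincipalsCommand` helper that decodes the presented certificate with `ssh-keygen -L` and prints its principals, shown here with a `Match` block so it applies to one login user. `sshd` runs this command only after verifying the certificate's signature against `TrustedUserCAKeys`, which is what makes trusting the embedded principal list safe. The CA key path `/etc/ssh/ca.pub`, the script path `/usr/local/sbin/cert-principals`, and the sample `ssh-keygen -L` listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): a helper for sshd's AuthorizedPrincipalsCommand
# that authorizes exactly the principals embedded in the presented certificate.
# sshd only invokes this after the certificate's signature has been verified
# against TrustedUserCAKeys. The paths below are assumptions. Matching
# sshd_config lines (%t = key type, %k = base64 certificate blob):
#
#   TrustedUserCAKeys /etc/ssh/ca.pub
#   Match User jdoe
#       AuthorizedPrincipalsCommand /usr/local/sbin/cert-principals %t %k
#       AuthorizedPrincipalsCommandUser nobody

# Parse `ssh-keygen -L` output on stdin and print one principal per line.
# Stops at the next section header (e.g. "Critical Options:") and prints
# nothing for "Principals: (none)".
principals_from_listing() {
    awk '
        /^[ \t]*Principals:/ { inlist = 1; if ($0 ~ /\(none\)/) inlist = 0; next }
        inlist && /^[ \t]*[A-Z][A-Za-z ]*:/ { inlist = 0 }
        inlist { sub(/^[ \t]+/, ""); if ($0 != "") print }
    '
}

# Decode the certificate sshd handed us ($1 = key type, $2 = base64 blob)
# and print its principals. Requires ssh-keygen on the host.
cert_principals() {
    tmp=$(mktemp) || return 1
    printf '%s %s\n' "$1" "$2" > "$tmp"
    ssh-keygen -L -f "$tmp" | principals_from_listing
    rm -f "$tmp"
}

# Constructed sample of `ssh-keygen -L` output, used to exercise the parser offline.
SAMPLE_LISTING='/tmp/cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:EXAMPLEFINGERPRINT
        Signing CA: ED25519 SHA256:EXAMPLECAFINGERPRINT (using ssh-ed25519)
        Key ID: "jdoe@example.com"
        Serial: 42
        Valid: from 2024-01-01T10:00:00 to 2024-01-01T10:05:00
        Principals: 
                jdoe
        Critical Options: (none)
        Extensions: 
                permit-pty'

# Invoked by sshd with two arguments: act as the principals command.
# Run by hand with no arguments: demonstrate the parser on the sample.
if [ "$#" -eq 2 ]; then
    cert_principals "$1" "$2"
else
    printf '%s\n' "$SAMPLE_LISTING" | principals_from_listing
fi
```

Install the script root-owned and not group- or world-writable, since `sshd` refuses an `AuthorizedPrincipalsCommand` with loose permissions, and validate the resulting configuration with `sshd -t` before restarting the daemon. Dropping the `Match User` line extends the same behaviour to every login user, which is the "any Access user as any user" variant the page warns about.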