diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go
index ec813b6c..b127ed13 100644
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@@ -56,6 +56,7 @@ type K8sSA struct {
 ctl *Controller
 x509Policy policy.X509Policy
 sshHostPolicy policy.HostPolicy
+ sshUserPolicy policy.UserPolicy
 }
 
 // GetID returns the provisioner unique identifier. The name and credential id
@@ -148,6 +149,11 @@ func (p *K8sSA) Init(config Config) (err error) {
 return err
 }
 
+ // Initialize the SSH allow/deny policy engine for user certificates
+ if p.sshUserPolicy, err = policy.NewSSHUserPolicyEngine(p.Options.GetSSHOptions()); err != nil {
+ return err
+ }
+
 // Initialize the SSH allow/deny policy engine for host certificates
 if p.sshHostPolicy, err = policy.NewSSHHostPolicyEngine(p.Options.GetSSHOptions()); err != nil {
 return err
@@ -298,7 +304,7 @@ func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOptio
 // Require and validate all the default fields in the SSH certificate.
 &sshCertDefaultValidator{},
 // Ensure that all principal names are allowed
- newSSHNamePolicyValidator(p.sshHostPolicy, nil),
+ newSSHNamePolicyValidator(p.sshHostPolicy, p.sshUserPolicy),
 ), nil
 }
 
diff --git a/policy/options_test.go b/policy/options_test.go
index b7390545..74982fd8 100644
--- a/policy/options_test.go
+++ b/policy/options_test.go
@@ -135,7 +135,7 @@ func Test_normalizeAndValidateEmailConstraint(t *testing.T) {
 },
 {
 name: "fail/idna-internationalized-domain",
- constraint: `mail@xn--bla.local`,
+ constraint: "mail@xn--bla.local",
 want: "",
 wantErr: true,
 },
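Review bot: Replacing `nil` with `p.sshUserPolicy` in `newSSHNamePolicyValidator(p.sshHostPolicy, p.sshUserPolicy)` is a security-relevant behavior change that ships without a regression test: the K8sSA provisioner previously passed no user policy at all, which presumably meant any configured `ssh.user` allow/deny list had no effect on user certificates issued through it, and the only test touched in this commit is the unrelated quoting change in `policy/options_test.go`. A table case in the K8sSA SSH-sign tests that configures a user allow list and asserts that a principal outside it is rejected (and that a host principal is still governed by `sshHostPolicy` alone) would pin the new behavior and guard against the argument order being swapped. Because requests that were accepted before may now be denied, the change is also worth a short changelog note and a comment at the call site such as `// user principals are now subject to the provisioner's ssh.user policy, not only host principals`. The body of `AuthorizeSSHSign` begins outside this hunk, so whether user-certificate requests reach this validator at all for K8sSA could not be confirmed from the diff.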