Pritunl zero ssh - all users?

SERVER: domain
SSH_KEY: ~/.ssh/id_rsa.pub
OPEN: domain/ssh?ssh-token=REDACTED
CERTIFICATE: ~/.ssh/id_rsa-cert.pub
SSH_CONFIG: ~/.ssh/config
Successfully validated SSH key

ssh -i id_rsa.pub user@host.x.y

Any username works… user1, root, user2, etc…
How does the cert get bound to a single user, or is this a bug?

The SSH server will control access. There are multiple options available for matching in SSH configuration files. Below is an example in /etc/ssh/sshd_config of matching different principals, which are referred to as roles in Pritunl Zero, for users example1 and example2. The /etc/ssh/principals_example1 and /etc/ssh/principals_example2 files can then contain a list of Pritunl Zero roles that will permit access to that user if the Pritunl Zero user has a matching role. The Match all line will close out the previous Match statement. There are multiple Match parameters available, including Match host to create rules for specific client IP addresses.

Match user example1
    TrustedUserCAKeys /etc/ssh/trusted
    AuthorizedPrincipalsFile /etc/ssh/principals_example1
Match user example2
    TrustedUserCAKeys /etc/ssh/trusted
    AuthorizedPrincipalsFile /etc/ssh/principals_example2
Match all

If I have 200 users who may need access, and I want attribution to each of the users – I would need 200 user matches configured across each system? Basically assigning a named role for each?

The system is designed around role based access with groups of users being assigned different roles. Each user would need to be assigned a unique role to control access for individual users.
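
For the many-users case raised above, an added example that is not part of the thread or of Pritunl Zero: it stages one principals file per account from a constructed account-to-role map and relies on sshd's `%u` token in `AuthorizedPrincipalsFile`, so a single directive stands in for one Match block per user. The role names, the staging directory and the `principals_%u` file naming are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): stage per-account principals files for sshd.
set -eu

# Constructed sample map: "<unix account>:<comma-separated Pritunl Zero roles>".
USER_ROLES='example1:role-example1
example2:role-example2,ops-oncall'

# build_principals <staging-dir>
# Writes <staging-dir>/principals_<account> (one role per line) and
# <staging-dir>/sshd_config.snippet. Nothing under /etc is modified.
build_principals() {
    out="$1"
    mkdir -p "$out"
    while IFS=: read -r account roles; do
        [ -n "$account" ] || continue
        # Refuse names that could write outside the staging directory.
        case "$account" in
            */*|.*|*[!A-Za-z0-9._-]*) echo "bad account: $account" >&2; return 1 ;;
        esac
        # An empty role list yields an empty file: no principal is listed for it.
        printf '%s\n' "$roles" | tr ',' '\n' | sed '/^$/d' > "$out/principals_$account"
        chmod 0644 "$out/principals_$account"
    done <<EOF
$USER_ROLES
EOF
    # %u is sshd's token for the account being logged in to, so one pair of
    # directives covers every account instead of one Match block per user.
    printf '%s\n' \
        'TrustedUserCAKeys /etc/ssh/trusted' \
        'AuthorizedPrincipalsFile /etc/ssh/principals_%u' \
        > "$out/sshd_config.snippet"
}

# Stage into a scratch directory and print the snippet for review.
STAGE="$(mktemp -d)"
build_principals "$STAGE"
cat "$STAGE/sshd_config.snippet"
```

After review, the staged files would be installed under /etc/ssh as root-owned files, and `sshd -t` checks the resulting configuration before the daemon is reloaded.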