diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index bc108c01..8c89ea37 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -307,7 +307,7 @@ func (o *OIDC) authorizeSSHSign(claims *openIDPayload) ([]SignOption, error) {
 	if o.IsAdmin(claims.Email) {
 		signOptions = append(signOptions, &sshCertificateOptionsValidator{})
 	} else {
-		name := SanitizeSSHPrincipal(claims.Email)
+		name := SanitizeSSHUserPrincipal(claims.Email)
 		if !sshUserRegex.MatchString(name) {
 			return nil, errors.Errorf("invalid principal '%s' from email address '%s'", name, claims.Email)
 		}
diff --git a/authority/provisioner/provisioner.go b/authority/provisioner/provisioner.go
index bb59bbb9..96bec692 100644
--- a/authority/provisioner/provisioner.go
+++ b/authority/provisioner/provisioner.go
@@ -165,11 +165,11 @@ func (l *List) UnmarshalJSON(data []byte) error {
 
 var sshUserRegex = regexp.MustCompile("^[a-z][-a-z0-9_]*$")
 
-// SanitizeSSHPrincipal grabs an email or a string with the format local@domain
-// and returns a sanitized version of the local, valid to be used as a user
-// name. If the email starts with a letter between a and z, the resulting string
-// will match the regular expression `^[a-z][-a-z0-9_]*$`.
-func SanitizeSSHPrincipal(email string) string {
+// SanitizeSSHUserPrincipal grabs an email or a string with the format
+// local@domain and returns a sanitized version of the local, valid to be used
+// as a user name. If the email starts with a letter between a and z, the
+// resulting string will match the regular expression `^[a-z][-a-z0-9_]*$`.
+func SanitizeSSHUserPrincipal(email string) string {
 	if i := strings.LastIndex(email, "@"); i >= 0 {
 		email = email[:i]
 	}