Maybe I've missed it but in the first setup (without roles) where on the server is defined as which user someone can ssh into the machine now? There's only this global setting:
TrustedUserCAKeys /etc/ssh/ca.pub
Where can I define that a user can log in e.g. as "john" on a server? Is this the '-I USER_ID' part when creating the cert? If so that would mean that a certificate is bound to one username only and that every user needs his own account with exactly that name on every server he has access to, right?
