diff --git a/service/resolver.go b/service/resolver.go
index abad144..61e0874 100755
--- a/service/resolver.go
+++ b/service/resolver.go
@@ -240,8 +240,8 @@ func (r *resolve) GetNonResourceNamespace() string {
 
 // PrincipalFromUser maps K8s user to Athenz principal.
 // 1. service account: if has ServiceAccountPrefixes, remove prefix, map to AthenzServiceAccountPrefix
-// 1.1. if contains namespace, create domain by namespace and AthenzServiceAccountPrefix
-// 1.2. if no namespaces, prepend AthenzServiceAccountPrefix
+// 1.1. if contains namespace, create domain by the namespace and AthenzServiceAccountPrefix
+// 1.2. if no namespaces, create domain by EmptyNamespace and AthenzServiceAccountPrefix
 // 2. athenz user: if has AthenzUserPrefix, OR not contains ".", map to AthenzUserPrefix
 // 3. certificate: if not service account and athenz user, no mapping
 func (r *resolve) PrincipalFromUser(user string, groups []string) string {
@@ -271,7 +271,8 @@ func (r *resolve) PrincipalFromUser(user string, groups []string) string {
 			return strings.TrimPrefix(strings.TrimSuffix(strings.Join(
 				append(r.BuildServiceAccountPrefixFromNamespace(parts[0]), parts[1:]...), "."), ":"), ":")
 		}
-		return r.cfg.AthenzServiceAccountPrefix + strings.TrimSuffix(strings.TrimPrefix(strings.TrimPrefix(user, prefix), ":"), ":")
+		return strings.TrimPrefix(strings.TrimSuffix(strings.Join(
+			append(r.BuildServiceAccountPrefixFromNamespace(r.cfg.EmptyNamespace), parts[0]), "."), ":"), ":")
 	}
 
 	// athenz user
diff --git a/service/resolver_test.go b/service/resolver_test.go
index b27f3fe..0c4b38e 100644
--- a/service/resolver_test.go
+++ b/service/resolver_test.go
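Review bot: The new fallback on the `+` lines of the @@ -271 hunk derives the domain from `r.cfg.EmptyNamespace`, but nothing in this hunk guards the case where that field is left blank; `BuildServiceAccountPrefixFromNamespace` is not visible here, so with an unset option the result is presumably a malformed or colliding domain (something like `athenz..user-323`, constructed from the test fixture's prefix). Because this is an identity-mapping path (a K8s service account becomes an Athenz principal), a silently collapsed namespace component could let accounts from different sources map to the same principal, so the empty-EmptyNamespace behaviour should be pinned, either by rejecting it at config load or by an explicit test case, since both cases added in resolver_test.go (hunks @@ -1060 and @@ -1087) set `EmptyNamespace: "empty"`. The new branch also keeps only `parts[0]` where the removed line kept the whole trimmed remainder of `user`; if `parts` can hold more than one element at this point, extra segments are now dropped without comment, which deserves a note such as `// no namespace segment: keep only the account name (parts[0]); the domain comes from cfg.EmptyNamespace`. The body of PrincipalFromUser starts and ends outside this hunk.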
@@ -1060,13 +1060,15 @@ func Test_resolve_PrincipalFromUser(t *testing.T) {
 			fields: fields{
 				cfg: config.Platform{
 					ServiceAccountPrefixes: []string{"prefix-319:"},
+					EmptyNamespace:         "empty",
 				},
+				athenzSAPrefix: "athenz._namespace_.",
 			},
 			args: args{
 				user:   "prefix-319:user-323",
 				groups: []string{"system:serviceaccounts"},
 			},
-			want: "user-323",
+			want: "athenz.empty.user-323",
 		},
 		{
 			name: "Check resolve PrincipalFromUser ServiceAccountPrefixes match user prefix, single part, no groups",
@@ -1087,13 +1089,15 @@ func Test_resolve_PrincipalFromUser(t *testing.T) {
 			fields: fields{
 				cfg: config.Platform{
 					ServiceAccountPrefixes: []string{"prefix-331"},
+					EmptyNamespace:         "empty",
 				},
+				athenzSAPrefix: "athenz._namespace_.",
 			},
 			args: args{
 				user:   "prefix-331:user-335:",
 				groups: []string{"system:serviceaccounts"},
 			},
-			want: "user-335",
+			want: "athenz.empty.user-335",
 		},
 		{
 			name: "Check resolve PrincipalFromUser ServiceAccountPrefixes match user prefix, multiple parts, empty namespace",