saml cleanup

Author: shainaraskas

deploy-manage/users-roles/cloud-enterprise-orchestrator/saml.md

@@ -9,6 +9,10 @@ applies:
 
 You can configure {{ece}} to delegate authentication of users to a Security Assertion Markup Language (SAML) authentication provider. {{ece}} supports the SAML 2.0 Web Browser Single Sign On Profile only, and this requires the use of a web browser. Due to this, SAML profiles should not be used for standard API clients. The security deployment acts as a SAML 2.0 compliant *service provider*.
 
+:::{{tip}}
+This topic describes implementing SAML SSO at the {{ece}} installation level. If you want to control access to a specific deployment, then refer to [SAML authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md).
+:::
+
 To set up SAML authentication, perform the following steps:
 
 1. Specify the [general SAML settings](#ece-saml-general-settings).

deploy-manage/users-roles/cluster-or-deployment-auth/saml-entra.md

@@ -2,22 +2,28 @@
 mapped_urls:
   - https://www.elastic.co/guide/en/cloud/current/ec-securing-clusters-saml-azure.html
 navigation_title: With Microsoft Entra ID
+applies_to:
+  deployment:
+    self:
+    ess:
+    ece:
+    eck:
 ---
 # Set up SAML with Microsoft Entra ID [ec-securing-clusters-saml-azure]
 
-This guide provides a walk-through of how to configure Microsoft Entra ID (formerly Azure Active Directory) as an identity provider for SAML single sign-on (SSO) authentication, used for accessing Kibana in Elasticsearch Service.
+This guide provides a walk-through of how to configure Microsoft Entra ID, formerly known as Azure Active Directory, as an identity provider for SAML single sign-on (SSO) authentication, used for accessing {{kib}} in {{ech}}.
 
-For more information about SAML configuration, you can also refer to:
+For more information about SAML configuration, refer to:
 
-* [Secure your clusters with SAML](../../../deploy-manage/users-roles/cluster-or-deployment-auth/saml.md)
+* [Secure your clusters with SAML](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md)
 * [Single Sign-On SAML protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol)
 
 
-## Configure SAML with Azure AD to access Kibana [ec-securing-clusters-saml-azure-kibana]
+## Configure SAML with Microsoft Entra ID to access {{kib}} [ec-securing-clusters-saml-azure-kibana]
 
-Follow these steps to configure SAML with Microsoft Entra ID as an identity provider to access Kibana.
+Follow these steps to configure SAML with Microsoft Entra ID as an identity provider to access {{kib}}.
 
-1. Configure the Azure Identity Provider:
+1. Configure the Entra Identity Provider:
 
     1. Log in to the [Azure Portal](https://portal.azure.com/) and navigate to **Entra** (formerly Azure Active Directory).
     2. Click **Enterprise applications** and then **New application** to register a new application.
@@ -27,41 +33,41 @@ Follow these steps to configure SAML with Microsoft Entra ID as an identity prov
         :alt: The Azure Create your own application flyout
         :::
 
-    4. Navigate to the new application, click **Users and groups**, and add all necessary users and groups. Only the users and groups that you add here will have SSO access to the Elastic stack.
+    4. Navigate to the new application, click **Users and groups**, and add all necessary users and groups. Only the users and groups that you add here will have SSO access to the {{stack}}.
 
         :::{image} ../../../images/cloud-ec-saml-azuread-users-and-groups.png
-        :alt: The Azure User and groups page
+        :alt: The Entra User and groups page
         :::
 
     5. Navigate to **Single sign-on** and edit the basic SAML configuration, adding the following information:
 
-        * `Identifier (Entity ID)` - a string that uniquely identifies a SAML service provider. We recommend using your Kibana URL, but you can use any identifier.
+        * `Identifier (Entity ID)` - a string that uniquely identifies a SAML service provider. We recommend using your {{kib}} URL, but you can use any identifier.
 
             For example, `https://saml-azure.kb.northeurope.azure.elastic-cloud.com:443`.
 
-        * `Reply URL` - This is the Kibana URL with `/api/security/saml/callback` appended.
+        * `Reply URL` - This is the {{kib}} URL with `/api/security/saml/callback` appended.
 
             For example, `https://saml-azure.kb.northeurope.azure.elastic-cloud.com:443/api/security/saml/callback`.
 
-        * `Logout URL` - This is the Kibana URL with `/logout` appended.
+        * `Logout URL` - This is the {{kib}} URL with `/logout` appended.
 
             For example, `https://saml-azure.kb.northeurope.azure.elastic-cloud.com:443/logout`.
 
             :::{image} ../../../images/cloud-ec-saml-azuread-kibana-config.png
-            :alt: The Azure SAML configuration page with Kibana settings
+            :alt: The Entra SAML configuration page with {{kib}} settings
             :::
 
-    6. Navigate to **SAML-based Single sign-on**, open the **User Attributes & Claims** configuration, and update the fields to suit your needs. These settings control what information from Azure AD will be made available to the Elastic stack during SSO. This information can be used to identify a user in the Elastic stack and/or to assign different roles to users in the Elastic stack. We suggest that you configure a proper value for the `Unique User Identifier (Name ID)` claim that identifies the user uniquely and is not prone to changes.
+    6. Navigate to **SAML-based Single sign-on**, open the **User Attributes & Claims** configuration, and update the fields to suit your needs. These settings control what information from  will be made available to the {{stack}} during SSO. This information can be used to identify a user in the {{stack}} and/or to assign different roles to users in the {{stack}}. We suggest that you configure a proper value for the `Unique User Identifier (Name ID)` claim that identifies the user uniquely and is not prone to changes.
 
         :::{image} ../../../images/cloud-ec-saml-azuread-user-attributes.png
-        :alt: The Azure User Attributes & Claims page
+        :alt: The Entra ID User Attributes & Claims page
         :::
 
-    7. From the SAML configuration page in Azure, make a note of the `App Federation Metadata URL`.
+    7. From the SAML configuration page, make a note of the `App Federation Metadata URL`.
 
-2. Configure Elasticsearch and Kibana for SAML:
+2. Configure {{es}} and {{kib}} for SAML:
 
-    1. [Update your Elasticsearch user settings](../../../deploy-manage/deploy/elastic-cloud/edit-stack-settings.md) with the following configuration:
+    1. [Update your {{es}} user settings](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md) with the following configuration:
 
         ```sh
         xpack.security.authc.realms.saml.kibana-realm:
@@ -79,21 +85,21 @@ Follow these steps to configure SAML with Microsoft Entra ID as an identity prov
 
         * `<Application_ID>` is your Application ID, available in the application details in Azure.
         * `<Tenant_ID>` is your Tenant ID, available in the tenant overview page in Azure.
-        * `<Kibana_Endpoint_URL>` is your Kibana endpoint, available from the Elasticsearch Service console. Ensure this is the same value that you set for `Identifier (Entity ID)` in the earlier Azure AD configuration step.
+        * `<Kibana_Endpoint_URL>` is your {{kib}} endpoint, available from the {{ech}} console. Ensure this is the same value that you set for `Identifier (Entity ID)` in the earlier Microsoft Entra ID configuration step.
 
-            Note that for `idp.metadata.path` we’ve shown the format to construct the URL, but this should be identical to the `App Federation Metadata URL` setting that you made a note of in the previous step.
+            For `idp.metadata.path`, we’ve shown the format to construct the URL. This value should be identical to the `App Federation Metadata URL` setting that you made a note of in the previous step.
 
-            Remember to add this configuration for each node type in your [user settings](../../../deploy-manage/deploy/elastic-cloud/edit-stack-settings.md) if you use several node types based on your deployment architecture (Dedicated Master, High IO, and/or High Storage).
+            If you're using {{ece}} or {{ech}}, and you're using machine learning or a deployment with hot-warm architecture, you must include this configuration in the user settings section for each node type.
 
-    2. Next, configure Kibana to enable SAML authentication:
-        1. [Update your Kibana user settings](../../../deploy-manage/deploy/elastic-cloud/edit-stack-settings.md) with the following configuration:
+    2. Next, configure {{kib}} to enable SAML authentication:
+        1. [Update your {{kib}} user settings](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md) with the following configuration:
 
             ```yaml
             xpack.security.authc.providers:
               saml.kibana-realm:
                 order: 0
                 realm: kibana-realm
-                description: "Log in with Azure AD"
+                description: "Log in with Microsoft Entra ID"
             ```
 
             The configuration values used in the example above are:
@@ -102,7 +108,7 @@ Follow these steps to configure SAML with Microsoft Entra ID as an identity prov
             :   Add `saml` provider to instruct {{kib}} to use SAML SSO as the authentication method.
 
             `xpack.security.authc.providers.saml.<provider-name>.realm`
-            :   Set this to the name of the SAML realm that you have used in your [Elasticsearch realm configuration](../../../deploy-manage/users-roles/cluster-or-deployment-auth/saml.md#saml-create-realm). For this example, use the realm name that you configured in the previous step: `kibana-realm`.
+            :   Set this to the name of the SAML realm that you have used in your [{{es}} realm configuration](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md#saml-create-realm). For this example, use the realm name that you configured in the previous step: `kibana-realm`.
 
         2. Create a role mapping.
 
@@ -133,7 +139,7 @@ Follow these steps to configure SAML with Microsoft Entra ID as an identity prov
             }
             ```
 
-            For more information, refer to [Configure role mapping](../../../deploy-manage/users-roles/cluster-or-deployment-auth/saml.md#saml-role-mapping) in the Elasticsearch SAML documentation.
+            For more information, refer to [Configure role mapping](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md#saml-role-mapping) in the {{es}} SAML documentation.
 
 
-You should now have successfully configured SSO access to Kibana with Azure AD as the identity provider.
+You should now have successfully configured SSO access to {{kib}} with Microsoft Entra ID as the identity provider.