clean up tocs

Author: shainaraskas

deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md

@@ -175,7 +175,7 @@ $$$azure-integration-azure-user-management$$$Is the {{ecloud}} Azure Native ISV
     :alt: Error message displayed in the {{ecloud}} console: To access the resource {resource-name}
     :::
 
-    Share deployment resources directly with other Azure users by [configuring Active Directory single sign-on with the {{es}} cluster](../../users-roles/cluster-or-deployment-auth/openid-connect.md#ec-securing-oidc-azure).
+    Share deployment resources directly with other Azure users by [configuring Active Directory single sign-on with the {{es}} cluster](/deploy-manage/users-roles/cluster-or-deployment-auth/oidc-examples.md#ec-securing-oidc-azure).
 
 
 $$$azure-integration-azure-rbac$$$Does {{ecloud}} Azure Native ISV Service support recently introduced {{ecloud}} RBAC capability?

deploy-manage/toc.yml

@@ -636,7 +636,12 @@ toc:
                       - file: users-roles/cluster-or-deployment-auth/saml-entra.md
                   - file: users-roles/cluster-or-deployment-auth/pki.md
                   - file: users-roles/cluster-or-deployment-auth/custom.md
-              - file: users-roles/cluster-or-deployment-auth/built-in-users.md
+              - file: users-roles/cluster-or-deployment-auth/built-in-overview.md
+                children:
+                  - file: users-roles/cluster-or-deployment-auth/built-in-users.md
+                  - file: users-roles/cluster-or-deployment-auth/manage-elastic-user-cloud.md
+                  - file: users-roles/cluster-or-deployment-auth/built-in-eck.md
+                  - file: users-roles/cluster-or-deployment-auth/built-in-sm.md
               - file: users-roles/cluster-or-deployment-auth/kibana-authentication.md
               - file: users-roles/cluster-or-deployment-auth/access-agreement.md
               - file: users-roles/cluster-or-deployment-auth/anonymous-access.md

deploy-manage/users-roles/cloud-enterprise-orchestrator/saml.md

@@ -59,7 +59,7 @@ Begin the provider profile by adding the general settings:
 
 ## Map SAML attributes to user properties [ece-saml-attributes]
 
-The SAML assertion about a user usually includes attribute names and values that can be used for role mapping. The configuration in this section allows to configure a mapping between these SAML attribute values and [{{es}} user properties](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md#saml-elasticsearch-authentication).
+The SAML assertion about a user usually includes attribute names and values that can be used for role mapping. The configuration in this section allows to configure a mapping between these SAML attribute values and [{{es}} user properties](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md#saml-es-user-properties).
 
 When the attributes have been mapped to user properties such as `groups`, these can then be used to configure  [role mappings](#ece-saml-role-mapping). Mapping the `principal` user property is required and the `groups` property is recommended for a minimum configuration.
 

deploy-manage/users-roles/cluster-or-deployment-auth/oidc-examples.md

@@ -18,8 +18,7 @@ This page explains how to implement OIDC, from the OAuth client credentials gene
 * [Google](#ec-securing-oidc-google)
 * [Okta](#ec-securing-oidc-okta)
 
-For further detail about configuring OIDC, check our [list of references](#ec-summary-and-references) at the end of this article.
-
+For further detail about configuring OIDC, refer to [](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md)
 
 ## Setting up OpenID Connect with Azure [ec-securing-oidc-azure]
 

deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md

@@ -219,7 +219,7 @@ To configure claims mapping:
 
 4. Configure the OpenID Connect realm in {{es}} to associate the [{{es}} user properties](#oidc-user-properties) to the name of the claims that your OP will release. 
 
-   The [sample configuration](oidc-create-realm) configures the `principal` and `groups` user properties as follows:
+   The [sample configuration](#oidc-create-realm) configures the `principal` and `groups` user properties as follows:
 
    * `claims.principal: sub`: Instructs {{es}} to look for the OpenID Connect claim named `sub` in the ID Token that the OP issued for the user (or in the UserInfo response) and assign the value of this claim to the `principal` user property. 
 
@@ -401,7 +401,7 @@ PUT /_security/role_mapping/oidc-finance
 
 ### Delegating OIDC authorization to another realm
 
-If your users also exist in a repository that can be directly accessed by {{es}}, such as an LDAP directory, then you can use [authorization realms](/deploy-manage/users-roles/cluster-or-deployment-auth/authorization-delegation) instead of role mappings.
+If your users also exist in a repository that can be directly accessed by {{es}}, such as an LDAP directory, then you can use [authorization realms](/deploy-manage/users-roles/cluster-or-deployment-auth/authorization-delegation.md) instead of role mappings.
 
 In this case, you perform the following steps:
 

deploy-manage/users-roles/cluster-or-deployment-auth/saml.md

@@ -27,7 +27,7 @@ The {{security-features}} provide this support using the Web Browser SSO profile
 
 This means that the SAML realm is not suitable for use by standard REST clients. If you configure a SAML realm for use in {{kib}}, you should also configure another realm, such as the [native realm](/deploy-manage/users-roles/cluster-or-deployment-auth/native.md) in your authentication chain.
 
-Because this feature is designed with {{kib}} in mind, most sections of this guide assume {{kib}} is used. To learn how a custom web application could use the OpenID Connect REST APIs to authenticate the users to {{es}} with SAML, refer to [SAML without {{kib}}](#saml-without-kibana). 
+Because this feature is designed with {{kib}} in mind, most sections of this guide assume {{kib}} is used. To learn how a custom web application could use the OpenID Connect REST APIs to authenticate the users to {{es}} with SAML, refer to [SAML without {{kib}}](#saml-no-kibana). 
 
 The SAML support in {{kib}} is designed with the expectation that it will be the primary (or sole) authentication method for users of that {{kib}} instance. After you enable SAML authentication in {{kib}}, it will affect all users who try to login. The [Configuring {{kib}}](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md#saml-configure-kibana) section provides more detail about how this works.
 
@@ -746,7 +746,7 @@ Single sign-on realms such as OpenID Connect and SAML make use of the Token Serv
 
 ### SAML realm [saml-no-kibana-realm]
 
-You must create a SAML realm and configure it accordingly in {{es}}. See [Configure {{es}} for SAML authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md#saml-elasticsearch-authentication)
+You must create a SAML realm and configure it accordingly in {{es}}. See [Configure {{es}} for SAML authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md#saml-create-realm)
 
 
 ### Service Account user for accessing the APIs [saml-no-kibana-user]