diff --git a/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md b/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md index fafbd6b906..1774355f26 100644 --- a/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md +++ b/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md @@ -47,7 +47,6 @@ To learn more about the features that are supported by {{ecloud}}, check [{{eclo * File and LDAP realms cannot be used. The Native realm is enabled, but the realm configuration itself is fixed in {{ecloud}}. Alternatively, authentication protocols such as SAML, OpenID Connect, or Kerberos can be used. * Client certificates, such as PKI certificates, are not supported. * IPv6 is not supported. -* Additional limitations apply when using SAML SSO at the organization level. Refer to [Configure {{ecloud}} SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md#ec_risks_and_considerations) for more information. ## APIs [ec-restrictions-apis] diff --git a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md index fd3b91b18b..dcdd2050ce 100644 --- a/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md +++ b/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md 
@@ -45,11 +45,11 @@ For detailed examples of implementing SAML SSO using common identity providers, * You must have a SAML 2.0 compatible identity provider. -## Limitations, risks, and considerations [ec_risks_and_considerations] +## Risks and considerations [ec_risks_and_considerations] -Before you configure SAML SSO, familiarize yourself with the following limitations, risks, and considerations: +Before you configure SAML SSO, familiarize yourself with the following risks and considerations: -* You can claim a maximum of 10 domains for your organization, including subdomains. +* You can claim up to 10 domains. Claiming a domain also enables SSO for all of its subdomains. * Actions taken on the IdP are not automatically reflected in {{ecloud}}. For example, if you remove a user from your IdP, they are not removed from the {{ecloud}} organization and their active sessions are not invalidated. To immediately revoke a user’s active sessions, an [Organization owner](/deploy-manage/users-roles/cloud-organization/user-roles.md#ec_organization_level_roles) must [remove the user from the {{ecloud}} organization](https://cloud.elastic.co/account/members) or remove their assigned roles. 
@@ -73,7 +73,9 @@ Follow this procedure to set up SAML SSO with your IdP. Before you can register and use your IdP with {{ecloud}}, you must claim one or more domains. Only users that have email addresses that match claimed domains can authenticate with your IdP. -If the members of your {{ecloud}} organization have email addresses from multiple domains, you can claim multiple domains. You can claim up to 10 domains, including subdomains. +You can claim up to 10 domains. Claiming a domain also enables SSO for all of its subdomains. + +For example, if you claim `example.com`, users with email addresses like `user@team.example.com` or `user@dev.team.example.com` can authenticate through your IdP. You don't need to claim subdomains separately, and they don't count toward the 10-domain limit. You must have authority to modify your domain’s DNS records and be a member of the **Organization owner** role in {{ecloud}} to complete this step.
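Review bot: In the first hunk (restrictions-known-problems.md), dropping the cross-reference bullet removes the restrictions page's only pointer to the organization-level SAML caveats, yet the target anchor `[ec_risks_and_considerations]` survives the heading rename and the section still documents a security-relevant gap (IdP removals are not propagated and active sessions are not invalidated). Suggest keeping the bullet with wording that matches the renamed heading, e.g. "* Additional risks and considerations apply when using SAML SSO at the organization level. Refer to [Configure {{ecloud}} SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md#ec_risks_and_considerations) for more information.", so readers auditing the platform's restrictions still find the session-revocation caveat.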
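Review bot: In the second hunk, the rewritten domain bullet states that claiming a domain enables SSO for all of its subdomains but does not say what that implies in a "Risks and considerations" section: the DNS-based claim on a parent domain extends IdP-gated login to every subdomain beneath it, including any subdomains administered by other teams or delegated elsewhere. Suggest a short follow-on sentence, e.g. "Only claim a domain whose entire DNS zone, including delegated subdomains, you control." The heading rename correctly keeps the `[ec_risks_and_considerations]` id, so other inbound links remain valid; the same two sentences are also added verbatim in the procedure section, so consider having one location link to the other rather than duplicating.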
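Review bot: In the third hunk, "they don't count toward the 10-domain limit" is ambiguous: it reads as if no subdomain ever counts, but a subdomain claimed on its own (for example `team.example.com` without `example.com`) is presumably a claimed domain like any other. Suggest "Subdomains of a claimed domain don't need to be claimed separately and don't count toward the 10-domain limit." The removed sentence explaining that organizations whose members use several email domains can claim several domains gave the reason for claiming more than one; consider keeping it ahead of the limit, since the new text states the limit without the motivation.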