From d583156b8db0350ed010b38c6f13276e73669306 Mon Sep 17 00:00:00 2001
From: Kuni Sen <30574753+kunisen@users.noreply.github.com>
Date: Mon, 28 Apr 2025 11:54:44 +0900
Subject: [PATCH 1/4] Clarify that ldap is not applicable on ECH

Make it clear that LDAP is not configurable for Elastic Cloud hosted environment.
---
 .../users-roles/cluster-or-deployment-auth/ldap.md          | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md b/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md
index aa15dcf99..af80dc5dd 100644
--- a/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md
@@ -12,6 +12,10 @@ navigation_title: LDAP
 
 # LDAP user authentication [ldap-realm]
 
+:::{{warning}}
+LDAP user authentication is not configurable on Elastic Cloud Hosted environment.
+:::
+
 You can configure the {{stack}} {{security-features}} to communicate with a Lightweight Directory Access Protocol (LDAP) server to authenticate users. See [Configuring an LDAP realm](../../../deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md#ldap-realm-configuration).
 
 To integrate with LDAP, you configure an `ldap` realm and map LDAP groups to user roles.
@@ -313,4 +317,4 @@ By default, when you configure {{es}} to connect to an LDAP server using SSL/TLS
 
 The LDAP security realm uses the {{kib}}-provided [basic authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md#basic-authentication) login form. Basic authentication is enabled by default.
 
-You can also use LDAP with [token authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md#token-authentication) in {{kib}}.
\ No newline at end of file
+You can also use LDAP with [token authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-authentication.md#token-authentication) in {{kib}}.

From 5b3bcfb4b36a82ee6451060402ba7188a88cc0d6 Mon Sep 17 00:00:00 2001
From: Kuni Sen <kuniyasu.sen@elastic.co>
Date: Mon, 28 Apr 2025 12:02:50 +0900
Subject: [PATCH 2/4] clarify some types of user authentication are not
 applicable on ECH

clarify some types of user authentication are not applicable on ECH
---
 .../cluster-or-deployment-auth/active-directory.md           | 5 +++++
 .../cluster-or-deployment-auth/external-authentication.md    | 4 ++++
 deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md | 2 +-
 deploy-manage/users-roles/cluster-or-deployment-auth/pki.md  | 4 ++++
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md b/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md
index f004e0894..cfb85da24 100644
--- a/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md
@@ -12,6 +12,11 @@ navigation_title: "Active Directory"
 
 # Active Directory user authentication [active-directory-realm]
 
+:::{{warning}}
+This type of user authentication cannot be configured on Elastic Cloud Hosted deployments.
+:::
+
+
 You can configure {{stack}} {{security-features}} to communicate with Active Directory to authenticate users.
 
 :::{{tip}}
diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md b/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md
index 4962efa7b..b7cb36a91 100644
--- a/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md
@@ -25,5 +25,9 @@ For many external realms, you need to perform extra steps to use the realm to lo
 
 {{es}} provides the following built-in external realms:
 
+:::{{note}}
+ldap, active_directory and pki user authentication cannot be configured on Elastic Cloud Hosted deployments.
+:::
+
 :::{include} ../_snippets/external-realms.md
 :::
\ No newline at end of file
diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md b/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md
index af80dc5dd..7482e6349 100644
--- a/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md
@@ -13,7 +13,7 @@ navigation_title: LDAP
 # LDAP user authentication [ldap-realm]
 
 :::{{warning}}
-LDAP user authentication is not configurable on Elastic Cloud Hosted environment.
+This type of user authentication cannot be configured on Elastic Cloud Hosted deployments.
 :::
 
 You can configure the {{stack}} {{security-features}} to communicate with a Lightweight Directory Access Protocol (LDAP) server to authenticate users. See [Configuring an LDAP realm](../../../deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md#ldap-realm-configuration).
diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md b/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
index dcde2f6a6..685b6b8be 100644
--- a/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
@@ -10,6 +10,10 @@ applies_to:
 
 # PKI [pki-realm]
 
+:::{{warning}}
+This type of user authentication cannot be configured on Elastic Cloud Hosted deployments.
+:::
+
 You can configure {{es}} to use Public Key Infrastructure (PKI) certificates to authenticate users. In this scenario, clients connecting directly to {{es}} must present X.509 certificates. First, the certificates must be accepted for authentication on the SSL/TLS layer on {{es}}. Then they are optionally further validated by a PKI realm. See [PKI authentication for clients connecting directly to {{es}}](#pki-realm-for-direct-clients).
 
 You can also use PKI certificates to authenticate to {{kib}}, however this requires some additional configuration. On {{es}}, this configuration enables {{kib}} to act as a proxy for SSL/TLS authentication and to submit the client certificates to {{es}} for further validation by a PKI realm. See [PKI authentication for clients connecting to {{kib}}](#pki-realm-for-proxied-clients).

From 8ba56a0d5d609ee14a513f45d0d8ab20be55775e Mon Sep 17 00:00:00 2001
From: Florent Le Borgne <florent.leborgne@elastic.co>
Date: Wed, 30 Apr 2025 09:58:43 +0200
Subject: [PATCH 3/4] Slight changes to follow documentation guidelines

---
 .../users-roles/_snippets/external-realms.md       | 14 +++++++-------
 .../external-authentication.md                     |  4 ----
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/deploy-manage/users-roles/_snippets/external-realms.md b/deploy-manage/users-roles/_snippets/external-realms.md
index ab1876a1e..6302563a4 100644
--- a/deploy-manage/users-roles/_snippets/external-realms.md
+++ b/deploy-manage/users-roles/_snippets/external-realms.md
@@ -1,20 +1,20 @@
 ldap
-:   Uses an external LDAP server to authenticate the users. This realm supports an authentication token in the form of username and password, and requires explicit configuration in order to be used. See [LDAP user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md).
+:   Uses an external LDAP server to authenticate the users. This realm supports an authentication token in the form of username and password, and requires explicit configuration in order to be used. LDAP is not available on {{ech}} deployments. For more information, refer to [LDAP user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md).
 
 active_directory
-:   Uses an external Active Directory Server to authenticate the users. With this realm, users are authenticated by usernames and passwords. See [Active Directory user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md).
+:   Uses an external Active Directory Server to authenticate the users. With this realm, users are authenticated by usernames and passwords. Active Directory is not available on {{ech}} deployments. For more information, refer to [Active Directory user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md).
 
 pki
-:   Authenticates users using Public Key Infrastructure (PKI). This realm works in conjunction with SSL/TLS and identifies the users through the Distinguished Name (DN) of the client’s X.509 certificates. See [PKI user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md).
+:   Authenticates users using Public Key Infrastructure (PKI). This realm works in conjunction with SSL/TLS and identifies the users through the Distinguished Name (DN) of the client’s X.509 certificates. PKI is not available on {{ech}} deployments. For more information, refer to [PKI user authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md).
 
 saml
-:   Facilitates authentication using the SAML 2.0 Web SSO protocol. This realm is designed to support authentication through {{kib}} and is not intended for use in the REST API. See [SAML authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md).
+:   Facilitates authentication using the SAML 2.0 Web SSO protocol. This realm is designed to support authentication through {{kib}} and is not intended for use in the REST API. For more information, refer to [SAML authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/saml.md).
 
 kerberos
-:   Authenticates a user using Kerberos authentication. Users are authenticated on the basis of Kerberos tickets. See [Kerberos authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kerberos.md).
+:   Authenticates a user using Kerberos authentication. Users are authenticated on the basis of Kerberos tickets. For more information, refer to [Kerberos authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/kerberos.md).
 
 oidc
-:   Facilitates authentication using OpenID Connect. It enables {{es}} to serve as an OpenID Connect Relying Party (RP) and provide single sign-on (SSO) support in {{kib}}. See [Configuring single sign-on to the {{stack}} using OpenID Connect](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md).
+:   Facilitates authentication using OpenID Connect. It enables {{es}} to serve as an OpenID Connect Relying Party (RP) and provide single sign-on (SSO) support in {{kib}}. For more information, refer to [Configuring single sign-on to the {{stack}} using OpenID Connect](/deploy-manage/users-roles/cluster-or-deployment-auth/openid-connect.md).
 
 jwt
-:   Facilitates using JWT identity tokens as authentication bearer tokens. Compatible tokens are OpenID Connect ID Tokens, or custom JWTs containing the same claims. See [JWT authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md).
\ No newline at end of file
+:   Facilitates using JWT identity tokens as authentication bearer tokens. Compatible tokens are OpenID Connect ID Tokens, or custom JWTs containing the same claims. For more information, refer to [JWT authentication](/deploy-manage/users-roles/cluster-or-deployment-auth/jwt.md).
\ No newline at end of file
diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md b/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md
index b7cb36a91..4962efa7b 100644
--- a/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/external-authentication.md
@@ -25,9 +25,5 @@ For many external realms, you need to perform extra steps to use the realm to lo
 
 {{es}} provides the following built-in external realms:
 
-:::{{note}}
-ldap, active_directory and pki user authentication cannot be configured on Elastic Cloud Hosted deployments.
-:::
-
 :::{include} ../_snippets/external-realms.md
 :::
\ No newline at end of file

From d292bfe14655089629796adaf0cd1301dc1d4957 Mon Sep 17 00:00:00 2001
From: florent-leborgne <florent.leborgne@elastic.co>
Date: Wed, 30 Apr 2025 10:01:17 +0200
Subject: [PATCH 4/4] Apply suggestions from code review

---
 .../users-roles/cluster-or-deployment-auth/active-directory.md  | 2 +-
 deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md    | 2 +-
 deploy-manage/users-roles/cluster-or-deployment-auth/pki.md     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md b/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md
index cfb85da24..a2bfafce3 100644
--- a/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md
@@ -13,7 +13,7 @@ navigation_title: "Active Directory"
 # Active Directory user authentication [active-directory-realm]
 
 :::{{warning}}
-This type of user authentication cannot be configured on Elastic Cloud Hosted deployments.
+This type of user authentication cannot be configured on {{ech}} deployments.
 :::
 
 
diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md b/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md
index 7482e6349..1756532c6 100644
--- a/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md
@@ -13,7 +13,7 @@ navigation_title: LDAP
 # LDAP user authentication [ldap-realm]
 
 :::{{warning}}
-This type of user authentication cannot be configured on Elastic Cloud Hosted deployments.
+This type of user authentication cannot be configured on {{ech}} deployments.
 :::
 
 You can configure the {{stack}} {{security-features}} to communicate with a Lightweight Directory Access Protocol (LDAP) server to authenticate users. See [Configuring an LDAP realm](../../../deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md#ldap-realm-configuration).
diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md b/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
index 685b6b8be..05372eabf 100644
--- a/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md
@@ -11,7 +11,7 @@ applies_to:
 # PKI [pki-realm]
 
 :::{{warning}}
-This type of user authentication cannot be configured on Elastic Cloud Hosted deployments.
+This type of user authentication cannot be configured on {{ech}} deployments.
 :::
 
 You can configure {{es}} to use Public Key Infrastructure (PKI) certificates to authenticate users. In this scenario, clients connecting directly to {{es}} must present X.509 certificates. First, the certificates must be accepted for authentication on the SSL/TLS layer on {{es}}. Then they are optionally further validated by a PKI realm. See [PKI authentication for clients connecting directly to {{es}}](#pki-realm-for-direct-clients).