Expand Up @@ -47,7 +47,6 @@ To learn more about the features that are supported by {{ecloud}}, check [{{eclo
* File and LDAP realms cannot be used. The Native realm is enabled, but the realm configuration itself is fixed in {{ecloud}}. Alternatively, authentication protocols such as SAML, OpenID Connect, or Kerberos can be used.
* Client certificates, such as PKI certificates, are not supported.
* IPv6 is not supported.
* Additional limitations apply when using SAML SSO at the organization level. Refer to [Configure {{ecloud}} SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md#ec_risks_and_considerations) for more information.


## APIs [ec-restrictions-apis]
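Review bot: deleting the whole bullet removes the only pointer from the {{ecloud}} restrictions list to the organization-level SAML SSO considerations, even though the target section and its `ec_risks_and_considerations` anchor are kept in the second file, so the existing link would not have broken. If the intent is only that the domain cap is no longer framed as a "limitation", keep a bullet with neutral wording, for example `* Additional considerations apply when using SAML SSO at the organization level. Refer to [Configure {{ecloud}} SAML single sign-on](/deploy-manage/users-roles/cloud-organization/configure-saml-authentication.md#ec_risks_and_considerations) for more information.`, so readers of the restrictions page are still directed to the session-revocation and domain-scope caveats that section describes.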
Expand Up @@ -45,11 +45,11 @@
* You must have a SAML 2.0 compatible identity provider.


## Limitations, risks, and considerations [ec_risks_and_considerations]
## Risks and considerations [ec_risks_and_considerations]

Before you configure SAML SSO, familiarize yourself with the following limitations, risks, and considerations:
Before you configure SAML SSO, familiarize yourself with the following risks and considerations:

* You can claim a maximum of 10 domains for your organization, including subdomains.
* You can claim up to 10 domains. Claiming a domain also enables SSO for all of its subdomains.

* Actions taken on the IdP are not automatically reflected in {{ecloud}}. For example, if you remove a user from your IdP, they are not removed from the {{ecloud}} organization and their active sessions are not invalidated.

To immediately revoke a user’s active sessions, an [Organization owner](/deploy-manage/users-roles/cloud-organization/user-roles.md#ec_organization_level_roles) must [remove the user from the {{ecloud}} organization](https://cloud.elastic.co/account/members) or remove their assigned roles.
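Review bot: the rewritten bullet on the "up to 10 domains" line changes the meaning, not only the count: it now states that claiming a domain enables SSO for every subdomain, which widens the set of email addresses routed to the IdP and so is itself a consideration for a list headed "Risks and considerations", not just a capacity note. Suggest making the consequence explicit in the bullet, for example `* You can claim up to 10 domains. Claiming a domain also enables SSO for all its subdomains, so users with email addresses at any subdomain of a claimed domain can authenticate through your IdP.` Minor: "all of its" reads tighter as "all its".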
Expand All @@ -73,7 +73,9 @@

Before you can register and use your IdP with {{ecloud}}, you must claim one or more domains. Only users that have email addresses that match claimed domains can authenticate with your IdP.

If the members of your {{ecloud}} organization have email addresses from multiple domains, you can claim multiple domains. You can claim up to 10 domains, including subdomains.
You can claim up to 10 domains. Claiming a domain also enables SSO for all of its subdomains.


For example, if you claim `example.com`, users with email addresses like `user@team.example.com` or `user@dev.team.example.com` can authenticate through your IdP. You don't need to claim subdomains separately, and they don't count toward the 10-domain limit.

You must have authority to modify your domain’s DNS records and be a member of the **Organization owner** role in {{ecloud}} to complete this step.
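Review bot: the example paragraph says subdomains need not be claimed separately, and the following paragraph says completing the claim requires authority over the domain's DNS records; taken together, a subdomain inherits the parent's claim without any DNS check of its own, and the text should say so explicitly so that organizations whose subdomains are delegated or operated by another team understand that claiming the apex covers those addresses too. Also, the first sentence of the rewritten paragraph repeats the new bullet in the Risks and considerations section word for word; linking to that section, or keeping a single copy, avoids the two drifting apart in later edits.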
