diff --git a/docs/reference/announcements-release-notes/850/850-release-notes.md b/docs/reference/announcements-release-notes/850/850-release-notes.md
index f611743cc74..de1d9daa194 100644
--- a/docs/reference/announcements-release-notes/850/850-release-notes.md
+++ b/docs/reference/announcements-release-notes/850/850-release-notes.md
@@ -40,7 +40,7 @@ Note that the actual values shown in this screenshot don't correspond to any act
-You can now use Role-Based Access Control (RBAC) with your own OIDC Identity provider (such as Entra ID) and Web Modeler without relying on Keycloak. [This extends RBAC and role mapping support](/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md#component-specific-configuration) that is available for other components to Web Modeler.
+You can now use Role-Based Access Control (RBAC) with your own OIDC Identity provider (such as Entra ID) and Web Modeler without relying on Keycloak. [This extends RBAC and role mapping support](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md#component-specific-configuration) that is available for other components to Web Modeler.
### Introductory UI header for processes page
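Review bot: the `+` line keeps the `#component-specific-configuration` fragment on the new target, but nothing in this patch shows that `configure-external-identity-provider.md` contains a heading with that id; the fragment only demonstrably existed on the page this patch deletes (its `### Component-specific configuration` section). Please confirm the heading survived the move, otherwise the link silently lands at the top of the new page and the 8.5 release-note reader loses the per-component redirect URI table it is pointing at.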
diff --git a/docs/reference/announcements-release-notes/870/870-announcements.md b/docs/reference/announcements-release-notes/870/870-announcements.md
index b67f8ac5d71..3e5b1d10e9d 100644
--- a/docs/reference/announcements-release-notes/870/870-announcements.md
+++ b/docs/reference/announcements-release-notes/870/870-announcements.md
@@ -64,7 +64,7 @@ With this version, we ship a breaking change to how Web Modeler **Deploy diagram
The following authentication methods for a [configured cluster in Web Modeler](/self-managed/components/modeler/web-modeler/configuration/configuration.md#clusters) are now being deprecated and will no longer be supported in version 8.8:
- `OAUTH`: This method was replaced by `BEARER_TOKEN`.
-- `CLIENT_CREDENTIALS`: This method was introduced as a temporary solution to support deployments from Web Modeler when using [Microsoft Entra ID or a generic OIDC provider](/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md).
+- `CLIENT_CREDENTIALS`: This method was introduced as a temporary solution to support deployments from Web Modeler when using [Microsoft Entra ID or a generic OIDC provider](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md).
It is marked for removal in 8.8 as the `BEARER_TOKEN` authentication will be supported for Entra ID and generic providers as well.
### Breaking changes in Camunda Process Test
diff --git a/docs/reference/announcements-release-notes/870/870-release-notes.md b/docs/reference/announcements-release-notes/870/870-release-notes.md
index b3efcddcbc1..be485e61bf8 100644
--- a/docs/reference/announcements-release-notes/870/870-release-notes.md
+++ b/docs/reference/announcements-release-notes/870/870-release-notes.md
@@ -596,7 +596,7 @@ The deployment experience is further simplified for Enterprise customers running
- You no longer need to enter a client ID and secret in the deploy modal. Instead, simply choose a cluster (or stage for process applications) and deploy.
:::note
-The simplified deployment experience is not supported when [Microsoft Entra ID is used as OIDC provider](/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md?authPlatform=microsoftEntraId#configuration).
+The simplified deployment experience is not supported when [Microsoft Entra ID is used as OIDC provider](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md?authPlatform=microsoftEntraId#configuration).
You still need to enter a client ID and secret in this case.
Support is targeted for [Camunda 8.8](../870-announcements/#deprecated-web-modeler-cluster-authentication-oauth-and-client_credentials-self-managed).
:::
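Review bot: the updated link carries `?authPlatform=microsoftEntraId#configuration`, a tab-selection query parameter plus a heading anchor that were both tied to the deleted page (it imported `Tabs`/`TabItem` and had a `## Configuration` heading). Verify that the replacement page uses the same query-string key and value for its Entra ID tab and still has a `Configuration` heading; if either differs, the link opens the default (generic OIDC) tab, which is the wrong guidance for the Entra ID limitation this note describes.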
diff --git a/docs/self-managed/components/console/configuration/configuration.md b/docs/self-managed/components/console/configuration/configuration.md
index 63edba02463..ec95a58131a 100644
--- a/docs/self-managed/components/console/configuration/configuration.md
+++ b/docs/self-managed/components/console/configuration/configuration.md
@@ -211,7 +211,7 @@ console:
## Using a different OpenID Connect (OIDC) authentication provider than Keycloak
By default, Console uses Keycloak to provide authentication.
-You can use a different OIDC provider by following the steps described in the [OIDC connection guide](/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md).
+You can use a different OIDC provider by following the steps described in the [OIDC connection guide](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md).
## Monitoring
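Review bot: the link text on the `+` line still reads "OIDC connection guide" while the target is now `configure-external-identity-provider.md` under Management Identity; consider aligning the link text with the new page title so readers are not surprised by the landing page. The same wording is repeated in the Web Modeler `identity.md` hunk below, so both should be changed together if you take this.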
diff --git a/docs/self-managed/components/modeler/web-modeler/configuration/identity.md b/docs/self-managed/components/modeler/web-modeler/configuration/identity.md
index 042a5bc869f..44376d1e6a3 100644
--- a/docs/self-managed/components/modeler/web-modeler/configuration/identity.md
+++ b/docs/self-managed/components/modeler/web-modeler/configuration/identity.md
@@ -7,4 +7,4 @@ description: "Read details on how to connect Web Modeler to a custom OIDC provid
## Using a different OpenID Connect (OIDC) authentication provider than Keycloak
By default, Web Modeler uses Keycloak for providing authentication.
-You can use a different OIDC provider by following the steps described in the [OIDC connection guide](/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md).
+You can use a different OIDC provider by following the steps described in the [OIDC connection guide](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md).
diff --git a/docs/self-managed/components/orchestration-cluster/operate/operate-authentication.md b/docs/self-managed/components/orchestration-cluster/operate/operate-authentication.md
index 61d3231cd49..a1b8d62f0e4 100644
--- a/docs/self-managed/components/orchestration-cluster/operate/operate-authentication.md
+++ b/docs/self-managed/components/orchestration-cluster/operate/operate-authentication.md
@@ -152,7 +152,7 @@ export SPRING_PROFILES_ACTIVE=identity-auth
Identity requires the following parameters:
:::danger
-These configuration variables are deprecated. To connect using the updated values, see [connecting to an OpenID Connect provider](/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md).
+These configuration variables are deprecated. To connect using the updated values, see [connecting to an OpenID Connect provider](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md).
:::
| Property name | Description | Example value |
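Review bot: the `:::danger` admonition tells readers these configuration variables are deprecated and then links to the new page without an anchor, so readers arrive at the top of the Management Identity configuration page with no hint which section lists the replacement values. Suggest linking to the specific section (or naming it in the sentence) so the mapping from the deprecated table below to the current properties is discoverable; the identical admonition in the Tasklist hunk that follows has the same gap.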
diff --git a/docs/self-managed/components/orchestration-cluster/tasklist/tasklist-authentication.md b/docs/self-managed/components/orchestration-cluster/tasklist/tasklist-authentication.md
index 7aa6f19e4e0..d43f12ff89f 100644
--- a/docs/self-managed/components/orchestration-cluster/tasklist/tasklist-authentication.md
+++ b/docs/self-managed/components/orchestration-cluster/tasklist/tasklist-authentication.md
@@ -81,7 +81,7 @@ export SPRING_PROFILES_ACTIVE=identity-auth
## Configure Identity
:::danger
-These configuration variables are deprecated. To connect using the updated values, see [Connecting to an OpenID Connect provider](/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md).
+These configuration variables are deprecated. To connect using the updated values, see [Connecting to an OpenID Connect provider](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md).
:::
Identity requires the following parameters:
diff --git a/docs/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md b/docs/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md
deleted file mode 100644
index eb566d3fba4..00000000000
--- a/docs/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md
+++ /dev/null
@@ -1,273 +0,0 @@
----
-id: connect-to-an-oidc-provider
-sidebar_label: Setup OpenID Connect provider
-title: Helm chart OpenID Connect provider setup
-description: "To enable a smoother integration with your existing systems, connect to an OpenID Connect provider"
----
-
-import Tabs from "@theme/Tabs";
-import TabItem from "@theme/TabItem";
-
-To enable a smoother integration with your existing systems, Camunda supports connecting to an OpenID Connect (OIDC) authentication provider. To connect to a Keycloak authentication provider, see our guide on [using an existing Keycloak](/self-managed/installation-methods/helm/configure/using-existing-keycloak.md).
-
-In this guide, we step through the configuration required to connect Camunda to your authentication provider.
-
-## Prerequisites
-
-- Information about your OIDC provider's configuration, including the issuer URL.
-- Ability to create applications in your OIDC provider.
-- Ability to access the following information about the applications you have created in your OIDC provider:
- - Client ID
- - Client secrets
- - Audience
-- A [claim name and value](/self-managed/components/management-identity/miscellaneous/configuration-variables.md#oidc-configuration) to use for initial access.
-
-:::note
-The steps below are a general approach for the Camunda components; it is important you reference the [component-specific
-configuration](#component-specific-configuration) to ensure the components are configured correctly.
-:::
-
-## Configuration
-
-
-
-
-Steps
-
-1. In your OIDC provider, create an application for each of the components you want to connect. The expected redirect URI of the component you are configuring an app for can be found in [component-specific configuration](#component-specific-configuration).
- :::note
- Redirect URIs serve as an approved list of destinations across identity providers. Only the URLs specified in the redirect URIs configuration will be permitted as valid redirection targets for authentication responses. This security measure ensures that tokens and authorization codes are only sent to pre-approved locations, preventing potential unauthorized access or token theft.
- :::
-2. For all Components, ensure the appropriate application type is used:
- - **Operate, Tasklist, Optimize, Identity, Web Modeler API:** Web applications requiring confidential access/a confidential client
- - **Console, Web Modeler UI:** Single-page applications requiring public access/a public client
-3. Make a note of the following values for each application you create:
- - Client ID
- - Client secret
- - Audience
-4. Set the following environment variables or Helm values for the component you are configuring an app for:
-
-:::note
-You can connect to your OIDC provider through either environment variables or Helm values. Ensure only one configuration option is used.
-:::
-
-
-
-
-```
- CAMUNDA_IDENTITY_TYPE=GENERIC
- CAMUNDA_IDENTITY_BASE_URL=
- CAMUNDA_IDENTITY_ISSUER=
- CAMUNDA_IDENTITY_ISSUER_BACKEND_URL= // this is used for container to container communication
- CAMUNDA_IDENTITY_CLIENT_ID=
- CAMUNDA_IDENTITY_CLIENT_SECRET=
- CAMUNDA_IDENTITY_AUDIENCE=
- IDENTITY_INITIAL_CLAIM_NAME=
- IDENTITY_INITIAL_CLAIM_VALUE=
- SPRING_PROFILES_ACTIVE=oidc
-```
-
-
-
-
-```yaml
-global:
- identity:
- auth:
- issuer:
- # this is used for container to container communication
- issuerBackendUrl:
- tokenUrl:
- jwksUrl:
- type: "GENERIC"
- identity:
- clientId:
- existingSecret:
- audience:
- initialClaimName:
- initialClaimValue:
- operate:
- clientId:
- audience:
- existingSecret:
- tasklist:
- clientId:
- audience:
- existingSecret:
- optimize:
- clientId:
- audience:
- existingSecret:
- zeebe:
- clientId:
- audience:
- existingSecret:
- webModeler:
- clientId:
- clientApiAudience:
- publicApiAudience:
- console:
- clientId:
- audience:
-```
-
-You can also [store the client secrets in a Kubernetes secret](/self-managed/installation-methods/helm/install.md#create-identity-secrets) and reference this in the Helm values.
-
-
-
-
-:::note
-Once set, you cannot update your initial claim name and value using environment or Helm values. You must change these values directly in the database.
-:::
-
-Additional considerations
-
-For authentication, the Camunda components use the scopes `email`, `openid`, `offline_access`, and `profile`.
-
-
-
-
-Steps
-
-:::note
-Ensure you register a new application for each component.
-:::
-
-1. Within the Entra ID admin center, [register a new application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) for **each** component you would like to connect. Web Modeler requires two applications: one for the UI, and one for the API.
-2. Navigate to the new application's **Overview** page, and make note of the **Client ID**. This will also be used as the audience ID.
-3. Within your new application, [configure a platform](https://learn.microsoft.com/en-gb/entra/identity-platform/quickstart-register-app#configure-platform-settings) for the appropriate component:
- - **Web**: Operate, Tasklist, Optimize, Identity, Web Modeler API
- - **Single-page application**: Console, Web Modeler UI
-4. Add your component's **Microsoft Entra ID** redirect URI, found under [Component-specific configuration](#component-specific-configuration).
- :::note
- Redirect URIs serve as an approved list of destinations across identity providers. Only the URLs specified in the redirect URIs configuration will be permitted as valid redirection targets for authentication responses. This security measure ensures that tokens and authorization codes are only sent to pre-approved locations, preventing potential unauthorized access or token theft.
- :::
-5. [Create a new client secret](https://learn.microsoft.com/en-gb/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials), and note the new secret's value for later use. The secret ID is not needed, only the secret value is required.
-6. Set the following environment variables or Helm values for the component you are configuring an app for:
-
-:::note
-You can connect to your OIDC provider through either environment variables or Helm values. Ensure only one configuration option is used.
-:::
-
-
-
-
-```
- CAMUNDA_IDENTITY_TYPE=MICROSOFT
- CAMUNDA_IDENTITY_BASE_URL=
- CAMUNDA_IDENTITY_ISSUER=https://login.microsoftonline.com//v2.0
- CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=https://login.microsoftonline.com//v2.0
- CAMUNDA_IDENTITY_CLIENT_ID=
- CAMUNDA_IDENTITY_CLIENT_SECRET=
- CAMUNDA_IDENTITY_AUDIENCE=
- IDENTITY_INITIAL_CLAIM_NAME=
- IDENTITY_INITIAL_CLAIM_VALUE=
- SPRING_PROFILES_ACTIVE=oidc
-```
-
-
-
-
-```yaml
-global:
- identity:
- auth:
- issuer: https://login.microsoftonline.com//v2.0
- # this is used for container to container communication
- issuerBackendUrl: https://login.microsoftonline.com//v2.0
- tokenUrl: https://login.microsoftonline.com//oauth2/v2.0/token
- jwksUrl: https://login.microsoftonline.com//discovery/v2.0/keys
- type: "MICROSOFT"
- publicIssuerUrl: https://login.microsoftonline.com//v2.0
- identity:
- clientId:
- existingSecret:
- audience:
- # This is the object ID of the first user. A role mapping in Identity will automatically be generated for this user.
- initialClaimValue:
- redirectUrl:
- operate:
- clientId:
- audience:
- existingSecret:
- redirectUrl:
- tasklist:
- clientId:
- audience:
- existingSecret:
- redirectUrl:
- optimize:
- clientId:
- audience:
- existingSecret:
- redirectUrl:
- zeebe:
- clientId:
- audience:
- existingSecret:
- tokenScope: "/.default"
- webModeler:
- clientId:
- clientApiAudience:
- publicApiAudience:
- redirectUrl:
- console:
- clientId:
- audience:
- redirectUrl:
- wellKnown:
- connectors:
- clientId:
- existingSecret:
-```
-
-
-
-
-:::danger
-Once set, your initial claim name and value cannot be updated using environment or Helm values, and must be changed directly in the database.
-:::
-
-Additional considerations
-
-Due to technical limitations regarding [third party content](https://openid.net/specs/openid-connect-frontchannel-1_0.html#ThirdPartyContent),
-front channel single sign out is not supported. This means that when a user logs out of one component, they will not be logged out of the other components.
-
-For authentication, the Camunda components use the scopes `email`, `openid`, `offline_access`, `profile`,
-and `/.default`. To ensure your users are able to successfully authenticate with Entra ID, you must
-ensure that either there is
-an [admin consent flow configured](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow)
-or grant consent on behalf of your users using
-the [admin consent](https://learn.microsoft.com/en-gb/entra/identity/enterprise-apps/user-admin-consent-overview#admin-consent)
-process.
-
-The client should be configured to support `grant_type`:
-
-- To **create** an M2M token, the `client_credentials` grant type is required. The response contains an access token.
-- To **renew** a token using a refresh token, the `refresh_token` grant type is required.
-- To **create** a token via authorization flow, the `authorization_code` grant type is required. The response contains both access and refresh tokens.
-
-To successfully authenticate with Entra ID, you should use the `v2.0` API. This means that
-the `CAMUNDA_IDENTITY_ISSUER_BACKEND_URL` value should end with `/v2.0`.
-
-Follow the [Microsoft Entra instructions](https://learn.microsoft.com/en-us/entra/identity-platform/reference-microsoft-graph-app-manifest#configure-the-app-manifest-in-the-microsoft-entra-admin-center) to configure the app manifest, and set the [requestedAccessTokenVersion](https://learn.microsoft.com/en-us/entra/identity-platform/reference-microsoft-graph-app-manifest#api-attribute) under `Api:` to `2`:
-
-```json
- "requestedAccessTokenVersion": 2,
-```
-
-
-
-
-### Component-specific configuration
-
-| Component | Redirect URI | Notes/Limitations |
-| ----------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Identity | **Microsoft Entra ID:**
`https:///auth/login-callback`
**Helm:**
`https://` | |
-| Operate | **Microsoft Entra ID:**
`https:///identity-callback`
**Helm:**
`https://` | |
-| Optimize | **Microsoft Entra ID:**
`https:///api/authentication/callback`
**Helm:**
`https://` | There is a fallback if you use the existing ENV vars to configure your authentication provider, if you use a custom `yaml`, you need to update your properties to match the new values in this guide.
When using an OIDC provider, the following Optimize features are not currently available:
- The user permissions tab in collections
- The `Alerts` tab in collections
- Digests
- Accessible user names for Owners of resources (the `sub` claim value is displayed instead). |
-| Tasklist | **Microsoft Entra ID:**
`https:///identity-callback`
**Helm:**
`https://` | |
-| Web Modeler | **Microsoft Entra ID:**
`https:///login-callback`
**Helm:**
`https://` | Web Modeler requires two clients: one for the UI, and one for the API.
Required configuration variables for webapp:
`OAUTH2_CLIENT_ID=[ui-client-id]`
`OAUTH2_JWKS_URL=[provider-jwks-url]`
`OAUTH2_TOKEN_AUDIENCE=[ui-audience]`
`OAUTH2_TOKEN_ISSUER=[provider-issuer]`
`OAUTH2_TYPE=[provider-type]`
Required configuration variables for restapi:
`CAMUNDA_IDENTITY_BASEURL=[identity-base-url]`
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_INTERNAL_API=[ui-audience]`
`CAMUNDA_MODELER_SECURITY_JWT_AUDIENCE_PUBLIC_API=[api-audience]`
`SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=[provider-issuer]` |
-| Console | **Microsoft Entra ID:**
`https://`
**Helm:**
`https://` | |
-| Zeebe | no redirect URI | Instead, include `tokenScope:" /.default "`. This refers to the Helm value `global.identity.auth.zeebe.tokenScope`, which should be set to the displayed value. |
-| Connectors | | Connectors act as a client in the OIDC flow.
For outbound-only mode (when `CAMUNDA_CONNECTOR_POLLING_ENABLED` is `false`), only Zeebe client properties are required:
`ZEEBE_CLIENT_ID=[client-id]`
`ZEEBE_CLIENT_SECRET=[client-secret]`
`ZEEBE_AUTHORIZATION_SERVER_URL=[provider-issuer]`
`ZEEBE_TOKEN_AUDIENCE=[Zeebe audience]`
`ZEEBE_TOKEN_SCOPE=[Zeebe scope]` (optional)
For inbound mode, Operate client properties are required:
`CAMUNDA_IDENTITY_TYPE=[provider-type]`
`CAMUNDA_IDENTITY_AUDIENCE=[Operate audience]`
`CAMUNDA_IDENTITY_CLIENT_ID=[client-id]`
`CAMUNDA_IDENTITY_CLIENT_SECRET=[client-secret]`
`CAMUNDA_IDENTITY_ISSUER_BACKEND_URL=[provider-issuer]` |
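Review bot: this hunk deletes the `connect-to-an-oidc-provider` page outright, but the patch adds no redirect from the old path to `configure-external-identity-provider.md`; the old slug is linked from the 8.5 and 8.7 release notes and the 8.3-to-8.4 upgrade guide (all rewritten in this patch), and those URLs are also the ones in external bookmarks and search results, so please add a client-side redirect for the old path in the site's redirect configuration rather than letting it 404. Two further things to confirm, since the replacement page is not part of this diff: first, the frontmatter `id: connect-to-an-oidc-provider` may still be referenced from the sidebar definition, which would break the build; second, the deleted page carried security-relevant guidance that should be present on the new page before this merges, namely the redirect URI allowlist note (only pre-registered URIs receive authorization codes and tokens), the confidential-versus-public client split per component, the scopes list (`email`, `openid`, `offline_access`, `profile`, and `/.default` for Entra ID), the required grant types (`client_credentials`, `refresh_token`, `authorization_code`), the `v2.0` issuer and `"requestedAccessTokenVersion": 2` manifest requirement for Entra ID, the Zeebe `tokenScope` setting, the note that the initial claim name and value cannot be changed via environment or Helm values once set, and the Connectors outbound-only versus inbound credential sets. If any of that is not on the new page, the move drops it.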
diff --git a/docs/self-managed/installation-methods/helm/upgrade/helm-830-840.md b/docs/self-managed/installation-methods/helm/upgrade/helm-830-840.md
index df69abc7a6f..186a9c79105 100644
--- a/docs/self-managed/installation-methods/helm/upgrade/helm-830-840.md
+++ b/docs/self-managed/installation-methods/helm/upgrade/helm-830-840.md
@@ -83,7 +83,7 @@ Cross-components Keycloak-specific configurations has been replaced for a more g
Accordingly, some unused environment variables have been removed from Web Modeler because of the implementation of custom OIDC support. The naming has also been adjusted to use the newer scheme.
-For more details, check [Connect to an OpenID Connect provider](/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md).
+For more details, check [Connect to an OpenID Connect provider](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md).
#### Keycloak
diff --git a/docs/self-managed/reference-architecture/reference-architecture.md b/docs/self-managed/reference-architecture/reference-architecture.md
index b808ba0b4c3..81dbda57ae4 100644
--- a/docs/self-managed/reference-architecture/reference-architecture.md
+++ b/docs/self-managed/reference-architecture/reference-architecture.md
@@ -72,7 +72,7 @@ Additionally, Web Modeler and Console require the following:
Unlike the Orchestration Cluster, Web Modeler and Console run a separate and dedicated Management Identity deployment. This is not the same as the embedded Identity in the Orchestration Cluster. Optimize also relies on Management Identity and will not function without it. It is not compatible with the embedded Orchestration Cluster Identity.
-For production environments, using an external [identity provider](/self-managed/installation-methods/helm/configure/connect-to-an-oidc-provider.md) is recommended to connect the two environments.
+For production environments, using an external [identity provider](/self-managed/components/management-identity/configuration/configure-external-identity-provider.md) is recommended to connect the two environments.
### Databases