diff --git a/doc/source/security/kubernetes/centralized-oidc-authentication-setup-for-distributed-cloud.rst b/doc/source/security/kubernetes/centralized-oidc-authentication-setup-for-distributed-cloud.rst
index d658003bb..2b227e8cc 100644
--- a/doc/source/security/kubernetes/centralized-oidc-authentication-setup-for-distributed-cloud.rst
+++ b/doc/source/security/kubernetes/centralized-oidc-authentication-setup-for-distributed-cloud.rst
@@ -68,11 +68,11 @@ For a centralized |OIDC| authentication setup, use the following procedure:
     each subcloud during bootstrapping, or by using the **system
     service-parameter-add kubernetes kube\_apiserver** command after
     bootstrapping the system, using the System Controller's floating OAM IP
-    address as the oidc\_issuer\_url for all clouds.
-    address as the oidc\_issuer\_url for all clouds.
+    address as the oidc-issuer-url for all clouds.
+    address as the oidc-issuer-url for all clouds.
 
     For example,
-    oidc\_issuer\_url=https://<central-cloud-floating-ip>:<oidc-auth-apps-dex
+    oidc-issuer-url=https://<central-cloud-floating-ip>:<oidc-auth-apps-dex
     -service-NodePort>/dex on the subcloud.
 
     For more information, see:
diff --git a/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system.rst b/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system.rst
index 2d218349c..36863434e 100644
--- a/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system.rst
+++ b/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system.rst
@@ -30,24 +30,24 @@ you can do so at any time using service parameters.
 
     .. code-block:: none
 
-        ~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver oidc_client_id=stx-oidc-client-app
+        ~(keystone_admin)]$ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app
 
 
-    -   oidc\_client\_id=<client>
+    -   oidc-client-id=<client>
 
         The value of this parameter may vary for different group
         configurations in your Windows Active Directory server.
 
-    -   oidc\_groups\_claim=<groups>
+    -   oidc-groups-claim=<groups>
 
-    -   oidc\_issuer\_url=https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex
+    -   oidc-issuer-url=https://<oam-floating-ip>:<oidc-auth-apps-dex-service-NodePort>/dex
 
         .. note::
             For IPv6 deployments, ensure that the IPv6 OAM floating address
             is, https://\[<oam-floating-ip>\]:30556/dex \(that is, in lower
             case, and wrapped in square brackets\).
 
-    -   oidc\_username\_claim=<email>
+    -   oidc-username-claim=<email>
 
         The values of this parameter may vary for different user
         configurations in your Windows Active Directory server.
@@ -58,10 +58,15 @@ you can do so at any time using service parameters.
 
     -   none of the parameters
 
-    -   oidc\_issuer\_url, oidc\_client\_id, and oidc\_username\_claim
+    -   oidc-issuer-url, oidc-client-id, and oidc-username-claim
 
-    -   oidc\_issuer\_url, oidc\_client\_id, oidc\_username\_claim, and oidc\_groups\_claim
+    -   oidc-issuer-url, oidc-client-id, oidc-username-claim, and oidc-groups-claim
 
+        .. note::
+            Historical service parameters for |OIDC| with underscores are still
+            accepted: oidc_client_id, oidc_issuer_url, oidc_username_claim and
+            oidc_groups_claim. These are equivalent to: oidc-client-id, oidc-issuer-url,
+            oidc-username-claim and oidc-groups-claim.
 
 #.  Apply the service parameters.
 
diff --git a/doc/source/security/kubernetes/deprovision-windows-active-directory-authentication.rst b/doc/source/security/kubernetes/deprovision-windows-active-directory-authentication.rst
index f0e30c599..3d2ffb02a 100644
--- a/doc/source/security/kubernetes/deprovision-windows-active-directory-authentication.rst
+++ b/doc/source/security/kubernetes/deprovision-windows-active-directory-authentication.rst
@@ -16,8 +16,8 @@ You can remove Windows Active Directory authentication from |prod-long|.
 
     #.  Determine the UUIDs of parameters used in the kubernetes **kube-apiserver** group.
 
-        These include oidc\_client\_id, oidc\_groups\_claim,
-        oidc\_issuer\_url and oidc\_username\_claim.
+        These include oidc-client-id, oidc-groups-claim,
+        oidc-issuer-url and oidc-username-claim.
 
         .. code-block:: none