Multi-SAML for SSO
Multi-SAML allows you to configure more than one SAML identity provider (IdP) for the same Coralogix scope. Each SAML configuration represents one SSO option that users can select during sign-in.
This capability supports enterprises with multiple identity domains, MSPs and MSSPs accessing multiple customer environments, and organizations migrating between identity providers.
Multi-SAML also enables staged rollout. You can configure and validate additional SAML providers before making them available to users, allowing controlled migration between identity providers without downtime.
For general SAML configuration and setup instructions, see SSO with SAML.
Common use cases
Multi-SAML is commonly used in the following scenarios:
Identity provider migration
Organizations migrating from one IdP to another (for example, Okta to Microsoft Entra ID) can run both configurations in parallel while users transition gradually.
Multiple identity domains
Large enterprises may operate multiple identity providers across business units, subsidiaries, or regions. Multi-SAML allows these identity domains to authenticate within the same team.
MSP and MSSP access
Managed service providers (MSPs) and managed security service providers (MSSPs) may need to access multiple customer environments using their own SSO configuration.
Who manages Multi-SAML
Multi-SAML configurations are typically managed by:
- Team administrators responsible for SSO configuration
- Team and organization admins managing authentication policies
- Identity and security teams responsible for IdP integrations
Key capabilities
Multi-SAML provides several capabilities for managing SSO authentication:
- Configure multiple SAML identity providers for the same team
- Activate or deactivate individual SSO providers
- Allow users to select their SSO provider during sign-in
- Support staged identity provider migrations without downtime
- Control whether IdP-initiated login is allowed for each configuration
How Multi-SAML works
At the team level, you can define multiple SAML configurations under the same team.
Each configuration:
- Represents one IdP integration
- Has its own metadata and settings
- Can be set to Active or Inactive
Only active configurations appear as SSO options during sign-in.
Sign-in behavior
Sign-in behavior depends on how many SAML configurations are active for the team:
- If one SAML configuration is active, users can be redirected directly to that IdP after selecting Log in with SSO.
- If multiple configurations are active, users must select which SSO configuration to use during sign-in.
- If a configuration is deactivated, it is removed from the available SSO options.
Organization-level configurations
SAML configurations exist at two scopes:
- Team configurations are created for a single team and available only within it. This page covers team-level Multi-SAML.
- Organization configurations are defined once at the organization level and assigned to one or more teams, so several teams can share the same identity provider.
The two scopes coexist: organization configurations do not replace team configurations, and there is no precedence or override between them. A team's available SSO options are the combination of the organization configurations assigned to it and any team configurations created for it.
To set up and manage organization-level SAML, see Configure organization-level SAML SSO.
SSO sign-in flows
Coralogix supports both SP-initiated and IdP-initiated sign-in flows.
Start sign-in from Coralogix
- Navigate to the Coralogix sign-in page.
- Select your team (if prompted).
- Select Log in with SSO.
- If more than one SSO provider is active, select your SSO provider.
- Complete authentication in the selected IdP.
If only one SSO provider is active, users may be redirected directly to that provider.
IdP-initiated sign-in (optional)
IdP-initiated sign-in can be enabled or disabled for each SAML configuration. When enabled, users can start the login process directly from their identity provider application tile (for example, Okta or Microsoft Entra ID).
Disabling IdP-initiated login prevents unsolicited SAML assertions and requires users to start authentication from the Coralogix login page.
In the IdP-initiated flow:
- The IdP sends a SAML assertion directly to Coralogix.
- Coralogix validates that the IdP is configured and authorized for the selected team.
- Access is granted only if the configuration is active and valid.
Additional authentication protections, such as multi-factor authentication, can be configured to further protect user access.
Manage SAML configurations
Use the SAML Configuration page to:
- Add new configurations
- Edit existing configurations
- Activate or deactivate configurations
- Delete configurations
- Test configurations
A configuration represents one IdP integration and controls whether that IdP is available for SSO sign-in.
Visibility on the configuration list
The configuration list provides operational visibility into your SSO setup.
Depending on your permissions and scope, you may see:
- Status (Active or Inactive)
- Last modified timestamp
- Last activated timestamp
- Never activated state (if applicable)
These fields help administrators understand the current state of SSO configurations. They do not replace centralized audit logs.
Activate and deactivate configurations
Activating a configuration does not affect other active configurations. Multiple configurations can be active at the same time, and all active configurations are available as SSO options during sign-in.
- Activate makes the configuration available as an SSO option during sign-in.
- Deactivate removes it from the available SSO options.
Users cannot log in using a configuration while it is inactive.
Delete configurations
Deleting a configuration removes it permanently and makes it unavailable for sign-in.
If a configuration is active, it must be deactivated before it can be deleted.
Recommended blocker message:
Note
You can’t delete an active configuration. Deactivate it first, then delete it.
Create a SAML configuration
Adding a configuration opens the Create SAML Provider wizard, a guided flow that validates your metadata and surfaces the Coralogix service provider values you need. For provider-specific instructions, see the dedicated SSO integration guides.
- Select Add SAML configuration to open the Create SAML Provider wizard.
- Provider details — enter a Display name users recognize at sign-in (for example, Okta - Production) and an optional Description.
- Coralogix service provider details — copy the Coralogix service provider values (metadata URL, ACS URL, entity ID, binding, and relay state) into your identity provider.
- Identity provider metadata — upload your IdP's metadata.xml file by dragging it in or selecting Upload XML.
- Default groups on first sign-in — select the default groups assigned to users on their first sign-in.
Note
Default groups determine the initial roles assigned to users when they first sign in through SSO. For more information, see Groups.
- Save the configuration, then activate it when ready.
What users see when signing in
When more than one SSO provider is active for a team:
- Users see a provider selection step after selecting Log in with SSO.
- Each option displays the configuration’s display name.
- An optional description may help distinguish providers (for example, “For contractors” or “For corporate users”).
Users select the appropriate provider and complete authentication in that IdP.
When only one provider is active, the selection step may be skipped.
Errors and edge cases
No active SSO providers
If no SAML configurations are active, users cannot complete SSO sign-in.
Use clear guidance such as:
Note
SSO is not available for this team. Contact your admin or sign in with email and password.
Administrators can review and update user access from the Team Members page. To learn more, see Manage Team Members.
Provider deactivated after prior use
If a previously available configuration is deactivated:
- Users must select another active provider (if available).
- If none exist, SSO is not available.
Invalid metadata upload
If the uploaded file is not valid SAML metadata XML:
- Prevent saving the configuration.
- Prompt the admin to upload a valid metadata XML file.
IdP mismatch
If a user attempts to authenticate with an IdP that is not authorized for the selected team:
- Block access.
- Instruct the user to select a valid SSO provider for that team.

