Multi-SAML for SSO

Multi-SAML allows you to configure more than one SAML identity provider (IdP) for the same Coralogix scope. Each SAML configuration represents one SSO option that users can select during sign-in.

This capability supports enterprises with multiple identity domains, MSPs and MSSPs accessing multiple customer environments, and organizations migrating between identity providers.

Multi-SAML also enables staged rollout. You can configure and validate additional SAML providers before making them available to users, allowing controlled migration between identity providers without downtime.

For general SAML configuration and setup instructions, see SSO with SAML.

Common use cases

Multi-SAML is commonly used in the following scenarios:

Identity provider migration

Organizations migrating from one IdP to another (for example, Okta to Microsoft Entra ID) can run both configurations in parallel while users transition gradually.

Multiple identity domains

Large enterprises may operate multiple identity providers across business units, subsidiaries, or regions. Multi-SAML allows these identity domains to authenticate within the same team.

MSP and MSSP access

Managed service providers (MSPs) and managed security service providers (MSSPs) may need to access multiple customer environments using their own SSO configuration.

Who manages Multi-SAML

Multi-SAML configurations are typically managed by:

  • Team administrators responsible for SSO configuration
  • Team and organization admins managing authentication policies
  • Identity and security teams responsible for IdP integrations

Key capabilities

Multi-SAML provides several capabilities for managing SSO authentication:

  • Configure multiple SAML identity providers for the same team
  • Activate or deactivate individual SSO providers
  • Allow users to select their SSO provider during sign-in
  • Support staged identity provider migrations without downtime
  • Control whether IdP-initiated login is allowed for each configuration

How Multi-SAML works

At the team level, you can define multiple SAML configurations under the same team.

Each configuration:

  • Represents one IdP integration
  • Has its own metadata and settings
  • Can be set to Active or Inactive

Only active configurations appear as SSO options during sign-in.

Sign-in behavior

The sign-in experience depends on how many SAML configurations are active for the team:

  • If one SAML configuration is active, users can be redirected directly to that IdP after selecting Log in with SSO.
  • If multiple configurations are active, users must select which SSO configuration to use during sign-in.
  • If a configuration is deactivated, it is removed from the available SSO options.

Organization-level configurations

SAML configurations exist at two scopes:

  • Team configurations are created for a single team and available only within it. This page covers team-level Multi-SAML.
  • Organization configurations are defined once at the organization level and assigned to one or more teams, so several teams can share the same identity provider.

The two scopes coexist: organization configurations do not replace team configurations, and there is no precedence or override between them. A team's available SSO options are the combination of the organization configurations assigned to it and any team configurations created for it.

To set up and manage organization-level SAML, see Configure organization-level SAML SSO.

SSO sign-in flows

Coralogix supports both SP-initiated and IdP-initiated sign-in flows.

Start sign-in from Coralogix

  1. Navigate to the Coralogix sign-in page.
  2. Select your team (if prompted).
  3. Select Log in with SSO.
  4. If more than one SSO provider is active, select your SSO provider.
  5. Complete authentication in the selected IdP.

If only one SSO provider is active, users may be redirected directly to that provider.

IdP-initiated sign-in (optional)

IdP-initiated sign-in can be enabled or disabled for each SAML configuration. When enabled, users can start the login process directly from their identity provider application tile (for example, Okta or Microsoft Entra ID).

Disabling IdP-initiated login prevents unsolicited SAML assertions and requires users to start authentication from the Coralogix login page.

In this flow:

  • The IdP sends a SAML assertion directly to Coralogix.
  • Coralogix validates that the IdP is configured and authorized for the selected team.
  • Access is granted only if the configuration is active and valid.

Additional authentication protections, such as multi-factor authentication, can be configured to further protect user access.

Manage SAML configurations

Use the SAML Configuration page to:

  • Add new configurations
  • Edit existing configurations
  • Activate or deactivate configurations
  • Delete configurations
  • Test configurations

A configuration represents one IdP integration and controls whether that IdP is available for SSO sign-in.

Visibility on the configuration list

The configuration list provides operational visibility into your SSO setup.

Depending on your permissions and scope, you may see:

  • Status (Active or Inactive)
  • Last modified timestamp
  • Last activated timestamp
  • Never activated state (if applicable)

These fields help administrators understand the current state of SSO configurations. They do not replace centralized audit logs.

Activate and deactivate configurations

Activating a configuration does not affect other active configurations. Multiple configurations can be active at the same time, and all active configurations are available as SSO options during sign-in.

  • Activate makes the configuration available as an SSO option during sign-in.
  • Deactivate removes it from the available SSO options.

Users cannot log in using a configuration while it is inactive.

Delete configurations

Deleting a configuration removes it permanently and makes it unavailable for sign-in.

If a configuration is active, it must be deactivated before it can be deleted.

Recommended blocker message:

Note

You can’t delete an active configuration. Deactivate it first, then delete it.

Create a SAML configuration

Adding a configuration opens the Create SAML Provider wizard, a guided flow that validates your metadata and surfaces the Coralogix service provider values you need. For provider-specific instructions, see the dedicated SSO integration guides.

  1. Select Add SAML configuration to open the Create SAML Provider wizard.
  2. Provider details — enter a Display name users recognize at sign-in (for example, Okta - Production) and an optional Description.
  3. Coralogix service provider details — copy the Coralogix service provider values (metadata URL, ACS URL, entity ID, binding, and relay state) into your identity provider.
  4. Identity provider metadata — upload your IdP's metadata.xml file by dragging it in or selecting Upload XML.
  5. Default groups on first sign-in — select the default groups assigned to users on their first sign-in.

    Note

    Default groups determine the initial roles assigned to users when they first sign in through SSO. For more information, see Groups.

  6. Save the configuration, then activate it when ready.

What users see when signing in

When more than one SSO provider is active for a team:

  • Users see a provider selection step after selecting Log in with SSO.
  • Each option displays the configuration’s display name.
  • An optional description may help distinguish providers (for example, “For contractors” or “For corporate users”).

Users select the appropriate provider and complete authentication in that IdP.

When only one provider is active, the selection step may be skipped.

Errors and edge cases

No active SSO providers

If no SAML configurations are active, users cannot complete SSO sign-in.

Use clear guidance such as:

Note

SSO is not available for this team. Contact your admin or sign in with email and password.

Administrators can review and update user access from the Team Members page. To learn more, see Manage Team Members.

Provider deactivated after prior use

If a previously available configuration is deactivated:

  • Users must select another active provider (if available).
  • If none exist, SSO is not available.

Invalid metadata upload

If the uploaded file is not valid SAML metadata XML:

  • Prevent saving the configuration.
  • Prompt the admin to upload a valid metadata XML file.

IdP mismatch

If a user attempts to authenticate with an IdP that is not authorized for the selected team:

  • Block access.
  • Instruct the user to select a valid SSO provider for that team.
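
A simplified model of the checks described under IdP-initiated sign-in and IdP mismatch, added here as an illustration; it is not Coralogix's implementation. `SamlConfig`, `evaluate_response`, `make_response` and the entity IDs are hypothetical, and signature and condition validation are assumed to happen elsewhere. It uses the standard SAML `InResponseTo` attribute to tell an unsolicited (IdP-initiated) response from a solicited one.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

@dataclass
class SamlConfig:  # hypothetical record for one SAML configuration
    name: str
    idp_entity_id: str
    active: bool
    allow_idp_initiated: bool

def evaluate_response(response_xml, team_configs, pending_request_ids):
    """Return (allowed, reason). Signature and condition checks are assumed done elsewhere."""
    if "<!DOCTYPE" in response_xml:
        return False, "DTD present; refusing to parse"
    root = ET.fromstring(response_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    cfg = next((c for c in team_configs if c.idp_entity_id == issuer), None)
    if cfg is None:
        return False, "IdP mismatch: issuer is not configured for this team"
    if not cfg.active:
        return False, "configuration is inactive"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:  # unsolicited response, i.e. IdP-initiated
        if cfg.allow_idp_initiated:
            return True, "idp-initiated"
        return False, "IdP-initiated login is disabled for this configuration"
    if in_response_to not in pending_request_ids:
        return False, "InResponseTo does not match a request this SP issued"
    return True, "sp-initiated"

# Constructed sample data: three configurations for one team.
CONFIGS = [
    SamlConfig("Okta - Production", "https://okta.example.com/saml", True, False),
    SamlConfig("Entra ID", "https://entra.example.com/saml", True, True),
    SamlConfig("Legacy IdP", "https://legacy.example.com/saml", False, True),
]

def make_response(issuer, in_response_to=None):
    """Build a minimal, unsigned samlp:Response for the demo (constructed)."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' ID="_r1" Version="2.0"{attr}><saml:Issuer>{issuer}</saml:Issuer>'
            '</samlp:Response>')

if __name__ == "__main__":
    for issuer in [c.idp_entity_id for c in CONFIGS] + ["https://other.example.com"]:
        print(issuer, evaluate_response(make_response(issuer), CONFIGS, set()))
```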