
Multi-SAML for SSO

Multi-SAML allows you to configure more than one SAML identity provider (IdP) for the same Coralogix scope. Each SAML configuration represents one SSO option that users can select during sign-in.

This capability supports enterprises with multiple identity domains, MSPs and MSSPs accessing multiple customer environments, and organizations migrating between identity providers.

Multi-SAML also enables staged rollout. You can configure and validate additional SAML providers before making them available to users, allowing controlled migration between identity providers without downtime.

For general SAML configuration and setup instructions, see SSO with SAML.

Common use cases

Multi-SAML is commonly used in the following scenarios:

Identity provider migration

Organizations migrating from one IdP to another (for example, Okta to Microsoft Entra ID) can run both configurations in parallel while users transition gradually.

Multiple identity domains

Large enterprises may operate multiple identity providers across business units, subsidiaries, or regions. Multi-SAML allows these identity domains to authenticate within the same team.

MSP and MSSP access

Managed service providers (MSPs) and managed security service providers (MSSPs) may need to access multiple customer environments using their own SSO configuration.

Who manages Multi-SAML

Multi-SAML configurations are typically managed by:

  • Team administrators responsible for SSO configuration
  • Team and organization admins managing authentication policies
  • Identity and security teams responsible for IdP integrations

Key capabilities

Multi-SAML provides several capabilities for managing SSO authentication:

  • Configure multiple SAML identity providers for the same team
  • Activate or deactivate individual SSO providers
  • Allow users to select their SSO provider during sign-in
  • Support staged identity provider migrations without downtime
  • Control whether IdP-initiated login is allowed for each configuration

How Multi-SAML works

At the team level, you can define multiple SAML configurations under the same team.

Each configuration:

  • Represents one IdP integration
  • Has its own metadata and settings
  • Can be set to Active or Inactive

Only active configurations appear as SSO options during sign-in.

Sign-in behavior

If multiple SAML configurations are active for a team, users must select the SSO provider they use to sign in.

  • If one SAML configuration is active, users can be redirected directly to that IdP after selecting Log in with SSO.
  • If multiple configurations are active, users must select which SSO configuration to use during sign-in.
  • If a configuration is deactivated, it is removed from the available SSO options.

SSO sign-in flows

Coralogix supports both SP-initiated and IdP-initiated sign-in flows.

Start sign-in from Coralogix

  1. Navigate to the Coralogix sign-in page.
  2. Select your team (if prompted).
  3. Select Log in with SSO.
  4. If more than one SSO provider is active, select your SSO provider.
  5. Complete authentication in the selected IdP.

If only one SSO provider is active, users may be redirected directly to that provider.

IdP-initiated sign-in (optional)

IdP-initiated sign-in can be enabled or disabled for each SAML configuration. When enabled, users can start the login process directly from their identity provider application tile (for example, Okta or Azure).

Disabling IdP-initiated login prevents unsolicited SAML assertions and requires users to start authentication from the Coralogix login page.

In this flow:

  • The IdP sends a SAML assertion directly to Coralogix.
  • Coralogix validates that the IdP is configured and authorized for the selected team.
  • Access is granted only if the configuration is active and valid.

Additional authentication protections, such as multi-factor authentication, can be configured to further protect user access.

Manage SAML configurations

Use the SAML Configuration page to:

  • Add new configurations
  • Edit existing configurations
  • Activate or deactivate configurations
  • Delete configurations
  • Test configurations

A configuration represents one IdP integration and controls whether that IdP is available for SSO sign-in.

Visibility on the configuration list

The configuration list provides operational visibility into your SSO setup.

Depending on your permissions and scope, you may see:

  • Status (Active or Inactive)
  • Last modified timestamp
  • Modified by (user who last changed the configuration)
  • Last activated timestamp
  • Never activated state (if applicable)

These fields help administrators understand the current state of SSO configurations. They do not replace centralized audit logs.

Activate and deactivate configurations

Activating a configuration does not affect other active configurations. Multiple configurations can be active at the same time, and all active configurations are available as SSO options during sign-in.

  • Activate makes the configuration available as an SSO option during sign-in.
  • Deactivate removes it from the available SSO options.

Users cannot log in using a configuration while it is inactive.

Delete configurations

Deleting a configuration removes it permanently and makes it unavailable for sign-in.

If a configuration is active, it must be deactivated before it can be deleted.

Recommended blocker message:

Note

You can’t delete an active configuration. Deactivate it first, then delete it.

Create a SAML configuration

Use this checklist to configure a new IdP. For provider-specific instructions, refer to the dedicated SSO integration guides.

Configuration is guided through a structured, multi-step flow that validates metadata and presents required service provider details in a clear format.

  1. Add a new SAML configuration.
  2. Enter a Display name that users will recognize during sign-in (for example, Okta - Production).
  3. Upload the IdP metadata.xml file.
  4. Review the Coralogix service provider details and copy the required values into your IdP configuration.
  5. Select default groups for first sign-in.

Note

Default groups determine the initial roles assigned to users when they first sign in through SSO. For more information, see Groups.

  6. Save the configuration.
  7. Activate the configuration when ready.

What users see when signing in

When more than one SSO provider is active for a team:

  • Users see a provider selection step after selecting Log in with SSO.
  • Each option displays the configuration’s display name.
  • An optional description may help distinguish providers (for example, “For contractors” or “For corporate users”).

Users select the appropriate provider and complete authentication in that IdP.

When only one provider is active, the selection step may be skipped.

Errors and edge cases

No active SSO providers

If no SAML configurations are active, users cannot complete SSO sign-in.

Use clear guidance such as:

Note

SSO is not available for this team. Contact your admin or sign in with email and password.

Administrators can review and update user access from the Team Members page. To learn more, see Manage Team Members.

Provider deactivated after prior use

If a previously available configuration is deactivated:

  • Users must select another active provider (if available).
  • If none exist, SSO is not available.

Invalid metadata upload

If the uploaded file is not valid SAML metadata XML:

  • Prevent saving the configuration.
  • Prompt the admin to upload a valid metadata XML file.

IdP mismatch

If a user attempts to authenticate with an IdP that is not authorized for the selected team:

  • Block access.
  • Instruct the user to select a valid SSO provider for that team.
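
The IdP-initiated sign-in checks and the IdP mismatch rule described above, modeled as a service-provider-side gate in an added example (not Coralogix code). The record fields, function names and sample values are assumptions; the gate relies on the SAML convention that an unsolicited response carries no InResponseTo attribute, and it goes slightly beyond the page by also tying each response to the IdP its request was sent to.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def gate_response(xml_bytes, team_configs, pending):
    """Policy gate for one team; returns (allowed, reason).

    team_configs: hypothetical records {entity_id, active, allow_idp_initiated}.
    pending: {AuthnRequest ID: entity_id it was sent to} for requests this SP issued.
    Signature, audience and validity-window checks are still required and not shown.
    """
    if b"<!DOCTYPE" in xml_bytes:
        return False, "DTD not allowed in a SAML response"
    root = ET.fromstring(xml_bytes)
    issuer = (root.findtext("saml:Issuer", namespaces=NS)
              or root.findtext("saml:Assertion/saml:Issuer", "", NS)).strip()
    cfg = next((c for c in team_configs if c["entity_id"] == issuer), None)
    if cfg is None:
        return False, "issuer is not configured for this team"
    if not cfg["active"]:
        return False, "configuration is inactive"
    request_id = root.get("InResponseTo")
    if request_id is None:  # no InResponseTo: unsolicited, i.e. IdP-initiated
        if cfg["allow_idp_initiated"]:
            return True, "IdP-initiated login allowed"
        return False, "IdP-initiated login is disabled for this configuration"
    if pending.pop(request_id, None) != issuer:  # pop: a request ID is single-use
        return False, "response does not match a request sent to this IdP"
    return True, "SP-initiated login"

def sample_response(issuer, in_response_to=None):
    """Build a constructed, unsigned Response carrying only the fields used above."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' ID="_r1" Version="2.0"{irt}><saml:Issuer>{issuer}</saml:Issuer>'
            f'</samlp:Response>').encode()

# Constructed team: two active providers (one allows IdP-initiated) and one inactive.
TEAM = [
    {"entity_id": "https://okta.example.test", "active": True, "allow_idp_initiated": False},
    {"entity_id": "https://entra.example.test", "active": True, "allow_idp_initiated": True},
    {"entity_id": "https://old-idp.example.test", "active": False, "allow_idp_initiated": True},
]
```
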