You are correct. The use case for the Siteminder integration is not authentication per se. It is "step-up" authentication and it was originally designed to be used on certain pages within the program and cannot replace the initial login.

Assume you have an administrator user that is responsible for accessing target machines in the network but also responsible for configuring and maintaining CA PAM itself. These are effectively two distinct roles. You could provide 2 separate logins for this user, but then this limits the user and requires different passwords and user accounts. With the Siteminder authentication feature you can protect the configuration pages or any distinct page inside CA PAM, so an admin user can access targets with the normal login but force them to reauthenticate separately once they try to access these particular pages.

If you do use SAML Authentication you may be able to configure the SAML to handle the step-up auth automatically, but that would defeat the whole purpose of step-up authentication. You do not need to use SAML, as there is a Siteminder WebAgent built into the CA PAM product, so you can configure any authentication method the standard Apache Webagent can be configured with in Siteminder. Since most PAM environments do not require such a separation of Roles, I have not seen many customers using this feature.

As for using Siteminder as the Single Sign-On... Simply configure CA PAM to use SAML authentication with your AD users and disable Siteminder Integration. You can configure Siteminder as the Identity Provider and it will authenticate your AD users and pass CA PAM the authentication token as the relying party. This is a common configuration with CA PAM and many use Siteminder as the IDP and will avoid your double authentication.