The configuration of CA PAM as a SAML RP is relatively simple. There are just a few parameters that you need to sync up with the SSO site. You can see them on the screen below. You can enter them yourself or upload a metadata file that you downloaded from SSO.
After you've entered the data above or uploaded the metadata, click Edit. The section below will open up. If it is not checked already, check the "Require Encrypted Assertions" box. Save the configuration and you're done.
Next you can see the screen captures from the SSO side. Make sure that the fields that correspond to the CA PAM side are configured to match. Please notice the highlighted field, Key Algorithm. Initially it was set to rsa-1_5, which is not supported by CA PAM. It is an old algorithm and may even be deprecated. Once it was changed to rsa-oaep, SAML worked right away.
With these configurations in place, you can now click the Test button. If everything is good, you will see a page open like the one below. If it is not successful, you will see a similar page with an error. If this is not sufficient for you to figure out what is wrong, then please open a ticket with CA PAM Support. Make sure to attach the contents of the ticket, along with a downloaded Sysinfo.
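If the Test page shows an error, one thing to check is which key algorithm the SSO side actually used, as discussed for the Key Algorithm field above. The following is an added example, not CA PAM or SSO code: it reads a base64 SAMLResponse value captured from the browser and reports whether the assertion is encrypted and with which key-transport algorithm. It assumes the HTTP-POST binding and that the rsa-1_5 and rsa-oaep settings correspond to the W3C XML Encryption URIs listed in the code; the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Key-transport URIs from the W3C XML Encryption specs (assumed mapping of the UI labels).
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
            "http://www.w3.org/2009/xmlenc11#rsa-oaep"}

def check_saml_response(b64_response):
    """Classify a base64 SAMLResponse form value taken from your own SSO site."""
    root = ET.fromstring(base64.b64decode(b64_response))
    enc = root.find(".//saml:EncryptedAssertion", NS)
    if enc is None:
        return ("unencrypted", "no EncryptedAssertion; fails 'Require Encrypted Assertions'")
    method = enc.find(".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    if method is None:
        return ("unknown", "EncryptedKey has no EncryptionMethod element")
    alg = method.get("Algorithm", "")
    if alg == RSA_1_5:
        return ("rsa-1_5", "set Key Algorithm to rsa-oaep on the SSO side")
    if alg in RSA_OAEP:
        return ("rsa-oaep", alg)
    return ("unknown", alg)

def sample_response(key_algorithm):
    """Constructed minimal response with placeholder cipher values (not real data)."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:EncryptedAssertion><xenc:EncryptedData>
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey>
   <xenc:EncryptionMethod Algorithm="{key_algorithm}"/>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for alg in (RSA_1_5, "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"):
        print(check_saml_response(sample_response(alg)))
```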
Once the test is successful, you can log off and click the SSO button that now appears on the Login page. When you do, you will invoke SAML. If you haven't already logged in to SAML, you will be prompted for your SAML userid and password. If correct, you will be taken into CA PAM. If you have previously logged into SAML successfully, you will be brought right into CA PAM.
This should be sufficient for you to complete the configuration of CA PAM and SSO for the use of SAML. If not, Support is ready to assist you.