Certain identity providers (IdPs), for instance AD FS, use different certificates for signing and for encrypting SAML assertions.
CA PAM can use SAML for authentication; to configure it, one imports the metadata published by the IdP, which in this case contains two different certificates (one KeyDescriptor with use="signing" and one with use="encryption").
However, when viewing the IdP metadata under Configuration --> Security --> SAML, only one certificate is shown.
Will such a setup work?
CA PAM all versions
CA PAM loads whatever metadata is supplied to it, but the GUI displays only one of the certificates.
This does not mean the setup does not work. All tests conducted so far with such a configuration show that PAM uses the right certificate for each operation (signature verification versus decryption), and the metadata stored in PAM has been observed to contain both certificates.
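If there is any doubt about what was actually imported, the check to make is on the metadata file itself rather than on what the GUI shows. The following is an added example, not CA PAM code or AD FS output: it parses SAML 2.0 IdP metadata, lists every KeyDescriptor with its declared use, and reports whether the IdP publishes distinct signing and encryption certificates. The embedded metadata is constructed for the example, the entity ID and URLs are made up, and the X509Certificate bodies are base64 placeholders rather than real certificates. It also handles the case the SAML metadata specification allows, a KeyDescriptor with no use attribute, which means the same key serves both purposes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Digital Signature
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata in the shape AD FS publishes: two KeyDescriptor
# elements, one for encryption and one for signing. The certificate bodies are
# placeholder base64 strings, not real X.509 certificates.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          QUJDREVGR0hJSktMTU5PUA==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>c2lnbmluZy1jZXJ0LXBsYWNlaG9sZGVy</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed variant: a single KeyDescriptor with no use attribute, which the
# SAML metadata specification defines as usable for both signing and encryption.
SINGLE_KEY_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QUJDREVGR0hJSktMTU5PUA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def key_descriptors(metadata_xml):
    """Return (use, der_bytes) for every certificate under IDPSSODescriptor/KeyDescriptor.

    A KeyDescriptor without a 'use' attribute is reported as 'signing+encryption'.
    Whitespace and line breaks inside the base64 body are stripped before decoding.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use") or "signing+encryption"
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            found.append((use, base64.b64decode(b64)))
    return found


def certs_by_use(metadata_xml):
    """Map each use ('signing', 'encryption') to the SHA-256 fingerprints allowed for it."""
    by_use = {"signing": set(), "encryption": set()}
    for use, der in key_descriptors(metadata_xml):
        fingerprint = hashlib.sha256(der).hexdigest()
        for purpose in by_use:
            if purpose in use:
                by_use[purpose].add(fingerprint)
    return by_use


def uses_separate_certificates(metadata_xml):
    """True when the IdP publishes a signing key set that differs from its encryption key set.

    This is the AD FS style situation described above: the SP must hold both
    certificates, so a display that shows only one is not proof that one is missing.
    """
    by_use = certs_by_use(metadata_xml)
    return bool(by_use["signing"]) and bool(by_use["encryption"]) \
        and by_use["signing"] != by_use["encryption"]


if __name__ == "__main__":
    for use, der in key_descriptors(SAMPLE_METADATA):
        print(f"{use:20} sha256={hashlib.sha256(der).hexdigest()}")
    print("separate signing/encryption certs:", uses_separate_certificates(SAMPLE_METADATA))
```

Run the same functions against the metadata file exported from the IdP (for AD FS, the FederationMetadata.xml document) before importing it into PAM; if two KeyDescriptor entries with different uses come back, both certificates are in the file PAM loads, regardless of how many the GUI lists.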