Using BeyondTrust PAM with IIQ + Entra ID SSO — Is This a Double Authentication Setup?

Hello everyone,

I have a requirement from a customer and would appreciate your guidance.

The customer wants users to sign in to SailPoint IdentityIQ (IIQ) using BeyondTrust PAM as a broker between the user accounts and IIQ.

At the same time, Single Sign-On (SSO) is already configured using Microsoft Entra ID.

So the flow would look something like:
User → BeyondTrust PAM → Entra ID (SSO) → SailPoint IIQ

My questions are:

  1. Would this be considered a double authentication / redundant flow?

  2. Is this architecture recommended or commonly used?

  3. Are there any official documents or best practices describing this setup?

  4. The customer already has existing accounts in BeyondTrust PAM — how should integration with IIQ be handled in this case?

Any insights, recommendations, or documentation references would be highly appreciated.

Thanks in advance!

@IslamElkhouly How are you logging in to PAM? Is it via SSO or a separate user login?

If it is already behind SSO, then the SSO layer should auto-skip once you access IIQ via PAM, as the session is already active. If not, then it’ll go for secondary authentication via SSO. I don’t remember any projects that I worked on having this architecture.


The flow doesn’t look correct:
User → BeyondTrust PAM → Entra ID (SSO) → SailPoint IIQ