It does support multiple realms; unfortunately, as you have found out, it is moot because SAML takes priority
are you doing both connection types on the same connection (one for machine auth & one for user auth) against a realm designed for machine auth with urlA and a realm designed for SAML auth on urlB for the user auth?
when you say it is wiped out, how do you mean? if the initial config was pushed from the PCS & then you manually add a connection, yes, it should be removed when you connect as that connection is different than the bound connection

 looks like the above issue that I mentioned was wrong configuration on my end. I have a working connection with SSO for User based authentication and certificate for machine authentication.

 

I still have an issue regarding the workflow though - when the user cancels out of SSO authentication (say they don't want to use VPN in their user session). The connection is deemed as "Disconnected - Manual Override". Once the connection is in this state, machine authentication doesn't kick in when I log out of switch user. The next time machine authentication will kick in is when I reboot and the connection is setup to auto-connect again. 

 

Is there a way to not force the user to login to VPN but still have machine authentication prior to user login.

that sounds like there is a misbehavior in that, at least for logout. are the two forms on one connection or two different connections? If the latter, i am fairly certain that is not correct; the former? i am not sure
i would recommend reaching out to support and working with them for further investigation and validation.
have you tested with 9.1R1 or 9.0R4 and see the same behavior?