
SAP Cloud Platform connected to Active Directory via Cloud Connector - external users?

former_member552848
Discoverer

Hi,

I have some questions regarding this configuration:

https://blogs.sap.com/2015/07/02/how-to-connect-your-cloud-applications-with-your-corporate-user-sto...

Can I...

- use SSO (since I authenticate against Identity Authentication Service and then AD, I guess I can?)

- have my own users (employees) stored in and authenticated against my user store (AD) and external users (customers/business partners/...) created in and authenticated against Cloud Platform Identity Authentication?

- Login would be easy since internal users/employees are already authenticated (AD) and don't need to provide their credentials again when accessing SAP JAM/Success Factors/Hybris Sales/...?

- Employees can be authenticated even when working from home since cloud connector "tunnels them" to AD?

As far as I can tell, the alternative would be using Identity Authentication Service as a proxy that is authenticating users against ADFS. Therefore Cloud Connector is not needed.

Which configuration would you prefer and why?

Accepted Solutions (1)

MSo
Product and Topic Expert

Hi Benedikt,

Here is my judgement:

- use SSO (since I authenticate against Identity Authentication Service and then AD, I guess I can?)
Yes.

- have my own users (employees) stored in and authenticated against my user store (AD) and external users (customers/business partners/...) created in and authenticated against Cloud Platform Identity Authentication?
Yes, BUT: you usually establish an SP-initiated single sign-on and rely on one trust configuration. The IdP cannot differentiate the users – simply since the user is not known before he is authenticated.
That’s the reason why this scenario currently only works in case you let employees authenticate via SPNEGO/Kerberos – and the externals will receive a login screen to provide their credentials in IAS.
We are currently working on a concept called ‘Conditional Authentication Flow’ that will allow more flexibility here.

- Login would be easy since internal users/employees are already authenticated (AD) and don't need to provide their credentials again when accessing SAP JAM/Success Factors/Hybris Sales/...?
That’s exactly the idea: with IAS we want to reuse an already established session at a corporate IdP.

- Employees can be authenticated even when working from home since cloud connector "tunnels them" to AD?
Yes.

As far as I can tell, the alternative would be using Identity Authentication Service as a proxy that is authenticating users against ADFS. Therefore Cloud Connector is not needed.

Which configuration would you prefer and why?

Cloud Connector (‘corporate user store’ scenario) should be used in case there are users working outside of the corporate network.

SPNEGO/Kerberos is a good alternative, but it only works in case the user’s browser has access to the Kerberos token server.

BR, Marko, Product Manager Identity Authentication Service
