
Using Netscaler as IdP for Identity Authentication Service


I'd like to set up the following:

I have several web applications (SAP JAM/Hybris Marketing Cloud/...) added to IAS.
Now I want to use my corporate IdP (AD) via Netscaler to authenticate my users and establish SSO.
So, the flow should be:
1) User accesses Hybris Sales
2) App redirects to IAS for authentication
3) IAS redirects to Netscaler
4) Netscaler checks AD
5) User is authenticated
6) Netscaler redirects back to IAS
7) IAS redirects back to Hybris Sales

Users are supposed to use their email address as login "name" - therefore I could differentiate users: my users authenticate against my AD, possible external users authenticate against IAS.

Is this configuration possible?
And if so: is there a guide on how to set it up properly?

What I tried:
I already set up trust between Application and IAS. I also set up trust between Netscaler and IAS.
When trying to log in to Hybris Sales, for example, I'm getting redirected to Netscaler. Upon entering my credentials there, I'm getting redirected to Hybris Sales. So far so good. But - according to the error description I receive - the authentication (against IAS) then failed ("[urn:oasis:names:tc:SAML:2.0:status:Responder]" + "[Failed to authenticate user.]").




1 Answer

  • Best Answer
    Mar 08, 2018 at 04:23 PM


    Yes, it is possible to distinguish the forwarding to your IdP based on the email address.

    This feature is called Conditional Authentication. You can find more details about this in the documentation.

    About the issue that you describe:

    We did have a similar issue with a customer. There the issue was resolved by removing the trust and configuring the trust again.

    Can you check if this will resolve the issue for you as well?

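To make a failure like the one quoted in the question ("Responder" + "Failed to authenticate user.") easier to read, here is an added example that is not part of the question or answer above and not SAP or Citrix code: it decodes the base64 SAMLResponse form value the IdP posts to the application, walks the StatusCode chain and reports which side of the exchange failed. The response XML is a constructed sample; hosts and IDs are placeholders, only the status URIs are real SAML 2.0 constants.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
# The top-level status says which side failed: Responder = the IdP could not
# process the request, Requester = the SP's request itself was bad.
FAULT = {STATUS + "Success": "none", STATUS + "Responder": "idp", STATUS + "Requester": "sp"}

# Constructed sample of a failed response as an IdP would POST it to the SP's ACS.
# Hosts and IDs are placeholders; the status URIs are real SAML 2.0 constants.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2018-03-08T16:23:00Z" InResponseTo="_req1"
    Destination="https://sp.example.invalid/saml2/acs">
  <saml:Issuer>https://tenant.example.invalid/saml2/idp</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
    </samlp:StatusCode>
    <samlp:StatusMessage>Failed to authenticate user.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def diagnose_saml_response(saml_response_b64):
    """Decode a SAMLResponse form value and summarise who failed and why."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # Walk the StatusCode chain: top-level code first, then any nested sub-codes.
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find("samlp:StatusCode", NS)
    top = codes[0] if codes else ""
    # A usable login needs Success *and* an Assertion; a bare Success is not enough.
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "in_response_to": root.get("InResponseTo", ""),
        "status_codes": codes,
        "status_message": root.findtext("samlp:Status/samlp:StatusMessage",
                                        default="", namespaces=NS),
        "fault": FAULT.get(top, "unknown"),
        "success": top == STATUS + "Success" and root.find("saml:Assertion", NS) is not None,
    }
```

A "fault" of "idp" with no Assertion means the IdP side (here IAS, after the proxied Netscaler login) rejected the request, so the trust configuration and IAS logs are the place to look rather than the application.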