Hi,

I'd like to set up the following:

I have several web applications (SAP JAM/Hybris Marketing Cloud/...) added to IAS.
Now I want to use my corporate IdP (AD) via Netscaler to authenticate my users and establish SSO.
So, the flow should be:
1) User accesses Hybris Sales
2) App redirects to IAS for authentication
3) IAS redirects to Netscaler
4) Netscaler checks AD
5) User is authenticated
6) Netscaler redirects back to IAS
7) IAS redirects back to Hybris Sales

Users are supposed to use their email address as login "name" - therefore I could differentiate users: My users authenticate against my AD - possible external users authenticate against IAS.

Is this configuration possible?
And if so: is there a guide how to set it up properly?

What I tried:
I already set up trust between Application and IAS. I also set up trust between Netscaler and IAS.
When trying to login to Hybris Sales for example, I'm getting redirected to Netscaler. Upon entering my credentials there, I'm getting redirected to Hybris Sales. So far so good. But - according to the error description I receive - then the authentication (against IAS) failed ("[urn:oasis:names:tc:SAML:2.0:status:Responder]" + "[Failed to authenticate user.]")

Thanks

Benedikt