Federated SSO over IPv6 using Post Binding

Configuration

The L4 switch listens on the IPv6 virtual IP address for the Identity Server cluster; call this address IDP-v6. The IPv4-Internal address on the L4 switch is connected to the actual Identity Server cluster. IDP-v6 accepts requests from IPv6 clients. Traffic arriving at IDP-v6 is forwarded to the Identity Servers with the source IP changed to IPv4-Internal.

Identity Servers listen on IPv4 addresses only. These IPv4 addresses must be configured as a real server group, say IDP-Group, in the L4 switch. This group serves the requests arriving at the IDP-v6 address configured in the L4 switch. Incoming traffic to IDP-v6 is redirected to IDP-Group according to the load-balancing algorithm configured in the L4 switch.

In federated SSO using the Post binding, every SAML message is carried by the client's request, so no traffic is initiated from the Identity Provider or the Service Provider; hence the Identity Servers need to listen on IPv4 addresses only.

How It Works

Response traffic from the Identity Servers to the IPv6 clients is first routed to IPv4-Internal and then forwarded back to the clients with the IDP-v6 address as the source IP.

Because this is the Post profile, incoming traffic arrives only from IPv6 clients. Clients can be configured with an IPv4 address, an IPv6 address, or both (dual stack). A client configured for IPv6 only or for dual stack must resolve the published DNS name of the IdP to the IDP-v6 address.
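The following is an added example, not part of the original page or of any vendor's product documentation, showing the Configuration and How It Works sections above expressed as an HAProxy configuration standing in for the L4 switch. It assumes HAProxy in TCP mode (TLS passes through untouched), and all addresses are placeholders from documentation ranges; substitute your own IDP-v6 VIP, IPv4-Internal address and Identity Server addresses.

```haproxy
# Added example: HAProxy playing the role of the L4 switch described above.
# Addresses are constructed placeholders, not values from the original page.
defaults
    mode    tcp                  # pure L4 forwarding; TLS stays end to end
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# IDP-v6: the IPv6 virtual IP that IPv6-only and dual-stack clients reach after
# resolving the IdP's published DNS name (its AAAA record points here).
frontend idp_v6
    bind [2001:db8:1::10]:443 v6only
    default_backend idp_group

# IDP-Group: the real (IPv4-only) Identity Servers. 'source' forces every
# forwarded connection to originate from IPv4-Internal, so the servers see
# only IPv4 and their responses naturally return through this host, which
# sends them on to the client from the IDP-v6 address.
backend idp_group
    balance roundrobin           # the configured load-balancing algorithm
    source 10.0.0.5              # IPv4-Internal
    option tcp-check
    server idp1 10.0.1.11:443 check
    server idp2 10.0.1.12:443 check
```

Because nothing in the Post binding needs the Identity Servers to originate connections, no IPv6 address is configured on the backend side at all.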