I want to set up the following. Wondering if it is possible.

Currently have:

AG Cluster (Windows server located in the DMZ, not domain joined)
IDP (Windows server located in the DMZ, not domain joined)
AC (Windows server located on the internal network, domain joined)

The AG does not front-end/proxy the IDP.

The AG is installed on Windows and can in theory support Kerberos Constrained Delegation.
However, there is an understandable reluctance to extend the AD domain into the DMZ.

I was thinking of introducing a second AG Cluster (not part of the same cluster as the DMZ based AG) on an internal network and joining this to the domain.

The question I had then is: I can't see any reason why this second AG couldn't establish a standard NAM/Liberty trust relationship with the existing IDP?

Then I could configure the internal AG as a domain member with Kerberos Constrained Delegation for a specific internal web server.
This internal AG would be configured to reverse proxy the internal web server (and identity-inject a Kerberos ticket).
Contract configured as "satisfied by equal or higher".
Then on the external AG, a reverse proxy would be configured with a username/password type contract and the destination web server set to the reverse proxy on the internal AG.

Anyone got a better solution to handle the protocol transition from username/password to Kerberos?
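For the Active Directory side of the design above, the internal AG's service account needs two things for the username/password to Kerberos hop to work: a constrained delegation list naming only the internal web server's SPN, and the "protocol transition" flag (Trusted to Authenticate for Delegation), because the AG never receives a Kerberos ticket from the external user. The PowerShell below is an added example, not part of the original post and not NetIQ/NAM product code; the account name, host names and SPNs are placeholders. The last query is the audit a defender would run periodically, since protocol transition lets an account obtain service tickets for any user without their credentials and should be confined to the few accounts that genuinely need it.

```powershell
# Added example (not from the original post): configure and audit Kerberos
# constrained delegation with protocol transition for the internal AG.
# All names below are assumed placeholders, not values from the post.
Import-Module ActiveDirectory

$agAccount  = 'svc-nam-ag'                        # assumed: service account the internal AG runs as
$agSpn      = 'HTTP/intag.corp.example.com'       # assumed: SPN of the internal AG itself
$targetSpns = @('HTTP/intweb.corp.example.com',   # assumed: SPNs of the internal web server
                'HTTP/intweb')

# 1. The delegating account must itself have an SPN, otherwise the
#    Delegation tab / KCD attributes are not usable for it.
Set-ADUser -Identity $agAccount -ServicePrincipalNames @{ Add = $agSpn }

# 2. Constrained delegation: only the listed SPNs, never unconstrained.
Set-ADUser -Identity $agAccount -Add @{ 'msDS-AllowedToDelegateTo' = $targetSpns }

# 3. Protocol transition ("use any authentication protocol"): required because
#    the front-end hands the AG a username/password, not a Kerberos ticket.
Set-ADAccountControl -Identity $agAccount -TrustedToAuthForDelegation $true

# 4. Verify the resulting state of the AG account.
Get-ADUser -Identity $agAccount -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, ServicePrincipalNames |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'SPNs';                e = { $_.ServicePrincipalNames -join ', ' } },
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 5. Periodic audit: every account in the domain with protocol transition
#    enabled (userAccountControl bit 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION).
#    Anything here other than the expected AG account deserves a ticket.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
             -Properties msDS-AllowedToDelegateTo, objectClass |
    Select-Object Name, objectClass,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Run this as an account with rights to edit the service account; step 1 fails if the SPN is already registered elsewhere, which is also the usual cause of KCD silently not working. If the internal AG runs under the computer account rather than a service account, use `Set-ADComputer` with the same `-Add` and `-ServicePrincipalNames` parameters and apply the `-TrustedToAuthForDelegation` flag to that computer object instead.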