Api external authentication

Problem: External authentication using the api
In a freeipa/AD trust situation, the foreman host (joined to AD) can successfully authenticate AD users members of an external freeipa group in the web ui. But when using the api, we cannot log in.

In the production.log we see:
failed to authenticate user against EXTERNAL authentication source
invalid user
SSO failed

We are not using negotiate in the rest api.
Expected outcome:
We can log in using name/passwords of AD users in the api

Foreman and Proxy versions:
1.24
Foreman and Proxy plugin versions:

Distribution and version:
rhel 7.7
Other relevant data:

curl -u user@ad.trust https://foreman.sub.domain.tld/api/status -LI

Enter host password:
HTTP/1.1 401 Unauthorized

what is the value of Authorize login delegation API setting?