The short answer is: Yes, EasySSO works with existing AD groups.

The long answer is: to use the AD groups during the authorization process you will need to configure your Atlassian applications; EasySSO is not part of this picture. Read this article: How does EasySSO work with User Directories backed up by Active Directory.

There are two options for the configuration of EasySSO to work with the existing AD groups. 

The recommended configuration is:

  1. All users are pulled in via the AD Connector or are pulled in as needed via Delegated authentication. 
  2. In the case of AD Connector, configure Group and Membership LDAP schema to pull group membership in during regular synchronisation. In the Delegated authentication case configure your Atlassian application to "Copy User on Login" and "Synchronise Group Memberships", i.e. pull all attributes and group membership on successful login. 
  3. In the Global Permissions for the application (e.g. Confluence) or Applications Access (i.e. in Jira) specify that only those who are members of jira-users (the local group) or jira-users-AD (or the relevant group you use in AD to mark these application users) can actually log in, i.e. have the Use Confluence permission or have access to the Jira Software application.

We recommend this configuration since any AD administrator will be able to check individual users' group permissions easily. If you have Jira Service Desk(s) for internal users the above configuration is useful to distinguish between Service Desk agents and users. Please be aware that in a large organisation with a small number of Jira users, the recommended configuration may appear to pull too many users unnecessarily.

Another option is to use LDAP filtering in your Atlassian application:

  1. As a Jira Administrator with global permissions, go to Administration > Users > User Directories.
  2. Add your filters to the User Object Filter or the Group Object Filter fields. We recommend using this cheat sheet.
  3. Depending on how your AD is set up, you can use the following in the "User Object Filter":
  • "All direct members of specified group" e.g. "(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=jira-users-AD,dc=Domain,dc=com))"
  • "All members of specified group, including due to group nesting" e.g. "(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=jira-users-AD,dc=Domain,dc=com))"

Any user who shouldn't have access to the application will not be able to log in and will be presented with a regular login screen.
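
The difference between the two User Object Filter forms above, as an added example (not EasySSO or Atlassian code): it builds each filter for a group DN with RFC 4515 escaping and evaluates direct versus nested membership over a constructed directory. The helper names, the three users and the developers and contractors groups are assumptions made for illustration.

```python
# Added example: constructed data; helper names are hypothetical.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule used in the nested filter

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_object_filter(group_dn, nested=False):
    """Build the User Object Filter for direct or nested group membership."""
    rule = ":%s:" % IN_CHAIN if nested else ""
    return "(&(objectCategory=Person)(sAMAccountName=*)(memberOf%s=%s))" % (
        rule, escape_filter_value(group_dn))

GROUP = "cn=jira-users-AD,dc=Domain,dc=com"
DEVS = "cn=developers,dc=Domain,dc=com"
CONTRACTORS = "cn=contractors,dc=Domain,dc=com"
USERS = ["cn=alice,dc=Domain,dc=com", "cn=bob,dc=Domain,dc=com",
         "cn=carol,dc=Domain,dc=com"]
# Constructed directory: object DN -> groups it is a direct member of.
MEMBER_OF = {
    USERS[0]: [GROUP],
    USERS[1]: [DEVS],
    USERS[2]: [CONTRACTORS],
    DEVS: [GROUP],                # developers is nested inside jira-users-AD
    CONTRACTORS: [CONTRACTORS],   # self-reference, to show cycle handling
}

def is_member(dn, group_dn, nested, seen=None):
    """Mimic what each filter matches: direct memberOf, or the full chain."""
    seen = set() if seen is None else seen
    for parent in MEMBER_OF.get(dn, []):
        if parent.lower() == group_dn.lower():
            return True
        if nested and parent not in seen:
            seen.add(parent)
            if is_member(parent, group_dn, nested, seen):
                return True
    return False

def users_allowed(group_dn, nested=False):
    """Users the directory would import, and who could therefore log in."""
    return sorted(u for u in USERS if is_member(u, group_dn, nested))

if __name__ == "__main__":
    for nested in (False, True):
        print(user_object_filter(GROUP, nested))
        print("  matches:", users_allowed(GROUP, nested))
```

With the nested form, membership of any group placed inside jira-users-AD grants login, so access reviews need to cover the nested groups as well as the top-level one.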

