EasySSO does authentication, not authorisation.

What does that mean?

It means that EasySSO tells your Atlassian product who the user is, but the product then decides whether or not the user is allowed to use the application.

In plain English there are three possible outcomes:

  1. I know you and you are allowed in (this also includes users who have never logged in before but are allowed based on the configuration of the Atlassian application). 
  2. I know you, but you are not allowed in.
  3. I can't figure out who you are, therefore you need to identify yourself via a login screen and then I will decide if you are allowed in.

What's the point of making this distinction?

We often get questions about how to configure EasySSO in very specific circumstances. This page is deliberately non-technical to give users a simple picture of how the authentication and subsequent authorisation process works. For a more technical description of the authentication process, read this article.

Distinguishing between authentication and authorisation makes it easier to figure out where the solution to a problem can be found.

Examples:

Does EasySSO work with existing AD groups? The answer is yes. The question, however, is not whether EasySSO can authenticate a domain user as an application user, but whether it can identify a user as a user with specific permissions, as set in AD through group membership. This is a question of authorisation, not authentication. As described in the link to use the power of AD groups, you have to configure your Atlassian application to authorise users based on their membership of a specific AD group. EasySSO will authenticate the user as User X; your Atlassian application will then allow the user in because User X is a member of the AD group that is configured to allow users to use the application.

EasySSO IP filtering is useful when you have external users who are not part of your internal AD. Attempting authentication via EasySSO is then pointless: the answer will always be 'I can't figure out who you are'. Using IP filtering, as described in the link, you can configure EasySSO not to attempt authentication, so that users from specific IP addresses or IP ranges are offered the standard login screen instead. Since you may have allowed external users, such as vendors, into your Atlassian application, they may be able to use your application, i.e. be authorised by your application without being managed in your AD.