Yes it is possible to do that as long as the external identity provider can provide a unique identifier to anchor the user to an object in AD DS. If you have a specific example (with the actual claim types and the logic for the mapping and the group lookup up) we can help you with the rules here.
By the way, why use an external provider if at the end you are authenticating AD DS user? Why not using the Active Directory claim provider directly?