Last modified by Agnease on 2026/05/25 12:52

From version 1.1
edited by Agnease
on 2026/05/12 13:05
Change comment: There is no comment for this version
To version 8.3
edited by Agnease
on 2026/05/22 14:12
Change comment: There is no comment for this version

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -xwiki-authentication-access-control
1 +XWiki Authentication and Access Control
Content
... ... @@ -1,0 +1,404 @@
1 +{{velocity}}
2 +#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 +{{html clean="false"}}
4 +
5 + ## PAGE HEADER
6 + <section class="hero hero-centered service-hero" aria-labelledby="hero-title">
7 + <div class="container hero-inner">
8 + <div class="hero-kicker">
9 + <i class="fa fa-lock" aria-hidden="true"></i>
10 + XWiki authentication and access control
11 + </div>
12 +
13 + <h1 id="hero-title">Secure XWiki access, authentication and permissions</h1>
14 +
15 + <p class="lead">
16 + Secure XWiki access with LDAP, Active Directory, SSO, OIDC, SAML, MFA, user synchronization,
17 + group management and maintainable permission policies.
18 + </p>
19 +
20 + <div class="hero-actions">
21 + <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
22 + <a class="btn btn-secondary" href="#access-control-process">See the approach</a>
23 + </div>
24 + </div>
25 + </section>
26 +
27 + ## WHY ACCESS CONTROL MATTERS
28 + <section aria-labelledby="why-access-title">
29 + <div class="container">
30 + <h2 id="why-access-title">Access control is central to a reliable XWiki platform</h2>
31 +
32 + <p class="section-intro">
33 + XWiki often contains internal knowledge, procedures, project information, customer data, controlled documents
34 + and business workflows. Authentication and permissions need to be configured carefully so users can access
35 + what they need without exposing sensitive information or making administration too complex.
36 + </p>
37 +
38 + <div class="pathways">
39 + <article class="pathway-card">
40 + <div class="pathway-icon">
41 + <i class="fa fa-sign-in" aria-hidden="true"></i>
42 + </div>
43 + <h3>Connect users securely</h3>
44 + <p>
45 + Integrate XWiki with your identity provider so users can access the platform with familiar credentials.
46 + </p>
47 + <ul>
48 + <li>LDAP and Active Directory</li>
49 + <li>OIDC, SAML and SSO</li>
50 + <li>MFA and authentication extensions</li>
51 + </ul>
52 + </article>
53 +
54 + <article class="pathway-card">
55 + <div class="pathway-icon">
56 + <i class="fa fa-users" aria-hidden="true"></i>
57 + </div>
58 + <h3>Manage groups clearly</h3>
59 + <p>
60 + Keep user and group synchronization understandable, scalable and aligned with the way permissions are used.
61 + </p>
62 + <ul>
63 + <li>User synchronization</li>
64 + <li>Group mapping and filtering</li>
65 + <li>Large directory considerations</li>
66 + </ul>
67 + </article>
68 +
69 + <article class="pathway-card">
70 + <div class="pathway-icon">
71 + <i class="fa fa-key" aria-hidden="true"></i>
72 + </div>
73 + <h3>Control access safely</h3>
74 + <p>
75 + Review and structure rights so spaces, pages and applications can be maintained without accidental exposure.
76 + </p>
77 + <ul>
78 + <li>Wiki and page permissions</li>
79 + <li>Admin and script rights awareness</li>
80 + <li>Rights model cleanup</li>
81 + </ul>
82 + </article>
83 + </div>
84 + </div>
85 + </section>
86 +
87 + ## COMMON NEEDS
88 + <section class="services" aria-labelledby="access-needs-title">
89 + <div class="container">
90 + <h2 id="access-needs-title">Common authentication and access control needs</h2>
91 +
92 + <p class="section-intro">
93 + Authentication and permissions often become more complex as XWiki grows. The right setup depends on your
94 + identity provider, group structure, security expectations, user volume and internal administration model.
95 + </p>
96 +
97 + <div class="services-grid">
98 + <article class="service">
99 + <div class="service-icon" aria-hidden="true">
100 + <i class="fa fa-address-book"></i>
101 + </div>
102 + <div class="service-body">
103 + <h4>LDAP and Active Directory integration</h4>
104 + <p>
105 + Configuration, troubleshooting and optimization of LDAP/AD authentication, user creation and group synchronization.
106 + </p>
107 + </div>
108 + </article>
109 +
110 + <article class="service">
111 + <div class="service-icon" aria-hidden="true">
112 + <i class="fa fa-sign-in"></i>
113 + </div>
114 + <div class="service-body">
115 + <h4>SSO, OIDC and SAML</h4>
116 + <p>
117 + Integration with identity providers, single sign-on flows and authentication extensions used in enterprise environments.
118 + </p>
119 + </div>
120 + </article>
121 +
122 + <article class="service">
123 + <div class="service-icon" aria-hidden="true">
124 + <i class="fa fa-shield"></i>
125 + </div>
126 + <div class="service-body">
127 + <h4>Multi-factor authentication</h4>
128 + <p>
129 + MFA setup, licensing, configuration, troubleshooting and review of authentication-related user experience.
130 + </p>
131 + </div>
132 + </article>
133 +
134 + <article class="service">
135 + <div class="service-icon" aria-hidden="true">
136 + <i class="fa fa-users"></i>
137 + </div>
138 + <div class="service-body">
139 + <h4>User and group synchronization</h4>
140 + <p>
141 + Review of synchronization strategy, group mapping, large-directory behavior and performance implications.
142 + </p>
143 + </div>
144 + </article>
145 +
146 + <article class="service">
147 + <div class="service-icon" aria-hidden="true">
148 + <i class="fa fa-key"></i>
149 + </div>
150 + <div class="service-body">
151 + <h4>Rights model review</h4>
152 + <p>
153 + Review and cleanup of space, page, group and application permissions to reduce confusion and access risks.
154 + </p>
155 + </div>
156 + </article>
157 +
158 + <article class="service">
159 + <div class="service-icon" aria-hidden="true">
160 + <i class="fa fa-warning"></i>
161 + </div>
162 + <div class="service-body">
163 + <h4>Access-related troubleshooting</h4>
164 + <p>
165 + Investigation of login failures, missing users, group sync issues, unexpected permissions or denied access.
166 + </p>
167 + </div>
168 + </article>
169 + </div>
170 + </div>
171 + </section>
172 +
173 + ## APPROACH
174 + <section id="access-control-process" class="split-section" aria-labelledby="process-title">
175 + <div class="container">
176 + <div class="split-grid">
177 + <div class="split-copy">
178 + <h2 id="process-title">A practical access control approach</h2>
179 +
180 + <p>
181 + Authentication and permissions should be handled with care because small configuration mistakes can affect
182 + access to the entire platform. The goal is to understand the current setup, clarify the expected access
183 + model and apply changes in a controlled way.
184 + </p>
185 +
186 + <p>
187 + When possible, authentication and rights changes should first be validated in a staging or temporary clone
188 + of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved.
189 + </p>
190 + </div>
191 +
192 + <ol class="process-list">
193 + <li>
194 + <strong>Review the current access setup</strong>
195 + Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.
196 + </li>
197 + <li>
198 + <strong>Clarify the target model</strong>
199 + Expected login flow, user provisioning, group mapping, administration model and permission boundaries.
200 + </li>
201 + <li>
202 + <strong>Validate configuration safely</strong>
203 + Test authentication, synchronization and rights behavior before applying changes to production when needed.
204 + </li>
205 + <li>
206 + <strong>Apply controlled changes</strong>
207 + Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.
208 + </li>
209 + <li>
210 + <strong>Document the result</strong>
211 + Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.
212 + </li>
213 + </ol>
214 + </div>
215 + </div>
216 + </section>
217 +
218 + ## SPECIFIC AREAS
219 + <section aria-labelledby="areas-title">
220 + <div class="container">
221 + <h2 id="areas-title">Specific areas we can review</h2>
222 +
223 + <p class="section-intro">
224 + Access control in XWiki is not limited to the login page. It includes the full chain from identity provider
225 + to user synchronization, group membership, page permissions and application-level rules.
226 + </p>
227 +
228 + <div class="widgets">
229 + <article class="widget">
230 + <div class="icon" aria-hidden="true">
231 + <i class="fa fa-server"></i>
232 + <h4>Directory<br />configuration</h4>
233 + </div>
234 + <p>
235 + LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.
236 + </p>
237 + </article>
238 +
239 + <article class="widget">
240 + <div class="icon" aria-hidden="true">
241 + <i class="fa fa-random"></i>
242 + <h4>Group<br />mapping</h4>
243 + </div>
244 + <p>
245 + Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.
246 + </p>
247 + </article>
248 +
249 + <article class="widget">
250 + <div class="icon" aria-hidden="true">
251 + <i class="fa fa-lock"></i>
252 + <h4>Permission<br />structure</h4>
253 + </div>
254 + <p>
255 + Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.
256 + </p>
257 + </article>
258 +
259 + <article class="widget">
260 + <div class="icon" aria-hidden="true">
261 + <i class="fa fa-user-secret"></i>
262 + <h4>Security<br />sensitive rights</h4>
263 + </div>
264 + <p>
265 + Review of powerful rights such as admin, programming, script and edit rights where they affect security.
266 + </p>
267 + </article>
268 + </div>
269 + </div>
270 + </section>
271 +
272 + ## IMPORTANT CONSIDERATIONS
273 + <section class="services" aria-labelledby="considerations-title">
274 + <div class="container">
275 + <h2 id="considerations-title">Important considerations</h2>
276 +
277 + <p class="section-intro">
278 + Authentication and access control should be designed for both security and usability. A setup that is too
279 + permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot.
280 + </p>
281 +
282 + <div class="services-grid">
283 + <article class="service">
284 + <div class="service-icon" aria-hidden="true">
285 + <i class="fa fa-tachometer"></i>
286 + </div>
287 + <div class="service-body">
288 + <h4>Large directory performance</h4>
289 + <p>
290 + Large numbers of users and groups can create synchronization, login-time or permission-management challenges.
291 + </p>
292 + </div>
293 + </article>
294 +
295 + <article class="service">
296 + <div class="service-icon" aria-hidden="true">
297 + <i class="fa fa-eye"></i>
298 + </div>
299 + <div class="service-body">
300 + <h4>Visibility of groups and users</h4>
301 + <p>
302 + Group display, permission screens and administration workflows should remain usable even with many directory groups.
303 + </p>
304 + </div>
305 + </article>
306 +
307 + <article class="service">
308 + <div class="service-icon" aria-hidden="true">
309 + <i class="fa fa-user-plus"></i>
310 + </div>
311 + <div class="service-body">
312 + <h4>User provisioning strategy</h4>
313 + <p>
314 + Decide when users are created, how profiles are updated and how synchronization behaves after first login.
315 + </p>
316 + </div>
317 + </article>
318 +
319 + <article class="service">
320 + <div class="service-icon" aria-hidden="true">
321 + <i class="fa fa-unlock-alt"></i>
322 + </div>
323 + <div class="service-body">
324 + <h4>Administrator access safety</h4>
325 + <p>
326 + Authentication changes should preserve reliable administrator access and avoid accidental lockouts.
327 + </p>
328 + </div>
329 + </article>
330 +
331 + <article class="service">
332 + <div class="service-icon" aria-hidden="true">
333 + <i class="fa fa-refresh"></i>
334 + </div>
335 + <div class="service-body">
336 + <h4>Upgrade compatibility</h4>
337 + <p>
338 + Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.
339 + </p>
340 + </div>
341 + </article>
342 +
343 + <article class="service">
344 + <div class="service-icon" aria-hidden="true">
345 + <i class="fa fa-file-text-o"></i>
346 + </div>
347 + <div class="service-body">
348 + <h4>Documentation and handover</h4>
349 + <p>
350 + Access rules, configuration decisions and operational assumptions should be documented for future maintenance.
351 + </p>
352 + </div>
353 + </article>
354 + </div>
355 + </div>
356 + </section>
357 +
358 + ## RELATED SERVICES
359 + <section class="resource-strip" aria-labelledby="related-title">
360 + <div class="container">
361 + <h2 id="related-title">Related XWiki services</h2>
362 +
363 + <p class="section-intro">
364 + Authentication and access control often connect with maintenance, upgrades and security review.
365 + </p>
366 +
367 + <div class="resource-grid">
368 + <article class="resource-card">
369 + <h4>XWiki Support &amp; Maintenance</h4>
370 + <p>
371 + Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.
372 + </p>
373 + <a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a>
374 + </article>
375 +
376 + <article class="resource-card">
377 + <h4>XWiki Security Review</h4>
378 + <p>
379 + Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.
380 + </p>
381 + <a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a>
382 + </article>
383 + </div>
384 + </div>
385 + </section>
386 +
387 + ## CTA
388 + <section class="cta-section" aria-labelledby="cta-title">
389 + <div class="container">
390 + <div class="cta-panel">
391 + <h2 id="cta-title">Need help with XWiki authentication or permissions?</h2>
392 +
393 + <p>
394 + Send a short description of your authentication setup, identity provider, current XWiki version,
395 + user/group volume and the access control issue or improvement you want to address.
396 + </p>
397 +
398 + <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
399 + </div>
400 + </div>
401 + </section>
402 +
403 +{{/html}}
404 +{{/velocity}}
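Review bot: In the "Specific areas" widgets (new lines 230-233, and the same pattern at 240-243, 250-253 and 260-263) each `<h4>` sits inside `<div class="icon" aria-hidden="true">`, so the card titles "Directory configuration", "Group mapping", "Permission structure" and "Security sensitive rights" are hidden from assistive technology. Move the `<h4>` out of that div, or put `aria-hidden="true"` on the `<i>` only, as the hero and pathway cards already do. The heading levels also jump from `<h2>` straight to `<h4>` in the services, widgets and related-services sections, while the pathway cards use `<h3>`; pick one level for card titles. Separately, line 3 uses `{{html clean="false"}}` inside `{{velocity}}`, which turns off the HTML cleaner for everything the script emits. That is acceptable while the only Velocity output is `$xwiki.getURL(...)` with literal arguments (lines 21, 373, 381, 398), but a short comment next to the macro saying so would help. Any later change that interpolates request or user-supplied values here should escape them, for example with `$escapetool.xml(...)`.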
Agnease.Code.SEODetailsClass[0]
metaDescription
... ... @@ -1,0 +1,1 @@
1 +XWiki authentication and access control services for SSO, LDAP, OIDC, SAML, MFA, user groups, permissions and secure enterprise access management.
metaTitle
... ... @@ -1,0 +1,1 @@
1 +XWiki Authentication and Access Control Services | Agnease