Skip to Content
Last modified by Agnease on 2026/05/25 12:52
From version 1.1
edited by Agnease
on 2026/05/12 13:05
Change comment: There is no comment for this version
To version 8.8
edited by Agnease
on 2026/05/25 12:50
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -xwiki-authentication-access-control
1 +XWiki Authentication and Access Control
Content
... ... @@ -1,0 +1,360 @@
1 +{{velocity}}
2 +#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 +{{html clean="false"}}
4 + ## PAGE HEADER
5 + <section class="hero hero-centered service-hero" aria-labelledby="hero-title">
6 + <div class="container hero-inner">
7 + <div class="hero-kicker">
8 + <i class="fa fa-lock" aria-hidden="true"></i>
9 + XWiki authentication and access control
10 + </div>
11 +
12 + <h1 id="hero-title">Secure XWiki access, authentication and permissions</h1>
13 +
14 + <p class="lead">
15 + Secure XWiki access with LDAP, Active Directory, SSO, OIDC, SAML, MFA, user synchronization,
16 + group management and maintainable permission policies.
17 + </p>
18 +
19 + <div class="hero-actions">
20 + <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
21 + <a class="btn btn-secondary" href="#access-control-process">See the approach</a>
22 + </div>
23 + </div>
24 + </section>
25 + ## WHY ACCESS CONTROL CARDS
26 + #set ($accessControlItems = [{
27 + 'title': 'Connect users securely',
28 + 'icon': 'sign-in',
29 + 'content': 'Integrate XWiki with your identity provider so users can access the platform with familiar credentials.',
30 + 'items': [
31 + 'LDAP and Active Directory',
32 + 'OIDC, SAML and SSO',
33 + 'MFA and authentication extensions'
34 + ]
35 + },{
36 + 'title': 'Manage groups clearly',
37 + 'icon': 'users',
38 + 'content': 'Keep user and group synchronization understandable, scalable and aligned with the way permissions are used.',
39 + 'items': [
40 + 'User synchronization',
41 + 'Group mapping and filtering',
42 + 'Large directory considerations'
43 + ]
44 + },{
45 + 'title': 'Control access safely',
46 + 'icon': 'key',
47 + 'content': 'Review and structure rights so spaces, pages and applications can be maintained without accidental exposure.',
48 + 'items': [
49 + 'Wiki and page permissions',
50 + 'Admin and script rights awareness',
51 + 'Rights model cleanup'
52 + ]
53 + }])
54 +
55 + <section aria-labelledby="why-access-title">
56 + <div class="container">
57 + <h2 id="why-access-title">Access control is central to a reliable XWiki platform</h2>
58 + <p class="section-intro">
59 + XWiki often contains internal knowledge, procedures, project information, customer data, controlled documents
60 + and business workflows. Authentication and permissions need to be configured carefully so users can access
61 + what they need without exposing sensitive information or making administration too complex.
62 + </p>
63 + <div class="pathways">
64 + #foreach ($entry in $accessControlItems)
65 + <article class="pathway-card">
66 + <div class="card-heading">
67 + <div class="pathway-icon">
68 + <i class="fa fa-$entry.icon" aria-hidden="true"></i>
69 + </div>
70 + <h3>$entry.title</h3>
71 + </div>
72 + <p>$entry.content</p>
73 + <ul>
74 + #foreach ($item in $entry.items)
75 + <li>$item</li>
76 + #end
77 + </ul>
78 + </article>
79 + #end
80 + </div>
81 + </div>
82 + </section>
83 +
84 + ## COMMON NEEDS
85 + #set ($accessNeedsItems = [{
86 + 'title': 'LDAP and Active Directory integration',
87 + 'icon': 'address-book',
88 + 'content': 'Configuration, troubleshooting and optimization of LDAP/AD authentication, user creation and group synchronization.'
89 + },{
90 + 'title': 'SSO, OIDC and SAML',
91 + 'icon': 'sign-in',
92 + 'content': 'Integration with identity providers, single sign-on flows and authentication extensions used in enterprise environments.'
93 + },{
94 + 'title': 'Multi-factor authentication',
95 + 'icon': 'shield',
96 + 'content': 'MFA setup, licensing, configuration, troubleshooting and review of authentication-related user experience.'
97 + },{
98 + 'title': 'User and group synchronization',
99 + 'icon': 'users',
100 + 'content': 'Review of synchronization strategy, group mapping, large-directory behavior and performance implications.'
101 + },{
102 + 'title': 'Rights model review',
103 + 'icon': 'key',
104 + 'content': 'Review and cleanup of space, page, group and application permissions to reduce confusion and access risks.'
105 + },{
106 + 'title': 'Access-related troubleshooting',
107 + 'icon': 'warning',
108 + 'content': 'Investigation of login failures, missing users, group sync issues, unexpected permissions or denied access.'
109 + }])
110 +
111 + <section class="services" aria-labelledby="access-needs-title">
112 + <div class="container">
113 + <h2 id="access-needs-title">Common authentication and access control needs</h2>
114 +
115 + <p class="section-intro">
116 + Authentication and permissions often become more complex as XWiki grows. The right setup depends on your
117 + identity provider, group structure, security expectations, user volume and internal administration model.
118 + </p>
119 +
120 + <div class="services-grid">
121 + #foreach ($entry in $accessNeedsItems)
122 + <article class="service">
123 + <div class="service-icon" aria-hidden="true">
124 + <i class="fa fa-$entry.icon"></i>
125 + </div>
126 +
127 + <div class="service-body">
128 + <h4>$entry.title</h4>
129 + <p>$entry.content</p>
130 + </div>
131 + </article>
132 + #end
133 + </div>
134 + </div>
135 + </section>
136 +
137 + ## ACCESS CONTROL PROCESS
138 + #set ($accessProcessItems = [{
139 + 'title': 'Review the current access setup',
140 + 'content': 'Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.'
141 + },{
142 + 'title': 'Clarify the target model',
143 + 'content': 'Expected login flow, user provisioning, group mapping, administration model and permission boundaries.'
144 + },{
145 + 'title': 'Validate configuration safely',
146 + 'content': 'Test authentication, synchronization and rights behavior before applying changes to production when needed.'
147 + },{
148 + 'title': 'Apply controlled changes',
149 + 'content': 'Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.'
150 + },{
151 + 'title': 'Document the result',
152 + 'content': 'Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.'
153 + }])
154 +
155 + <section id="access-control-process" class="split-section" aria-labelledby="process-title">
156 + <div class="container">
157 + <div class="split-grid">
158 + <div class="split-copy">
159 + <h2 id="process-title">A practical access control approach</h2>
160 +
161 + <p>
162 + Authentication and permissions should be handled with care because small configuration mistakes can affect
163 + access to the entire platform. The goal is to understand the current setup, clarify the expected access
164 + model and apply changes in a controlled way.
165 + </p>
166 +
167 + <p>
168 + When possible, authentication and rights changes should first be validated in a staging or temporary clone
169 + of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved.
170 + </p>
171 + </div>
172 +
173 + <ol class="process-list">
174 + #foreach ($entry in $accessProcessItems)
175 + <li>
176 + <strong>$entry.title</strong>
177 + $entry.content
178 + </li>
179 + #end
180 + </ol>
181 + </div>
182 + </div>
183 + </section>
184 +
185 + ## SPECIFIC AREAS
186 + #set ($accessAreasItems = [{
187 + 'title': 'Directory configuration',
188 + 'icon': 'server',
189 + 'content': 'LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.'
190 + },{
191 + 'title': 'Group mapping',
192 + 'icon': 'random',
193 + 'content': 'Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.'
194 + },{
195 + 'title': 'Permission structure',
196 + 'icon': 'lock',
197 + 'content': 'Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.'
198 + },{
199 + 'title': 'Security-sensitive rights',
200 + 'icon': 'user-secret',
201 + 'content': 'Review of powerful rights such as admin, programming, script and edit rights where they affect security.'
202 + }])
203 +
204 + <section aria-labelledby="areas-title">
205 + <div class="container">
206 + <h2 id="areas-title">Specific areas we can review</h2>
207 +
208 + <p class="section-intro">
209 + Access control in XWiki is not limited to the login page. It includes the full chain from identity provider
210 + to user synchronization, group membership, page permissions and application-level rules.
211 + </p>
212 +
213 + <div class="widgets">
214 + #foreach ($entry in $accessAreasItems)
215 + <article class="widget">
216 + <div class="icon" aria-hidden="true">
217 + <i class="fa fa-$entry.icon"></i>
218 + <h4>$entry.title</h4>
219 + </div>
220 +
221 + <p>$entry.content</p>
222 + </article>
223 + #end
224 + </div>
225 + </div>
226 + </section>
227 +
228 + ## IMPORTANT CONSIDERATIONS
229 + <section class="services" aria-labelledby="considerations-title">
230 + <div class="container">
231 + <h2 id="considerations-title">Important considerations</h2>
232 +
233 + <p class="section-intro">
234 + Authentication and access control should be designed for both security and usability. A setup that is too
235 + permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot.
236 + </p>
237 +
238 + <div class="services-grid">
239 + <article class="service">
240 + <div class="service-icon" aria-hidden="true">
241 + <i class="fa fa-tachometer"></i>
242 + </div>
243 + <div class="service-body">
244 + <h4>Large directory performance</h4>
245 + <p>
246 + Large numbers of users and groups can create synchronization, login-time or permission-management challenges.
247 + </p>
248 + </div>
249 + </article>
250 +
251 + <article class="service">
252 + <div class="service-icon" aria-hidden="true">
253 + <i class="fa fa-eye"></i>
254 + </div>
255 + <div class="service-body">
256 + <h4>Visibility of groups and users</h4>
257 + <p>
258 + Group display, permission screens and administration workflows should remain usable even with many directory groups.
259 + </p>
260 + </div>
261 + </article>
262 +
263 + <article class="service">
264 + <div class="service-icon" aria-hidden="true">
265 + <i class="fa fa-user-plus"></i>
266 + </div>
267 + <div class="service-body">
268 + <h4>User provisioning strategy</h4>
269 + <p>
270 + Decide when users are created, how profiles are updated and how synchronization behaves after first login.
271 + </p>
272 + </div>
273 + </article>
274 +
275 + <article class="service">
276 + <div class="service-icon" aria-hidden="true">
277 + <i class="fa fa-unlock-alt"></i>
278 + </div>
279 + <div class="service-body">
280 + <h4>Administrator access safety</h4>
281 + <p>
282 + Authentication changes should preserve reliable administrator access and avoid accidental lockouts.
283 + </p>
284 + </div>
285 + </article>
286 +
287 + <article class="service">
288 + <div class="service-icon" aria-hidden="true">
289 + <i class="fa fa-refresh"></i>
290 + </div>
291 + <div class="service-body">
292 + <h4>Upgrade compatibility</h4>
293 + <p>
294 + Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.
295 + </p>
296 + </div>
297 + </article>
298 +
299 + <article class="service">
300 + <div class="service-icon" aria-hidden="true">
301 + <i class="fa fa-file-text-o"></i>
302 + </div>
303 + <div class="service-body">
304 + <h4>Documentation and handover</h4>
305 + <p>
306 + Access rules, configuration decisions and operational assumptions should be documented for future maintenance.
307 + </p>
308 + </div>
309 + </article>
310 + </div>
311 + </div>
312 + </section>
313 +
314 + ## RELATED SERVICES
315 + <section class="resource-strip" aria-labelledby="related-title">
316 + <div class="container">
317 + <h2 id="related-title">Related XWiki services</h2>
318 +
319 + <p class="section-intro">
320 + Authentication and access control often connect with maintenance, upgrades and security review.
321 + </p>
322 +
323 + <div class="resource-grid">
324 + <article class="resource-card">
325 + <h4>XWiki Support &amp; Maintenance</h4>
326 + <p>
327 + Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.
328 + </p>
329 + <a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a>
330 + </article>
331 +
332 + <article class="resource-card">
333 + <h4>XWiki Security Review</h4>
334 + <p>
335 + Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.
336 + </p>
337 + <a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a>
338 + </article>
339 + </div>
340 + </div>
341 + </section>
342 +
343 + ## CTA
344 + <section class="cta-section" aria-labelledby="cta-title">
345 + <div class="container">
346 + <div class="cta-panel">
347 + <h2 id="cta-title">Need help with XWiki authentication or permissions?</h2>
348 +
349 + <p>
350 + Send a short description of your authentication setup, identity provider, current XWiki version,
351 + user/group volume and the access control issue or improvement you want to address.
352 + </p>
353 +
354 + <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
355 + </div>
356 + </div>
357 + </section>
358 +
359 +{{/html}}
360 +{{/velocity}}
Agnease.Code.SEODetailsClass[0]
metaDescription
... ... @@ -1,0 +1,1 @@
1 +XWiki authentication and access control services for SSO, LDAP, OIDC, SAML, MFA, user groups, permissions and secure enterprise access management.
metaTitle
... ... @@ -1,0 +1,1 @@
1 +XWiki Authentication and Access Control Services | Agnease