Changes for page XWiki Authentication and Access Control
Last modified by Agnease on 2026/05/25 12:52
Summary
Page properties (2 modified, 0 added, 0 removed)
Objects (1 modified, 0 added, 0 removed)
Details
- Page properties
- Title
... ... @@ -1,1 +1,1 @@ 1 - xwiki-authentication-access-control1 +XWiki Authentication and Access Control - Content
... ... @@ -1,7 +1,6 @@ 1 1 {{velocity}} 2 2 #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome')) 3 3 {{html clean="false"}} 4 - 5 5 ## PAGE HEADER 6 6 <section class="hero hero-centered service-hero" aria-labelledby="hero-title"> 7 7 <div class="container hero-inner"> ... ... @@ -9,19 +9,11 @@ 9 9 <i class="fa fa-lock" aria-hidden="true"></i> 10 10 XWiki authentication and access control 11 11 </div> 12 - 13 13 <h1 id="hero-title">Secure XWiki access, authentication and permissions</h1> 14 - 15 15 <p class="lead"> 16 - Configureand maintainXWiki authentication, user synchronization,group management and access rights17 - forproductionenvironments.13 + Secure XWiki access with LDAP, Active Directory, SSO, OIDC, SAML, MFA, user synchronization, 14 + group management and maintainable permission policies. 18 18 </p> 19 - 20 - <p class="hero-support"> 21 - We help organizations connect XWiki with LDAP, Active Directory, SSO, OIDC, SAML or MFA, while keeping 22 - permissions understandable, maintainable and aligned with internal access policies. 23 - </p> 24 - 25 25 <div class="hero-actions"> 26 26 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a> 27 27 <a class="btn btn-secondary" href="#access-control-process">See the approach</a> ... ... 
@@ -28,193 +28,155 @@ 28 28 </div> 29 29 </div> 30 30 </section> 22 + ## WHY ACCESS CONTROL CARDS 23 + #set ($accessControlItems = [{ 24 + 'title': 'Connect users securely', 25 + 'icon': 'sign-in', 26 + 'content': 'Integrate XWiki with your identity provider so users can access the platform with familiar credentials.', 27 + 'items': [ 28 + 'LDAP and Active Directory', 29 + 'OIDC, SAML and SSO', 30 + 'MFA and authentication extensions' 31 + ] 32 + },{ 33 + 'title': 'Manage groups clearly', 34 + 'icon': 'users', 35 + 'content': 'Keep user and group synchronization understandable, scalable and aligned with the way permissions are used.', 36 + 'items': [ 37 + 'User synchronization', 38 + 'Group mapping and filtering', 39 + 'Large directory considerations' 40 + ] 41 + },{ 42 + 'title': 'Control access safely', 43 + 'icon': 'key', 44 + 'content': 'Review and structure rights so spaces, pages and applications can be maintained without accidental exposure.', 45 + 'items': [ 46 + 'Wiki and page permissions', 47 + 'Admin and script rights awareness', 48 + 'Rights model cleanup' 49 + ] 50 + }]) 31 31 32 - ## WHY ACCESS CONTROL MATTERS 33 33 <section aria-labelledby="why-access-title"> 34 34 <div class="container"> 35 35 <h2 id="why-access-title">Access control is central to a reliable XWiki platform</h2> 36 - 37 37 <p class="section-intro"> 38 38 XWiki often contains internal knowledge, procedures, project information, customer data, controlled documents 39 39 and business workflows. Authentication and permissions need to be configured carefully so users can access 40 40 what they need without exposing sensitive information or making administration too complex. 
41 41 </p> 42 - 43 43 <div class="pathways"> 44 - <article class="pathway-card"> 45 - <div class="pathway-icon"> 46 - <i class="fa fa-sign-in" aria-hidden="true"></i> 47 - </div> 48 - <h3>Connect users securely</h3> 49 - <p> 50 - Integrate XWiki with your identity provider so users can access the platform with familiar credentials. 51 - </p> 52 - <ul> 53 - <li>LDAP and Active Directory</li> 54 - <li>OIDC, SAML and SSO</li> 55 - <li>MFA and authentication extensions</li> 56 - </ul> 57 - </article> 58 - 59 - <article class="pathway-card"> 60 - <div class="pathway-icon"> 61 - <i class="fa fa-users" aria-hidden="true"></i> 62 - </div> 63 - <h3>Manage groups clearly</h3> 64 - <p> 65 - Keep user and group synchronization understandable, scalable and aligned with the way permissions are used. 66 - </p> 67 - <ul> 68 - <li>User synchronization</li> 69 - <li>Group mapping and filtering</li> 70 - <li>Large directory considerations</li> 71 - </ul> 72 - </article> 73 - 74 - <article class="pathway-card"> 75 - <div class="pathway-icon"> 76 - <i class="fa fa-key" aria-hidden="true"></i> 77 - </div> 78 - <h3>Control access safely</h3> 79 - <p> 80 - Review and structure rights so spaces, pages and applications can be maintained without accidental exposure. 
81 - </p> 82 - <ul> 83 - <li>Wiki and page permissions</li> 84 - <li>Admin and script rights awareness</li> 85 - <li>Rights model cleanup</li> 86 - </ul> 87 - </article> 61 + #foreach ($entry in $accessControlItems) 62 + <article class="pathway-card"> 63 + <div class="card-heading"> 64 + <div class="pathway-icon"> 65 + <i class="fa fa-$entry.icon" aria-hidden="true"></i> 66 + </div> 67 + <h3>$entry.title</h3> 68 + </div> 69 + <p>$entry.content</p> 70 + <ul> 71 + #foreach ($item in $entry.items) 72 + <li>$item</li> 73 + #end 74 + </ul> 75 + </article> 76 + #end 88 88 </div> 89 89 </div> 90 90 </section> 91 91 92 92 ## COMMON NEEDS 82 + #set ($accessNeedsItems = [{ 83 + 'title': 'LDAP and Active Directory integration', 84 + 'icon': 'address-book', 85 + 'content': 'Configuration, troubleshooting and optimization of LDAP/AD authentication, user creation and group synchronization.' 86 + },{ 87 + 'title': 'SSO, OIDC and SAML', 88 + 'icon': 'sign-in', 89 + 'content': 'Integration with identity providers, single sign-on flows and authentication extensions used in enterprise environments.' 90 + },{ 91 + 'title': 'Multi-factor authentication', 92 + 'icon': 'shield', 93 + 'content': 'MFA setup, licensing, configuration, troubleshooting and review of authentication-related user experience.' 94 + },{ 95 + 'title': 'User and group synchronization', 96 + 'icon': 'users', 97 + 'content': 'Review of synchronization strategy, group mapping, large-directory behavior and performance implications.' 98 + },{ 99 + 'title': 'Rights model review', 100 + 'icon': 'key', 101 + 'content': 'Review and cleanup of space, page, group and application permissions to reduce confusion and access risks.' 102 + },{ 103 + 'title': 'Access-related troubleshooting', 104 + 'icon': 'warning', 105 + 'content': 'Investigation of login failures, missing users, group sync issues, unexpected permissions or denied access.' 
106 + }]) 107 + 93 93 <section class="services" aria-labelledby="access-needs-title"> 94 94 <div class="container"> 95 95 <h2 id="access-needs-title">Common authentication and access control needs</h2> 96 - 97 97 <p class="section-intro"> 98 98 Authentication and permissions often become more complex as XWiki grows. The right setup depends on your 99 99 identity provider, group structure, security expectations, user volume and internal administration model. 100 100 </p> 101 - 102 102 <div class="services-grid"> 103 - <article class="service"> 104 - <div class="service-icon" aria-hidden="true"> 105 - <i class="fa fa-address-book"></i> 106 - </div> 107 - <div class="service-body"> 108 - <h4>LDAP and Active Directory integration</h4> 109 - <p> 110 - Configuration, troubleshooting and optimization of LDAP/AD authentication, user creation and group synchronization. 111 - </p> 112 - </div> 113 - </article> 114 - 115 - <article class="service"> 116 - <div class="service-icon" aria-hidden="true"> 117 - <i class="fa fa-sign-in"></i> 118 - </div> 119 - <div class="service-body"> 120 - <h4>SSO, OIDC and SAML</h4> 121 - <p> 122 - Integration with identity providers, single sign-on flows and authentication extensions used in enterprise environments. 123 - </p> 124 - </div> 125 - </article> 126 - 127 - <article class="service"> 128 - <div class="service-icon" aria-hidden="true"> 129 - <i class="fa fa-shield"></i> 130 - </div> 131 - <div class="service-body"> 132 - <h4>Multi-factor authentication</h4> 133 - <p> 134 - MFA setup, licensing, configuration, troubleshooting and review of authentication-related user experience. 
135 - </p> 136 - </div> 137 - </article> 138 - 139 - <article class="service"> 140 - <div class="service-icon" aria-hidden="true"> 141 - <i class="fa fa-users"></i> 142 - </div> 143 - <div class="service-body"> 144 - <h4>User and group synchronization</h4> 145 - <p> 146 - Review of synchronization strategy, group mapping, large-directory behavior and performance implications. 147 - </p> 148 - </div> 149 - </article> 150 - 151 - <article class="service"> 152 - <div class="service-icon" aria-hidden="true"> 153 - <i class="fa fa-key"></i> 154 - </div> 155 - <div class="service-body"> 156 - <h4>Rights model review</h4> 157 - <p> 158 - Review and cleanup of space, page, group and application permissions to reduce confusion and access risks. 159 - </p> 160 - </div> 161 - </article> 162 - 163 - <article class="service"> 164 - <div class="service-icon" aria-hidden="true"> 165 - <i class="fa fa-warning"></i> 166 - </div> 167 - <div class="service-body"> 168 - <h4>Access-related troubleshooting</h4> 169 - <p> 170 - Investigation of login failures, missing users, group sync issues, unexpected permissions or denied access. 171 - </p> 172 - </div> 173 - </article> 116 + #foreach ($entry in $accessNeedsItems) 117 + <article class="service"> 118 + <div class="service-icon" aria-hidden="true"> 119 + <i class="fa fa-$entry.icon"></i> 120 + </div> 121 + <div class="service-body"> 122 + <h4>$entry.title</h4> 123 + <p>$entry.content</p> 124 + </div> 125 + </article> 126 + #end 174 174 </div> 175 175 </div> 176 176 </section> 177 177 178 - ## APPROACH 131 + ## ACCESS CONTROL PROCESS 132 + #set ($accessProcessItems = [{ 133 + 'title': 'Review the current access setup', 134 + 'content': 'Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.' 135 + },{ 136 + 'title': 'Clarify the target model', 137 + 'content': 'Expected login flow, user provisioning, group mapping, administration model and permission boundaries.' 
138 + },{ 139 + 'title': 'Validate configuration safely', 140 + 'content': 'Test authentication, synchronization and rights behavior before applying changes to production when needed.' 141 + },{ 142 + 'title': 'Apply controlled changes', 143 + 'content': 'Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.' 144 + },{ 145 + 'title': 'Document the result', 146 + 'content': 'Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.' 147 + }]) 148 + 179 179 <section id="access-control-process" class="split-section" aria-labelledby="process-title"> 180 180 <div class="container"> 181 181 <div class="split-grid"> 182 182 <div class="split-copy"> 183 183 <h2 id="process-title">A practical access control approach</h2> 184 - 185 185 <p> 186 186 Authentication and permissions should be handled with care because small configuration mistakes can affect 187 187 access to the entire platform. The goal is to understand the current setup, clarify the expected access 188 188 model and apply changes in a controlled way. 189 189 </p> 190 - 191 191 <p> 192 192 When possible, authentication and rights changes should first be validated in a staging or temporary clone 193 193 of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved. 194 194 </p> 195 195 </div> 196 - 197 197 <ol class="process-list"> 198 - <li> 199 - <strong>Review the current access setup</strong> 200 - Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues. 201 - </li> 202 - <li> 203 - <strong>Clarify the target model</strong> 204 - Expected login flow, user provisioning, group mapping, administration model and permission boundaries. 
205 - </li> 206 - <li> 207 - <strong>Validate configuration safely</strong> 208 - Test authentication, synchronization and rights behavior before applying changes to production when needed. 209 - </li> 210 - <li> 211 - <strong>Apply controlled changes</strong> 212 - Update configuration, extensions, rights or group mappings with attention to rollback and administrator access. 213 - </li> 214 - <li> 215 - <strong>Document the result</strong> 216 - Provide practical notes about the final configuration, assumptions, risks and future maintenance actions. 217 - </li> 165 + #foreach ($entry in $accessProcessItems) 166 + <li> 167 + <strong>$entry.title</strong> 168 + $entry.content 169 + </li> 170 + #end 218 218 </ol> 219 219 </div> 220 220 </div> ... ... 
@@ -221,146 +221,108 @@ 221 221 </section> 222 222 223 223 ## SPECIFIC AREAS 177 + #set ($accessAreasItems = [{ 178 + 'title': 'Directory configuration', 179 + 'icon': 'server', 180 + 'content': 'LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.' 181 + },{ 182 + 'title': 'Group mapping', 183 + 'icon': 'random', 184 + 'content': 'Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.' 185 + },{ 186 + 'title': 'Permission structure', 187 + 'icon': 'lock', 188 + 'content': 'Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.' 189 + },{ 190 + 'title': 'Security-sensitive rights', 191 + 'icon': 'user-secret', 192 + 'content': 'Review of powerful rights such as admin, programming, script and edit rights where they affect security.' 193 + }]) 194 + 224 224 <section aria-labelledby="areas-title"> 225 225 <div class="container"> 226 226 <h2 id="areas-title">Specific areas we can review</h2> 227 - 228 228 <p class="section-intro"> 229 229 Access control in XWiki is not limited to the login page. It includes the full chain from identity provider 230 230 to user synchronization, group membership, page permissions and application-level rules. 231 231 </p> 232 - 233 233 <div class="widgets"> 234 - <article class="widget"> 235 - <div class="icon" aria-hidden="true"> 236 - <i class="fa fa-server"></i> 237 - <h4>Directory<br />configuration</h4> 238 - </div> 239 - <p> 240 - LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior. 241 - </p> 242 - </article> 243 - 244 - <article class="widget"> 245 - <div class="icon" aria-hidden="true"> 246 - <i class="fa fa-random"></i> 247 - <h4>Group<br />mapping</h4> 248 - </div> 249 - <p> 250 - Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues. 
251 - </p> 252 - </article> 253 - 254 - <article class="widget"> 255 - <div class="icon" aria-hidden="true"> 256 - <i class="fa fa-lock"></i> 257 - <h4>Permission<br />structure</h4> 258 - </div> 259 - <p> 260 - Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions. 261 - </p> 262 - </article> 263 - 264 - <article class="widget"> 265 - <div class="icon" aria-hidden="true"> 266 - <i class="fa fa-user-secret"></i> 267 - <h4>Security<br />sensitive rights</h4> 268 - </div> 269 - <p> 270 - Review of powerful rights such as admin, programming, script and edit rights where they affect security. 271 - </p> 272 - </article> 203 + #foreach ($entry in $accessAreasItems) 204 + <article class="widget"> 205 + <div class="icon" aria-hidden="true"> 206 + <i class="fa fa-$entry.icon"></i> 207 + <h4>$entry.title</h4> 208 + </div> 209 + <p>$entry.content</p> 210 + </article> 211 + #end 273 273 </div> 274 274 </div> 275 275 </section> 276 276 277 277 ## IMPORTANT CONSIDERATIONS 217 + #set ($accessConsiderationItems = [{ 218 + 'title': 'Large directory performance', 219 + 'icon': 'tachometer', 220 + 'content': 'Large numbers of users and groups can create synchronization, login-time or permission-management challenges.' 221 + },{ 222 + 'title': 'Visibility of groups and users', 223 + 'icon': 'eye', 224 + 'content': 'Group display, permission screens and administration workflows should remain usable even with many directory groups.' 225 + },{ 226 + 'title': 'User provisioning strategy', 227 + 'icon': 'user-plus', 228 + 'content': 'Decide when users are created, how profiles are updated and how synchronization behaves after first login.' 229 + },{ 230 + 'title': 'Administrator access safety', 231 + 'icon': 'unlock-alt', 232 + 'content': 'Authentication changes should preserve reliable administrator access and avoid accidental lockouts.' 
233 + },{ 234 + 'title': 'Upgrade compatibility', 235 + 'icon': 'refresh', 236 + 'content': 'Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.' 237 + },{ 238 + 'title': 'Documentation and handover', 239 + 'icon': 'file-text-o', 240 + 'content': 'Access rules, configuration decisions and operational assumptions should be documented for future maintenance.' 241 + }]) 242 + 278 278 <section class="services" aria-labelledby="considerations-title"> 279 279 <div class="container"> 280 280 <h2 id="considerations-title">Important considerations</h2> 281 - 282 282 <p class="section-intro"> 283 283 Authentication and access control should be designed for both security and usability. A setup that is too 284 284 permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot. 285 285 </p> 286 - 287 287 <div class="services-grid"> 288 - <article class="service"> 289 - <div class="service-icon" aria-hidden="true"> 290 - <i class="fa fa-tachometer"></i> 291 - </div> 292 - <div class="service-body"> 293 - <h4>Large directory performance</h4> 294 - <p> 295 - Large numbers of users and groups can create synchronization, login-time or permission-management challenges. 296 - </p> 297 - </div> 298 - </article> 299 - 300 - <article class="service"> 301 - <div class="service-icon" aria-hidden="true"> 302 - <i class="fa fa-eye"></i> 303 - </div> 304 - <div class="service-body"> 305 - <h4>Visibility of groups and users</h4> 306 - <p> 307 - Group display, permission screens and administration workflows should remain usable even with many directory groups. 
308 - </p> 309 - </div> 310 - </article> 311 - 312 - <article class="service"> 313 - <div class="service-icon" aria-hidden="true"> 314 - <i class="fa fa-user-plus"></i> 315 - </div> 316 - <div class="service-body"> 317 - <h4>User provisioning strategy</h4> 318 - <p> 319 - Decide when users are created, how profiles are updated and how synchronization behaves after first login. 320 - </p> 321 - </div> 322 - </article> 323 - 324 - <article class="service"> 325 - <div class="service-icon" aria-hidden="true"> 326 - <i class="fa fa-unlock-alt"></i> 327 - </div> 328 - <div class="service-body"> 329 - <h4>Administrator access safety</h4> 330 - <p> 331 - Authentication changes should preserve reliable administrator access and avoid accidental lockouts. 332 - </p> 333 - </div> 334 - </article> 335 - 336 - <article class="service"> 337 - <div class="service-icon" aria-hidden="true"> 338 - <i class="fa fa-refresh"></i> 339 - </div> 340 - <div class="service-body"> 341 - <h4>Upgrade compatibility</h4> 342 - <p> 343 - Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades. 344 - </p> 345 - </div> 346 - </article> 347 - 348 - <article class="service"> 349 - <div class="service-icon" aria-hidden="true"> 350 - <i class="fa fa-file-text-o"></i> 351 - </div> 352 - <div class="service-body"> 353 - <h4>Documentation and handover</h4> 354 - <p> 355 - Access rules, configuration decisions and operational assumptions should be documented for future maintenance. 
356 - </p> 357 - </div> 358 - </article> 251 + #foreach ($entry in $accessConsiderationItems) 252 + <article class="service"> 253 + <div class="service-icon" aria-hidden="true"> 254 + <i class="fa fa-$entry.icon"></i> 255 + </div> 256 + <div class="service-body"> 257 + <h4>$entry.title</h4> 258 + <p>$entry.content</p> 259 + </div> 260 + </article> 261 + #end 359 359 </div> 360 360 </div> 361 361 </section> 362 362 363 363 ## RELATED SERVICES 267 + #set ($relatedServiceItems = [{ 268 + 'title': 'XWiki Support & Maintenance', 269 + 'url': 'services.xwiki-maintenance-support', 270 + 'content': 'Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.', 271 + 'linkLabel': 'View support services' 272 + },{ 273 + 'title': 'XWiki Security Review', 274 + 'url': 'services.xwiki-security-review', 275 + 'content': 'Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.', 276 + 'linkLabel': 'View security review' 277 + }]) 278 + 364 364 <section class="resource-strip" aria-labelledby="related-title"> 365 365 <div class="container"> 366 366 <h2 id="related-title">Related XWiki services</h2> ... ... 
@@ -370,21 +370,13 @@ 370 370 </p> 371 371 372 372 <div class="resource-grid"> 373 - <article class="resource-card"> 374 - <h4>XWiki Support & Maintenance</h4> 375 - <p> 376 - Ongoing support for production environments, including troubleshooting, maintenance planning and operational review. 377 - </p> 378 - <a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a> 379 - </article> 380 - 381 - <article class="resource-card"> 382 - <h4>XWiki Security Review</h4> 383 - <p> 384 - Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure. 385 - </p> 386 - <a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a> 387 - </article> 288 + #foreach ($entry in $relatedServiceItems) 289 + <article class="resource-card"> 290 + <h4>$entry.title</h4> 291 + <p>$entry.content</p> 292 + <a href="$xwiki.getURL($entry.url)">$entry.linkLabel</a> 293 + </article> 294 + #end 388 388 </div> 389 389 </div> 390 390 </section>
- Agnease.Code.SEODetailsClass[0]
- metaTitle
... ... @@ -1,1 +1,1 @@ 1 -XWiki Authentication and Access Control |SSO, LDAP and Permissions1 +XWiki Authentication and Access Control Services | Agnease