Last modified by Agnease on 2026/05/25 12:52

From version 8.3
edited by Agnease
on 2026/05/22 14:12
Change comment: There is no comment for this version
To version 1.1
edited by Agnease
on 2026/05/12 13:05
Change comment: There is no comment for this version

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -XWiki Authentication and Access Control
1 +xwiki-authentication-access-control
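Review bot: The `+` title `xwiki-authentication-access-control` is a URL-style slug, not a readable page title, and it would be what users see in navigation, search results and the rights and administration screens. This comparison runs from version 8.3 (2026/05/22) to the older version 1.1 (2026/05/12), so the `-` line "XWiki Authentication and Access Control" is the current title and is the one to keep.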
Content
... ... @@ -1,404 +1,0 @@
1 -{{velocity}}
2 -#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 -{{html clean="false"}}
4 -
5 - ## PAGE HEADER
6 - <section class="hero hero-centered service-hero" aria-labelledby="hero-title">
7 - <div class="container hero-inner">
8 - <div class="hero-kicker">
9 - <i class="fa fa-lock" aria-hidden="true"></i>
10 - XWiki authentication and access control
11 - </div>
12 -
13 - <h1 id="hero-title">Secure XWiki access, authentication and permissions</h1>
14 -
15 - <p class="lead">
16 - Secure XWiki access with LDAP, Active Directory, SSO, OIDC, SAML, MFA, user synchronization,
17 - group management and maintainable permission policies.
18 - </p>
19 -
20 - <div class="hero-actions">
21 - <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
22 - <a class="btn btn-secondary" href="#access-control-process">See the approach</a>
23 - </div>
24 - </div>
25 - </section>
26 -
27 - ## WHY ACCESS CONTROL MATTERS
28 - <section aria-labelledby="why-access-title">
29 - <div class="container">
30 - <h2 id="why-access-title">Access control is central to a reliable XWiki platform</h2>
31 -
32 - <p class="section-intro">
33 - XWiki often contains internal knowledge, procedures, project information, customer data, controlled documents
34 - and business workflows. Authentication and permissions need to be configured carefully so users can access
35 - what they need without exposing sensitive information or making administration too complex.
36 - </p>
37 -
38 - <div class="pathways">
39 - <article class="pathway-card">
40 - <div class="pathway-icon">
41 - <i class="fa fa-sign-in" aria-hidden="true"></i>
42 - </div>
43 - <h3>Connect users securely</h3>
44 - <p>
45 - Integrate XWiki with your identity provider so users can access the platform with familiar credentials.
46 - </p>
47 - <ul>
48 - <li>LDAP and Active Directory</li>
49 - <li>OIDC, SAML and SSO</li>
50 - <li>MFA and authentication extensions</li>
51 - </ul>
52 - </article>
53 -
54 - <article class="pathway-card">
55 - <div class="pathway-icon">
56 - <i class="fa fa-users" aria-hidden="true"></i>
57 - </div>
58 - <h3>Manage groups clearly</h3>
59 - <p>
60 - Keep user and group synchronization understandable, scalable and aligned with the way permissions are used.
61 - </p>
62 - <ul>
63 - <li>User synchronization</li>
64 - <li>Group mapping and filtering</li>
65 - <li>Large directory considerations</li>
66 - </ul>
67 - </article>
68 -
69 - <article class="pathway-card">
70 - <div class="pathway-icon">
71 - <i class="fa fa-key" aria-hidden="true"></i>
72 - </div>
73 - <h3>Control access safely</h3>
74 - <p>
75 - Review and structure rights so spaces, pages and applications can be maintained without accidental exposure.
76 - </p>
77 - <ul>
78 - <li>Wiki and page permissions</li>
79 - <li>Admin and script rights awareness</li>
80 - <li>Rights model cleanup</li>
81 - </ul>
82 - </article>
83 - </div>
84 - </div>
85 - </section>
86 -
87 - ## COMMON NEEDS
88 - <section class="services" aria-labelledby="access-needs-title">
89 - <div class="container">
90 - <h2 id="access-needs-title">Common authentication and access control needs</h2>
91 -
92 - <p class="section-intro">
93 - Authentication and permissions often become more complex as XWiki grows. The right setup depends on your
94 - identity provider, group structure, security expectations, user volume and internal administration model.
95 - </p>
96 -
97 - <div class="services-grid">
98 - <article class="service">
99 - <div class="service-icon" aria-hidden="true">
100 - <i class="fa fa-address-book"></i>
101 - </div>
102 - <div class="service-body">
103 - <h4>LDAP and Active Directory integration</h4>
104 - <p>
105 - Configuration, troubleshooting and optimization of LDAP/AD authentication, user creation and group synchronization.
106 - </p>
107 - </div>
108 - </article>
109 -
110 - <article class="service">
111 - <div class="service-icon" aria-hidden="true">
112 - <i class="fa fa-sign-in"></i>
113 - </div>
114 - <div class="service-body">
115 - <h4>SSO, OIDC and SAML</h4>
116 - <p>
117 - Integration with identity providers, single sign-on flows and authentication extensions used in enterprise environments.
118 - </p>
119 - </div>
120 - </article>
121 -
122 - <article class="service">
123 - <div class="service-icon" aria-hidden="true">
124 - <i class="fa fa-shield"></i>
125 - </div>
126 - <div class="service-body">
127 - <h4>Multi-factor authentication</h4>
128 - <p>
129 - MFA setup, licensing, configuration, troubleshooting and review of authentication-related user experience.
130 - </p>
131 - </div>
132 - </article>
133 -
134 - <article class="service">
135 - <div class="service-icon" aria-hidden="true">
136 - <i class="fa fa-users"></i>
137 - </div>
138 - <div class="service-body">
139 - <h4>User and group synchronization</h4>
140 - <p>
141 - Review of synchronization strategy, group mapping, large-directory behavior and performance implications.
142 - </p>
143 - </div>
144 - </article>
145 -
146 - <article class="service">
147 - <div class="service-icon" aria-hidden="true">
148 - <i class="fa fa-key"></i>
149 - </div>
150 - <div class="service-body">
151 - <h4>Rights model review</h4>
152 - <p>
153 - Review and cleanup of space, page, group and application permissions to reduce confusion and access risks.
154 - </p>
155 - </div>
156 - </article>
157 -
158 - <article class="service">
159 - <div class="service-icon" aria-hidden="true">
160 - <i class="fa fa-warning"></i>
161 - </div>
162 - <div class="service-body">
163 - <h4>Access-related troubleshooting</h4>
164 - <p>
165 - Investigation of login failures, missing users, group sync issues, unexpected permissions or denied access.
166 - </p>
167 - </div>
168 - </article>
169 - </div>
170 - </div>
171 - </section>
172 -
173 - ## APPROACH
174 - <section id="access-control-process" class="split-section" aria-labelledby="process-title">
175 - <div class="container">
176 - <div class="split-grid">
177 - <div class="split-copy">
178 - <h2 id="process-title">A practical access control approach</h2>
179 -
180 - <p>
181 - Authentication and permissions should be handled with care because small configuration mistakes can affect
182 - access to the entire platform. The goal is to understand the current setup, clarify the expected access
183 - model and apply changes in a controlled way.
184 - </p>
185 -
186 - <p>
187 - When possible, authentication and rights changes should first be validated in a staging or temporary clone
188 - of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved.
189 - </p>
190 - </div>
191 -
192 - <ol class="process-list">
193 - <li>
194 - <strong>Review the current access setup</strong>
195 - Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.
196 - </li>
197 - <li>
198 - <strong>Clarify the target model</strong>
199 - Expected login flow, user provisioning, group mapping, administration model and permission boundaries.
200 - </li>
201 - <li>
202 - <strong>Validate configuration safely</strong>
203 - Test authentication, synchronization and rights behavior before applying changes to production when needed.
204 - </li>
205 - <li>
206 - <strong>Apply controlled changes</strong>
207 - Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.
208 - </li>
209 - <li>
210 - <strong>Document the result</strong>
211 - Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.
212 - </li>
213 - </ol>
214 - </div>
215 - </div>
216 - </section>
217 -
218 - ## SPECIFIC AREAS
219 - <section aria-labelledby="areas-title">
220 - <div class="container">
221 - <h2 id="areas-title">Specific areas we can review</h2>
222 -
223 - <p class="section-intro">
224 - Access control in XWiki is not limited to the login page. It includes the full chain from identity provider
225 - to user synchronization, group membership, page permissions and application-level rules.
226 - </p>
227 -
228 - <div class="widgets">
229 - <article class="widget">
230 - <div class="icon" aria-hidden="true">
231 - <i class="fa fa-server"></i>
232 - <h4>Directory<br />configuration</h4>
233 - </div>
234 - <p>
235 - LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.
236 - </p>
237 - </article>
238 -
239 - <article class="widget">
240 - <div class="icon" aria-hidden="true">
241 - <i class="fa fa-random"></i>
242 - <h4>Group<br />mapping</h4>
243 - </div>
244 - <p>
245 - Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.
246 - </p>
247 - </article>
248 -
249 - <article class="widget">
250 - <div class="icon" aria-hidden="true">
251 - <i class="fa fa-lock"></i>
252 - <h4>Permission<br />structure</h4>
253 - </div>
254 - <p>
255 - Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.
256 - </p>
257 - </article>
258 -
259 - <article class="widget">
260 - <div class="icon" aria-hidden="true">
261 - <i class="fa fa-user-secret"></i>
262 - <h4>Security<br />sensitive rights</h4>
263 - </div>
264 - <p>
265 - Review of powerful rights such as admin, programming, script and edit rights where they affect security.
266 - </p>
267 - </article>
268 - </div>
269 - </div>
270 - </section>
271 -
272 - ## IMPORTANT CONSIDERATIONS
273 - <section class="services" aria-labelledby="considerations-title">
274 - <div class="container">
275 - <h2 id="considerations-title">Important considerations</h2>
276 -
277 - <p class="section-intro">
278 - Authentication and access control should be designed for both security and usability. A setup that is too
279 - permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot.
280 - </p>
281 -
282 - <div class="services-grid">
283 - <article class="service">
284 - <div class="service-icon" aria-hidden="true">
285 - <i class="fa fa-tachometer"></i>
286 - </div>
287 - <div class="service-body">
288 - <h4>Large directory performance</h4>
289 - <p>
290 - Large numbers of users and groups can create synchronization, login-time or permission-management challenges.
291 - </p>
292 - </div>
293 - </article>
294 -
295 - <article class="service">
296 - <div class="service-icon" aria-hidden="true">
297 - <i class="fa fa-eye"></i>
298 - </div>
299 - <div class="service-body">
300 - <h4>Visibility of groups and users</h4>
301 - <p>
302 - Group display, permission screens and administration workflows should remain usable even with many directory groups.
303 - </p>
304 - </div>
305 - </article>
306 -
307 - <article class="service">
308 - <div class="service-icon" aria-hidden="true">
309 - <i class="fa fa-user-plus"></i>
310 - </div>
311 - <div class="service-body">
312 - <h4>User provisioning strategy</h4>
313 - <p>
314 - Decide when users are created, how profiles are updated and how synchronization behaves after first login.
315 - </p>
316 - </div>
317 - </article>
318 -
319 - <article class="service">
320 - <div class="service-icon" aria-hidden="true">
321 - <i class="fa fa-unlock-alt"></i>
322 - </div>
323 - <div class="service-body">
324 - <h4>Administrator access safety</h4>
325 - <p>
326 - Authentication changes should preserve reliable administrator access and avoid accidental lockouts.
327 - </p>
328 - </div>
329 - </article>
330 -
331 - <article class="service">
332 - <div class="service-icon" aria-hidden="true">
333 - <i class="fa fa-refresh"></i>
334 - </div>
335 - <div class="service-body">
336 - <h4>Upgrade compatibility</h4>
337 - <p>
338 - Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.
339 - </p>
340 - </div>
341 - </article>
342 -
343 - <article class="service">
344 - <div class="service-icon" aria-hidden="true">
345 - <i class="fa fa-file-text-o"></i>
346 - </div>
347 - <div class="service-body">
348 - <h4>Documentation and handover</h4>
349 - <p>
350 - Access rules, configuration decisions and operational assumptions should be documented for future maintenance.
351 - </p>
352 - </div>
353 - </article>
354 - </div>
355 - </div>
356 - </section>
357 -
358 - ## RELATED SERVICES
359 - <section class="resource-strip" aria-labelledby="related-title">
360 - <div class="container">
361 - <h2 id="related-title">Related XWiki services</h2>
362 -
363 - <p class="section-intro">
364 - Authentication and access control often connect with maintenance, upgrades and security review.
365 - </p>
366 -
367 - <div class="resource-grid">
368 - <article class="resource-card">
369 - <h4>XWiki Support &amp; Maintenance</h4>
370 - <p>
371 - Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.
372 - </p>
373 - <a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a>
374 - </article>
375 -
376 - <article class="resource-card">
377 - <h4>XWiki Security Review</h4>
378 - <p>
379 - Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.
380 - </p>
381 - <a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a>
382 - </article>
383 - </div>
384 - </div>
385 - </section>
386 -
387 - ## CTA
388 - <section class="cta-section" aria-labelledby="cta-title">
389 - <div class="container">
390 - <div class="cta-panel">
391 - <h2 id="cta-title">Need help with XWiki authentication or permissions?</h2>
392 -
393 - <p>
394 - Send a short description of your authentication setup, identity provider, current XWiki version,
395 - user/group volume and the access control issue or improvement you want to address.
396 - </p>
397 -
398 - <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
399 - </div>
400 - </div>
401 - </section>
402 -
403 -{{/html}}
404 -{{/velocity}}
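Review bot: In the four `widget` cards under "Specific areas we can review", each `<h4>` sits inside `<div class="icon" aria-hidden="true">`, so the card headings (Directory configuration, Group mapping, Permission structure, Security sensitive rights) are hidden from assistive technology together with the icon. Move each `<h4>` out of that div, or put `aria-hidden="true"` on the `<i>` element only, as the `pathway-card` blocks already do. Separately, the markup is wrapped in `{{html clean="false"}}` inside `{{velocity}}`, and the `$xwiki.getURL(...)` results are written into `href` attributes without escaping. That is fine for the constant page references used here, but any Velocity value interpolated into this block later should be escaped at the point of output. Both versions also carry "There is no comment for this version", so a change comment explaining the rewrite would help whoever reviews the history. As the comparison runs from version 8.3 to the older 1.1, these `-` lines are the current page content.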
Agnease.Code.SEODetailsClass[0]
metaDescription
... ... @@ -1,1 +1,0 @@
1 -XWiki authentication and access control services for SSO, LDAP, OIDC, SAML, MFA, user groups, permissions and secure enterprise access management.
metaTitle
... ... @@ -1,1 +1,0 @@
1 -XWiki Authentication and Access Control Services | Agnease