Skip to Content
Last modified by Agnease on 2026/05/25 12:52
From version 8.5
edited by Agnease
on 2026/05/25 12:45
Change comment: There is no comment for this version
To version 1.1
edited by Agnease
on 2026/05/12 13:05
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -XWiki Authentication and Access Control
1 +xwiki-authentication-access-control
Content
... ... @@ -1,401 +1,0 @@
1 -{{velocity}}
2 -#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 -{{html clean="false"}}
4 - ## PAGE HEADER
5 - <section class="hero hero-centered service-hero" aria-labelledby="hero-title">
6 - <div class="container hero-inner">
7 - <div class="hero-kicker">
8 - <i class="fa fa-lock" aria-hidden="true"></i>
9 - XWiki authentication and access control
10 - </div>
11 -
12 - <h1 id="hero-title">Secure XWiki access, authentication and permissions</h1>
13 -
14 - <p class="lead">
15 - Secure XWiki access with LDAP, Active Directory, SSO, OIDC, SAML, MFA, user synchronization,
16 - group management and maintainable permission policies.
17 - </p>
18 -
19 - <div class="hero-actions">
20 - <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
21 - <a class="btn btn-secondary" href="#access-control-process">See the approach</a>
22 - </div>
23 - </div>
24 - </section>
25 - ## WHY ACCESS CONTROL CARDS
26 - #set ($accessControlItems = [{
27 - 'title': 'Connect users securely',
28 - 'icon': 'sign-in',
29 - 'content': 'Integrate XWiki with your identity provider so users can access the platform with familiar credentials.',
30 - 'items': [
31 - 'LDAP and Active Directory',
32 - 'OIDC, SAML and SSO',
33 - 'MFA and authentication extensions'
34 - ]
35 - },{
36 - 'title': 'Manage groups clearly',
37 - 'icon': 'users',
38 - 'content': 'Keep user and group synchronization understandable, scalable and aligned with the way permissions are used.',
39 - 'items': [
40 - 'User synchronization',
41 - 'Group mapping and filtering',
42 - 'Large directory considerations'
43 - ]
44 - },{
45 - 'title': 'Control access safely',
46 - 'icon': 'key',
47 - 'content': 'Review and structure rights so spaces, pages and applications can be maintained without accidental exposure.',
48 - 'items': [
49 - 'Wiki and page permissions',
50 - 'Admin and script rights awareness',
51 - 'Rights model cleanup'
52 - ]
53 - }])
54 -
55 - <section aria-labelledby="why-access-title">
56 - <div class="container">
57 - <h2 id="why-access-title">Access control is central to a reliable XWiki platform</h2>
58 - <p class="section-intro">
59 - XWiki often contains internal knowledge, procedures, project information, customer data, controlled documents
60 - and business workflows. Authentication and permissions need to be configured carefully so users can access
61 - what they need without exposing sensitive information or making administration too complex.
62 - </p>
63 - <div class="pathways">
64 - #foreach ($entry in $accessControlItems)
65 - <article class="pathway-card">
66 - <div class="card-heading">
67 - <div class="pathway-icon">
68 - <i class="fa fa-$entry.icon" aria-hidden="true"></i>
69 - </div>
70 - <h3>$entry.title</h3>
71 - </div>
72 - <p>$entry.content</p>
73 - <ul>
74 - #foreach ($item in $entry.items)
75 - <li>$item</li>
76 - #end
77 - </ul>
78 - </article>
79 - #end
80 - </div>
81 - </div>
82 - </section>
83 -
84 - ## COMMON NEEDS
85 - <section class="services" aria-labelledby="access-needs-title">
86 - <div class="container">
87 - <h2 id="access-needs-title">Common authentication and access control needs</h2>
88 -
89 - <p class="section-intro">
90 - Authentication and permissions often become more complex as XWiki grows. The right setup depends on your
91 - identity provider, group structure, security expectations, user volume and internal administration model.
92 - </p>
93 -
94 - <div class="services-grid">
95 - <article class="service">
96 - <div class="service-icon" aria-hidden="true">
97 - <i class="fa fa-address-book"></i>
98 - </div>
99 - <div class="service-body">
100 - <h4>LDAP and Active Directory integration</h4>
101 - <p>
102 - Configuration, troubleshooting and optimization of LDAP/AD authentication, user creation and group synchronization.
103 - </p>
104 - </div>
105 - </article>
106 -
107 - <article class="service">
108 - <div class="service-icon" aria-hidden="true">
109 - <i class="fa fa-sign-in"></i>
110 - </div>
111 - <div class="service-body">
112 - <h4>SSO, OIDC and SAML</h4>
113 - <p>
114 - Integration with identity providers, single sign-on flows and authentication extensions used in enterprise environments.
115 - </p>
116 - </div>
117 - </article>
118 -
119 - <article class="service">
120 - <div class="service-icon" aria-hidden="true">
121 - <i class="fa fa-shield"></i>
122 - </div>
123 - <div class="service-body">
124 - <h4>Multi-factor authentication</h4>
125 - <p>
126 - MFA setup, licensing, configuration, troubleshooting and review of authentication-related user experience.
127 - </p>
128 - </div>
129 - </article>
130 -
131 - <article class="service">
132 - <div class="service-icon" aria-hidden="true">
133 - <i class="fa fa-users"></i>
134 - </div>
135 - <div class="service-body">
136 - <h4>User and group synchronization</h4>
137 - <p>
138 - Review of synchronization strategy, group mapping, large-directory behavior and performance implications.
139 - </p>
140 - </div>
141 - </article>
142 -
143 - <article class="service">
144 - <div class="service-icon" aria-hidden="true">
145 - <i class="fa fa-key"></i>
146 - </div>
147 - <div class="service-body">
148 - <h4>Rights model review</h4>
149 - <p>
150 - Review and cleanup of space, page, group and application permissions to reduce confusion and access risks.
151 - </p>
152 - </div>
153 - </article>
154 -
155 - <article class="service">
156 - <div class="service-icon" aria-hidden="true">
157 - <i class="fa fa-warning"></i>
158 - </div>
159 - <div class="service-body">
160 - <h4>Access-related troubleshooting</h4>
161 - <p>
162 - Investigation of login failures, missing users, group sync issues, unexpected permissions or denied access.
163 - </p>
164 - </div>
165 - </article>
166 - </div>
167 - </div>
168 - </section>
169 -
170 - ## APPROACH
171 - <section id="access-control-process" class="split-section" aria-labelledby="process-title">
172 - <div class="container">
173 - <div class="split-grid">
174 - <div class="split-copy">
175 - <h2 id="process-title">A practical access control approach</h2>
176 -
177 - <p>
178 - Authentication and permissions should be handled with care because small configuration mistakes can affect
179 - access to the entire platform. The goal is to understand the current setup, clarify the expected access
180 - model and apply changes in a controlled way.
181 - </p>
182 -
183 - <p>
184 - When possible, authentication and rights changes should first be validated in a staging or temporary clone
185 - of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved.
186 - </p>
187 - </div>
188 -
189 - <ol class="process-list">
190 - <li>
191 - <strong>Review the current access setup</strong>
192 - Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.
193 - </li>
194 - <li>
195 - <strong>Clarify the target model</strong>
196 - Expected login flow, user provisioning, group mapping, administration model and permission boundaries.
197 - </li>
198 - <li>
199 - <strong>Validate configuration safely</strong>
200 - Test authentication, synchronization and rights behavior before applying changes to production when needed.
201 - </li>
202 - <li>
203 - <strong>Apply controlled changes</strong>
204 - Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.
205 - </li>
206 - <li>
207 - <strong>Document the result</strong>
208 - Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.
209 - </li>
210 - </ol>
211 - </div>
212 - </div>
213 - </section>
214 -
215 - ## SPECIFIC AREAS
216 - <section aria-labelledby="areas-title">
217 - <div class="container">
218 - <h2 id="areas-title">Specific areas we can review</h2>
219 -
220 - <p class="section-intro">
221 - Access control in XWiki is not limited to the login page. It includes the full chain from identity provider
222 - to user synchronization, group membership, page permissions and application-level rules.
223 - </p>
224 -
225 - <div class="widgets">
226 - <article class="widget">
227 - <div class="icon" aria-hidden="true">
228 - <i class="fa fa-server"></i>
229 - <h4>Directory<br />configuration</h4>
230 - </div>
231 - <p>
232 - LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.
233 - </p>
234 - </article>
235 -
236 - <article class="widget">
237 - <div class="icon" aria-hidden="true">
238 - <i class="fa fa-random"></i>
239 - <h4>Group<br />mapping</h4>
240 - </div>
241 - <p>
242 - Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.
243 - </p>
244 - </article>
245 -
246 - <article class="widget">
247 - <div class="icon" aria-hidden="true">
248 - <i class="fa fa-lock"></i>
249 - <h4>Permission<br />structure</h4>
250 - </div>
251 - <p>
252 - Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.
253 - </p>
254 - </article>
255 -
256 - <article class="widget">
257 - <div class="icon" aria-hidden="true">
258 - <i class="fa fa-user-secret"></i>
259 - <h4>Security<br />sensitive rights</h4>
260 - </div>
261 - <p>
262 - Review of powerful rights such as admin, programming, script and edit rights where they affect security.
263 - </p>
264 - </article>
265 - </div>
266 - </div>
267 - </section>
268 -
269 - ## IMPORTANT CONSIDERATIONS
270 - <section class="services" aria-labelledby="considerations-title">
271 - <div class="container">
272 - <h2 id="considerations-title">Important considerations</h2>
273 -
274 - <p class="section-intro">
275 - Authentication and access control should be designed for both security and usability. A setup that is too
276 - permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot.
277 - </p>
278 -
279 - <div class="services-grid">
280 - <article class="service">
281 - <div class="service-icon" aria-hidden="true">
282 - <i class="fa fa-tachometer"></i>
283 - </div>
284 - <div class="service-body">
285 - <h4>Large directory performance</h4>
286 - <p>
287 - Large numbers of users and groups can create synchronization, login-time or permission-management challenges.
288 - </p>
289 - </div>
290 - </article>
291 -
292 - <article class="service">
293 - <div class="service-icon" aria-hidden="true">
294 - <i class="fa fa-eye"></i>
295 - </div>
296 - <div class="service-body">
297 - <h4>Visibility of groups and users</h4>
298 - <p>
299 - Group display, permission screens and administration workflows should remain usable even with many directory groups.
300 - </p>
301 - </div>
302 - </article>
303 -
304 - <article class="service">
305 - <div class="service-icon" aria-hidden="true">
306 - <i class="fa fa-user-plus"></i>
307 - </div>
308 - <div class="service-body">
309 - <h4>User provisioning strategy</h4>
310 - <p>
311 - Decide when users are created, how profiles are updated and how synchronization behaves after first login.
312 - </p>
313 - </div>
314 - </article>
315 -
316 - <article class="service">
317 - <div class="service-icon" aria-hidden="true">
318 - <i class="fa fa-unlock-alt"></i>
319 - </div>
320 - <div class="service-body">
321 - <h4>Administrator access safety</h4>
322 - <p>
323 - Authentication changes should preserve reliable administrator access and avoid accidental lockouts.
324 - </p>
325 - </div>
326 - </article>
327 -
328 - <article class="service">
329 - <div class="service-icon" aria-hidden="true">
330 - <i class="fa fa-refresh"></i>
331 - </div>
332 - <div class="service-body">
333 - <h4>Upgrade compatibility</h4>
334 - <p>
335 - Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.
336 - </p>
337 - </div>
338 - </article>
339 -
340 - <article class="service">
341 - <div class="service-icon" aria-hidden="true">
342 - <i class="fa fa-file-text-o"></i>
343 - </div>
344 - <div class="service-body">
345 - <h4>Documentation and handover</h4>
346 - <p>
347 - Access rules, configuration decisions and operational assumptions should be documented for future maintenance.
348 - </p>
349 - </div>
350 - </article>
351 - </div>
352 - </div>
353 - </section>
354 -
355 - ## RELATED SERVICES
356 - <section class="resource-strip" aria-labelledby="related-title">
357 - <div class="container">
358 - <h2 id="related-title">Related XWiki services</h2>
359 -
360 - <p class="section-intro">
361 - Authentication and access control often connect with maintenance, upgrades and security review.
362 - </p>
363 -
364 - <div class="resource-grid">
365 - <article class="resource-card">
366 - <h4>XWiki Support &amp; Maintenance</h4>
367 - <p>
368 - Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.
369 - </p>
370 - <a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a>
371 - </article>
372 -
373 - <article class="resource-card">
374 - <h4>XWiki Security Review</h4>
375 - <p>
376 - Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.
377 - </p>
378 - <a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a>
379 - </article>
380 - </div>
381 - </div>
382 - </section>
383 -
384 - ## CTA
385 - <section class="cta-section" aria-labelledby="cta-title">
386 - <div class="container">
387 - <div class="cta-panel">
388 - <h2 id="cta-title">Need help with XWiki authentication or permissions?</h2>
389 -
390 - <p>
391 - Send a short description of your authentication setup, identity provider, current XWiki version,
392 - user/group volume and the access control issue or improvement you want to address.
393 - </p>
394 -
395 - <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
396 - </div>
397 - </div>
398 - </section>
399 -
400 -{{/html}}
401 -{{/velocity}}
Agnease.Code.SEODetailsClass[0]
metaDescription
... ... @@ -1,1 +1,0 @@
1 -XWiki authentication and access control services for SSO, LDAP, OIDC, SAML, MFA, user groups, permissions and secure enterprise access management.
metaTitle
... ... @@ -1,1 +1,0 @@
1 -XWiki Authentication and Access Control Services | Agnease