Changes for page XWiki Authentication and Access Control
Last modified by Agnease on 2026/05/25 12:52
Summary: Page properties (1 modified, 0 added, 0 removed)
Details: Page properties > Content
... ... @@ -8,14 +8,11 @@ 8 8 <i class="fa fa-lock" aria-hidden="true"></i> 9 9 XWiki authentication and access control 10 10 </div> 11 - 12 12 <h1 id="hero-title">Secure XWiki access, authentication and permissions</h1> 13 - 14 14 <p class="lead"> 15 15 Secure XWiki access with LDAP, Active Directory, SSO, OIDC, SAML, MFA, user synchronization, 16 16 group management and maintainable permission policies. 17 17 </p> 18 - 19 19 <div class="hero-actions"> 20 20 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a> 21 21 <a class="btn btn-secondary" href="#access-control-process">See the approach</a> ... ... @@ -111,12 +111,10 @@ 111 111 <section class="services" aria-labelledby="access-needs-title"> 112 112 <div class="container"> 113 113 <h2 id="access-needs-title">Common authentication and access control needs</h2> 114 - 115 115 <p class="section-intro"> 116 116 Authentication and permissions often become more complex as XWiki grows. The right setup depends on your 117 117 identity provider, group structure, security expectations, user volume and internal administration model. 118 118 </p> 119 - 120 120 <div class="services-grid"> 121 121 #foreach ($entry in $accessNeedsItems) 122 122 <article class="service"> ... ... @@ -123,7 +123,6 @@ 123 123 <div class="service-icon" aria-hidden="true"> 124 124 <i class="fa fa-$entry.icon"></i> 125 125 </div> 126 - 127 127 <div class="service-body"> 128 128 <h4>$entry.title</h4> 129 129 <p>$entry.content</p> ... ... 
@@ -157,19 +157,16 @@ 157 157 <div class="split-grid"> 158 158 <div class="split-copy"> 159 159 <h2 id="process-title">A practical access control approach</h2> 160 - 161 161 <p> 162 162 Authentication and permissions should be handled with care because small configuration mistakes can affect 163 163 access to the entire platform. The goal is to understand the current setup, clarify the expected access 164 164 model and apply changes in a controlled way. 165 165 </p> 166 - 167 167 <p> 168 168 When possible, authentication and rights changes should first be validated in a staging or temporary clone 169 169 of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved. 170 170 </p> 171 171 </div> 172 - 173 173 <ol class="process-list"> 174 174 #foreach ($entry in $accessProcessItems) 175 175 <li> ... ... @@ -204,12 +204,10 @@ 204 204 <section aria-labelledby="areas-title"> 205 205 <div class="container"> 206 206 <h2 id="areas-title">Specific areas we can review</h2> 207 - 208 208 <p class="section-intro"> 209 209 Access control in XWiki is not limited to the login page. It includes the full chain from identity provider 210 210 to user synchronization, group membership, page permissions and application-level rules. 211 211 </p> 212 - 213 213 <div class="widgets"> 214 214 #foreach ($entry in $accessAreasItems) 215 215 <article class="widget"> ... ... @@ -217,7 +217,6 @@ 217 217 <i class="fa fa-$entry.icon"></i> 218 218 <h4>$entry.title</h4> 219 219 </div> 220 - 221 221 <p>$entry.content</p> 222 222 </article> 223 223 #end ... ... 
@@ -226,92 +226,68 @@ 226 226 </section> 227 227 228 228 ## IMPORTANT CONSIDERATIONS 217 + #set ($accessConsiderationItems = [{ 218 + 'title': 'Large directory performance', 219 + 'icon': 'tachometer', 220 + 'content': 'Large numbers of users and groups can create synchronization, login-time or permission-management challenges.' 221 + },{ 222 + 'title': 'Visibility of groups and users', 223 + 'icon': 'eye', 224 + 'content': 'Group display, permission screens and administration workflows should remain usable even with many directory groups.' 225 + },{ 226 + 'title': 'User provisioning strategy', 227 + 'icon': 'user-plus', 228 + 'content': 'Decide when users are created, how profiles are updated and how synchronization behaves after first login.' 229 + },{ 230 + 'title': 'Administrator access safety', 231 + 'icon': 'unlock-alt', 232 + 'content': 'Authentication changes should preserve reliable administrator access and avoid accidental lockouts.' 233 + },{ 234 + 'title': 'Upgrade compatibility', 235 + 'icon': 'refresh', 236 + 'content': 'Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.' 237 + },{ 238 + 'title': 'Documentation and handover', 239 + 'icon': 'file-text-o', 240 + 'content': 'Access rules, configuration decisions and operational assumptions should be documented for future maintenance.' 241 + }]) 242 + 229 229 <section class="services" aria-labelledby="considerations-title"> 230 230 <div class="container"> 231 231 <h2 id="considerations-title">Important considerations</h2> 232 - 233 233 <p class="section-intro"> 234 234 Authentication and access control should be designed for both security and usability. A setup that is too 235 235 permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot. 
236 236 </p> 237 - 238 238 <div class="services-grid"> 239 - <article class="service"> 240 - <div class="service-icon" aria-hidden="true"> 241 - <i class="fa fa-tachometer"></i> 242 - </div> 243 - <div class="service-body"> 244 - <h4>Large directory performance</h4> 245 - <p> 246 - Large numbers of users and groups can create synchronization, login-time or permission-management challenges. 247 - </p> 248 - </div> 249 - </article> 250 - 251 - <article class="service"> 252 - <div class="service-icon" aria-hidden="true"> 253 - <i class="fa fa-eye"></i> 254 - </div> 255 - <div class="service-body"> 256 - <h4>Visibility of groups and users</h4> 257 - <p> 258 - Group display, permission screens and administration workflows should remain usable even with many directory groups. 259 - </p> 260 - </div> 261 - </article> 262 - 263 - <article class="service"> 264 - <div class="service-icon" aria-hidden="true"> 265 - <i class="fa fa-user-plus"></i> 266 - </div> 267 - <div class="service-body"> 268 - <h4>User provisioning strategy</h4> 269 - <p> 270 - Decide when users are created, how profiles are updated and how synchronization behaves after first login. 271 - </p> 272 - </div> 273 - </article> 274 - 275 - <article class="service"> 276 - <div class="service-icon" aria-hidden="true"> 277 - <i class="fa fa-unlock-alt"></i> 278 - </div> 279 - <div class="service-body"> 280 - <h4>Administrator access safety</h4> 281 - <p> 282 - Authentication changes should preserve reliable administrator access and avoid accidental lockouts. 283 - </p> 284 - </div> 285 - </article> 286 - 287 - <article class="service"> 288 - <div class="service-icon" aria-hidden="true"> 289 - <i class="fa fa-refresh"></i> 290 - </div> 291 - <div class="service-body"> 292 - <h4>Upgrade compatibility</h4> 293 - <p> 294 - Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades. 
295 - </p> 296 - </div> 297 - </article> 298 - 299 - <article class="service"> 300 - <div class="service-icon" aria-hidden="true"> 301 - <i class="fa fa-file-text-o"></i> 302 - </div> 303 - <div class="service-body"> 304 - <h4>Documentation and handover</h4> 305 - <p> 306 - Access rules, configuration decisions and operational assumptions should be documented for future maintenance. 307 - </p> 308 - </div> 309 - </article> 251 + #foreach ($entry in $accessConsiderationItems) 252 + <article class="service"> 253 + <div class="service-icon" aria-hidden="true"> 254 + <i class="fa fa-$entry.icon"></i> 255 + </div> 256 + <div class="service-body"> 257 + <h4>$entry.title</h4> 258 + <p>$entry.content</p> 259 + </div> 260 + </article> 261 + #end 310 310 </div> 311 311 </div> 312 312 </section> 313 313 314 314 ## RELATED SERVICES 267 + #set ($relatedServiceItems = [{ 268 + 'title': 'XWiki Support & Maintenance', 269 + 'url': 'services.xwiki-maintenance-support', 270 + 'content': 'Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.', 271 + 'linkLabel': 'View support services' 272 + },{ 273 + 'title': 'XWiki Security Review', 274 + 'url': 'services.xwiki-security-review', 275 + 'content': 'Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.', 276 + 'linkLabel': 'View security review' 277 + }]) 278 + 315 315 <section class="resource-strip" aria-labelledby="related-title"> 316 316 <div class="container"> 317 317 <h2 id="related-title">Related XWiki services</h2> ... ... 
@@ -321,21 +321,13 @@ 321 321 </p> 322 322 323 323 <div class="resource-grid"> 324 - <article class="resource-card"> 325 - <h4>XWiki Support & Maintenance</h4> 326 - <p> 327 - Ongoing support for production environments, including troubleshooting, maintenance planning and operational review. 328 - </p> 329 - <a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a> 330 - </article> 331 - 332 - <article class="resource-card"> 333 - <h4>XWiki Security Review</h4> 334 - <p> 335 - Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure. 336 - </p> 337 - <a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a> 338 - </article> 288 + #foreach ($entry in $relatedServiceItems) 289 + <article class="resource-card"> 290 + <h4>$entry.title</h4> 291 + <p>$entry.content</p> 292 + <a href="$xwiki.getURL($entry.url)">$entry.linkLabel</a> 293 + </article> 294 + #end 339 339 </div> 340 340 </div> 341 341 </section>
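Review bot: in the `@@ -226,92 +226,68 @@` hunk the new `#foreach ($entry in $accessConsiderationItems)` loop writes the list values straight into the markup (`<h4>$entry.title</h4>`, `<p>$entry.content</p>`, `<i class="fa fa-$entry.icon"></i>`) with no escaping. That is fine today only because the list is a literal `#set` in the same script, so every string is author-controlled; if the items are later moved to XObjects or read from another document, a value containing `<`, `"` or a Velocity directive would be rendered as-is, on a page that is itself about access control. Suggest wrapping the three fields now, e.g. `<h4>$escapetool.xml($entry.title)</h4>`, `<p>$escapetool.xml($entry.content)</p>` and `fa-$escapetool.xml($entry.icon)`, so the loop stays safe regardless of where the data comes from. Otherwise the refactor is behaviour-preserving: the six title/icon/content triples in the `#set` match the six removed `<article class="service">` blocks one for one.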
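Review bot: in the `@@ -321,21 +321,13 @@` hunk `<a href="$xwiki.getURL($entry.url)">$entry.linkLabel</a>` now takes the document reference from the data list; both `'services.xwiki-maintenance-support'` and `'services.xwiki-security-review'` match the references that were hard-coded before, so the links do not change. Two small points: `$entry.title`, `$entry.content` and `$entry.linkLabel` go into the HTML unescaped, so apply `$escapetool.xml(...)` here as well for consistency; and the `#set ($relatedServiceItems = [...])` is placed inline under the `## RELATED SERVICES` comment while the earlier loops over `$accessNeedsItems`, `$accessProcessItems` and `$accessAreasItems` reference lists whose definitions are not in this diff. Pick one convention (all lists at the top of the script, or each immediately before its section) and note it in a comment so the next editor can find the data without searching the whole page.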