Last modified by Agnease on 2026/05/25 12:52

From version 8.9
edited by Agnease
on 2026/05/25 12:52
Change comment: There is no comment for this version
To version 8.6
edited by Agnease
on 2026/05/25 12:47
Change comment: There is no comment for this version

Page properties
Content
... ... @@ -8,11 +8,14 @@
8 8   <i class="fa fa-lock" aria-hidden="true"></i>
9 9   XWiki authentication and access control
10 10   </div>
11 +
11 11   <h1 id="hero-title">Secure XWiki access, authentication and permissions</h1>
13 +
12 12   <p class="lead">
13 13   Secure XWiki access with LDAP, Active Directory, SSO, OIDC, SAML, MFA, user synchronization,
14 14   group management and maintainable permission policies.
15 15   </p>
18 +
16 16   <div class="hero-actions">
17 17   <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
18 18   <a class="btn btn-secondary" href="#access-control-process">See the approach</a>
... ... @@ -108,10 +108,12 @@
108 108   <section class="services" aria-labelledby="access-needs-title">
109 109   <div class="container">
110 110   <h2 id="access-needs-title">Common authentication and access control needs</h2>
114 +
111 111   <p class="section-intro">
112 112   Authentication and permissions often become more complex as XWiki grows. The right setup depends on your
113 113   identity provider, group structure, security expectations, user volume and internal administration model.
114 114   </p>
119 +
115 115   <div class="services-grid">
116 116   #foreach ($entry in $accessNeedsItems)
117 117   <article class="service">
... ... @@ -118,6 +118,7 @@
118 118   <div class="service-icon" aria-hidden="true">
119 119   <i class="fa fa-$entry.icon"></i>
120 120   </div>
126 +
121 121   <div class="service-body">
122 122   <h4>$entry.title</h4>
123 123   <p>$entry.content</p>
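Review bot: `<h4>$entry.title</h4>` and `<p>$entry.content</p>` at the end of this hunk emit the Velocity values as raw HTML with no escaping. That is acceptable only while the values are string literals from a `#set` list in this same page, as `$accessNeedsItems` appears to be; if the list is ever filled from a document field, a request parameter or another page, wrap the output as `$escapetool.xml($entry.title)` and `$escapetool.xml($entry.content)` so a stray `<` or `&` cannot break the markup or inject script into a page that renders with the author's script rights.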
... ... @@ -128,46 +128,46 @@
128 128   </div>
129 129   </section>
130 130  
131 - ## ACCESS CONTROL PROCESS
132 - #set ($accessProcessItems = [{
133 - 'title': 'Review the current access setup',
134 - 'content': 'Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.'
135 - },{
136 - 'title': 'Clarify the target model',
137 - 'content': 'Expected login flow, user provisioning, group mapping, administration model and permission boundaries.'
138 - },{
139 - 'title': 'Validate configuration safely',
140 - 'content': 'Test authentication, synchronization and rights behavior before applying changes to production when needed.'
141 - },{
142 - 'title': 'Apply controlled changes',
143 - 'content': 'Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.'
144 - },{
145 - 'title': 'Document the result',
146 - 'content': 'Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.'
147 - }])
148 -
137 + ## APPROACH
149 149   <section id="access-control-process" class="split-section" aria-labelledby="process-title">
150 150   <div class="container">
151 151   <div class="split-grid">
152 152   <div class="split-copy">
153 153   <h2 id="process-title">A practical access control approach</h2>
143 +
154 154   <p>
155 155   Authentication and permissions should be handled with care because small configuration mistakes can affect
156 156   access to the entire platform. The goal is to understand the current setup, clarify the expected access
157 157   model and apply changes in a controlled way.
158 158   </p>
149 +
159 159   <p>
160 160   When possible, authentication and rights changes should first be validated in a staging or temporary clone
161 161   of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved.
162 162   </p>
163 163   </div>
155 +
164 164   <ol class="process-list">
165 - #foreach ($entry in $accessProcessItems)
166 - <li>
167 - <strong>$entry.title</strong>
168 - $entry.content
169 - </li>
170 - #end
157 + <li>
158 + <strong>Review the current access setup</strong>
159 + Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.
160 + </li>
161 + <li>
162 + <strong>Clarify the target model</strong>
163 + Expected login flow, user provisioning, group mapping, administration model and permission boundaries.
164 + </li>
165 + <li>
166 + <strong>Validate configuration safely</strong>
167 + Test authentication, synchronization and rights behavior before applying changes to production when needed.
168 + </li>
169 + <li>
170 + <strong>Apply controlled changes</strong>
171 + Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.
172 + </li>
173 + <li>
174 + <strong>Document the result</strong>
175 + Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.
176 + </li>
171 171   </ol>
172 172   </div>
173 173   </div>
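Review bot: the page now mixes two conventions for the same pattern: the `## ACCESS CONTROL PROCESS` `#set` list and its `#foreach` are replaced by five hand-written `<li>` blocks, while the `accessNeedsItems` grid in the previous hunk still uses `#set` + `#foreach`. Pick one: keep the list data-driven (one place to edit wording; the same unescaped-output caveat applies to `$entry.title` and `$entry.content`) or inline every section, because half-and-half makes later wording edits error-prone. The five inlined items do match the removed `#set` entries word for word. Also, the `## APPROACH` comment replaces `## ACCESS CONTROL PROCESS` while the section keeps `id="access-control-process"`, which the hero button in the first hunk links to; keep the comment and the id aligned so a future rename does not silently break the `#access-control-process` link.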
... ... @@ -174,108 +174,146 @@
174 174   </section>
175 175  
176 176   ## SPECIFIC AREAS
177 - #set ($accessAreasItems = [{
178 - 'title': 'Directory configuration',
179 - 'icon': 'server',
180 - 'content': 'LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.'
181 - },{
182 - 'title': 'Group mapping',
183 - 'icon': 'random',
184 - 'content': 'Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.'
185 - },{
186 - 'title': 'Permission structure',
187 - 'icon': 'lock',
188 - 'content': 'Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.'
189 - },{
190 - 'title': 'Security-sensitive rights',
191 - 'icon': 'user-secret',
192 - 'content': 'Review of powerful rights such as admin, programming, script and edit rights where they affect security.'
193 - }])
194 -
195 195   <section aria-labelledby="areas-title">
196 196   <div class="container">
197 197   <h2 id="areas-title">Specific areas we can review</h2>
186 +
198 198   <p class="section-intro">
199 199   Access control in XWiki is not limited to the login page. It includes the full chain from identity provider
200 200   to user synchronization, group membership, page permissions and application-level rules.
201 201   </p>
191 +
202 202   <div class="widgets">
203 - #foreach ($entry in $accessAreasItems)
204 - <article class="widget">
205 - <div class="icon" aria-hidden="true">
206 - <i class="fa fa-$entry.icon"></i>
207 - <h4>$entry.title</h4>
208 - </div>
209 - <p>$entry.content</p>
210 - </article>
211 - #end
193 + <article class="widget">
194 + <div class="icon" aria-hidden="true">
195 + <i class="fa fa-server"></i>
196 + <h4>Directory<br />configuration</h4>
197 + </div>
198 + <p>
199 + LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.
200 + </p>
201 + </article>
202 +
203 + <article class="widget">
204 + <div class="icon" aria-hidden="true">
205 + <i class="fa fa-random"></i>
206 + <h4>Group<br />mapping</h4>
207 + </div>
208 + <p>
209 + Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.
210 + </p>
211 + </article>
212 +
213 + <article class="widget">
214 + <div class="icon" aria-hidden="true">
215 + <i class="fa fa-lock"></i>
216 + <h4>Permission<br />structure</h4>
217 + </div>
218 + <p>
219 + Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.
220 + </p>
221 + </article>
222 +
223 + <article class="widget">
224 + <div class="icon" aria-hidden="true">
225 + <i class="fa fa-user-secret"></i>
226 + <h4>Security<br />sensitive rights</h4>
227 + </div>
228 + <p>
229 + Review of powerful rights such as admin, programming, script and edit rights where they affect security.
230 + </p>
231 + </article>
212 212   </div>
213 213   </div>
214 214   </section>
215 215  
216 216   ## IMPORTANT CONSIDERATIONS
217 - #set ($accessConsiderationItems = [{
218 - 'title': 'Large directory performance',
219 - 'icon': 'tachometer',
220 - 'content': 'Large numbers of users and groups can create synchronization, login-time or permission-management challenges.'
221 - },{
222 - 'title': 'Visibility of groups and users',
223 - 'icon': 'eye',
224 - 'content': 'Group display, permission screens and administration workflows should remain usable even with many directory groups.'
225 - },{
226 - 'title': 'User provisioning strategy',
227 - 'icon': 'user-plus',
228 - 'content': 'Decide when users are created, how profiles are updated and how synchronization behaves after first login.'
229 - },{
230 - 'title': 'Administrator access safety',
231 - 'icon': 'unlock-alt',
232 - 'content': 'Authentication changes should preserve reliable administrator access and avoid accidental lockouts.'
233 - },{
234 - 'title': 'Upgrade compatibility',
235 - 'icon': 'refresh',
236 - 'content': 'Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.'
237 - },{
238 - 'title': 'Documentation and handover',
239 - 'icon': 'file-text-o',
240 - 'content': 'Access rules, configuration decisions and operational assumptions should be documented for future maintenance.'
241 - }])
242 -
243 243   <section class="services" aria-labelledby="considerations-title">
244 244   <div class="container">
245 245   <h2 id="considerations-title">Important considerations</h2>
240 +
246 246   <p class="section-intro">
247 247   Authentication and access control should be designed for both security and usability. A setup that is too
248 248   permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot.
249 249   </p>
245 +
250 250   <div class="services-grid">
251 - #foreach ($entry in $accessConsiderationItems)
252 - <article class="service">
253 - <div class="service-icon" aria-hidden="true">
254 - <i class="fa fa-$entry.icon"></i>
255 - </div>
256 - <div class="service-body">
257 - <h4>$entry.title</h4>
258 - <p>$entry.content</p>
259 - </div>
260 - </article>
261 - #end
247 + <article class="service">
248 + <div class="service-icon" aria-hidden="true">
249 + <i class="fa fa-tachometer"></i>
250 + </div>
251 + <div class="service-body">
252 + <h4>Large directory performance</h4>
253 + <p>
254 + Large numbers of users and groups can create synchronization, login-time or permission-management challenges.
255 + </p>
256 + </div>
257 + </article>
258 +
259 + <article class="service">
260 + <div class="service-icon" aria-hidden="true">
261 + <i class="fa fa-eye"></i>
262 + </div>
263 + <div class="service-body">
264 + <h4>Visibility of groups and users</h4>
265 + <p>
266 + Group display, permission screens and administration workflows should remain usable even with many directory groups.
267 + </p>
268 + </div>
269 + </article>
270 +
271 + <article class="service">
272 + <div class="service-icon" aria-hidden="true">
273 + <i class="fa fa-user-plus"></i>
274 + </div>
275 + <div class="service-body">
276 + <h4>User provisioning strategy</h4>
277 + <p>
278 + Decide when users are created, how profiles are updated and how synchronization behaves after first login.
279 + </p>
280 + </div>
281 + </article>
282 +
283 + <article class="service">
284 + <div class="service-icon" aria-hidden="true">
285 + <i class="fa fa-unlock-alt"></i>
286 + </div>
287 + <div class="service-body">
288 + <h4>Administrator access safety</h4>
289 + <p>
290 + Authentication changes should preserve reliable administrator access and avoid accidental lockouts.
291 + </p>
292 + </div>
293 + </article>
294 +
295 + <article class="service">
296 + <div class="service-icon" aria-hidden="true">
297 + <i class="fa fa-refresh"></i>
298 + </div>
299 + <div class="service-body">
300 + <h4>Upgrade compatibility</h4>
301 + <p>
302 + Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.
303 + </p>
304 + </div>
305 + </article>
306 +
307 + <article class="service">
308 + <div class="service-icon" aria-hidden="true">
309 + <i class="fa fa-file-text-o"></i>
310 + </div>
311 + <div class="service-body">
312 + <h4>Documentation and handover</h4>
313 + <p>
314 + Access rules, configuration decisions and operational assumptions should be documented for future maintenance.
315 + </p>
316 + </div>
317 + </article>
262 262   </div>
263 263   </div>
264 264   </section>
265 265  
266 266   ## RELATED SERVICES
267 - #set ($relatedServiceItems = [{
268 - 'title': 'XWiki Support & Maintenance',
269 - 'url': 'services.xwiki-maintenance-support',
270 - 'content': 'Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.',
271 - 'linkLabel': 'View support services'
272 - },{
273 - 'title': 'XWiki Security Review',
274 - 'url': 'services.xwiki-security-review',
275 - 'content': 'Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.',
276 - 'linkLabel': 'View security review'
277 - }])
278 -
279 279   <section class="resource-strip" aria-labelledby="related-title">
280 280   <div class="container">
281 281   <h2 id="related-title">Related XWiki services</h2>
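Review bot: `<h4>Security<br />sensitive rights</h4>` drops the hyphen from the replaced `'Security-sensitive rights'` title, which changes the reading (security, and sensitive rights, instead of security-sensitive rights); write it as `Security-<br />sensitive rights` or keep the title on one line. Separately, in the `widgets` block on both sides of this hunk the `<h4>` sits inside `<div class="icon" aria-hidden="true">`, so each widget's heading is hidden from assistive technology together with its icon; move the heading out of the aria-hidden wrapper, as the `services-grid` articles further down already do with a separate `service-body` div. The considerations items otherwise match their former `#set` entries word for word.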
... ... @@ -285,13 +285,21 @@
285 285   </p>
286 286  
287 287   <div class="resource-grid">
288 - #foreach ($entry in $relatedServiceItems)
289 - <article class="resource-card">
290 - <h4>$entry.title</h4>
291 - <p>$entry.content</p>
292 - <a href="$xwiki.getURL($entry.url)">$entry.linkLabel</a>
293 - </article>
294 - #end
332 + <article class="resource-card">
333 + <h4>XWiki Support &amp; Maintenance</h4>
334 + <p>
335 + Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.
336 + </p>
337 + <a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a>
338 + </article>
339 +
340 + <article class="resource-card">
341 + <h4>XWiki Security Review</h4>
342 + <p>
343 + Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.
344 + </p>
345 + <a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a>
346 + </article>
295 295   </div>
296 296   </div>
297 297   </section>
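Review bot: the inlined `<h4>XWiki Support &amp; Maintenance</h4>` is correctly escaped, which shows the defect in the removed data-driven form: `'XWiki Support & Maintenance'` was emitted through `<h4>$entry.title</h4>` unescaped, producing a bare `&` in the HTML. Wherever the `#foreach` form is retained, pass titles and content through `$escapetool.xml(...)` or escape them in the literal. The `href="$xwiki.getURL('services.xwiki-maintenance-support')"` and `href="$xwiki.getURL('services.xwiki-security-review')"` targets are unchanged in meaning from the `$entry.url` form.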