Version 8.3 by Agnease on 2026/05/22 14:12

{{velocity}}
#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
{{html clean="false"}}

## PAGE HEADER
<section class="hero hero-centered service-hero" aria-labelledby="hero-title">
<div class="container hero-inner">
<div class="hero-kicker">
<i class="fa fa-lock" aria-hidden="true"></i>
XWiki authentication and access control
</div>

<h1 id="hero-title">Secure XWiki access, authentication and permissions</h1>

<p class="lead">
Secure XWiki access with LDAP, Active Directory, SSO, OIDC, SAML, MFA, user synchronization,
group management and maintainable permission policies.
</p>

<div class="hero-actions">
<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
<a class="btn btn-secondary" href="#access-control-process">See the approach</a>
</div>
</div>
</section>

## WHY ACCESS CONTROL MATTERS
<section aria-labelledby="why-access-title">
<div class="container">
<h2 id="why-access-title">Access control is central to a reliable XWiki platform</h2>

<p class="section-intro">
XWiki often contains internal knowledge, procedures, project information, customer data, controlled documents
and business workflows. Authentication and permissions need to be configured carefully so users can access
what they need without exposing sensitive information or making administration too complex.
</p>

<div class="pathways">
<article class="pathway-card">
<div class="pathway-icon">
<i class="fa fa-sign-in" aria-hidden="true"></i>
</div>
<h3>Connect users securely</h3>
<p>
Integrate XWiki with your identity provider so users can access the platform with familiar credentials.
</p>
<ul>
<li>LDAP and Active Directory</li>
<li>OIDC, SAML and SSO</li>
<li>MFA and authentication extensions</li>
</ul>
</article>

<article class="pathway-card">
<div class="pathway-icon">
<i class="fa fa-users" aria-hidden="true"></i>
</div>
<h3>Manage groups clearly</h3>
<p>
Keep user and group synchronization understandable, scalable and aligned with the way permissions are used.
</p>
<ul>
<li>User synchronization</li>
<li>Group mapping and filtering</li>
<li>Large directory considerations</li>
</ul>
</article>

<article class="pathway-card">
<div class="pathway-icon">
<i class="fa fa-key" aria-hidden="true"></i>
</div>
<h3>Control access safely</h3>
<p>
Review and structure rights so spaces, pages and applications can be maintained without accidental exposure.
</p>
<ul>
<li>Wiki and page permissions</li>
<li>Admin and script rights awareness</li>
<li>Rights model cleanup</li>
</ul>
</article>
</div>
</div>
</section>

## COMMON NEEDS
<section class="services" aria-labelledby="access-needs-title">
<div class="container">
<h2 id="access-needs-title">Common authentication and access control needs</h2>

<p class="section-intro">
Authentication and permissions often become more complex as XWiki grows. The right setup depends on your
identity provider, group structure, security expectations, user volume and internal administration model.
</p>

<div class="services-grid">
<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-address-book"></i>
</div>
<div class="service-body">
<h4>LDAP and Active Directory integration</h4>
<p>
Configuration, troubleshooting and optimization of LDAP/AD authentication, user creation and group synchronization.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-sign-in"></i>
</div>
<div class="service-body">
<h4>SSO, OIDC and SAML</h4>
<p>
Integration with identity providers, single sign-on flows and authentication extensions used in enterprise environments.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-shield"></i>
</div>
<div class="service-body">
<h4>Multi-factor authentication</h4>
<p>
MFA setup, licensing, configuration, troubleshooting and review of the authentication-related user experience.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-users"></i>
</div>
<div class="service-body">
<h4>User and group synchronization</h4>
<p>
Review of synchronization strategy, group mapping, large-directory behavior and performance implications.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-key"></i>
</div>
<div class="service-body">
<h4>Rights model review</h4>
<p>
Review and cleanup of space, page, group and application permissions to reduce confusion and access risks.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-warning"></i>
</div>
<div class="service-body">
<h4>Access-related troubleshooting</h4>
<p>
Investigation of login failures, missing users, group sync issues, unexpected permissions or denied access.
</p>
</div>
</article>
</div>
</div>
</section>

## APPROACH
<section id="access-control-process" class="split-section" aria-labelledby="process-title">
<div class="container">
<div class="split-grid">
<div class="split-copy">
<h2 id="process-title">A practical access control approach</h2>

<p>
Authentication and permissions should be handled with care because small configuration mistakes can affect
access to the entire platform. The goal is to understand the current setup, clarify the expected access
model and apply changes in a controlled way.
</p>

<p>
When possible, authentication and rights changes should first be validated in a staging or temporary clone
of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved.
</p>
</div>

<ol class="process-list">
<li>
<strong>Review the current access setup</strong>
Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.
</li>
<li>
<strong>Clarify the target model</strong>
Expected login flow, user provisioning, group mapping, administration model and permission boundaries.
</li>
<li>
<strong>Validate configuration safely</strong>
When needed, test authentication, synchronization and rights behavior before applying changes to production.
</li>
<li>
<strong>Apply controlled changes</strong>
Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.
</li>
<li>
<strong>Document the result</strong>
Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.
</li>
</ol>
</div>
</div>
</section>

## SPECIFIC AREAS
<section aria-labelledby="areas-title">
<div class="container">
<h2 id="areas-title">Specific areas we can review</h2>

<p class="section-intro">
Access control in XWiki is not limited to the login page. It includes the full chain from identity provider
to user synchronization, group membership, page permissions and application-level rules.
</p>

<div class="widgets">
<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-server"></i>
<h4>Directory<br />configuration</h4>
</div>
<p>
LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.
</p>
</article>

<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-random"></i>
<h4>Group<br />mapping</h4>
</div>
<p>
Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.
</p>
</article>

<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-lock"></i>
<h4>Permission<br />structure</h4>
</div>
<p>
Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.
</p>
</article>

<article class="widget">
<div class="icon" aria-hidden="true">
<i class="fa fa-user-secret"></i>
<h4>Security-sensitive<br />rights</h4>
</div>
<p>
Review of powerful rights such as admin, programming, script and edit rights where they affect security.
</p>
</article>
</div>
</div>
</section>

## IMPORTANT CONSIDERATIONS
<section class="services" aria-labelledby="considerations-title">
<div class="container">
<h2 id="considerations-title">Important considerations</h2>

<p class="section-intro">
Authentication and access control should be designed for both security and usability. A setup that is too
permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot.
</p>

<div class="services-grid">
<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-tachometer"></i>
</div>
<div class="service-body">
<h4>Large directory performance</h4>
<p>
Large numbers of users and groups can create synchronization, login-time or permission-management challenges.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-eye"></i>
</div>
<div class="service-body">
<h4>Visibility of groups and users</h4>
<p>
Group display, permission screens and administration workflows should remain usable even with many directory groups.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-user-plus"></i>
</div>
<div class="service-body">
<h4>User provisioning strategy</h4>
<p>
Decide when users are created, how profiles are updated and how synchronization behaves after first login.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-unlock-alt"></i>
</div>
<div class="service-body">
<h4>Administrator access safety</h4>
<p>
Authentication changes should preserve reliable administrator access and avoid accidental lockouts.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-refresh"></i>
</div>
<div class="service-body">
<h4>Upgrade compatibility</h4>
<p>
Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.
</p>
</div>
</article>

<article class="service">
<div class="service-icon" aria-hidden="true">
<i class="fa fa-file-text-o"></i>
</div>
<div class="service-body">
<h4>Documentation and handover</h4>
<p>
Access rules, configuration decisions and operational assumptions should be documented for future maintenance.
</p>
</div>
</article>
</div>
</div>
</section>

## RELATED SERVICES
<section class="resource-strip" aria-labelledby="related-title">
<div class="container">
<h2 id="related-title">Related XWiki services</h2>

<p class="section-intro">
Authentication and access control often connect with maintenance, upgrades and security review.
</p>

<div class="resource-grid">
<article class="resource-card">
<h4>XWiki Support &amp; Maintenance</h4>
<p>
Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.
</p>
<a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a>
</article>

<article class="resource-card">
<h4>XWiki Security Review</h4>
<p>
Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.
</p>
<a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a>
</article>
</div>
</div>
</section>

## CTA
<section class="cta-section" aria-labelledby="cta-title">
<div class="container">
<div class="cta-panel">
<h2 id="cta-title">Need help with XWiki authentication or permissions?</h2>

<p>
Send a short description of your authentication setup, identity provider, current XWiki version,
user/group volume and the access control issue or improvement you want to address.
</p>

<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
</div>
</div>
</section>

{{/html}}
{{/velocity}}