Wiki source code of XWiki Authentication and Access Control

Version 8.7 by Agnease on 2026/05/25 12:49

Manage
- Copy
Actions
- Export
- Print Preview
Viewers
- Source
- Siblings
- Content
- Comments
- Attachments
- History
- Information
- Likes

version	line-number	content
1.2	1	{{velocity}}
	2	#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
	3	{{html clean="false"}}
	4	## PAGE HEADER
	5	<section class="hero hero-centered service-hero" aria-labelledby="hero-title">
	6	<div class="container hero-inner">
	7	<div class="hero-kicker">
	8	<i class="fa fa-lock" aria-hidden="true"></i>
	9	XWiki authentication and access control
	10	</div>
	11
	12	<h1 id="hero-title">Secure XWiki access, authentication and permissions</h1>
	13
	14	<p class="lead">
8.3	15	Secure XWiki access with LDAP, Active Directory, SSO, OIDC, SAML, MFA, user synchronization,
	16	group management and maintainable permission policies.
1.2	17	</p>
	18
	19	<div class="hero-actions">
	20	<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
	21	<a class="btn btn-secondary" href="#access-control-process">See the approach</a>
	22	</div>
	23	</div>
	24	</section>
8.4	25	## WHY ACCESS CONTROL CARDS
	26	#set ($accessControlItems = [{
	27	'title': 'Connect users securely',
	28	'icon': 'sign-in',
	29	'content': 'Integrate XWiki with your identity provider so users can access the platform with familiar credentials.',
	30	'items': [
	31	'LDAP and Active Directory',
	32	'OIDC, SAML and SSO',
	33	'MFA and authentication extensions'
	34	]
	35	},{
	36	'title': 'Manage groups clearly',
	37	'icon': 'users',
	38	'content': 'Keep user and group synchronization understandable, scalable and aligned with the way permissions are used.',
	39	'items': [
	40	'User synchronization',
	41	'Group mapping and filtering',
	42	'Large directory considerations'
	43	]
	44	},{
	45	'title': 'Control access safely',
	46	'icon': 'key',
	47	'content': 'Review and structure rights so spaces, pages and applications can be maintained without accidental exposure.',
	48	'items': [
	49	'Wiki and page permissions',
	50	'Admin and script rights awareness',
	51	'Rights model cleanup'
	52	]
	53	}])
1.2	54
	55	<section aria-labelledby="why-access-title">
	56	<div class="container">
	57	<h2 id="why-access-title">Access control is central to a reliable XWiki platform</h2>
	58	<p class="section-intro">
	59	XWiki often contains internal knowledge, procedures, project information, customer data, controlled documents
	60	and business workflows. Authentication and permissions need to be configured carefully so users can access
	61	what they need without exposing sensitive information or making administration too complex.
	62	</p>
	63	<div class="pathways">
8.4	64	#foreach ($entry in $accessControlItems)
	65	<article class="pathway-card">
	66	<div class="card-heading">
	67	<div class="pathway-icon">
	68	<i class="fa fa-$entry.icon" aria-hidden="true"></i>
	69	</div>
	70	<h3>$entry.title</h3>
	71	</div>
	72	<p>$entry.content</p>
	73	<ul>
	74	#foreach ($item in $entry.items)
	75	<li>$item</li>
	76	#end
	77	</ul>
	78	</article>
	79	#end
1.2	80	</div>
	81	</div>
	82	</section>
	83
	84	## COMMON NEEDS
8.6	85	#set ($accessNeedsItems = [{
	86	'title': 'LDAP and Active Directory integration',
	87	'icon': 'address-book',
	88	'content': 'Configuration, troubleshooting and optimization of LDAP/AD authentication, user creation and group synchronization.'
	89	},{
	90	'title': 'SSO, OIDC and SAML',
	91	'icon': 'sign-in',
	92	'content': 'Integration with identity providers, single sign-on flows and authentication extensions used in enterprise environments.'
	93	},{
	94	'title': 'Multi-factor authentication',
	95	'icon': 'shield',
	96	'content': 'MFA setup, licensing, configuration, troubleshooting and review of authentication-related user experience.'
	97	},{
	98	'title': 'User and group synchronization',
	99	'icon': 'users',
	100	'content': 'Review of synchronization strategy, group mapping, large-directory behavior and performance implications.'
	101	},{
	102	'title': 'Rights model review',
	103	'icon': 'key',
	104	'content': 'Review and cleanup of space, page, group and application permissions to reduce confusion and access risks.'
	105	},{
	106	'title': 'Access-related troubleshooting',
	107	'icon': 'warning',
	108	'content': 'Investigation of login failures, missing users, group sync issues, unexpected permissions or denied access.'
	109	}])
	110
1.2	111	<section class="services" aria-labelledby="access-needs-title">
	112	<div class="container">
	113	<h2 id="access-needs-title">Common authentication and access control needs</h2>
	114
	115	<p class="section-intro">
	116	Authentication and permissions often become more complex as XWiki grows. The right setup depends on your
	117	identity provider, group structure, security expectations, user volume and internal administration model.
	118	</p>
	119
	120	<div class="services-grid">
8.6	121	#foreach ($entry in $accessNeedsItems)
	122	<article class="service">
	123	<div class="service-icon" aria-hidden="true">
	124	<i class="fa fa-$entry.icon"></i>
	125	</div>
1.2	126
8.6	127	<div class="service-body">
	128	<h4>$entry.title</h4>
	129	<p>$entry.content</p>
	130	</div>
	131	</article>
	132	#end
1.2	133	</div>
	134	</div>
	135	</section>
	136
8.7	137	## ACCESS CONTROL PROCESS
	138	#set ($accessProcessItems = [{
	139	'title': 'Review the current access setup',
	140	'content': 'Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.'
	141	},{
	142	'title': 'Clarify the target model',
	143	'content': 'Expected login flow, user provisioning, group mapping, administration model and permission boundaries.'
	144	},{
	145	'title': 'Validate configuration safely',
	146	'content': 'Test authentication, synchronization and rights behavior before applying changes to production when needed.'
	147	},{
	148	'title': 'Apply controlled changes',
	149	'content': 'Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.'
	150	},{
	151	'title': 'Document the result',
	152	'content': 'Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.'
	153	}])
	154
1.2	155	<section id="access-control-process" class="split-section" aria-labelledby="process-title">
	156	<div class="container">
	157	<div class="split-grid">
	158	<div class="split-copy">
	159	<h2 id="process-title">A practical access control approach</h2>
	160
	161	<p>
	162	Authentication and permissions should be handled with care because small configuration mistakes can affect
	163	access to the entire platform. The goal is to understand the current setup, clarify the expected access
	164	model and apply changes in a controlled way.
	165	</p>
	166
	167	<p>
	168	When possible, authentication and rights changes should first be validated in a staging or temporary clone
	169	of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved.
	170	</p>
	171	</div>
	172
	173	<ol class="process-list">
8.7	174	#foreach ($entry in $accessProcessItems)
	175	<li>
	176	<strong>$entry.title</strong>
	177	$entry.content
	178	</li>
	179	#end
1.2	180	</ol>
	181	</div>
	182	</div>
	183	</section>
	184
	185	## SPECIFIC AREAS
	186	<section aria-labelledby="areas-title">
	187	<div class="container">
	188	<h2 id="areas-title">Specific areas we can review</h2>
	189
	190	<p class="section-intro">
	191	Access control in XWiki is not limited to the login page. It includes the full chain from identity provider
	192	to user synchronization, group membership, page permissions and application-level rules.
	193	</p>
	194
	195	<div class="widgets">
	196	<article class="widget">
	197	<div class="icon" aria-hidden="true">
	198	<i class="fa fa-server"></i>
	199	<h4>Directory<br />configuration</h4>
	200	</div>
	201	<p>
	202	LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.
	203	</p>
	204	</article>
	205
	206	<article class="widget">
	207	<div class="icon" aria-hidden="true">
	208	<i class="fa fa-random"></i>
	209	<h4>Group<br />mapping</h4>
	210	</div>
	211	<p>
	212	Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.
	213	</p>
	214	</article>
	215
	216	<article class="widget">
	217	<div class="icon" aria-hidden="true">
	218	<i class="fa fa-lock"></i>
	219	<h4>Permission<br />structure</h4>
	220	</div>
	221	<p>
	222	Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.
	223	</p>
	224	</article>
	225
	226	<article class="widget">
	227	<div class="icon" aria-hidden="true">
	228	<i class="fa fa-user-secret"></i>
	229	<h4>Security<br />sensitive rights</h4>
	230	</div>
	231	<p>
	232	Review of powerful rights such as admin, programming, script and edit rights where they affect security.
	233	</p>
	234	</article>
	235	</div>
	236	</div>
	237	</section>
	238
	239	## IMPORTANT CONSIDERATIONS
	240	<section class="services" aria-labelledby="considerations-title">
	241	<div class="container">
	242	<h2 id="considerations-title">Important considerations</h2>
	243
	244	<p class="section-intro">
	245	Authentication and access control should be designed for both security and usability. A setup that is too
	246	permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot.
	247	</p>
	248
	249	<div class="services-grid">
	250	<article class="service">
	251	<div class="service-icon" aria-hidden="true">
	252	<i class="fa fa-tachometer"></i>
	253	</div>
	254	<div class="service-body">
	255	<h4>Large directory performance</h4>
	256	<p>
	257	Large numbers of users and groups can create synchronization, login-time or permission-management challenges.
	258	</p>
	259	</div>
	260	</article>
	261
	262	<article class="service">
	263	<div class="service-icon" aria-hidden="true">
	264	<i class="fa fa-eye"></i>
	265	</div>
	266	<div class="service-body">
	267	<h4>Visibility of groups and users</h4>
	268	<p>
	269	Group display, permission screens and administration workflows should remain usable even with many directory groups.
	270	</p>
	271	</div>
	272	</article>
	273
	274	<article class="service">
	275	<div class="service-icon" aria-hidden="true">
	276	<i class="fa fa-user-plus"></i>
	277	</div>
	278	<div class="service-body">
	279	<h4>User provisioning strategy</h4>
	280	<p>
	281	Decide when users are created, how profiles are updated and how synchronization behaves after first login.
	282	</p>
	283	</div>
	284	</article>
	285
	286	<article class="service">
	287	<div class="service-icon" aria-hidden="true">
	288	<i class="fa fa-unlock-alt"></i>
	289	</div>
	290	<div class="service-body">
	291	<h4>Administrator access safety</h4>
	292	<p>
	293	Authentication changes should preserve reliable administrator access and avoid accidental lockouts.
	294	</p>
	295	</div>
	296	</article>
	297
	298	<article class="service">
	299	<div class="service-icon" aria-hidden="true">
	300	<i class="fa fa-refresh"></i>
	301	</div>
	302	<div class="service-body">
	303	<h4>Upgrade compatibility</h4>
	304	<p>
	305	Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.
	306	</p>
	307	</div>
	308	</article>
	309
	310	<article class="service">
	311	<div class="service-icon" aria-hidden="true">
	312	<i class="fa fa-file-text-o"></i>
	313	</div>
	314	<div class="service-body">
	315	<h4>Documentation and handover</h4>
	316	<p>
	317	Access rules, configuration decisions and operational assumptions should be documented for future maintenance.
	318	</p>
	319	</div>
	320	</article>
	321	</div>
	322	</div>
	323	</section>
	324
	325	## RELATED SERVICES
	326	<section class="resource-strip" aria-labelledby="related-title">
	327	<div class="container">
	328	<h2 id="related-title">Related XWiki services</h2>
	329
	330	<p class="section-intro">
	331	Authentication and access control often connect with maintenance, upgrades and security review.
	332	</p>
	333
	334	<div class="resource-grid">
	335	<article class="resource-card">
	336	<h4>XWiki Support & Maintenance</h4>
	337	<p>
	338	Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.
	339	</p>
	340	<a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a>
	341	</article>
	342
	343	<article class="resource-card">
	344	<h4>XWiki Security Review</h4>
	345	<p>
	346	Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.
	347	</p>
	348	<a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a>
	349	</article>
	350	</div>
	351	</div>
	352	</section>
	353
	354	## CTA
	355	<section class="cta-section" aria-labelledby="cta-title">
	356	<div class="container">
	357	<div class="cta-panel">
	358	<h2 id="cta-title">Need help with XWiki authentication or permissions?</h2>
	359
	360	<p>
	361	Send a short description of your authentication setup, identity provider, current XWiki version,
	362	user/group volume and the access control issue or improvement you want to address.
	363	</p>
	364
	365	<a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
	366	</div>
	367	</div>
	368	</section>
	369
	370	{{/html}}
	371	{{/velocity}}