Last modified by Alex Cotiugă on 2026/05/12 13:07

From version 1.2
edited by Alex Cotiugă
on 2026/05/12 13:06
Change comment: There is no comment for this version
To version 1.1
edited by Alex Cotiugă
on 2026/05/12 13:05
Change comment: There is no comment for this version

Page properties
Content
... ... @@ -1,409 +1,0 @@
1 -{{velocity}}
2 -#set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 -{{html clean="false"}}
4 -
5 - ## PAGE HEADER
6 - <section class="hero hero-centered service-hero" aria-labelledby="hero-title">
7 - <div class="container hero-inner">
8 - <div class="hero-kicker">
9 - <i class="fa fa-lock" aria-hidden="true"></i>
10 - XWiki authentication and access control
11 - </div>
12 -
13 - <h1 id="hero-title">Secure XWiki access, authentication and permissions</h1>
14 -
15 - <p class="lead">
16 - Configure and maintain XWiki authentication, user synchronization, group management and access rights
17 - for production environments.
18 - </p>
19 -
20 - <p class="hero-support">
21 - We help organizations connect XWiki with LDAP, Active Directory, SSO, OIDC, SAML or MFA, while keeping
22 - permissions understandable, maintainable and aligned with internal access policies.
23 - </p>
24 -
25 - <div class="hero-actions">
26 - <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
27 - <a class="btn btn-secondary" href="#access-control-process">See the approach</a>
28 - </div>
29 - </div>
30 - </section>
31 -
32 - ## WHY ACCESS CONTROL MATTERS
33 - <section aria-labelledby="why-access-title">
34 - <div class="container">
35 - <h2 id="why-access-title">Access control is central to a reliable XWiki platform</h2>
36 -
37 - <p class="section-intro">
38 - XWiki often contains internal knowledge, procedures, project information, customer data, controlled documents
39 - and business workflows. Authentication and permissions need to be configured carefully so users can access
40 - what they need without exposing sensitive information or making administration too complex.
41 - </p>
42 -
43 - <div class="pathways">
44 - <article class="pathway-card">
45 - <div class="pathway-icon">
46 - <i class="fa fa-sign-in" aria-hidden="true"></i>
47 - </div>
48 - <h3>Connect users securely</h3>
49 - <p>
50 - Integrate XWiki with your identity provider so users can access the platform with familiar credentials.
51 - </p>
52 - <ul>
53 - <li>LDAP and Active Directory</li>
54 - <li>OIDC, SAML and SSO</li>
55 - <li>MFA and authentication extensions</li>
56 - </ul>
57 - </article>
58 -
59 - <article class="pathway-card">
60 - <div class="pathway-icon">
61 - <i class="fa fa-users" aria-hidden="true"></i>
62 - </div>
63 - <h3>Manage groups clearly</h3>
64 - <p>
65 - Keep user and group synchronization understandable, scalable and aligned with the way permissions are used.
66 - </p>
67 - <ul>
68 - <li>User synchronization</li>
69 - <li>Group mapping and filtering</li>
70 - <li>Large directory considerations</li>
71 - </ul>
72 - </article>
73 -
74 - <article class="pathway-card">
75 - <div class="pathway-icon">
76 - <i class="fa fa-key" aria-hidden="true"></i>
77 - </div>
78 - <h3>Control access safely</h3>
79 - <p>
80 - Review and structure rights so spaces, pages and applications can be maintained without accidental exposure.
81 - </p>
82 - <ul>
83 - <li>Space and page permissions</li>
84 - <li>Admin and script rights awareness</li>
85 - <li>Rights model cleanup</li>
86 - </ul>
87 - </article>
88 - </div>
89 - </div>
90 - </section>
91 -
92 - ## COMMON NEEDS
93 - <section class="services" aria-labelledby="access-needs-title">
94 - <div class="container">
95 - <h2 id="access-needs-title">Common authentication and access control needs</h2>
96 -
97 - <p class="section-intro">
98 - Authentication and permissions often become more complex as XWiki grows. The right setup depends on your
99 - identity provider, group structure, security expectations, user volume and internal administration model.
100 - </p>
101 -
102 - <div class="services-grid">
103 - <article class="service">
104 - <div class="service-icon" aria-hidden="true">
105 - <i class="fa fa-address-book"></i>
106 - </div>
107 - <div class="service-body">
108 - <h4>LDAP and Active Directory integration</h4>
109 - <p>
110 - Configuration, troubleshooting and optimization of LDAP/AD authentication, user creation and group synchronization.
111 - </p>
112 - </div>
113 - </article>
114 -
115 - <article class="service">
116 - <div class="service-icon" aria-hidden="true">
117 - <i class="fa fa-sign-in"></i>
118 - </div>
119 - <div class="service-body">
120 - <h4>SSO, OIDC and SAML</h4>
121 - <p>
122 - Integration with identity providers, single sign-on flows and authentication extensions used in enterprise environments.
123 - </p>
124 - </div>
125 - </article>
126 -
127 - <article class="service">
128 - <div class="service-icon" aria-hidden="true">
129 - <i class="fa fa-shield"></i>
130 - </div>
131 - <div class="service-body">
132 - <h4>Multi-factor authentication</h4>
133 - <p>
134 - MFA setup, licensing, configuration, troubleshooting and review of authentication-related user experience.
135 - </p>
136 - </div>
137 - </article>
138 -
139 - <article class="service">
140 - <div class="service-icon" aria-hidden="true">
141 - <i class="fa fa-users"></i>
142 - </div>
143 - <div class="service-body">
144 - <h4>User and group synchronization</h4>
145 - <p>
146 - Review of synchronization strategy, group mapping, large-directory behavior and performance implications.
147 - </p>
148 - </div>
149 - </article>
150 -
151 - <article class="service">
152 - <div class="service-icon" aria-hidden="true">
153 - <i class="fa fa-key"></i>
154 - </div>
155 - <div class="service-body">
156 - <h4>Rights model review</h4>
157 - <p>
158 - Review and cleanup of space, page, group and application permissions to reduce confusion and access risks.
159 - </p>
160 - </div>
161 - </article>
162 -
163 - <article class="service">
164 - <div class="service-icon" aria-hidden="true">
165 - <i class="fa fa-warning"></i>
166 - </div>
167 - <div class="service-body">
168 - <h4>Access-related troubleshooting</h4>
169 - <p>
170 - Investigation of login failures, missing users, group sync issues, unexpected permissions or denied access.
171 - </p>
172 - </div>
173 - </article>
174 - </div>
175 - </div>
176 - </section>
177 -
178 - ## APPROACH
179 - <section id="access-control-process" class="split-section" aria-labelledby="process-title">
180 - <div class="container">
181 - <div class="split-grid">
182 - <div class="split-copy">
183 - <h2 id="process-title">A practical access control approach</h2>
184 -
185 - <p>
186 - Authentication and permissions should be handled with care because small configuration mistakes can affect
187 - access to the entire platform. The goal is to understand the current setup, clarify the expected access
188 - model and apply changes in a controlled way.
189 - </p>
190 -
191 - <p>
192 - When possible, authentication and rights changes should first be validated in a staging or temporary clone
193 - of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved.
194 - </p>
195 - </div>
196 -
197 - <ol class="process-list">
198 - <li>
199 - <strong>Review the current access setup</strong>
200 - Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.
201 - </li>
202 - <li>
203 - <strong>Clarify the target model</strong>
204 - Expected login flow, user provisioning, group mapping, administration model and permission boundaries.
205 - </li>
206 - <li>
207 - <strong>Validate configuration safely</strong>
208 - Test authentication, synchronization and rights behavior before applying changes to production when needed.
209 - </li>
210 - <li>
211 - <strong>Apply controlled changes</strong>
212 - Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.
213 - </li>
214 - <li>
215 - <strong>Document the result</strong>
216 - Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.
217 - </li>
218 - </ol>
219 - </div>
220 - </div>
221 - </section>
222 -
223 - ## SPECIFIC AREAS
224 - <section aria-labelledby="areas-title">
225 - <div class="container">
226 - <h2 id="areas-title">Specific areas we can review</h2>
227 -
228 - <p class="section-intro">
229 - Access control in XWiki is not limited to the login page. It includes the full chain from identity provider
230 - to user synchronization, group membership, page permissions and application-level rules.
231 - </p>
232 -
233 - <div class="widgets">
234 - <article class="widget">
235 - <div class="icon" aria-hidden="true">
236 - <i class="fa fa-server"></i>
237 - <h4>Directory<br />configuration</h4>
238 - </div>
239 - <p>
240 - LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.
241 - </p>
242 - </article>
243 -
244 - <article class="widget">
245 - <div class="icon" aria-hidden="true">
246 - <i class="fa fa-random"></i>
247 - <h4>Group<br />mapping</h4>
248 - </div>
249 - <p>
250 - Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.
251 - </p>
252 - </article>
253 -
254 - <article class="widget">
255 - <div class="icon" aria-hidden="true">
256 - <i class="fa fa-lock"></i>
257 - <h4>Permission<br />structure</h4>
258 - </div>
259 - <p>
260 - Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.
261 - </p>
262 - </article>
263 -
264 - <article class="widget">
265 - <div class="icon" aria-hidden="true">
266 - <i class="fa fa-user-secret"></i>
267 - <h4>Security<br />sensitive rights</h4>
268 - </div>
269 - <p>
270 - Review of powerful rights such as admin, programming, script and edit rights where they affect security.
271 - </p>
272 - </article>
273 - </div>
274 - </div>
275 - </section>
276 -
277 - ## IMPORTANT CONSIDERATIONS
278 - <section class="services" aria-labelledby="considerations-title">
279 - <div class="container">
280 - <h2 id="considerations-title">Important considerations</h2>
281 -
282 - <p class="section-intro">
283 - Authentication and access control should be designed for both security and usability. A setup that is too
284 - permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot.
285 - </p>
286 -
287 - <div class="services-grid">
288 - <article class="service">
289 - <div class="service-icon" aria-hidden="true">
290 - <i class="fa fa-tachometer"></i>
291 - </div>
292 - <div class="service-body">
293 - <h4>Large directory performance</h4>
294 - <p>
295 - Large numbers of users and groups can create synchronization, login-time or permission-management challenges.
296 - </p>
297 - </div>
298 - </article>
299 -
300 - <article class="service">
301 - <div class="service-icon" aria-hidden="true">
302 - <i class="fa fa-eye"></i>
303 - </div>
304 - <div class="service-body">
305 - <h4>Visibility of groups and users</h4>
306 - <p>
307 - Group display, permission screens and administration workflows should remain usable even with many directory groups.
308 - </p>
309 - </div>
310 - </article>
311 -
312 - <article class="service">
313 - <div class="service-icon" aria-hidden="true">
314 - <i class="fa fa-user-plus"></i>
315 - </div>
316 - <div class="service-body">
317 - <h4>User provisioning strategy</h4>
318 - <p>
319 - Decide when users are created, how profiles are updated and how synchronization behaves after first login.
320 - </p>
321 - </div>
322 - </article>
323 -
324 - <article class="service">
325 - <div class="service-icon" aria-hidden="true">
326 - <i class="fa fa-unlock-alt"></i>
327 - </div>
328 - <div class="service-body">
329 - <h4>Administrator access safety</h4>
330 - <p>
331 - Authentication changes should preserve reliable administrator access and avoid accidental lockouts.
332 - </p>
333 - </div>
334 - </article>
335 -
336 - <article class="service">
337 - <div class="service-icon" aria-hidden="true">
338 - <i class="fa fa-refresh"></i>
339 - </div>
340 - <div class="service-body">
341 - <h4>Upgrade compatibility</h4>
342 - <p>
343 - Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.
344 - </p>
345 - </div>
346 - </article>
347 -
348 - <article class="service">
349 - <div class="service-icon" aria-hidden="true">
350 - <i class="fa fa-file-text-o"></i>
351 - </div>
352 - <div class="service-body">
353 - <h4>Documentation and handover</h4>
354 - <p>
355 - Access rules, configuration decisions and operational assumptions should be documented for future maintenance.
356 - </p>
357 - </div>
358 - </article>
359 - </div>
360 - </div>
361 - </section>
362 -
363 - ## RELATED SERVICES
364 - <section class="resource-strip" aria-labelledby="related-title">
365 - <div class="container">
366 - <h2 id="related-title">Related XWiki services</h2>
367 -
368 - <p class="section-intro">
369 - Authentication and access control often connect with maintenance, upgrades and security review.
370 - </p>
371 -
372 - <div class="resource-grid">
373 - <article class="resource-card">
374 - <h4>XWiki Support &amp; Maintenance</h4>
375 - <p>
376 - Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.
377 - </p>
378 - <a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a>
379 - </article>
380 -
381 - <article class="resource-card">
382 - <h4>XWiki Security Review</h4>
383 - <p>
384 - Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.
385 - </p>
386 - <a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a>
387 - </article>
388 - </div>
389 - </div>
390 - </section>
391 -
392 - ## CTA
393 - <section class="cta-section" aria-labelledby="cta-title">
394 - <div class="container">
395 - <div class="cta-panel">
396 - <h2 id="cta-title">Need help with XWiki authentication or permissions?</h2>
397 -
398 - <p>
399 - Send a short description of your authentication setup, identity provider, current XWiki version,
400 - user/group volume and the access control issue or improvement you want to address.
401 - </p>
402 -
403 - <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
404 - </div>
405 - </div>
406 - </section>
407 -
408 -{{/html}}
409 -{{/velocity}}
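Review bot: the comparison is shown from version 1.2 to version 1.1, i.e. newer to older (13:06 against 13:05), so the 409 `-` lines in this hunk are the content that 1.2 added to an empty 1.1 page, not a deletion; either way, both versions carry "There is no comment for this version", and a change that introduces a whole public page with `{{html clean="false"}}` deserves a change comment stating its purpose. Because `clean="false"` disables HTML cleaning for everything inside the macro, edit rights on this page should be restricted to trusted authors, since any later editor can place arbitrary markup there; the three `$xwiki.getURL(...)` links (`contact.WebHome`, `services.xwiki-maintenance-support`, `services.xwiki-security-review`) should be checked to exist so the CTA and related-services buttons do not resolve to missing pages. A minor accessibility point in the "Specific areas" widgets: the `<h4>` headings sit inside `<div class="icon" aria-hidden="true">`, which hides them from assistive technology; moving each `<h4>` out of the `aria-hidden` wrapper keeps the icon decorative while leaving the heading readable.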