Skip to Content
Last modified by Alex Cotiugă on 2026/05/12 13:07
Hide last authors
Alex Cotiugă 1.2 1 {{velocity}}
2 #set ($discard = $xwiki.ssx.use('PublicWebSite.WebHome'))
3 {{html clean="false"}}
4
5 ## PAGE HEADER
6 <section class="hero hero-centered service-hero" aria-labelledby="hero-title">
7 <div class="container hero-inner">
8 <div class="hero-kicker">
9 <i class="fa fa-lock" aria-hidden="true"></i>
10 XWiki authentication and access control
11 </div>
12
13 <h1 id="hero-title">Secure XWiki access, authentication and permissions</h1>
14
15 <p class="lead">
16 Configure and maintain XWiki authentication, user synchronization, group management and access rights
17 for production environments.
18 </p>
19
20 <p class="hero-support">
21 We help organizations connect XWiki with LDAP, Active Directory, SSO, OIDC, SAML or MFA, while keeping
22 permissions understandable, maintainable and aligned with internal access policies.
23 </p>
24
25 <div class="hero-actions">
26 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
27 <a class="btn btn-secondary" href="#access-control-process">See the approach</a>
28 </div>
29 </div>
30 </section>
31
32 ## WHY ACCESS CONTROL MATTERS
33 <section aria-labelledby="why-access-title">
34 <div class="container">
35 <h2 id="why-access-title">Access control is central to a reliable XWiki platform</h2>
36
37 <p class="section-intro">
38 XWiki often contains internal knowledge, procedures, project information, customer data, controlled documents
39 and business workflows. Authentication and permissions need to be configured carefully so users can access
40 what they need without exposing sensitive information or making administration too complex.
41 </p>
42
43 <div class="pathways">
44 <article class="pathway-card">
45 <div class="pathway-icon">
46 <i class="fa fa-sign-in" aria-hidden="true"></i>
47 </div>
48 <h3>Connect users securely</h3>
49 <p>
50 Integrate XWiki with your identity provider so users can access the platform with familiar credentials.
51 </p>
52 <ul>
53 <li>LDAP and Active Directory</li>
54 <li>OIDC, SAML and SSO</li>
55 <li>MFA and authentication extensions</li>
56 </ul>
57 </article>
58
59 <article class="pathway-card">
60 <div class="pathway-icon">
61 <i class="fa fa-users" aria-hidden="true"></i>
62 </div>
63 <h3>Manage groups clearly</h3>
64 <p>
65 Keep user and group synchronization understandable, scalable and aligned with the way permissions are used.
66 </p>
67 <ul>
68 <li>User synchronization</li>
69 <li>Group mapping and filtering</li>
70 <li>Large directory considerations</li>
71 </ul>
72 </article>
73
74 <article class="pathway-card">
75 <div class="pathway-icon">
76 <i class="fa fa-key" aria-hidden="true"></i>
77 </div>
78 <h3>Control access safely</h3>
79 <p>
80 Review and structure rights so spaces, pages and applications can be maintained without accidental exposure.
81 </p>
82 <ul>
Alex Cotiugă 1.3 83 <li>Wiki and page permissions</li>
Alex Cotiugă 1.2 84 <li>Admin and script rights awareness</li>
85 <li>Rights model cleanup</li>
86 </ul>
87 </article>
88 </div>
89 </div>
90 </section>
91
92 ## COMMON NEEDS
93 <section class="services" aria-labelledby="access-needs-title">
94 <div class="container">
95 <h2 id="access-needs-title">Common authentication and access control needs</h2>
96
97 <p class="section-intro">
98 Authentication and permissions often become more complex as XWiki grows. The right setup depends on your
99 identity provider, group structure, security expectations, user volume and internal administration model.
100 </p>
101
102 <div class="services-grid">
103 <article class="service">
104 <div class="service-icon" aria-hidden="true">
105 <i class="fa fa-address-book"></i>
106 </div>
107 <div class="service-body">
108 <h4>LDAP and Active Directory integration</h4>
109 <p>
110 Configuration, troubleshooting and optimization of LDAP/AD authentication, user creation and group synchronization.
111 </p>
112 </div>
113 </article>
114
115 <article class="service">
116 <div class="service-icon" aria-hidden="true">
117 <i class="fa fa-sign-in"></i>
118 </div>
119 <div class="service-body">
120 <h4>SSO, OIDC and SAML</h4>
121 <p>
122 Integration with identity providers, single sign-on flows and authentication extensions used in enterprise environments.
123 </p>
124 </div>
125 </article>
126
127 <article class="service">
128 <div class="service-icon" aria-hidden="true">
129 <i class="fa fa-shield"></i>
130 </div>
131 <div class="service-body">
132 <h4>Multi-factor authentication</h4>
133 <p>
134 MFA setup, licensing, configuration, troubleshooting and review of authentication-related user experience.
135 </p>
136 </div>
137 </article>
138
139 <article class="service">
140 <div class="service-icon" aria-hidden="true">
141 <i class="fa fa-users"></i>
142 </div>
143 <div class="service-body">
144 <h4>User and group synchronization</h4>
145 <p>
146 Review of synchronization strategy, group mapping, large-directory behavior and performance implications.
147 </p>
148 </div>
149 </article>
150
151 <article class="service">
152 <div class="service-icon" aria-hidden="true">
153 <i class="fa fa-key"></i>
154 </div>
155 <div class="service-body">
156 <h4>Rights model review</h4>
157 <p>
158 Review and cleanup of space, page, group and application permissions to reduce confusion and access risks.
159 </p>
160 </div>
161 </article>
162
163 <article class="service">
164 <div class="service-icon" aria-hidden="true">
165 <i class="fa fa-warning"></i>
166 </div>
167 <div class="service-body">
168 <h4>Access-related troubleshooting</h4>
169 <p>
170 Investigation of login failures, missing users, group sync issues, unexpected permissions or denied access.
171 </p>
172 </div>
173 </article>
174 </div>
175 </div>
176 </section>
177
178 ## APPROACH
179 <section id="access-control-process" class="split-section" aria-labelledby="process-title">
180 <div class="container">
181 <div class="split-grid">
182 <div class="split-copy">
183 <h2 id="process-title">A practical access control approach</h2>
184
185 <p>
186 Authentication and permissions should be handled with care because small configuration mistakes can affect
187 access to the entire platform. The goal is to understand the current setup, clarify the expected access
188 model and apply changes in a controlled way.
189 </p>
190
191 <p>
192 When possible, authentication and rights changes should first be validated in a staging or temporary clone
193 of the instance, especially when directory synchronization, group mappings, SSO or custom rights logic are involved.
194 </p>
195 </div>
196
197 <ol class="process-list">
198 <li>
199 <strong>Review the current access setup</strong>
200 Authentication method, user directory, groups, synchronization behavior, rights configuration and known issues.
201 </li>
202 <li>
203 <strong>Clarify the target model</strong>
204 Expected login flow, user provisioning, group mapping, administration model and permission boundaries.
205 </li>
206 <li>
207 <strong>Validate configuration safely</strong>
208 Test authentication, synchronization and rights behavior before applying changes to production when needed.
209 </li>
210 <li>
211 <strong>Apply controlled changes</strong>
212 Update configuration, extensions, rights or group mappings with attention to rollback and administrator access.
213 </li>
214 <li>
215 <strong>Document the result</strong>
216 Provide practical notes about the final configuration, assumptions, risks and future maintenance actions.
217 </li>
218 </ol>
219 </div>
220 </div>
221 </section>
222
223 ## SPECIFIC AREAS
224 <section aria-labelledby="areas-title">
225 <div class="container">
226 <h2 id="areas-title">Specific areas we can review</h2>
227
228 <p class="section-intro">
229 Access control in XWiki is not limited to the login page. It includes the full chain from identity provider
230 to user synchronization, group membership, page permissions and application-level rules.
231 </p>
232
233 <div class="widgets">
234 <article class="widget">
235 <div class="icon" aria-hidden="true">
236 <i class="fa fa-server"></i>
237 <h4>Directory<br />configuration</h4>
238 </div>
239 <p>
240 LDAP/AD connection settings, bind users, search bases, user filters, group filters and synchronization behavior.
241 </p>
242 </article>
243
244 <article class="widget">
245 <div class="icon" aria-hidden="true">
246 <i class="fa fa-random"></i>
247 <h4>Group<br />mapping</h4>
248 </div>
249 <p>
250 Mapping external groups into XWiki groups while avoiding unnecessary complexity and performance issues.
251 </p>
252 </article>
253
254 <article class="widget">
255 <div class="icon" aria-hidden="true">
256 <i class="fa fa-lock"></i>
257 <h4>Permission<br />structure</h4>
258 </div>
259 <p>
260 Space and page rights, inheritance, administrative access, edit rights, view rights and application permissions.
261 </p>
262 </article>
263
264 <article class="widget">
265 <div class="icon" aria-hidden="true">
266 <i class="fa fa-user-secret"></i>
267 <h4>Security<br />sensitive rights</h4>
268 </div>
269 <p>
270 Review of powerful rights such as admin, programming, script and edit rights where they affect security.
271 </p>
272 </article>
273 </div>
274 </div>
275 </section>
276
277 ## IMPORTANT CONSIDERATIONS
278 <section class="services" aria-labelledby="considerations-title">
279 <div class="container">
280 <h2 id="considerations-title">Important considerations</h2>
281
282 <p class="section-intro">
283 Authentication and access control should be designed for both security and usability. A setup that is too
284 permissive creates risk, while a setup that is too complex becomes hard to operate and troubleshoot.
285 </p>
286
287 <div class="services-grid">
288 <article class="service">
289 <div class="service-icon" aria-hidden="true">
290 <i class="fa fa-tachometer"></i>
291 </div>
292 <div class="service-body">
293 <h4>Large directory performance</h4>
294 <p>
295 Large numbers of users and groups can create synchronization, login-time or permission-management challenges.
296 </p>
297 </div>
298 </article>
299
300 <article class="service">
301 <div class="service-icon" aria-hidden="true">
302 <i class="fa fa-eye"></i>
303 </div>
304 <div class="service-body">
305 <h4>Visibility of groups and users</h4>
306 <p>
307 Group display, permission screens and administration workflows should remain usable even with many directory groups.
308 </p>
309 </div>
310 </article>
311
312 <article class="service">
313 <div class="service-icon" aria-hidden="true">
314 <i class="fa fa-user-plus"></i>
315 </div>
316 <div class="service-body">
317 <h4>User provisioning strategy</h4>
318 <p>
319 Decide when users are created, how profiles are updated and how synchronization behaves after first login.
320 </p>
321 </div>
322 </article>
323
324 <article class="service">
325 <div class="service-icon" aria-hidden="true">
326 <i class="fa fa-unlock-alt"></i>
327 </div>
328 <div class="service-body">
329 <h4>Administrator access safety</h4>
330 <p>
331 Authentication changes should preserve reliable administrator access and avoid accidental lockouts.
332 </p>
333 </div>
334 </article>
335
336 <article class="service">
337 <div class="service-icon" aria-hidden="true">
338 <i class="fa fa-refresh"></i>
339 </div>
340 <div class="service-body">
341 <h4>Upgrade compatibility</h4>
342 <p>
343 Authentication extensions, configuration keys and security behavior should be reviewed during XWiki upgrades.
344 </p>
345 </div>
346 </article>
347
348 <article class="service">
349 <div class="service-icon" aria-hidden="true">
350 <i class="fa fa-file-text-o"></i>
351 </div>
352 <div class="service-body">
353 <h4>Documentation and handover</h4>
354 <p>
355 Access rules, configuration decisions and operational assumptions should be documented for future maintenance.
356 </p>
357 </div>
358 </article>
359 </div>
360 </div>
361 </section>
362
363 ## RELATED SERVICES
364 <section class="resource-strip" aria-labelledby="related-title">
365 <div class="container">
366 <h2 id="related-title">Related XWiki services</h2>
367
368 <p class="section-intro">
369 Authentication and access control often connect with maintenance, upgrades and security review.
370 </p>
371
372 <div class="resource-grid">
373 <article class="resource-card">
374 <h4>XWiki Support &amp; Maintenance</h4>
375 <p>
376 Ongoing support for production environments, including troubleshooting, maintenance planning and operational review.
377 </p>
378 <a href="$xwiki.getURL('services.xwiki-maintenance-support')">View support services</a>
379 </article>
380
381 <article class="resource-card">
382 <h4>XWiki Security Review</h4>
383 <p>
384 Security-aware review of versions, extensions, rights, scripting, authentication and upgrade exposure.
385 </p>
386 <a href="$xwiki.getURL('services.xwiki-security-review')">View security review</a>
387 </article>
388 </div>
389 </div>
390 </section>
391
392 ## CTA
393 <section class="cta-section" aria-labelledby="cta-title">
394 <div class="container">
395 <div class="cta-panel">
396 <h2 id="cta-title">Need help with XWiki authentication or permissions?</h2>
397
398 <p>
399 Send a short description of your authentication setup, identity provider, current XWiki version,
400 user/group volume and the access control issue or improvement you want to address.
401 </p>
402
403 <a class="btn btn-primary" href="$xwiki.getURL('contact.WebHome')">Discuss access control needs</a>
404 </div>
405 </div>
406 </section>
407
408 {{/html}}
409 {{/velocity}}