- Why you should set up an authentication system
- What authentication methods are available
- Additional security measures
Why you should set up an authentication system
A good authentication setup is one of the most important security measures that you can put in place to secure your data. Most commonly, an access control system determines the user's identity according to credentials such as username and password. However, multiple authentication systems are available. Below, you will learn more about the ones that are compatible with XWiki, their benefits, and the level of service that we offer for each of them.
What authentication methods are available
XWiki standard authentication (form auth)
The default way to ensure access control within an XWiki instance is "form authentication". This method is available by default in any XWiki instance and it requires a user and a password.
Active Directory
One of the most commonly used methods of authentication is Active Directory, a service that stores information about user accounts from your organization (names, passwords, phone numbers, etc.) and enables authorized users to access your data. The main advantages of using Active Directory are:
- logical hierarchical structure
- users and groups management
- users synchronization
- group mapping from AD to XWiki
To connect XWiki to an Active Directory server, you can choose any of the following options:
- The Active Directory Pro Application, which offers a visual editor and technical support
- The manual and generic approach using the LDAP Authenticator extension
To learn more about how to configure and use authentication with Active Directory, check out our dedicated article.
Single Sign-On
SSO is a popular authentication method that enables users to authenticate with multiple applications and websites by using just one set of credentials. Compared to Active Directory, where all the connected applications require authentication (using the same credentials), Single Sign-On refers to systems where a single authentication provides access to multiple applications.
There are multiple SSO providers available, such as Okta, Google, Azure, and OneLogin. However, when deciding upon the SSO provider to use with XWiki, it is important to consider the protocol that would be used.
OpenID / OAuth
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. [2]
To set up SSO authentication through OpenID, you can either use the dedicated extensions or contact us for an estimation.
SAML
SAML implements a secure method of passing user authentications and authorizations between the identity provider and service providers. [3]
The SAML authentication setup is usually performed by the specialized XWiki team, due to the higher complexity. At the moment there is no module available to directly integrate authentication based on SAML.
Custom authenticators
With XWiki, it is possible to create a custom authenticator, perfectly tailored to your requirements. If you would like to create a custom authenticator, please follow our documentation or, if you would like us to develop this feature for you, contact us at any time.
Additional security measures
Aside from the authentication system, XWiki supports additional features related to security such as basic authentication, IP whitelisting, and many others.
HTTP Basic authentication
HTTP basic authentication is a simple challenge and response mechanism with which a server can request authentication information (a user ID and password) from a client. The client passes the authentication information to the server in an Authorization header. [4]
To learn more about how to configure basic authentication on your XWiki instance, please visit our documentation.
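The challenge and response described above, as an added Python sketch of the server side (not XWiki's own code). The realm name, the user store and the `authenticate` helper are assumptions made for illustration; note that the header value is only base64-encoded, so the exchange needs TLS to keep the password confidential.

```python
import base64
import hashlib
import hmac

REALM = "wiki"  # assumed realm name
# Constructed sample store: user -> PBKDF2-SHA256 hash of the password.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # base64 is an encoding, not encryption: anyone who sees the header
        # can recover the credentials exactly as this line does.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64, non-ASCII token or invalid UTF-8
        return None
    # Split on the first colon only: passwords may contain ':', user IDs may not.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(headers):
    """Return (status, response_headers) for a dict of request headers."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, challenge  # the server's challenge
    user, password = creds
    expected = USERS.get(user, b"\x00" * 32)  # dummy hash for unknown users
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # compare_digest runs in constant time, so timing does not reveal a partial match.
    if hmac.compare_digest(supplied, expected) and user in USERS:
        return 200, {}
    return 401, challenge
```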
IP whitelisting
IP whitelisting is a mechanism that explicitly allows certain identified entities to access a particular service. This method can be set up by the users or by XWiki's infrastructure administrators.
Further security
To learn more about all the available security features, please visit our documentation. If you'd like to discover what authentication method suits you best and discuss further security measures, do not hesitate to get in touch with one of our Customer Success Agents.
References
1 https://www.onelogin.com/learn/how-single-sign-on-works
3 https://www.varonis.com/blog/what-is-saml/
4 https://www.ibm.com/docs/en/cics-ts/5.4?topic=concepts-http-basic-authentication