XWiki authenticators 101: the what, the how and the why

12 Aug 2021 5 min read

Written by

Stefana Nazare

, Product Owner Cloud & Pro Apps

Why you should set up an authentication system

A good authentication setup is one of the most important security measures that you can put in place in order to secure your data. Most commonly, an access control system determines the user's identity according to credentials such as username and password. However, there are multiple authentication systems available and in the following lines, you will learn more about the ones that are compatible with XWiki, their benefits, and the level of service that we offer for each of them. 

What authentication methods are available

XWiki standard authentication (form auth)

The default way to ensure access control within an XWiki instance is "form authentication". This method is available by default in any XWiki instance and it requires a user and a password. 

This method does not require any setup and it is supported at Bronze, Silver. Gold and Platinum level. 

Active Directory

One of the most commonly used methods of authentication is Active Directory, a service that stores information about user accounts from your organization (names, passwords, phone numbers, etc) and enables authorized users to access your data. The main advantages for using Active Directory are: 

  • logical hierarchical structure
  • users and groups management
  • users synchronization 
  • group mapping from AD to XWiki

To connect XWiki to an Active Directory server, you can choose any of the following options:

To learn more about how to configure and use authentication with Active Directory, check out our dedicated article

The Active Directory authentication is supported at Silver, Gold and Platinum level. 

Single Sign-On

SSO is a popular authentication method that enables users to authenticate with multiple applications and websites by using just one set of credentials. Compared to Active Directory, where all the connected applications require authentication (using the same credentials), Single Sign-On refers to systems where a single authentication provides access to multiple applications.

There are multiple SSO providers available, such as Okta, Google, Azure, OneLogin. However, when deciding upon the SSO provider to use with XWiki, it is important to consider the protocol that would be used.

Open ID / OAuth

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users.2

To set up SSO authentication through Open ID, you can either use the dedicated extensions or contact us for an estimation. 

SSO Authentication based on Open ID is supported at Silver, Gold and Platinum level. The configuration can be purchased separately as a one-time service for both on-premise and Cloud instances. At Gold and Platinum level, the SSO configuration is included in the support contract, for both cloud and on premise deployment. 

SAML

SAML implements a secure method of passing user authentications and authorizations between the identity provider and service providers.3 

The SAML authentication setup is usually performed by the specialized XWiki team, due to the higher complexity. At the moment there is no module available to directly integrate authentication based on SAML. 

For XWiki instances with SSO Authentication based on SAML we advise discussing with an Account Manager and creating a custom offer. Extra fees may be applied to support this authentication method. The configuration can be purchased separately as a one-time service for both on-premise and Cloud instances. At the Platinum level, the SSO configuration is included in the support contract, for XWiki cloud instances. 

Custom authenticators

With XWiki, it is possible to create a custom authenticator, perfectly tailored to your requirements. If you would like to create a custom authenticator please follow our documentation or, if you would like us to develop this feature for you, contact us at any time. 

In order to maintain custom authenticators, extra charges are applied. The yearly price for supporting custom features added on top of XWiki is 15% of the total value of the development.

Additional security measures

Aside from the authentication system, XWiki supports additional features related to security such as basic authentication, IP whitelisting, and many others. 

HTTP Basic authentication

HTTP basic authentication is a simple challenge and response mechanism with which a server can request authentication information (a user ID and password) from a client. The client passes the authentication information to the server in an Authorization header.4

To learn more about how to configure basic authentication on your XWiki instance please visit our documentation

The HTTP Basic authentication is supported at Silver, Gold and Platinum level. 

IP whitelisting

IP whitelisting is a mechanism that explicitly allows certain identified entities to access a particular service. This method can be set up by the users or by the XWiki's infrastructure administrators. 

IP whitelisting is supported at Silver, Gold and Platinum level. 

Further security

To learn more about all the available security features please visit our documentation. If you'd like to discover what authentication method suits you best and discuss further security measures, do not hesitate to get in touch with one of our Customer Success Agents.

SCHEDULE A CALL WITH AN XWIKI SPECIALIST

References

1 https://www.onelogin.com/learn/how-single-sign-on-works

2 https://openid.net/connect/

3 https://www.varonis.com/blog/what-is-saml/

4 https://www.ibm.com/docs/en/cics-ts/5.4?topic=concepts-http-basic-authentication

You may also be interested in:

Best practices

How Santa's elves manage Christmas operations with XWiki

Santa may get all the glory, but it’s the elves, backed by XWiki, who ensure all operations run smoothly like butter biscuits and Christmas magic happens on time. Learn what features are of great help for the elves in supporting Santa Claus to deliver Christmas.

News

🤖 The first AI-assistant in XWiki is here! (BETA)

XWiki SAS announces the release of the first XWiki LLM application (BETA), funded by NGI Search. The app integrates AI-powered functionalities directly into your wiki instance, bringing content generation, translation, and intelligent knowledge retrieval to your fingertips. To facilitate this, we’ve integrated a chatbot inside XWiki that allows you to ask any question about the information in your wiki, receiving answers based on our Retrieval Augmented Generation (RAG) system. Additionally, the LLM app offers you flexibility and control over your data through the chosen model, ensuring that your sensitive information remains private and secure. Read the full announcement here.