Docs Developer Site
Enonic XP
arrow-down
    1. Widgets
  2. IAM
    1. Virtual apps
    1. Projects
    2. Layers
        1. AttachmentUploader
        2. Checkbox
        3. Combobox
        4. ContentSelector
        5. ContentTypeFilter
        6. CustomSelector
        7. Date
        8. DateTime
        9. Double
        10. GeoPoint
        11. HtmlArea
        12. ImageSelector
        13. Long
        14. MediaSelector
        15. Radiobutton
        16. Tag
        17. TextArea
        18. TextLine
        19. Time
      2. Field set
      3. Item set
      4. Option set
      5. Mixins
      6. Localization
    4. Content Types
    5. X-data
    6. Macros
    7. Custom styles
    8. Sites
      1. Regions
      2. Part component
      3. Layout component
      4. Text component
      5. Fragments
      6. Filtering
      7. Component indexing
      8. Visual editor
    10. Page templates
    1. Sandboxes
    2. Code
    3. Building
    4. Configuration
    1. Globals
    2. HTTP
    3. Controllers
    4. Filters
    5. Events
    6. Websocket
    7. Error handler
    8. ID provider
    9. Tasks
    10. Localization
    11. Mappings
    12. Components
    13. Processors
    14. Contributions
    15. Templating
    16. Main controller
    17. Java bridge
      1. Webapp Engine
        1. Image service
        2. Component service
      3. Admin Engine
      4. Asset service
      5. HTTP service
      6. IDprovider service
    2. Task engine
    3. Management Endpoint
    4. Statistics Endpoint
    1. Nodes and repos
    2. Properties
    3. Indexing
    4. Branches
    5. Queries (NoQL)
    6. Queries (DSL)
    7. Filters
    8. Aggregations
    9. Highlighting
    10. Editors
    1. Strategies
    2. Distributions
    3. Docker image
    4. Vhosts
    5. Configuration
    6. Backup & restore
    7. Systemd
    8. Clustering
    1. Admin API
    2. Application API
    3. Auditlog API
    4. Authentication API
    5. Cluster API
    6. Common API
    7. Content API
    8. Context API
    9. Event API
    10. Export API
    11. Grid API
    12. I18N API
    13. IO API
    14. Mail API
    15. Node API
    16. Portal API
    17. Project API
    18. Repo API
    19. Scheduler API
    20. Schema API
    21. Tasks API
    22. Value API
    23. VHost API
    24. Websocket API
  11. Audit Logs
    1. Upgrade Notes
    2. Upgrading Apps
Developer Docs Xp Next Iam

Identity and access management (IAM)

Contents

Enonic XP ships with a clearly defined and pluggable concept for handling authentication and authorization

Introduction

Enonic XP ships with a standard concept handling users, authentication, groups and roles based authorization. Additionally, the NoSQL storage supports fine-grained access control mechanisms down to a single item.

IAM Concepts

XP IAM consists of three central concepts:

Principals

Principals are object that can be given permissions. There are three different types of principals:

Users

Principals that can be authenticated.

Groups

Used to group other principals to simplify management.

Roles

Provides access to application specific functionality.

Permissions

Principals may be given with fine grade access to items stored in the NoSQL storage. An example of this is the XP CMS, where users typically get access to create or publish content in specific areas of the solution.

Identity providers

ID providers offer pluggable abstraction layer for user authentication. As such, in order to authenticate or even create users in XP, you will need to define an ID provider.

ID providers are linked to your webapp or site through virtual hosts.

Creating an ID provider

ID providers can be created and managed through the API, or through the Users app in the XP admin console.

An ID provider essentially consist of the following:

  • A unique name (cannot be changed later)

  • ID provider application, with optional configuration settings.

  • Permissions - specifies who can manage and access the ID provider

ID provider applications must be installed before you can select them.
Setting up an ID provider from the Users admin tool

System ID provider

XP ships with a special ID provider that cannot be removed or renamed. It is called the System ID provider.

When accessing the XP admin console for the first time in a fresh installation, you will see the login screen of System ID provider.

System ID provider login screen

The purpose of the System ID provider is to store system users, for example su(the Super User) and anonymous (the default user when no other user is specified).

XP XP 7.15.0 7.15.0 Users in the System ID provider that are not system users are called Service Accounts.

Prior to XP XP XP 7.15.0 7.15.0 , users added to the System ID provider were treated as regular users with username-password credentials. Users with username-password credentials in the System ID provider are still supported, but strongly discouraged. Instead, use service accounts with JWT tokens. See Service Accounts for more details.
Avoid adding real users to the System ID provider, rather create a new ID provider instead.

Service Accounts

A service account is a special kind of user used by remote applications and services to authenticate with XP. Service accounts are not meant to be used by humans. Service accounts are managed by XP Users app.

Each Service Account may (but not required to) have one or several Service Account keys. Using Service Account Key is beneficial for security reasons:

  • It allows to authenticate without transferring the password over the network.

  • Multiple Shared Account Keys allow rotation of Public-Private key-pairs without service interruption.

  • Stored Public key is not a hash of a password, so it is not possible to reverse-engineer the password from the public key.

Service accounts keys are used to make an authorized call to:

  • Management Endpoint

  • any other XP service port endpoint that supports authentication and is configured to use the System ID provider. See Virtual Hosts for more details.

Requests are authenticated by JWT token in the Authorization header.

Content of the header should look like the following:

Authorization: Bearer <token>

A JWT token must follow the following rules:

  • it must be a valid RFC-7519 JWT token.

  • alg header parameter must be set to RS256.

  • kid header parameter must be set to ID of the public key that corresponds to the private key used to sign the token.

  • sub claim must be set to ID of the service account, for instance, user:system:user_id.

  • exp claim must be set to expiration time of the token. The token will be rejected if it is expired.

  • iat claim must be set to issue time of the token. The token will be rejected if it was issued in the future.

Private key from Public-Private key pair is stored only on the client side and must not be shared with the XP server.

Public key from Public-Private key pair is stored in the XP server and is used to verify signature of the token.

Service account keys are a security risk if not managed correctly. Make sure to rotate keys regularly and keep them safe. If you suspect that your keys have been compromised, you can revoke them in the Users app. Whenever possible use other ID providers instead, such as OIDC ID provider.
JWT header example 
{
  "kid": "51a29c2ab5ebf945f6a5ddac8935bf8b",
  "typ": "JWT",
  "alg": "RS256"
}
JWT payload example 
{
  "sub": "user:system:user_id",
  "exp": 1692787396,
  "iat": 1692787366
}

ID provider apps

In order for an ID provider to work, it must be associated with an ID provider application that handles the authentication process.

You may install ID providers from Enonic Market, or build your own for a fully customized experience.

Standard ID provider app

Enonic XP is shipped with an app called the "Standard ID provider". This is also the app that is being used by the System ID provider

Built-in roles

Enonic XP is shipped with several built-in roles (described below) which grant certain permissions when applied to users. New roles can be created by users with Administrators and Users Administrator roles.

Permissions for every role can be overridden by Administrator or Content Manager Administrator on the content level.

Administrator Users with the Administrator role have full access to all content and admin tools through the user interface.

Administration Console Login Users with this role can log in to the administration console. These users will also require a role for each of the admin tools that the users need access to.

Content Manager Administrator

This role allows full access to Content Studio, including ability to create and delete content projects.

Content Manager Expert

This role gives members ability to view and modify source code in the rich text editor.

Content Manager App

Give users to access to the legacy default project in Content Studio. Users with this role can see content and sites, but cannot create new sites or any new content in the project.

As of v7.3, XP supports creation of custom content projects. These offer project-specific roles that automatically provide access to both Content Studio and the project itself.

Users App

Provides view-only access to the Users admin tool.

Users Administrator

Grants full access to the Users admin tool, including create/edit/delete for ID providers, users, roles, and groups.

Authenticated

Users automatically get this role when they are logged into the platform, regardless of ID provider.

Everyone

A special role that both authenticated users, and visitors (Anonymous user) all have in common. The role is for instance used to grant read permissions to publicly available content projects.

XP XP 7.11.0 7.11.0

Schemas Administrator

Grants permissions to manipulate virtual applications and schemas.

NOTE: If you are using Content Projects, your project will have a set of project-specific roles in addition to the built-in ones.

Contents

Contents

AI-powered search

Juke AI