How to use existing users of XWiki as application behind Keycloak SSO/Web-SSO Link and map the users/groups from XWiki with keycloak (OpenID Connect or SAML 2.0)

Hi everybody,

I’ve tried to connect XWiki with Keycloak Web-SSO as application.

Can someone explain me how I can access existing users/user rights as IdP in the application “XWiki” after successful login/authentication in Keycloak and how the mapping between the Keycloak user and the users of the application works/is done?

Has anyone here been able to successfully connect XWiki using OpenID Connect or as alternative also SAML 2.0?

Would be grateful for experiences/tips or tricks

Maybe someone here can help me

Many thanks for your help

If you edit a user created by the OpenID Connect authenticator with the object editor you will notice it contain a XWiki.OIDC.UserClass object with the “issuer” and the “subject”. That’s currently what this authenticator uses to identify a user profile. So one way to reuse the existing profile is to create this kind of objects and set the right issue and subject in them.

1 Like

@tmortagne many thanks for your reply, I’ll try that in my running configuration of keyclaok and xwiki.

Otherwise I’ld contact once again

Is there any experience using the XWiki extension “OpenID Connect Authenticator” using the OpenID Connect protocol with Keycloak or other SSO/IAM systems?

Does XWiki also support SAML or other alternative protocols?

You have several examples on

There is Authenticator Jasig CAS ( it seems, but I don’t have any experience with it.

1 Like


I can help you with that since we are deeply integrating keycloak with our wiki.

You can use GitHub - tdudgeon/xwiki_authenticator_keycloak: Keycloak authenticator for XWiki as base for your project

It’s 5 year old but changing xwiki version and following instructions it will works.

You must download the Keycloak adapters and follow their instructions

You can found the adapters here all theses jar should be put in the libs forlder of your tomcat

You will have as explain in their documentation to change context.xml of your tomcat with

<?xml version="1.0" encoding="UTF-8"?>
    <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
  <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>

Also in your WEB-INF folder you will need keycloak.json with your configuration

  "realm": "yourKeycloakRealm",
  "auth-server-url": "yourKeycloakDomain/auth",
  "ssl-required": "external",
  "resource": "yourClientId",
  "credentials": {
    "secret": "yourClientSecret"
  "use-resource-role-mappings": false,
  "confidential-port": 0

Also at the end of your web.xml you will need something like




your_role is a realm role that your user in keycloak must have to login through the keycloak adapter

also xwiki.cfg will need

Then you probably have to change a bit the extension of their github to fit your needs

You should probably fork it as well, upgrade pom to your xwiki version fix java issues due to the upgrade to last version of xwiki and then recompile it to be installed in your wiki.

It’s not really an easy works especially rebuild and deploy your own version of the extension but I hope this information will save you a few days of additional work.

1 Like

@tmortagne thanks for your quick reply to my questions

@Cracky5457 many thanks for you for your detailed answer

I’ll use this for the XWiki connection to keycloak and try to do the mapping between the users like this