What about a more generic version of the prior question:
Assuming one already has an apache (httpd) based site using "HTTP Basic
Authorization" feature in apache, what is the technique for allowing already
authenticated users to use that same authentication in Xwiki? This assumes
some means of mapping the basic auth name to the xwiki user name, which is
trivial.
In other words you could use something like
mod_auth_mysql<http://www.howtoforge.com/mod_auth_mysql_apache2_debian&g…
allow password-based access to restricted portions of a website (or
entire thing if .htaccess at toplevel) via apache. More security or extranet
access can be granted via mod_ssl combined with client certificates & "fake
basic authentication"<http://www.modssl.org/docs/2.8/ssl_reference.html#S…
:
- FakeBasicAuth
  When this option is enabled, the Subject Distinguished Name (DN) of
  the Client X509 Certificate is translated into a HTTP Basic Authorization
  username. This means that the standard Apache authentication methods can be
  used for access control. The user name is just the Subject of the Client's
  X509 Certificate (can be determined by running OpenSSL's openssl x509
  command: openssl x509 -noout -subject -in *certificate*.crt). Note that no
  password is obtained from the user. Every entry in the user file needs this
  password: ``xxj31ZMTZzkVA'', which is the DES-encrypted version of the word
  ``password''. Those who live under MD5-based encryption (for instance
  under FreeBSD or BSD/OS, etc.) should use the following MD5 hash of the same
  word: ``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''.
In other words you have an external table mapping the client-certificate's
DN, which can be an elaborate string like
"/O=ufl.edu/OU=Employees/C=US/O=University of Florida/CN=ANDREW MEYER/Email=dontasemebro(a)ufl.edu|"
and this would provide authentication for user 'Xwiki.AndrewMeyer' and grant
that user access based on the associated xwiki account.
With the advent of https://www.myopenid.com the latter client-certificate,
SSL-based authentication ought to be considered as a nice "universal login
identity".... IMHO it provides a consistent way of handling identity across
a wide variety of sites.
In the past I've set up http://ipssources.com which uses 2-factor auth via HP
"Digital Badge" -- similar can be achieved, much more easily, and cheaply,
via MyOpenID. Their system is indeed like HP's "digital badge" except that
it's free and works across multiple websites.
MyOpenID has potential of being a useful service if it catches on.... When I
used it, it smoothly sent me a client-cert and appears to provide a decent
API for management:
You have the following certificates:
Label      Serial Number   Created                      Revoked
gnuvelle   BF1E            2008-02-11 16:32:29.195635   [Revoke this Certificate]
Thus making the potentially-difficult task of issuing and installing client
certificates in the user's browser a no-brainer (at least in firefox). If
they've correctly handled the MS/vs-the-world issues so that IE and Netscape
and mac users can access the web as ubiquitously as advertised, they've won
most of the "client auth" battle IMHO....
-- Niels
http://nielsmayer.com
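
The DN-to-account mapping described above, as an added example that is not part of the original message or of XWiki's code: it checks the OpenSSL one-line subject that FakeBasicAuth supplies as the user name and resolves it through an exact-match table instead of deriving an account from the CN. The table contents, the function names and the example.org DN are constructed assumptions.

```python
"""Map a mod_ssl FakeBasicAuth user name (certificate subject DN) to a wiki account."""

# Constructed mapping table: full subject DN -> XWiki user. This stands in for
# the "external table" kept by the site administrator (assumption).
DN_TO_USER = {
    "/O=example.org/OU=Employees/C=US/CN=ALICE EXAMPLE/Email=alice@example.org":
        "XWiki.AliceExample",
}


def parse_oneline_dn(dn):
    """Split an OpenSSL one-line DN into ordered (attribute, value) pairs.

    Raises ValueError unless the string is strictly /ATTR=value/ATTR=value.
    A component without '=' (for example from a value containing '/') is
    rejected instead of being guessed at.
    """
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    pairs = []
    for part in dn[1:].split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not attr.isalnum() or not value:
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr, value))
    return pairs


def wiki_user_for(remote_user):
    """Return the mapped wiki account, or None if the DN is unknown or malformed.

    The lookup is an exact match on the whole DN. Matching on the CN alone
    would let any accepted certificate that carries the same CN claim the
    account, so an unknown issuer or organisation never maps to a user.
    """
    try:
        parse_oneline_dn(remote_user)
    except ValueError:
        return None
    return DN_TO_USER.get(remote_user)
```

Because every FakeBasicAuth entry shares the same fixed password, the user file only identifies who is allowed in; the actual proof of identity is the client certificate that mod_ssl verified.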
On Sat, Mar 15, 2008 at 8:47 PM, Glenn Everitt <Glenn.Everitt(a)compuware.com>
wrote:
Thanks for the advice on changing the global.vm, sadly the authentication is
proprietary and wouldn't help anyone else. Thanks again. - Glenn Everitt
Ludovic Dubost-2 wrote:
Hi,
There is no chance the XWiki logout page is going to have any effect
when you are using Apache level auth.
Best is just to change the global.vm and link to your logout page with
the xredirect param and have your logout page redirect to that url in
the xredirect param.
What type of authentication are you using in your server ? If it's a
non-proprietary one, it might be nice to document your config on
xwiki.org.
Ludovic
Glenn Everitt wrote:
> I am using Apache level authentication and the
> AppServerTrustedAuthServiceImpl using getRemoteUser to get into XWiki and I
> have this working. I need to call something like a logout.jsp to invalidate
> the session and clean up. I thought I should use the
> xwiki.authentication.logoutpage=/[^/]+/logout/*
> in xwiki.cfg. I can't tell what this is doing and whether it is related to
> ...
>
> The velocity template global.vm seems to generate the logout link on the
> main menu.
#set($logouturl = $xwiki.getURL("XWiki.XWikiLogout","logout",
"xredirect=$util.encodeURI($logredir)"))
$!logouturl $!msg.get("logout") #sep()
Any clues on how to handle logout would be greatly appreciated.
Thanks
Glenn Everitt
--
Ludovic Dubost
Blog:
http://blog.ludovic.org/
XWiki:
http://www.xwiki.com
Skype: ldubost GTalk: ldubost
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
--
View this message in context:
http://www.nabble.com/logout-tp16040945p16075537.html
Sent from the XWiki- Dev mailing list archive at
Nabble.com.
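
A logout page that redirects to whatever arrives in the xredirect parameter, as suggested in the thread, should follow only targets on its own site. One way to write that check, added here as an example and not code from the thread or from XWiki (shown in Python for brevity; the host name, default path and function name are assumptions):

```python
from urllib.parse import urlsplit

# Assumptions for this example: the wiki's own host and a fallback landing page.
ALLOWED_HOST = "wiki.example.org"
DEFAULT_TARGET = "/xwiki/bin/view/Main/WebHome"


def safe_logout_target(xredirect):
    """Return xredirect if it stays on this site, otherwise DEFAULT_TARGET."""
    if not xredirect:
        return DEFAULT_TARGET
    # Browsers and urlsplit disagree on backslashes and control characters,
    # so such values are refused outright.
    if "\\" in xredirect or any(ord(c) < 0x20 for c in xredirect):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(xredirect)
    except ValueError:
        return DEFAULT_TARGET
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept only an absolute path with a single
        # leading slash. Browsers collapse "///host" into another origin.
        if xredirect.startswith("/") and not xredirect.startswith("//"):
            return xredirect
        return DEFAULT_TARGET
    # Absolute URL: scheme and host must both match. hostname ignores any
    # "user@" prefix, so "https://wiki.example.org@other.example/" fails here.
    if parts.scheme in ("http", "https") and parts.hostname == ALLOWED_HOST:
        return xredirect
    return DEFAULT_TARGET
```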