diff --git a/docs/architecture.md b/docs/architecture.md index 201c0047..3891e31c 100644 --- a/docs/architecture.md +++ b/docs/architecture.md @@ -23,6 +23,7 @@ SPDX-License-Identifier: Apache-2.0 * [Central Contacts](#central-contacts) * [Central Navigation](#central-navigation) * [Filepicker](#filepicker) + * [Newsfeed](#newsfeed) * [(OpenProject) File Store](#openproject-file-store) * [Applications vs. Services](#applications-vs-services) * [Collabora (Office)](#collabora-office) @@ -256,6 +257,7 @@ flowchart TD Intercom_Service-->|Silent Login, Token Exchange|IdP Intercom_Service-->|Filepicker|Nextcloud Intercom_Service-->|Central Navigations|Portal + Intercom_Service-->|Newsfeed|XWiki OX-AppSuite_Backend-->|Filepicker|Nextcloud OX-AppSuite_Backend-->|Videoconferences|Element Nextcloud-->|Central Navigation|Portal @@ -264,6 +266,7 @@ flowchart TD XWiki-->|Central Navigation|Portal Nextcloud-->|Central Contacts|OX-AppSuite_Backend OX-AppSuite_Frontend-->|Filepicker|OX-AppSuite_Backend + Portal-->|Newsfeed|Intercom_Service ``` Details can be found in the upstream documentation that is linked in the respective sections. @@ -325,6 +328,14 @@ when adding a file to an email or storing a file into Nextcloud to avoid passing **Links** - [OX AppSuite Nextcloud Integration upstream documentation](https://gitlab.open-xchange.com/extensions/nextcloud-integration/-/tree/main/documentation). +## Newsfeed + +The portal renders a newsfeed based on entries of a predefined openDesk blog in XWiki. It accesses the required XWiki +service through the Intercom Service's `/wiki` endpoint, in combination with the previously described silent login. + +**Links:** +- [XWiki Blog feature](https://extensions.xwiki.org/xwiki/bin/view/Extension/Blog%20Application) + ## (OpenProject) File Store While OpenProject allows you to attach files to work packages directly, it is often preferred that the files are 
diff --git a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
index 1d793048..99a35c57 100644
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -53,7 +53,8 @@ ics:
 secret: {{ .Values.secrets.intercom.secret | quote }}
 issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
 originRegex: "{{ .Values.global.domain }}"
- userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"entryuuid"{{ else }}"phoenixusername"{{ end }}
+ userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"entryuuid"{{ else }}"opendesk_username"{{ end }}
+ usernameClaim: "opendesk_username"
 keycloak:
 realm: {{ .Values.platform.realm | quote }}
 default:
@@ -77,6 +78,9 @@ ics:
 oci: true
 url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
 audience: "opendesk-oxappsuite"
+ xwiki:
+ subdomain: {{ .Values.global.hosts.xwiki | quote }}
+ audience: "opendesk-xwiki"
 nextcloud:
 origin: {{ .Values.global.hosts.nextcloud | quote }}
 subdomain: {{ .Values.global.hosts.nextcloud | quote }}
@@ -103,7 +107,9 @@ podSecurityContext:
 fsGroupChangePolicy: "Always"
 
 provisioning:
- enabled: true
+ # intercom OIDC client is created by opendesk-keycloak-bootstrap, as we have control over the
+ # client's claims this way.
+ enabled: false
 config:
 nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
 keycloak:
diff --git a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
index 4831f5f1..308c67f7 100644
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
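Review bot: The `entryuuid` branch of `userUniqueMapper` is kept unchanged while the bootstrap values in this same commit label the mapper that produces that claim (`entryuuid_temp`) as temporary, so nothing on this line records that the branch has to be revisited when that mapper goes away. A comment above it would tie the two files together, e.g. `# "entryuuid" comes from the temporary entryuuid_temp mapper in values-opendesk-keycloak-bootstrap.yaml.gotmpl` followed by `# (switch to opendesk_useruuid once the Intercom Service reads a configurable claim)`. The new `usernameClaim` carries the same claim name as the non-immutable branch; whether it is also meant to apply when the `entryuuid` branch is active is not visible here. The enclosing `ics:` mapping starts outside the hunk.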
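Review bot: `audience: "opendesk-xwiki"` names a Keycloak audience that no other hunk in this commit creates — the bootstrap change only adds the `opendesk-intercom` client — so it presumably has to exist in the realm already, and that dependency is worth stating next to the value. The sibling `nextcloud` entry sets `origin` as well as `subdomain`, while the new `xwiki` block sets only `subdomain`; if the Intercom Service derives the origin from the subdomain that is fine, otherwise the block is incomplete. A one-line comment such as `# audience must match the opendesk-xwiki client configured in Keycloak by opendesk-keycloak-bootstrap` would make the coupling explicit. The `ics:` mapping this sits in starts outside the hunk.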
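Review bot: Setting `provisioning.enabled: false` leaves the `config:` block below it (`nubusBaseUrl`, `keycloak`, …) in place but inert, and the added comment does not say which values now have to agree between the two charts. The bootstrap hunk in values-opendesk-keycloak-bootstrap.yaml.gotmpl reads the client secret from `.Values.secrets.keycloak.clientSecret.intercom`, while the `ics:` block in the first hunk of this file reads `.Values.secrets.intercom.secret`; the two paths must resolve to the same value or the `opendesk-intercom` client cannot authenticate against Keycloak. Extend the comment with `# clientId/secret must match the opendesk-intercom client in values-opendesk-keycloak-bootstrap.yaml.gotmpl (.Values.secrets.keycloak.clientSecret.intercom)`. The `config:` entries continue outside the hunk.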
@@ -375,6 +375,71 @@ config:
 claim.name: "opendesk_username"
 jsonType.label: "String"
 clients:
+ - name: "opendesk-intercom"
+ clientId: "opendesk-intercom"
+ protocol: "openid-connect"
+ clientAuthenticatorType: "client-secret"
+ secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+ redirectUris:
+ - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
+ consentRequired: false
+ frontchannelLogout: false
+ publicClient: false
+ authorizationServicesEnabled: false
+ attributes:
+ backchannel.logout.session.required: true
+ backchannel.logout.revoke.offline.tokens: true
+ backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
+ protocolMappers:
+ - name: "intercom-audience"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-audience-mapper"
+ consentRequired: false
+ config:
+ included.client.audience: "opendesk-intercom"
+ id.token.claim: false
+ access.token.claim: true
+ # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
+ # it to `opendesk_useruuid` standard claim. For reference:
+ # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
+ - name: "entryuuid_temp"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "entryUUID"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "entryuuid"
+ jsonType.label: "String"
+ # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
+ # set it to `opendesk_username` standard claim. For reference:
+ # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
+ - name: "phoenixusername_temp"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "phoenixusername"
+ jsonType.label: "String"
+ - name: "opendesk_username"
+ protocol: "openid-connect"
+ protocolMapper: "oidc-usermodel-attribute-mapper"
+ consentRequired: false
+ config:
+ userinfo.token.claim: true
+ user.attribute: "uid"
+ id.token.claim: true
+ access.token.claim: true
+ claim.name: "opendesk_username"
+ jsonType.label: "String"
+ defaultClientScopes:
+ - "offline_access"
 - name: "opendesk-dovecot"
 clientId: "opendesk-dovecot"
 protocol: "openid-connect"
diff --git a/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl b/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
index 771c555d..57bbaea2 100644
--- a/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
@@ -11,7 +11,7 @@ repositories:
 password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
 oci: true
 url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
- 
+
 releases:
 - name: "xwiki"
 chart: "xwiki-repo/{{ .Values.charts.xwiki.name }}"
diff --git a/helmfile/apps/xwiki/values.yaml.gotmpl b/helmfile/apps/xwiki/values.yaml.gotmpl
index cd896808..22e186da 100644
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
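Review bot: `defaultClientScopes` lists only `"offline_access"`, which makes every login through `opendesk-intercom` issue an offline token that outlives the SSO session, and the hunk gives no reason for it; `backchannel.logout.revoke.offline.tokens: true` limits the exposure on an explicit logout but not for sessions that simply expire. If the importer treats this list as the complete set of default scopes, the realm's usual defaults are not attached to this client either — please confirm against the other entries in the `clients:` list. A comment naming the consumer that relies on offline tokens would settle both points, e.g. `# offline_access is a default scope because <consumer> needs refresh beyond the SSO session — TODO confirm`. The `clients:` list and the enclosing `config:` mapping continue outside the hunk.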
@@ -147,6 +147,7 @@ properties: "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1 "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}" "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443 + ## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping. "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal" ## SMTP settings @@ -175,7 +176,7 @@ properties: # yamllint disable-line rule:line-length "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd !important; height: 64px;} div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }" - "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc" + "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "keycloak-bridge-auth" ## Fields to search in when importing users from the administration UI (not completely in scope for now) "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes": "sn,givenname,uid,mailPrimaryAddress" diff --git a/helmfile/environments/default/charts.yaml.gotmpl b/helmfile/environments/default/charts.yaml.gotmpl index 5e6e18d6..0203c0ef 100644 --- a/helmfile/environments/default/charts.yaml.gotmpl +++ b/helmfile/environments/default/charts.yaml.gotmpl 
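Review bot: The added `##` comment is a single line of roughly 200 characters in a file that otherwise handles over-long lines with `# yamllint disable-line rule:line-length`, and its second half reads ambiguously about what restores the dynamic mappings. Wrapping it and naming the actor makes that explicit: `## Setting this property replaces the LDAP group mapping, including all dynamically created mappings;` followed by `## on XWiki restart an LDAP sync is therefore triggered to recreate the dynamic mappings.` The `properties:` mapping this belongs to starts outside the hunk.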
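Review bot: `authService` now selects `"keycloak-bridge-auth"`, an authenticator identifier that nothing in this commit documents; it presumably ships with the XWiki image bumped to 0.23 in images.yaml.gotmpl, and if the two changes are ever deployed separately XWiki is left pointing at an unknown auth service. Since this property decides how every XWiki login is validated, a comment above it naming the extension that registers `keycloak-bridge-auth` and the minimum image version it requires would keep the bumps coupled, e.g. `# provided by <extension> shipped in the xwiki image >= 0.23 — TODO confirm`. The `properties:` mapping this belongs to starts outside the hunk.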
@@ -139,7 +139,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
 name: "intercom-service"
- version: "2.7.1"
+ version: "2.7.3"
 verify: true
 jitsi:
 # providerCategory: "Platform"
@@ -321,7 +321,7 @@ charts:
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
 name: "opendesk-keycloak-bootstrap"
- version: "2.1.3"
+ version: "2.1.4"
 verify: true
 openproject:
 # providerCategory: "Supplier"
diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl
index 1d776a32..00afd13e 100644
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -79,7 +79,7 @@ images:
 # upstreamMirrorStartFrom: ["2", "1", "0"]
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
- tag: "2.4.0@sha256:df743b7ea30077dc941815ccc60198820d67bbba94853fa7a6f939c0f36af335"
+ tag: "2.7.3@sha256:bae60a9a14df53431f81846bf98520e3340dbfc1abae88622ccbd3c6e81cd930"
 jibri:
 # providerCategory: "Supplier"
 # providerResponsible: "Nordeck"
@@ -469,7 +469,7 @@ images:
 # upstreamRepository: "nubus/images/portal-frontend"
 registry: "registry.opencode.de"
 repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-portal-update"
- tag: "1.10.5@sha256:75461683a2233c2e5c99499791ceb576b717c68baa28eef2c307e7052aaaf754"
+ tag: "1.10.13@sha256:2f84f50af5d6ed31587e5ea9d043c9c30599d91350e13ea1ca31c9c9737a32cc"
 nubusPortalServer:
 # providerCategory: "Supplier"
 # providerResponsible: "Univention"
@@ -837,5 +837,5 @@ images: # upstreamMirrorStartFrom: ["0", "12"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki" - tag: "0.22-mariadb-jetty-alpine@sha256:ba29f44befc558c4a4d969f103b216c13a55194dbc532adc43567bee4943d65f" + tag: "0.23-mariadb-jetty-alpine@sha256:d358212cc5c3addc4be02cfd0f2b08aa8b88399ac5848e152111f231356558da" ...