Looking for up-to-date Help documentation? Documentation for the latest releases of Totara is now available at totara.help!

Visit the new Help site

All pages

Authentication is the process which allows a user to log in to your Totara Learn site.

There are a variety of methods available for user authentication in Totara and any number of available methods may be employed.  

Select the method that fits your situation the best. Once you have set up your authentication and set up the courses you can then enrol learners into the courses.

Manage authentication plugins table.

Setting the authentication method

  1. Select Site Administration > Plugins > Authentication > Manage Authentication.
  2. Click Manage authentications to set your authentication method.
  3. Click the Show/hide icon to enable or disable the authentication plugin(s), multiple authentication plugins can be enabled.
  4. Use the up/down arrows to change the order of the plugins. Ensure the plugin that handles most of the authentications is at the top of the list.
  5. Click Settings next to an authentication plugin to configure the plugin properties.
  6. Click Save changes to save your options.

If you have courses with guest access, set the Guest login button to show.

Authentication methods

Authentication methods (also known as authentication plugins) include:

Manual accounts

Accounts created manually by an administrator.

No login

Suspends user account.

Email-based self-registration

Enables users to create their own accounts. See more on the Email-based self-registration Help page. 

Self-registration with approvalEnables users to create their own accounts, but prevents them joining the site until they are approved. See Self-registration with approval Help page for more. 
CAS server (SSO)

Account details are located on an external CAS server.

Totara Connect client

Automatic single sign-on via Totara Connect servers.

External database

Account details are located on an external database.

FirstClass server

Account details are located on an external FirstClass server.

IMAP server

Account details are located on an external IMAP server.

LDAP server

Account details are located on an external LDAP server. See the LDAP server Help page for more. 

LTI (Experimental)

Use this with the Publish as LTI tool enrolment plugin to allow remote users to access selected courses and activities. 

MNet authentication

Separate Totara sites can connect and authenticate users.

NNTP server

Account details are located on an external NNTP server.

No authentication

For testing purposes only.

PAM (Pluggable Authentication Modules)

Account details come from the operating system Totara is running on, via PAM (can only be used Linux/Unix).

POP3 server

Account details are located on an external POP3 server.


Account details are located on an external Shibboleth server.

Web services authentication

Accounts used exclusively by web service clients.

Frequently found settings 

There are a number of settings that an authentication method may have, some of the more common ones are listed below. 

Lock user field

You can lock user profile fields. This is useful for sites where the user profile data is maintained by the administrators manually by editing user records or uploading using the Upload users facility.

If you are locking fields that are required by Totara, make sure that you provide that data when creating user accounts or the accounts will be unusable. Consider setting the lock mode to Unlocked if empty to avoid this problem.
Allow  job assignment fieldsThe selected Position, Organisation and Manager fields will be available for users when they sign-up 
Security risk: Please be aware that while this option is enabled, information about positions, organisation or managers will be public.
Password expiry

Set the length of time the password is valid for and the number of days before the password expiry that a notification is created.


Authentication types

Authentication typeDescription

Internal authentication

This type of authentication is used when Totara stores users' passwords and other details in the local Totara database. Authentication plugins such as manual and email are indicated as internal authentication.

External authentication

Other authentication plugins (such as: LDAP or POP3) are indicated as external authentication. With this type of authentication, users' details are not required to be stored in the local Totara database and a user's password field is labelled as 'not cached'.


Multi-authentication is supported. Each authentication plugin may be used to find a username/password match. Once found, a user is logged in and alternative plugins are not used. Therefore the plugin which handles the most logins should be moved to the top of the page to ensure minimal load is put on authentication servers.

Site settings

There are a number of settings you can configure in the Plugins > Authentication > Manage authentication area under Common settings


User deletion

This setting allows you to determine what happens to a user account if it is deleted. Select from the following options:

  • Full with random surname
  • Full (legacy)
  • Keep username, email and ID number (legacy)

If you choose Keep username, email, and id number then deleted user profile fields can be reactivated however their other data will be deleted including but not limited to; appraisals where the user is in the learner role, grades, and roles.

If a user was deleted with the keep username, email, and id number setting then they will only be able to be fully deleted manually not through the HR import process.

If you want to recover a users record of learning then Suspend rather than Delete the user.

Self registration 

If you want users' to be able to create their own user accounts, i.e. self register, then select Email-based self-registration (or any other enabled plugin which can support self registration, like LDAP) from the dropdown menu.

Enabling self registration results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. This risk can be minimised by limiting self registration to particular email domains using the Allowed email domains option. Alternatively, self registration may be enabled for a short period of time to allow users to create accounts and then later disabled.

Allow login via email

Allow users to use both username and their email address (if unique) for site login.


Allow accounts with same email

If enabled, more than one user account can share the same email address. 

This may result in security or privacy issues, for example with the password change confirmation email.

Prevent account creation when authenticating

When a user authenticates, an account on the site is automatically created if it doesn't yet exist. If an external database, such as LDAP, is used for authentication, but you wish to restrict access to the site to users with an existing account only, then this option should be enabled. New accounts will need to be created manually or via the upload users feature. Note that this setting doesn't apply to MNet authentication.


Autofocus login page form

Enabling this option improves usability of the login page so you don't need to navigate to username filed but automatically focusing fields may be considered an accessibility issue.


Guest login button

You can hide or show the guest login button on the login page. Hiding the guest login button disables guest access to your Totara site.

Any user logged in to the system can view any course that allows guest access without enrolling on the course.

Limit concurrent logins

If enabled the number of concurrent browser logins for each user is restricted. 


Alternate login URL

This should be used with care, since a mistake in the URL or on the actual login page can lock you out of your site. If there is a problem, you can remove the entry from your database using, e.g., phpmyadmin for MYSQL.


Forgotten password URL

If your lost password handling is performed entirely outside of Totara; for example, only by a help desk, you can set the URL of that service here. Anybody pressing a lost password link in Totara will be redirected to this URL. Custom instructions for logging in can also be created.

This will disable all of Totara's lost password recovery options regardless of authentication method(s) in use.


Enter custom login instructions that will be displayed on the login page. Leaving this blank will display the default instructions. -

Allowed email domains

A space separated list of allowed email domains, e.g. @totaralearning.com @totara.com


Denied email domains

A space separated list of email domains that are not allowed to be registered, e.g. @hotmail.com @gmail.com-

Restrict domains when changing email

Enables verification of changed email addresses using allowed and denied email domains settings. If this setting is disabled the domains are enforced only when creating new users.



If ReCAPTCHA has been enabled in the user signup form then a Public (Site) and Private key are required to be entered. The keys are generated by http://www.google.com/recaptcha 

Please note that as of 31 March 2018 reCAPTCHA v1 will no longer work. This means you will need to ensure you have upgraded to the latest minor release for your Totara Learn version and then update your keys so that you can use v2. You can read more on the reCAPTCHA FAQs.

Single sign-on

There are two ways to manage single sign-on in Totara:

To determine the best method for your organisation it depends if you are trying to connect multiple Totara sites (Totara Connect) or if you are trying to connect Totara with external services (CAS). 

CAS server SSO

To set up CAS follow these steps:

  1. Select Site Administration > Plugins > Authentication > Manage Authentication.
  2. Click the show icon () alongside the CAS server (SSO) authentication method. 
  3. Click Settings next to CAS server (SSO) to configure the plugin setting.
  4. Click Save changes to save your options.

As CAS is an external open source solution you can read more about how CAS works on their website

On this page

The Totara Academy has a whole course dedicated to Site-level user management in Totara Learn. Here you can learn more about user management, see best practice, and give it a go yourself.

Provide feedback about this page using the link in the bottom right of this page. 

Still have questions? Why not post them in the forums of the Totara Community?