Looking for up-to-date Help documentation? Documentation for the latest releases of Totara is now available at totara.help!

Visit the new Help site

All pages

Authentication is the process which allows a user to log in to your Totara site.

There are a variety of methods available for user authentication in Totara.

Select the method that fits your situation the best. Once you have set up your authentication and set up the courses you can then enrol learners into the courses.

Setting the authentication method

  1. Select Site Administration > Plugins > Authentication > Manage Authentication.
  2. Click Manage authentications to set your authentication method.
  3. Click the Show/hide icon to enable or disable the authentication plugin(s), multiple authentication plugins can be enabled.
  4. Use the up/down arrows to change the order of the plugins. Ensure the plugin that handles most of the authentications is at the top of the list.
  5. Click 'Settings' next to an authentication plugin to configure the plugin properties.
  6. Click 'Save changes' to save your options.


If you have chosen Email-based self-registration and wish potential users to be able to create their own accounts, select 'Email-based self-registration' from the self registration drop-down menu in the common settings section. Potential users will then be presented with a 'Create new account' button on the login page.

If you have courses with guest access, set the Guest login button to show.

Authentication methods

Authentication methods (also known as authentication plugins) include:

  • Manual accounts: Accounts created manually by an administrator.
  • No login: Suspends user account, Note usernames are not allowed to include the @ character when uploading users.
  • Email-based self-registration: Enables users to create their own accounts.
  • CAS server (SSO): Account details are located on an external CAS server.
  • External database: Account details are located on an external database.
  • FirstClass server: Account details are located on an external FirstClass server.
  • IMAP server: Account details are located on an external IMAP server.
  • LDAP server: Account details are located on an external LDAP server.
  • Moodle Network authentication: Separate Totara sites can connect and authenticate users.
  • NNTP server: Account details are located on an external NNTP server.
  • No authentication: For testing purposes only.
  • PAM (Pluggable Authentication Modules): Account details come from the operating system Totara is running on, via PAM (can only be used Linux/Unix).
  • POP3 server: Account details are located on an external POP3 server.
  • RADIUS server: Account details are located on an external RADIUS server.
  • Shibboleth: Account details are located on an external Shibboleth server.
  • NTLM/Integrated Authentication.

Authentication types

Internal authentication

This type of authentication is used when Totara stores users' passwords and other details in the local Totara database. Authentication plug-ins such as manual and email are indicated as internal authentication.

External authentication

Other authentication plug-ins (such as: LDAP or POP3) are indicated as external authentication. With this type of authentication, users' details are not required to be stored in the local Totara database and a user's password field is labelled as 'not cached'.


Multi-authentication is supported. Each authentication plug-in may be used to find a username/password match. Once found, a user is logged in and alternative plug-ins are not used. Therefore the plug-in which handles the most logins should be moved to the top of the page to ensure minimal load is put on authentication servers.

Common settings

User deletion

Keep username, email, and id number: A deleted user profile fields can be reactivated, their other data will be deleted including but not limited to:

  • Appraisals where the user is in the learner role
  • Grades
  • Tags
  • Roles
  • Preferences
  • User custom fields
  • Private keys
  • Customised pages
  • Facetoface signups
  • Feedback360 assignments and responses
  • Position assignments
  • Programs & certifications
  • Goals
  • Evidence items
  • Scheduled reports
  • Reminders
  • Course and program enrolments 
  • Positions manager, appraiser, and temp manager positions will be unassigned
  • Audience assignments
  • Groups membership
  • Messages will be marked as read

Full deletion: Since Totara 2.7.3 an option for Full user deletion has been added, this is the default setting.

If a user was deleted with the keep username, email, and id number setting then they will only be able to be fully deleted manually not through the HR import process.

If you want to recover a users record of learning then Suspend rather than Delete the user.

Self registration

If you want users' to be able to create their own user accounts, i.e. self-register, then select Email-based self-registration (or any other enabled plugin which can support self registration, like LDAP) from the drop-down menu. This results in a 'Is this your first time here?' question and a 'Create new account' button being displayed on the login page.

Enabling self registration results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. This risk can be minimized by limiting self registration to particular email domains using the 'Allowed email domains'. Alternatively, self registration may be enabled for a short period of time to allow users to create accounts and then later disabled.
The Email-based self-registration authentication plugin must be enabled to allow users who previously self-registered to log in with that plugin. Selecting Email-based self-registration as the self registration method allows potential users to self register.

Guest login button

You can hide or show the guest login button on the login page. Hiding the guest login button disables guest access to your Totara site.

Any user logged in to the system can view any course that allows guest access without enrolling on the course.

Alternate login URL

This should be used with care, since a mistake in the URL or on the actual login page can lock you out of your site. If there is a problem, you can remove the entry from your database (table mdl_config) using, e.g., phpmyadmin for mysql.

Forgotten password URL

If your lost password handling is performed entirely outside of Totara; for example, only by a help desk, you can set the URL of that service here. Anybody pressing a 'lost password' link in Totara will be redirected to this URL. Note that this will disable all of Totara's lost password recovery options regardless of authentication method(s) in use.

Allowed and denied email domains

Authentication may be restricted to particular email domains when using Email-based self-registration so that, for example, only learners with an organisation domain email can log in.

Single sign-on

There are two ways to manage single sign-on in Totara:

To determine the best method for your organisation it depends if you are trying to connect multiple Totara sites (Totara Connect) or if you are trying to connect Totara with external services (CAS). 

CAS server SSO

To set up CAS follow these steps:

  1. Select Site Administration > Plugins > Authentication > Manage Authentication.
  2. Click the show icon () alongside the CAS server (SSO) authentication method. 
  3. Click Settings next to CAS server (SSO) to configure the plugin setting.
  4. Click Save changes to save your options.

As CAS is an external open source solution you can read more about how CAS works on their website

On this page

Provide feedback about this page using the link in the bottom right of this page. 

Still have questions? Why not post them in the forums of the Totara Community?

  • No labels