Authentication is the process which allows a user to log in to your Totara Learn site.
There are a variety of methods available for user authentication in Totara and any number of available methods may be employed.
Select the method that fits your situation the best. Once you have set up your authentication and set up the courses you can then enrol learners into the courses.
If you have courses with guest access, set the Guest login button to show.
Authentication methods (also known as authentication plugins) include:
Accounts created manually by an administrator.
Suspends user account.
Enables users to create their own accounts. Read more below.
|Self-registration with approval||Enables users to create their own accounts, but prevents them joining the site until they are approved. Read more below.|
|CAS server (SSO)|
Account details are located on an external CAS server.
Account details are located on an external database.
Account details are located on an external FirstClass server.
Account details are located on an external IMAP server.
Account details are located on an external LDAP server.
Separate Totara sites can connect and authenticate users.
Account details are located on an external NNTP server.
For testing purposes only.
|PAM (Pluggable Authentication Modules)|
Account details come from the operating system Totara is running on, via PAM (can only be used Linux/Unix).
Account details are located on an external POP3 server.
Account details are located on an external RADIUS server.
Account details are located on an external Shibboleth server.
|Web services authentication|
Accounts used exclusively by web service clients.
There are a number of settings an authentication method may have, including:
Lock user field: You can lock user profile fields. This is useful for sites where the user profile data is maintained by the administrators manually by editing user records or uploading using the Upload users facility.
|If you are locking fields that are required by Totara, make sure that you provide that data when creating user accounts or the accounts will be unusable. Consider setting the lock mode to Unlocked if empty to avoid this problem.|
|Security risk: Please be aware that while this option is enabled, information about positions, organisation or managers will be public.|
If you have chosen Email-based self-registration and wish potential users to be able to create their own accounts, select Email-based self-registration from the self registration dropdown menu in the common settings section. Potential users will then be presented with a Create new account button on the login page.
The Email-based self-registration authentication plugin must be enabled to allow users who previously self registered via this plugin, to log in with that plugin. Selecting Email-based self-registration as the self registration method allows potential users to self register.
The plugin Self-registration with approval is slightly different from the Email-based self-registration as it requires a Site administrator or another user with the capability auth/approved:approve to approve the registration request before the user is added to the site.
The user registers in the same way as with the Email-based self-registration method and gets an email to confirm their email address. The Site administrator (or another user with the capability listed above) can then go to Site administration > Plugins > Authentication > Self-registration with approval > Pending requests to either approve or reject the user's request. Once this is done, the user will get an email to let them know whether or not they've been approved.
This type of authentication is used when Totara stores users' passwords and other details in the local Totara database. Authentication plugins such as manual and email are indicated as internal authentication.
Other authentication plugins (such as: LDAP or POP3) are indicated as external authentication. With this type of authentication, users' details are not required to be stored in the local Totara database and a user's password field is labelled as 'not cached'.
Multi-authentication is supported. Each authentication plugin may be used to find a username/password match. Once found, a user is logged in and alternative plugins are not used. Therefore the plugin which handles the most logins should be moved to the top of the page to ensure minimal load is put on authentication servers.
Keep username, email, and id number: A deleted user profile fields can be reactivated, their other data will be deleted including but not limited to:
Full deletion: This is the default setting.
If a user was deleted with the keep username, email, and id number setting then they will only be able to be fully deleted manually not through the HR import process.
If you want to recover a users record of learning then Suspend rather than Delete the user.
If you want users' to be able to create their own user accounts, i.e. self register, then select Email-based self-registration (or any other enabled plugin which can support self registration, like LDAP) from the dropdown menu.
|Enabling self registration results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. This risk can be minimised by limiting self registration to particular email domains using the Allowed email domains option. Alternatively, self registration may be enabled for a short period of time to allow users to create accounts and then later disabled.|
Allow users to use both username and their email address (if unique) for site login.
If enabled, more than one user account can share the same email address.
This may result in security or privacy issues, for example with the password change confirmation email.
When a user authenticates, an account on the site is automatically created if it doesn't yet exist. If an external database, such as LDAP, is used for authentication, but you wish to restrict access to the site to users with an existing account only, then this option should be enabled. New accounts will need to be created manually or via the upload users feature. Note that this setting doesn't apply to MNet authentication.
Enabling this option improves usability of the login page so you don't need to navigate to username filed but automatically focusing fields may be considered an accessibility issue.
You can hide or show the guest login button on the login page. Hiding the guest login button disables guest access to your Totara site.
|Any user logged in to the system can view any course that allows guest access without enrolling on the course.|
If enabled the number of concurrent browser logins for each user is restricted.
|The oldest session is terminated after reaching the limit, please note that users may lose all unsaved work. This setting is not compatible with single sign-on (SSO) authentication plugins.|
This should be used with care, since a mistake in the URL or on the actual login page can lock you out of your site. If there is a problem, you can remove the entry from your database (table mdl_config) using, e.g., phpmyadmin for mysql.
If your lost password handling is performed entirely outside of Totara; for example, only by a help desk, you can set the URL of that service here. Anybody pressing a lost password link in Totara will be redirected to this URL. Custom instructions for logging in can also be created.
|This will disable all of Totara's lost password recovery options regardless of authentication method(s) in use.|
Authentication may be restricted to particular email domains when using Email-based self-registration so that, for example, only learners with an organisation domain email can log in.
Enables verification of changed email addresses using allowed and denied email domains settings. If this setting is disabled the domains are enforced only when creating new users.
If ReCAPTCHA has been enabled in the user signup form then a Public (Site) and Private key are required to be entered. The keys are generated by http://www.google.com/recaptcha.
Please note that as of 31 March 2018 reCAPTCHA v1 will no longer work. This means you will need to ensure you have upgraded to the latest minor release for your Totara Learn version and then update your keys so that you can use v2. You can read more on the reCAPTCHA FAQs.
There are two ways to manage single sign-on in Totara:
To determine the best method for your organisation it depends if you are trying to connect multiple Totara sites (Totara Connect) or if you are trying to connect Totara with external services (CAS).
To set up CAS follow these steps:
As CAS is an external open source solution you can read more about how CAS works on their website.
The Totara Academy has a whole course dedicated to Site-level user management in Totara Learn. Here you can learn more about user management, see best practice, and give it a go yourself.