Authentication is the process which allows a user to log in to your Totara Learn site.
There are a variety of methods available for user authentication in Totara and any number of available methods may be employed.
Select the method that fits your situation the best. Once you have set up your authentication and set up the courses you can then enrol learners into the courses.
If you have courses with guest access, set the Guest login button to show.
Authentication methods (also known as authentication plugins) include:
Accounts created manually by an administrator.
Suspends user account.
Enables users to create their own accounts. See more on the Email-based self-registration Help page.
|Self-registration with approval||Enables users to create their own accounts, but prevents them joining the site until they are approved. See Self-registration with approval Help page for more.|
|CAS server (SSO)|
Account details are located on an external CAS server.
|Totara Connect client|
Automatic single sign-on via Totara Connect servers.
Account details are located on an external database.
Account details are located on an external FirstClass server.
Account details are located on an external IMAP server.
Account details are located on an external LDAP server. See the LDAP server Help page for more.
Use this with the Publish as LTI tool enrolment plugin to allow remote users to access selected courses and activities.
Separate Totara sites can connect and authenticate users.
Account details are located on an external NNTP server.
For testing purposes only.
|PAM (Pluggable Authentication Modules)|
Account details come from the operating system Totara is running on, via PAM (can only be used Linux/Unix).
Account details are located on an external POP3 server.
Account details are located on an external Shibboleth server.
|Web services authentication|
Accounts used exclusively by web service clients.
There are a number of settings that an authentication method may have, some of the more common ones are listed below.
|Lock user field|
You can lock user profile fields. This is useful for sites where the user profile data is maintained by the administrators manually by editing user records or uploading using the Upload users facility.
|If you are locking fields that are required by Totara, make sure that you provide that data when creating user accounts or the accounts will be unusable. Consider setting the lock mode to Unlocked if empty to avoid this problem.|
|Allow job assignment fields||The selected Position, Organisation and Manager fields will be available for users when they sign-up|
Set the length of time the password is valid for and the number of days before the password expiry that a notification is created.
This type of authentication is used when Totara stores users' passwords and other details in the local Totara database. Authentication plugins such as manual and email are indicated as internal authentication.
Other authentication plugins (such as: LDAP or POP3) are indicated as external authentication. With this type of authentication, users' details are not required to be stored in the local Totara database and a user's password field is labelled as 'not cached'.
Multi-authentication is supported. Each authentication plugin may be used to find a username/password match. Once found, a user is logged in and alternative plugins are not used. Therefore the plugin which handles the most logins should be moved to the top of the page to ensure minimal load is put on authentication servers.
There are a number of settings you can configure in the Plugins > Authentication > Manage authentication area under Common settings.
This setting allows you to determine what happens to a user account if it is deleted. Select from the following options:
If you choose Keep username, email, and id number then deleted user profile fields can be reactivated however their other data will be deleted including but not limited to; appraisals where the user is in the learner role, grades, and roles.
If a user was deleted with the keep username, email, and id number setting then they will only be able to be fully deleted manually not through the HR import process.
If you want to recover a users record of learning then Suspend rather than Delete the user.
If you want users' to be able to create their own user accounts, i.e. self register, then select Email-based self-registration (or any other enabled plugin which can support self registration, like LDAP) from the dropdown menu.
|Enabling self registration results in the possibility of spammers creating accounts in order to use forum posts, blog entries etc. for spam. This risk can be minimised by limiting self registration to particular email domains using the Allowed email domains option. Alternatively, self registration may be enabled for a short period of time to allow users to create accounts and then later disabled.|
Allow login via email
Allow users to use both username and their email address (if unique) for site login.
Allow accounts with same email
If enabled, more than one user account can share the same email address.
This may result in security or privacy issues, for example with the password change confirmation email.
Prevent account creation when authenticating
When a user authenticates, an account on the site is automatically created if it doesn't yet exist. If an external database, such as LDAP, is used for authentication, but you wish to restrict access to the site to users with an existing account only, then this option should be enabled. New accounts will need to be created manually or via the upload users feature. Note that this setting doesn't apply to MNet authentication.
Autofocus login page form
Enabling this option improves usability of the login page so you don't need to navigate to username filed but automatically focusing fields may be considered an accessibility issue.
Guest login button
You can hide or show the guest login button on the login page. Hiding the guest login button disables guest access to your Totara site.
Any user logged in to the system can view any course that allows guest access without enrolling on the course.
Limit concurrent logins
If enabled the number of concurrent browser logins for each user is restricted.
Alternate login URL
This should be used with care, since a mistake in the URL or on the actual login page can lock you out of your site. If there is a problem, you can remove the entry from your database using, e.g., phpmyadmin for MYSQL.
Forgotten password URL
If your lost password handling is performed entirely outside of Totara; for example, only by a help desk, you can set the URL of that service here. Anybody pressing a lost password link in Totara will be redirected to this URL. Custom instructions for logging in can also be created.
This will disable all of Totara's lost password recovery options regardless of authentication method(s) in use.
|Enter custom login instructions that will be displayed on the login page. Leaving this blank will display the default instructions.||-|
Allowed email domains
A space separated list of allowed email domains, e.g. @totaralearning.com @totara.com
Denied email domains
|A space separated list of email domains that are not allowed to be registered, e.g. @hotmail.com @gmail.com||-|
Restrict domains when changing email
Enables verification of changed email addresses using allowed and denied email domains settings. If this setting is disabled the domains are enforced only when creating new users.
If ReCAPTCHA has been enabled in the user signup form then a Public (Site) and Private key are required to be entered. The keys are generated by http://www.google.com/recaptcha
Please note that as of 31 March 2018 reCAPTCHA v1 will no longer work. This means you will need to ensure you have upgraded to the latest minor release for your Totara Learn version and then update your keys so that you can use v2. You can read more on the reCAPTCHA FAQs.
There are two ways to manage single sign-on in Totara:
To determine the best method for your organisation it depends if you are trying to connect multiple Totara sites (Totara Connect) or if you are trying to connect Totara with external services (CAS).
To set up CAS follow these steps:
As CAS is an external open source solution you can read more about how CAS works on their website.
The Totara Academy has a whole course dedicated to Site-level user management in Totara Learn. Here you can learn more about user management, see best practice, and give it a go yourself.