OAuth2 Single Sign-On (SSO) Login — User Guide

Your site can offer Single Sign-On (SSO) so you log in with an external account (e.g. Microsoft, Google, or your organisation’s identity provider) instead of a Totara password. The SSO flow is started from a special login page that first checks your email in the Academy (Totara) and then sends you to the provider to sign in. This guide describes what you see and what to do as an end user.

Who uses SSO login?

Any user who is allowed to use SSO by the site administrator. SSO is only available if:

• The OAuth2 authentication plugin is enabled.
• An OAuth2 issuer (e.g. Microsoft, Google) is configured and linked to the login page.
• Your email address already exists in the Academy (Totara) and is not deleted. The site checks your email before sending you to the external provider.

How do I start SSO login?

You do not open login.php directly by typing the URL. Instead:

• Your organisation will give you a link or a button (e.g. “Sign in with Microsoft” or “Single Sign-On”) on the main login page or elsewhere. That link points to the OAuth2 login script and includes which identity provider (issuer) to use.
• The address looks like: Your site URL + /auth/oauth2/login.php?id= + a number (the issuer ID). Example: https://yoursite.com/auth/oauth2/login.php?id=1

Use the link or button provided by your site; do not guess the issuer ID.

What happens step by step?

1. SSO page — You see a “Single Sign-On” form with the message “Enter your email to continue to SSO”.
2. Enter your email — Type the same email address that is registered in the Academy (Totara). This is the address your organisation uses for your account.
3. Click Continue — The site checks that this email exists in the Academy and that the account is not deleted.
4. If your email is not found — You see “Access denied” and the message that your email is not authorized to use the Academy. You are redirected to the normal login page after a few seconds, or you can click “Go to login”. You cannot use SSO until your account exists in the Academy with that email.
5. If your email is found — You are redirected to the external provider (e.g. Microsoft or Google). Your email may be pre-filled there (login hint) to make signing in easier.
6. Sign in at the provider — Enter your credentials for that provider (e.g. work Microsoft account). Complete any two-factor or consent steps they require.
7. Return to the Academy — After the provider confirms your identity, you are sent back to the Academy. The system links your provider account to your Academy account (by email) and logs you in. You are then taken to the page you were trying to reach (or the site home).

Other messages you might see

• Session Expired — Your browser session expired (e.g. you left the page open too long before clicking Continue). Use “Go to Login Page” or wait for the automatic redirect, then start again from the SSO link.
• Access denied — Your email is not in the Academy or the account is deleted. Contact your administrator to get an account with that email, or use the normal login if you have a different account.

Important notes

• SSO only works if your email already exists in the Academy. The site does not create new accounts from the provider; it only links an existing Academy user to the provider account.
• Use the same email in the SSO form as in your Academy profile. If your provider uses a different email, the Academy will not find your account and will show “Access denied”.
• If you see “OAuth2 authentication plugin is not enabled” or similar, SSO is turned off. Use the normal login page or contact your administrator.