Skip to main content


Totara SAML application setup

This articles demonstrates how to set up SSO to Totara using the SAML protocol. The configuration takes place in HelloID and Totara.

  • HelloID environment

  • Totara environment

Create or import a certificate

If there is no certificate yet, a certificate must be imported or created. This can be done in the HelloID Administrator Portal under Settings > Certificates. For this tutorial, we will use a self-signed certificate. Learn more about certificates here.

Application setup
Add the Totara application

Create a new application in HelloID by navigating to Applications > Applications. Open the Application Catalog and search for "Totara". Find the SAML template, and click Add. Learn more about managing applications here.

General tab

In the Default Login URL field, replace {url} with the base URL of your Totara instance. If your Totara environment is hosted, replace {customer} with your account ID. Or, if your Totara environment is dedicated, remove {customer} entirely.

After you have customized this field, copy its value.

Select the Next button.

Single Sign-On tab

On the Single Sign-On tab, perform the following steps:

  1. In the Endpoint/ACS URL field, paste the value you copied from the Default Login URL field.

  2. In the X509 Certificate drop down, select the certificate that you previously created or imported.

  3. In the ACS validation list, enter all the URLs where the SAML request could be initiated from, one per line.

  4. In the Extra audience(s) field, enter the metadata URL provided by Totara. This will be in the format of: https://{url}/simplesaml/module.php/saml/sp/metadata.php/{customer}

  5. Select the Next button.

Self Service tab

On the Self Service tab, choose whether to create a Self Service product, which makes the application requestable. This is optional. Select the Next button.

Finish tab

On the Finish tab, select the Savebutton to add the application to HelloID.


By default, the nameID and uid attributes are sent to Totara, mapped to the {{user.userguid}} and {{user.contactEmail}}, respectively. If your Totara setup requires different values to be sent, edit the mapping set.

Totara setup

Go to Applications > Applications. Locate your newly-added Totara application and select its Edit link. Right-click the Download metadata button and select Copy link address. This will be in the format of:{guid}


To complete setup, request a SAML connection from your Totara administrator. Send them the metadata URL you copied.

Validate and use ACS request URL

After you have set up and tested the SSO connection, return to the Single Sign-On tab and turn on the Validate and use ACS request URL toggle. Select the Save button.