Here's how to add and configure a new application in OneLogin for integration with the Peoplesafe platform:

Setting up OneLogin for Single Sign-On (SSO) with Peoplesafe involves configuring a new application within your OneLogin admin portal and then retrieving the necessary credentials. This guide will walk you through the process step-by-step.

1. Add a New Application

1. Log in to your OneLogin admin portal.
2. From the navigation menu, go to Applications > Applications.
3. Click the Add App button.
4. In the search bar, type "OpenID Connect".
5. Select the OpenId Connect (OIDC) connector by OneLogin, Inc. from the search results.
6. Give your application a descriptive Display Name (e.g., "Peoplesafe SSO"). You can also upload an icon if desired.
7. Click Save.

2. Configure Web Application Settings

After saving the application, you'll be taken to its configuration page.

1. Go to the Configuration tab.
2. You'll need to enter the following information:
   • Login URL (optional): This is the URL that initiates the login process from OneLogin. Enter https://nexus.peoplesafe.co.uk/login
   • Redirect URI(s): https://nexus.peoplesafe.co.uk/login
   • Post Logout Redirect URIs: https://nexus.peoplesafe.co.uk/login
3. Click Save after entering the details.

3. SSO Credentials & Configuration

Once the web application settings are configured, you need to update the SSO settings and retrieve the credentials that Peoplesafe will use to connect to OneLogin:

1. Navigate to the SSO tab (or OpenID Connect tab, depending on your OneLogin version) within your newly created Peoplesafe application.
2. Client ID: This is a unique identifier for your OneLogin application.
3. Application Type: For multi-platform applications that include native mobile apps, set this to "Native" to ensure proper handling of PKCE (Proof Key for Code Exchange), which is a security extension for OIDC requierd by the Peoplesafe mobile apps.
4. Ensure the "Token Endpoint Authentication Method" is set to "None (PKCE)".
5. Click Save if you made any changes on this tab.
6. Copy the Client ID value carefully. You will need to input this into Peoplesafe Nexus (section 5 below).

4. Configure Mobile Application Settings

After updating the SSO application configuration, you need to update the OneLogin redirect URLs for Peoplesafe Mobile Application (Android & iOS) support:

1. Go to the Configuration tab.
2. You will need to list a separate redirect URI for the Peoplesafe mobile applications. Enter this Redirect URI on a new line in each field:
   • Redirect URI(s): com.skyguard.s4h://onelogin-callback
   • Post Logout Redirect URI: com.skyguard.s4h://onelogin-callback
3. Click Save after entering the details.

5. Configuring a Custom User Field for Nexus Mapping

This optional step is for organisations that want to use a custom user field from OneLogin (e.g., employee ID) instead of the default OneLogin ID to match users with their profiles in the Peoplesafe platform. This is achieved by including a custom claim in the OIDC ID token.

1. In your OneLogin admin portal, navigate to your Peoplesafe SSO application.
2. Go to the Parameters tab.
3. Click the Add Parameter button.
4. A new window will appear. In the "Field name" box, type the exact name that Peoplesafe provides for the custom attribute (e.g., user_reference or employee_id).
5. In the "Value" dropdown, select the custom field from your OneLogin user profiles that you want to use for mapping.
6. Click Save.

If you skip this step, Peoplesafe will automatically use the user's default OneLogin ID to link their account.

6. Configure OneLogin inside Nexus

Once you have retrieved the Client ID, you must input these into Nexus. Nexus and the Peoplesafe apps will use these details to accept authentication requests from your OneLogin instance.

1. Log in to your Nexus account
2. From the navigation menu, go to Company Profile > Settings.
3. Scroll down to the OneLogin Configuration section
4. Toggle the Enable OneLogin button to On.
5. Input the subdomain of your OneLogin account (e.g., for example.onelogin.com, input example). This is essential to connect to your OneLogin tenant and enable SSO.
6. Paste the Client ID generated by OneLogin for your Peoplesafe OIDC application. You can find it on the "SSO" tab in your OneLogin admin portal.
7. Optional: If you configured a custom user field in OneLogin (as detailed in the previous section), enter the exact field name you defined there into the "OneLogin User Reference Mapping" field in Nexus.
8. Click Update to save the configuration.

By following these steps, you'll successfully configure OneLogin for SSO with Peoplesafe, enabling your users to log in seamlessly.