# OneLogin Setup and Configuration

This guide covers setting up Single Sign-On (SSO) with OneLogin as your identity provider for Welkin Health. Once configured, care team members can log in to Welkin using their OneLogin credentials.

## Prerequisites

* OneLogin account with admin access
* Welkin Admin portal access
* Welkin user accounts created for each team member (emails must match their OneLogin accounts)

## Step 1: Get Welkin SP metadata

1. Log in to the Welkin Admin portal
2. Navigate to **Settings → Single Sign-On (SSO)**
3. Note the following:
   * **Entity ID (Audience URI)**
   * **ACS URL (Assertion Consumer Service URL)**

## Step 2: Create a SAML application in OneLogin

1. Log in to your [OneLogin admin portal](https://app.onelogin.com/admin)
2. Navigate to **Applications → Applications**
3. Click **Add App**
4. Search for **SAML Custom Connector (Advanced)** and select it
5. Enter the app name: **Welkin Health**
6. Click **Save**

## Step 3: Configure the SAML connector

In the application's **Configuration** tab:

| Field                  | Value                                         |
| ---------------------- | --------------------------------------------- |
| Audience (Entity ID)   | Paste the Welkin Entity ID                    |
| ACS URL (Consumer URL) | Paste the Welkin ACS URL                      |
| ACS URL Validator      | Leave default or enter the ACS URL as a regex |
| Login URL              | `https://app.welkinhealth.com`                |
| SAML initiator         | Service Provider                              |
| SAML nameID format     | Email                                         |
| SAML issuer type       | Specific                                      |
| SAML signature element | Both                                          |

Click **Save**.
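If you enter the ACS URL as a regex in **ACS URL Validator**, escape and anchor it so that only the exact URL matches. The following check is an added example, not part of the Welkin or OneLogin documentation; it assumes the validator uses search-style matching like Python's `re.search`, `ACS_URL` is a placeholder for the value from Step 1, and the lookalike URLs are constructed test inputs.

```python
import re

# Placeholder (constructed): substitute the ACS URL shown in Welkin Admin.
ACS_URL = "https://sso.example.invalid/saml/acs"


def build_validator(acs_url: str) -> str:
    """Return a regex that matches exactly acs_url and nothing else."""
    # re.escape makes '.', '?', '+' etc. literal; ^ and $ pin both ends.
    return "^" + re.escape(acs_url) + "$"


def accepts(pattern: str, candidate: str) -> bool:
    """Model a validator that searches the candidate for the pattern."""
    return re.search(pattern, candidate) is not None


def lookalikes(acs_url: str) -> list:
    """Constructed URLs that a correct validator must reject."""
    scheme, rest = acs_url.split("://", 1)
    return [
        scheme + "://" + rest.replace(".", "x", 1),  # '.' treated as wildcard
        "https://other.invalid/?next=" + acs_url,    # real URL embedded later
        acs_url + ".other.invalid",                  # real URL used as a prefix
        "http://" + rest,                            # scheme downgrade
    ]


def audit(pattern: str, acs_url: str) -> list:
    """Return the lookalike URLs that the pattern wrongly accepts."""
    return [u for u in lookalikes(acs_url) if accepts(pattern, u)]


if __name__ == "__main__":
    weak = ACS_URL                    # URL pasted as-is into the regex field
    strict = build_validator(ACS_URL)
    print("weak pattern accepts:", audit(weak, ACS_URL))
    print("strict pattern:", strict)
    print("strict pattern accepts:", audit(strict, ACS_URL))
    print("strict pattern still matches the real URL:", accepts(strict, ACS_URL))
```

Paste the printed strict pattern into the validator field only after confirming that it still accepts the real ACS URL.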

## Step 4: Configure attribute mappings

In the **Parameters** tab, add the following attributes:

| OneLogin field | SAML attribute name |
| -------------- | ------------------- |
| Email          | `email`             |
| First Name     | `firstName`         |
| Last Name      | `lastName`          |

Click **Save** after adding each attribute.

## Step 5: Get OneLogin IdP credentials

In the **SSO** tab of the application:

1. Note the **Issuer URL** (IdP Entity ID)
2. Note the **SAML 2.0 Endpoint (HTTP)** (SSO URL)
3. Click **View Details** next to the X.509 Certificate and copy or download it

## Step 6: Configure SSO in Welkin Admin

1. Return to **Settings → Single Sign-On** in Welkin Admin
2. Enter:
   * **IdP Entity ID** – the Issuer URL from OneLogin
   * **SSO URL** – the SAML 2.0 HTTP endpoint from OneLogin
   * **IdP Certificate** – paste the X.509 certificate from OneLogin
3. Click **Save**

## Step 7: Assign users in OneLogin

1. In the OneLogin application, go to the **Users** tab
2. Assign the application to individual users or to roles/groups that include all Welkin users
3. Assigned users will now see Welkin Health in their OneLogin dashboard

## Step 8: Test SSO

1. Click **Test SSO** in Welkin Admin
2. You'll be redirected to OneLogin
3. Log in with an assigned user's credentials
4. Confirm you're returned to Welkin and logged in correctly

Once verified, you can enable **Force SSO** in Welkin Admin to require all logins to use OneLogin.

## Ongoing management

When a team member leaves:

1. Remove or suspend their OneLogin account – this immediately blocks SSO access to Welkin
2. If Force SSO is not enabled, also deactivate their Welkin account to prevent password-based login
3. See [Add, Delete, Modify Users](https://github.com/welkincloud-io/welkin-docs/blob/master/kb/admin/add-new-users.md) for Welkin user management


