alphagov · thomasiles · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026
diff --git a/app/controllers/auth_controller.rb b/app/controllers/auth_controller.rb
@@ -0,0 +1,14 @@
+class AuthController < ApplicationController
+  def callback
+    # We come here after one login
+    # We will need to restore, form_id, mode and form_slug, which we should have saved before sending
+    if session["return_to"].present?
+
+      # We need to do something to get the user's email here.
+      #
+      # We then need to set the email in the session somewhere
+      session["one_login_email"] = "example@example.org"
+      redirect_to session["return_to"]
+    end
+  end
+end
diff --git a/app/controllers/fake_onelogin_controller.rb b/app/controllers/fake_onelogin_controller.rb
@@ -0,0 +1,8 @@
+class FakeOneloginController < ApplicationController
+  def show
+  end
+
+  def create
+    redirect_to auth_callback_path(mode: "preview-draft", form_id: 14, form_slug: "testing-none-of-the-above")
+  end
+end
diff --git a/app/controllers/forms/check_your_answers_controller.rb b/app/controllers/forms/check_your_answers_controller.rb
@@ -36,6 +36,14 @@ def submit_answers
         return render template: "errors/incomplete_submission", locals: { form: @form, current_context: }
       end
 
+      if email_confirmation_input.send_confirmation == "onelogin"
+        # TODO: We need to save where to comeback to here in a cookie or session state
+        # When we come back from one login, we'll need mode, form_id and form_slug?
+        session["return_to"] = request.fullpath
+        return redirect_to onelogin_path
+        # return redirect_to auth_url
+      end
+
       begin
         submission_reference = FormSubmissionService.call(current_context:,
                                                           email_confirmation_input:,
@@ -55,6 +63,37 @@ def submit_answers
       render "errors/submission_error", status: :internal_server_error
     end
 
+    # TODO: This is a new method, which will handle the submission for the one login callback
+    def auth_callback
+      return redirect_to error_repeat_submission_path(@form.id) if current_context.form_submitted?
+
+      unless current_context.can_visit?(CheckYourAnswersStep::CHECK_YOUR_ANSWERS_PAGE_SLUG)
+        EventLogger.log_form_event("incomplete_or_repeat_submission_error")
+        return render template: "errors/incomplete_submission", locals: { form: @form, current_context: }
+      end
+
+      begin
+        # Let's hackily build an email_confirmation_input mocked up with the email.
+        # This will send the current confirmation email to the one login address, which isn't what we want eventally
+        # but might be handy to test it
+        confirmation_email_address = session["one_login_email"]
+        email_confirmation_input = EmailConfirmationInput.new(confirmation_email_address:, send_confirmation: :send_email)
+        requested_email_confirmation = email_confirmation_input.send_confirmation == "send_email"
+        submission_reference = FormSubmissionService.call(current_context:,
+                                                          email_confirmation_input:,
+                                                          mode:).submit
+
+        current_context.save_submission_details(submission_reference, requested_email_confirmation)
+        session["one_login_email"] = nil
+
+        redirect_to :form_submitted
+      rescue StandardError => e
+        log_rescued_exception(e)
+
+        render "errors/submission_error", status: :internal_server_error
+      end
+    end
+
   private
 
     def email_confirmation_input_params

diff --git a/app/input_objects/email_confirmation_input.rb b/app/input_objects/email_confirmation_input.rb
@@ -8,7 +8,7 @@ class EmailConfirmationInput
   before_validation :strip_email_whitespace
 
   validates :send_confirmation, presence: true
-  validates :send_confirmation, inclusion: { in: %w[send_email skip_confirmation] }
+  validates :send_confirmation, inclusion: { in: %w[send_email skip_confirmation onelogin] }
   validates :confirmation_email_address, presence: true, if: :validate_email?
   validates :confirmation_email_address, email_address: { message: :invalid_email }, allow_blank: true, if: :validate_email?
 

diff --git a/app/views/fake_onelogin/show.html.erb b/app/views/fake_onelogin/show.html.erb
@@ -0,0 +1,9 @@
+<div class="govuk-grid-row">
+  <div class="govuk-grid-column-two-thirds-from-desktop">
+    <%= form_tag onelogin_create_url, method: :POST do %>
+      <%= label_tag(:email, "Enter the email address, this will be totally ignored anyway") %>
+      <%= text_field_tag(:email) %>
+      <%= submit_tag("Finish login") %>
+    <% end %>
+  </div>
+
diff --git a/app/views/forms/check_your_answers/show.html.erb b/app/views/forms/check_your_answers/show.html.erb
@@ -25,6 +25,7 @@
         <%= form.govuk_radio_button :send_confirmation, 'send_email', link_errors: :true do %>
           <%= form.govuk_email_field :confirmation_email_address, autocomplete: 'email', spellcheck: false  %>
         <% end %>
+        <%= form.govuk_radio_button :send_confirmation, 'onelogin' %>
         <%= form.govuk_radio_button :send_confirmation, 'skip_confirmation' %>
       <% end %>
 

diff --git a/config/locales/cy.yml b/config/locales/cy.yml
@@ -412,6 +412,7 @@ cy:
       email_confirmation_input:
         confirmation_email_address: Pa gyfeiriad e-bost ydych chi eisiau i ni anfon eich cadarnhad ato?
         send_confirmation_options:
+          onelogin: Yes, send a confirmation email with answers to my one login account
           send_email: Ydw
           skip_confirmation: Na
       remove_input:

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -412,6 +412,7 @@ en:
       email_confirmation_input:
         confirmation_email_address: What email address do you want us to send your confirmation to?
         send_confirmation_options:
+          onelogin: Yes, send a confirmation email with answers to my one login account
           send_email: 'Yes'
           skip_confirmation: 'No'
       remove_input:

diff --git a/config/routes.rb b/config/routes.rb
@@ -22,13 +22,21 @@
     form_slug: Form::FORM_SLUG_REGEX,
   }
 
+  get "/auth-callback" => "auth#callback", as: :auth_callack
+
+  # Fake routes for testing
+  get "/onelogin" => "fake_onelogin#show", as: :onelogin
+  post "/onelogin" => "fake_onelogin#create", as: :onelogin_create
+
   # If we make changes to allowed mode values, update the WAF rules first
   scope "/:mode", mode: /preview-draft|preview-archived|preview-live|form/ do
     get "/:form_id" => "forms/base#redirect_to_friendly_url_start", as: :form_id, constraints: form_id_constraints
     scope "/:form_id/:form_slug(.:locale)", constraints: form_constraints do
       get "/" => "forms/base#redirect_to_friendly_url_start", as: :form
       get "/#{CheckYourAnswersStep::CHECK_YOUR_ANSWERS_PAGE_SLUG}" => "forms/check_your_answers#show", as: :check_your_answers
       post "/#{CheckYourAnswersStep::CHECK_YOUR_ANSWERS_PAGE_SLUG}" => "forms/check_your_answers#submit_answers", as: :form_submit_answers
+      get "/#{CheckYourAnswersStep::CHECK_YOUR_ANSWERS_PAGE_SLUG}/auth" => "forms/check_your_answers#auth_callback", as: :auth_callback
+
       get "/submitted" => "forms/submitted#submitted", as: :form_submitted
       get "/privacy" => "forms/privacy_page#show", as: :form_privacy