First, deploy Panther Enterprise and go to the General Settings page. Note the values for "Audience" and "ACS URL":
Follow the GSuite guide for SAML-based SSO, which we trace step-by-step below:
Go to the Apps Admin console and select "Add App" -> "Add custom SAML app"
Enter an application name:
Download the metadata file and keep this handy.
Leave all the settings on this page as their default values and click "continue."
Configure the ACS URL and Entity ID using the values shown in the Panther General Settings page:
ACS URL: Use the "ACS Consumer URL" shown in the Panther General Settings
Entity ID: Use the "Audience" shown in the Panther General Settings
Leave the rest of the fields as their defaults and click "continue." Configure the attribute mapping as follows:
First Name -> "PantherFirstName"
Last Name -> "PantherLastName"
Primary email -> "PantherEmail"
Click Finish. Now we need to enable the app: click the down arrow next to User Access to expand this tab:
Toggle the app to "On for everyone" (or more selectively assign to OUs if you prefer) and click "save."
Panther does not yet support direct uploads of SAML metadata files (we're working on it!).
In the meantime, you will need to publish that metadata file (which should not contain sensitive information, but double-check to be sure) to a public S3 bucket or any other public location so that you can generate a URL for it.
The URL must be HTTPS, and it must point to the public XML metadata document.
From the Panther settings page, enable SAML with a default Panther role of your choice and paste the URL which points to the metadata file that you published.
Don't forget to switch to "Enabled", click "Save", and then you're done! Now, clicking the "Login with SSO" button will redirect you to GSuite:
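The two checks the steps above ask for, the metadata file containing nothing sensitive and the URL being HTTPS, as an added Python example that is not Panther's or Google's code; the sample metadata, its entityID, endpoint and certificate value, and the bucket URL in the usage call are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the IdP metadata GSuite exports (placeholder IDs and cert).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=PLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...CONSTRUCTED...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_metadata_url(url):
    """Problems with the URL handed to Panther: it must be an HTTPS URL with a host."""
    p = urlparse(url)
    problems = []
    if p.scheme != "https":
        problems.append("metadata URL must use https")
    if not p.netloc:
        problems.append("metadata URL has no host")
    return problems

def check_metadata_xml(xml_text):
    """Problems with the IdP metadata itself, found before it is published anywhere public."""
    if "PRIVATE KEY" in xml_text:
        return ["contains private key material; do not publish"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return ["not well-formed XML: %s" % e]
    problems = []
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        problems.append("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: not IdP metadata"]
    # The signing certificate is the one thing Panther needs from the file.
    if idp.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS) is None:
        problems.append("no signing certificate")
    for sso in idp.findall("md:SingleSignOnService", NS):
        if not sso.get("Location", "").startswith("https://"):
            problems.append("SSO endpoint is not https: " + sso.get("Location", ""))
    return problems

if __name__ == "__main__":
    print(check_metadata_xml(SAMPLE_METADATA))  # constructed sample: expect []
    print(check_metadata_url("https://example-bucket.s3.amazonaws.com/gsuite-metadata.xml"))
```

Run it against the real downloaded file and the real URL before pasting the URL into the Panther settings page.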