# G Suite SSO
## Overview
Panther supports integrating with G Suite (now named Google Workspace) as a SAML provider to enable logging in to the Panther Console via SSO.
For more information on features, terminology, and limitations of SSO integrations with the Panther Console, see [Identity & Access Integrations](https://docs.panther.com/system-configuration/saml).
## How to configure SAML SSO to the Panther Console with G Suite
### Step 1: Obtain the SSO parameters from Panther
1. Log in to the Panther Console.
2. In the upper-right corner, click the gear icon, and then click **General**.
3. Navigate to the **Identity & Access** tab.
4. Next to **Enable SAML (Security Assertion Markup Language)**, set the toggle to `ON`.
5. If using [IdP-initiated login](https://docs.panther.com/system-configuration/saml/..#idp-initiated-vs.-sp-initiated-login), set the **Use IdP-Initiated Single Sign On (SSO)** toggle to `ON`.
6. Copy the the **Audience** and **ACS Consumer URL** values and store them in a secure location. You will need them in the following steps.
* If using IdP-initiated login, also copy the **Relay State** value.
{% hint style="info" %}
It's recommended to use [SP-initiated login](https://docs.panther.com/system-configuration/saml/..#sp-initiated-login-recommended), as it is generally considered more secure than IdP-initiated login.
{% endhint %}
### Step 2: Create the G Suite App
Follow the [GSuite guide for SAML-based SSO](https://support.google.com/a/answer/6087519) to add a custom SAML app.
{% hint style="info" %}
Note that it may take up to 24 hours for your changes to propagate in Google Workspace.
{% endhint %}
Make the following modifications to create the SAML app for Panther:
* In the **Service Provider Details** window, enter in the following:
* **ACS URL**: Paste the **ACS Consumer URL** value you obtained in the Panther Console in Step 1.
* **Entity ID**: Paste the **Audience** value you obtained in the Panther Console in Step 1.
* **Start URL**: If using IdP-initiated login, paste the **Relay State** value you copied from the Panther Console in Step 1. If using SP-initiated login, leave this value blank.
* On the **Attribute mapping** page, configure the following attribute mappings:
* **First Name**: `PantherFirstName`
* **Last Name**: `PantherLastName`
* **Primary email**: `PantherEmail`
### Step 3: Enable the SAML app in Google Workspace
Follow [Google's documentation to turn on the SAML app](https://support.google.com/a/answer/6087519).
### Step 4: Configure SAML in Panther
1. Navigate back to the **Identity & Access** section in the Panther Console from Step 1. In the **Default Role** field, choose the Panther role that your new users will be assigned by default when they first log in via SSO.
{% hint style="warning" %}
Panther highly recommends not setting this value to `Admin`.
{% endhint %}
2. Below the **Identity Provider URL** field, click **click here** to upload the metadata file you downloaded from Google while configuring the SAML app.
3. Click **Save Changes**.
To test your setup, go to your Panther sign-in page and click **Login with SSO**.
%20(1).png?alt=media)