Google SAML with 2FA app_not_configured_for_user

I am trying to connect SuiteCRM (self-hosted) to Google SAML service, but keep getting an error 403: app_not_configured_for_user

Here is my setup:
Google GSuite/Workspaces: paid license
2FA is enabled for all users.

Google SAML: Customer APP
User access: on for everyone
ACS URL: https://[our domain]/index.php?action=Login&module=Users
Entity ID: https://[our domain]/index.php?action=Login&module=Users / also tried with php-saml
Start URL: empty
Signed response: not ticked
SAML attribute mapping: not configured

SuiteCRM SAML settings:
Login URL:[our id]
SLO URL: empty
X509 Certificate: [generated certificate]

Followed these instructions:

On the SuiteCRM I’m seeing this in the log when trying to authenticate:
Wed Oct 28 17:03:15 2020 [3371][-none-][FATAL] SECURITY: User authentication for failed
Wed Oct 28 17:03:15 2020 [3371][-none-][FATAL] FAILED LOGIN:attempts[1], ip[our ip], username[]

Does anyone have any idea where the problem is?

Did you ever find a solution to this? I am having an identical issue.

no i haven’t. I’ve actually gave up on the idea for now