On the Passly side:
Protocol Type: SAML SP-Init
Assertion Consumer Service URL: https://{CW_Domain}/v4_6_release/auth/{CompanyID}/Acs
Allow Multiple Audiences: Unchecked
Service Entity ID: https://{CW_Domain}/v4_6_release/auth/{CompanyID}/metadata
Identity Issuer: https://{org}.my.passly.com/trust
Multiple Audiences: Checked
Audience URI: https://{CW_Domain}/v4_6_release/auth/{CompanyID}/metadata
Attribute Transform: {User.EmailAddress} => schemas.xmlsoap.org/.../nameidentifier
Sign Token Response: Checked
Sign Assertion: Checked
Signing Algorithm: SHA-256
Fixed Relay State: <blank>
On the CW side:
Login URL: https://{org}.my.passly.com/trust/launch?ApplicationId={App_Guid} (found by right-clicking the app in the Launchpad and copying the link)
Identity Provider ID: https://{org}.my.passly.com/trust
Upload the Certificate and ensure the fingerprint matches.