Set Up Salesforce Identity SSO with Heroku

Last updated May 30, 2024

SSO is available only for Heroku Teams and Heroku Enterprise customers.

Salesforce Identity can serve as the identity provider (IdP), to provide single sign-on (SSO) user login to Heroku via SAML.

Setting up Salesforce as an identity provider for Heroku takes a few steps involving Salesforce and Heroku web interfaces:

Download Identity Provider Metadata from Salesforce

If you already set up Salesforce as an identity provider, you can download the Identity Provider metadata file.

  1. Log into your Salesforce org as an admin.
  2. Go to Settings > Identity > Identity Provider.
  3. Download the metadata file.

If you must set up Salesforce as an identity provider or change the identity provider configuration, refer detailed instructions including prerequisites.

Set Up the Service Provider Side (Heroku)

  1. In the Heroku web interface, select the team or Enterprise account you want to set up SSO for.
  2. Go to the Settings tab.
  3. Click Setup SSO.
  4. Upload the IdP metadata file you downloaded from Salesforce.
  5. Toggle the Enable SSO switch to enable.

Three values display in the Heroku dashboard. Heroku dashboard SSO settings Use these values to create and set up a connected app on Salesforce in the following steps.

  1. In a separate browser tab, go to your Salesforce Admin homepage.
  2. Go to Settings > Identity > Identity Provider.
  3. Click the link under the Service Providers section to create a new connected app.
  4. Fill in the required “Connected App Name”, “API Name”, and “Contact E-mail” fields. Note the app name for the next step.
  5. In the Web App Settings area, click Enable SAML and paste the three values from the Heroku dashboard.
  6. Make sure that the “Name ID Format” pick list in the Salesforce interface is set to the format described in the Heroku SSO settings list.
  7. Set “Subject type” to “username”. (Make sure that this username represents each user’s actual e-mail address. Some Salesforce installations permit email-like usernames that don’t correspond to working e-mail addresses.)
  8. Click Save at the bottom of the page.

Salesforce SSO settings

Finally, grant users access to this connected app to enable SSO.

  1. Go to your Salesforce Admin homepage.
  2. Click Administer > Manage Users > Profiles.
  3. Click the Profile Name of the user profile.
  4. Click the Edit button.
  5. Scroll down to Connected App Access, and select the connected app you created on the previous page. Repeat this step for any other user profiles that should be also be granted SSO login for Heroku.
  6. Scroll to the bottom of the page and click Save.

Congratulations! The setup is complete. Heroku users can now log in using Salesforce credentials at the “Heroku Login URL” you configured.

Feedback

Log in to submit feedback.