Last updated 10 October 2019

Azure AD can serve as the identity provider, or “IdP,” for Active Directory (AD) to provide single-sign-on (SSO) user login to Heroku.

Heroku supports SSO via SAML, a standard in wide use by enterprises and companies to provide authentication services to products that would otherwise require separate accounts and logins.

Set up for your existing Active Directory to use SSO for Heroku takes about 15 minutes and has two main steps involving the Azure and Heroku web interfaces:

Step 1: Set up the Identity Provider “IdP” side (Azure AD)

As an admin, log into your Azure Portal, browse to Active Directory and select the directory which will be enabled with SSO for Heroku.

Create and configure a SAML application for your directory

1. Go to “Applications” and select “Add” from the footer menu
2. Choose “Add an application my organization is developing”
3. Give your application a name and select “Web application and/or Web App”
4. Enter your app properties with the information provided in your Heroku Organization settings page for SSO configuration:
   1. Sign-on URL: provide ‘Heroku Login URL’
   2. App ID URI: provide your 'ACS URL’
5. When your app has been successfully added, go to 'Enable users to sign on’
6. Copy the “FEDERATED METADATA DOCUMENT URL” and paste the URL into a new browser window. Save the file to your local machine (you will need this document later, so store it in a place that you remember).

Step 2: Set up the Service Provider side (Heroku)

1. In the Heroku web interface, select the Heroku org for which you want to set up SSO.
2. In the Settings tab for this org, upload the federation metadata document XML file.

Congratulations! SSO is now enabled for your Active Directory users through Azure IdP. Heroku users will now be able to login using Azure credentials at the “Heroku Login URL” you have configured.