Set Up Salesforce Identity SSO with Heroku
Last updated 20 November 2017
SSO is available only in Heroku Enterprise accounts. For specific instructions for other SSO providers, see the Using Single Sign-On Services with Heroku, for Administrators article.
Salesforce Identity can serve as the identity provider, or “IdP,” to provide single sign-on (SSO) user login to Heroku and other services. Federating identity in this way provides centralized, unified user access and identity management across all services.
Heroku supports SSO via SAML, a standard in wide use by enterprises and companies to provide authentication services to products that would otherwise require separate accounts and logins.
Setting up SSO for Heroku takes about 15 minutes and has three main steps involving the Salesforce and Heroku web interfaces:
Set up the Identity Provider “IdP” side (Salesforce)
As an admin, log into your Salesforce org and go to “Setup”.
Create your IdP certificate in Salesforce
- From the home page: Administer > Security Controls > Create and manage certificate. (This menu item may be called “Certificate and Key Management”).
- Create a self-signed certificate if one is not there already, or make note of the name/label of an existing one. This certificate signs the SAML assertions Salesforce sends to Heroku, so keep it valid and rotate it before it expires.
Download your IdP info file from Salesforce
- From the home page: Administer > Security Controls > Identity Provider.
- Click “Enable Identity Provider” then select the certificate you just created (or found) in the list and click “Save”.
- Next, click “Download Metadata”. You will need this file in Step 2. (Note that your Salesforce Org must have a domain name. If it does not, you can create one for it at this point in the “Identity Provider” section of your Administrative interface for this Org)
Set up the Service Provider side (Heroku)
- In the Heroku web interface, select the Heroku Enterprise Team for which you want to set up SSO.
- In the settings tab for this Team, upload the IdP metadata file you downloaded from Salesforce. You will see that identity federation is enabled on the Heroku side.
Link Salesforce Identity to Heroku
You will see three values displayed in the Heroku dashboard in quick-copy fields. You’ll need to paste these into Salesforce to complete setup.
- In a separate browser tab, navigate to your Salesforce Admin homepage
- Click Administer > Security Controls > Identity Provider.
- Click the link in the content area leading to “Connected Apps”.
- Fill in the required “Connected App Name”, “API Name”, and “Contact E-mail” fields. Note the app name because you’ll need it in the next step.
- In the “Web App Settings” area, click “Enable SAML” and paste in the three values from the Heroku dashboard.
- Make sure that the “Name ID Format” pick-list in the Salesforce interface is set to the format described in the Heroku SSO settings list.
- Set “Subject type” to “username”. Make sure that this username is each user’s actual e-mail address, since that is the value Heroku receives to identify the user. Some Salesforce installations permit email-like usernames that do not correspond to working e-mail addresses; those users will not be matched to their Heroku accounts.
- Click “Save” at the bottom of the page.
Finally, you’ll need to grant users access to this “Connected app” to enable SSO.
- Navigate to your Salesforce Admin homepage.
- Click Administer > Manage Users > Profiles.
- Click the “Profile Name” of the user profile to which you want to extend Heroku login.
- Click the “Edit” button, scroll down to “Connected App Access”, and select the Connected App you created on the previous page. (Repeat this step for any other user profiles that should also be granted SSO login for Heroku.)
- Scroll to the bottom of the page and click “Save”.
Congratulations! Setup is complete. Heroku users will now be able to log in using Salesforce credentials at the “Heroku Login URL” you have configured.