Last updated August 31, 2021

Salesforce Identity can serve as the identity provider, or “IdP,” to provide single sign-on (SSO) user login to Heroku via SAML.

Setting up Salesforce as Identity provider for Heroku takes only a few simple steps involving Salesforce and Heroku web interfaces:

Download Identity Provider Metadata from Salesforce

If you have already setup Salesforce as an identity provider, you can login to your Salesforce org as admin and download the Identity Provider metadata file by navigating to *Settings > Identity > Identity Provider *

If you need to setup Salesforce as an identity provider or change the identity provider configuration, refer detailed instructions including prerequisites.

Set up the Service Provider side (Heroku)

1. In the Heroku web interface, select the Heroku Enterprise Team or Enterprise Account for which you want to set up SSO.
2. Go to the settings tab, click Setup SSO and upload the IdP metadata file you downloaded from Salesforce.
3. Toggle Enable SSO switch to enable federation.

Link Salesforce Identity to Heroku

You will see three values displayed in the Heroku dashboard in quick-copy fields. You’ll need these values to create and setup a Connected App on Salesforce using the following steps.

1. In a separate browser tab, navigate to your Salesforce Admin homepage and navigate to Settings > Identity > Identity Provider.
2. Click the link under Service Providers section to create a new Connected App
3. Fill in the required “Connected App Name”, “API Name”, and “Contact E-mail” fields. Note the app name because you’ll need it in the next step.
4. In the “Web App Settings” area, click Enable SAML and paste in the three values from the Heroku dashboard.
5. Make sure that the “Name ID Format” pick-list in the Salesforce interface is set to the format described in the Heroku SSO settings list.
6. Set “Subject type” to “username”. (Make sure that this username represents each user’s actual e-mail address. Some Salesforce installations permit email-like usernames that do not correspond to working e-mail addresses.)
7. Click Save at the bottom of the page.

Finally, you’ll need to grant users access to this “Connected app” to enable SSO.

1. Navigate to your Salesforce Admin homepage.
2. Click Administer > Manage Users > Profiles.
3. Click the Profile Name of the user profile to which you want to extend Heroku login.
4. Click the Edit button, scroll down to “Connected App Access”, and select the Connected App you created in the previous page. (Repeat this step for any other user profiles that should be also be granted SSO login for Heroku.)
5. Scroll to the bottom of the page and click Save.

Congratulations! Setup is complete. Heroku users will now be able to login using Salesforce credentials at the “Heroku Login URL” you have configured.