Set Up Salesforce Identity SSO with Heroku
Last updated 20 February 2019
Table of Contents
SSO is available only in Heroku Enterprise. For specific instructions for other SSO providers, see the Using Single Sign-On Services with Heroku, for Administrators article.
Salesforce Identity can serve as the identity provider, or “IdP,” to provide single sign-on (SSO) user login to Heroku via SAML.
Setting up Salesforce as Identity provider for Heroku takes only a few simple steps involving Salesforce and Heroku web interfaces:
Download Identity Provider Metadata from Salesforce
If you have already setup Salesforce as an identity provider, you can login to your Salesforce org as admin and download the Identity Provider metadata file by navigating to *Settings > Identity > Identity Provider *
If you need to setup Salesforce as an identity provider or change the identity provider configuration, refer detailed instructions including prerequisites.
Set up the Service Provider side (Heroku)
- In the Heroku web interface, select the Heroku Enterprise Team or Enterprise Account for which you want to set up SSO.
- Go to the settings tab, click ‘Setup SSO’ and upload the IdP metadata file you downloaded from Salesforce.
- Toggle 'Enable SSO’ switch to enable federation.
Link Salesforce Identity to Heroku
You will see three values displayed in the Heroku dashboard in quick-copy fields. You’ll need these values to create and setup a Connected App on Salesforce using the following steps.
- In a separate browser tab, navigate to your Salesforce Admin homepage and navigate to *Settings > Identity > Identity Provider *
- Click the link under Service Providers section to create a new Connected App
- Fill in the required “Connected App Name”, “API Name”, and “Contact E-mail” fields. Note the app name because you’ll need it in the next step.
- In the “Web App Settings” area, click “Enable SAML” and paste in the three values from the Heroku dashboard.
- Make sure that the “Name ID Format” pick-list in the Salesforce interface is set to the format described in the Heroku SSO settings list.
- Set “Subject type” to “username”. (Make sure that this username represents each user’s actual e-mail address. Some Salesforce installations permit email-like usernames that do not correspond to working e-mail addresses.)
- Click “Save” at the bottom of the page.
Finally, you’ll need to grant users access to this “Connected app” to enable SSO.
- Navigate to your Salesforce Admin homepage.
- Click Administer > Manage Users > Profiles.
- Click the “Profile Name” of the user profile to which you want to extend Heroku login.
- Click the “Edit” button, scroll down to the “Connected App Access”, and select the Connected App you created in the previous page. (Repeat this step for any other user profiles that should be also be granted SSO login for Heroku.)
- Scroll to the bottom of the page and click “Save”.
Congratulations! Setup is complete. Heroku users will now be able to login using Salesforce credentials at the “Heroku Login URL” you have configured.