> Learn how to configure Auth0 as an identity provider using the SAML2 Web App Addon for Heroku.

# Configure Heroku as SAML Service Provider

Use the following <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> configuration for Heroku.

## Configure SAML SSO in Auth0

1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications) and either create a new application or click the name of an application to update.
2. Go to the **Addons** tab and enable the **SAML2 Web App** toggle.
3. On the **Settings** tab, set the **Application Callback URL** to the **ACS URL** for your organization from the Settings page in the Single Sign-On section in Heroku.

   <Frame>
     <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0/docs/images/cdy7uua7fh8z/6dJgYkcOgMZ73HVTkAWt1x/fe9dbbf306e6c587cb3326c00a3b4e1f/2025-02-27_13-59-00.png" alt="Dashboard Applications Applications Addons Tab SAML2 Web App Settings Tab" />
   </Frame>
4. Paste the following code into the **Settings** text box and click **Debug**.

   ```json
   {
     "audience": "THE-HEROKU-ENTITY-ID",
     "mappings": {
       "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
     },
     "createUpnClaim": false,
     "passthroughClaimsWithNoMapping": false,
     "mapUnknownClaimsAsIs": false,
     "mapIdentities": false,
     "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
     "nameIdentifierProbes": [
       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
     ]
   }
   ```

   The `audience` parameter is the **Heroku Entity ID** from the Settings page in Heroku. It will be formatted like this: `https://sso.heroku.com/saml/{yourHerokuOrg}`.
5. Scroll to the bottom of the page and click **Enable**.
6. On the **Usage** tab, locate **Identity Provider Metadata**, and click **Download** to download the metadata file. You'll need this when you configure Auth0 as the identity provider in Heroku.

   <Frame>
     <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0/docs/images/cdy7uua7fh8z/3T90BDpyTXFUWDp1JkncBU/86bdba6bed8130b34b42b25c9bf2d232/dashboard-applications-applications-addons-saml2-web-app-usage.png" alt="Dashboard Applications Applications Addons Tab SAML2 Web App Usage Tab" />
   </Frame>
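
The settings from step 4 can be checked against the values on this page before they are pasted into the **Settings** text box. The following is an added example, not Auth0 or Heroku code; the function name `check_addon_settings`, the organization name `example-org`, and both sample configurations are assumptions constructed for illustration.

```python
import json

AUDIENCE_PREFIX = "https://sso.heroku.com/saml/"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Flags the page sets to false, so only the mapped email attribute is released.
FALSE_FLAGS = ("createUpnClaim", "passthroughClaimsWithNoMapping",
               "mapUnknownClaimsAsIs", "mapIdentities")


def check_addon_settings(raw):
    """Compare addon settings JSON with the page's values; return a list of findings."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"json: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["json: top level must be an object"]
    findings = []
    audience = str(cfg.get("audience", ""))
    org = audience[len(AUDIENCE_PREFIX):] if audience.startswith(AUDIENCE_PREFIX) else ""
    # Catches the unreplaced placeholder, a literal {yourHerokuOrg}, and a copied period.
    if not org or any(c in org for c in "/{} ") or org.endswith("."):
        findings.append("audience: not of the form " + AUDIENCE_PREFIX + "<org>")
    for flag in FALSE_FLAGS:
        # A missing key is reported too: no assumption is made about addon defaults.
        if cfg.get(flag) is not False:
            findings.append(f"{flag}: expected false")
    mappings = cfg.get("mappings")
    if not isinstance(mappings, dict) or mappings.get("email") != EMAIL_CLAIM:
        findings.append("mappings: email is not mapped to the emailaddress claim")
    elif len(mappings) > 1:
        extra = ", ".join(sorted(set(mappings) - {"email"}))
        findings.append("mappings: additional attributes released: " + extra)
    if cfg.get("nameIdentifierFormat") != EMAIL_NAMEID:
        findings.append("nameIdentifierFormat: expected the emailAddress format")
    if cfg.get("nameIdentifierProbes") != [EMAIL_CLAIM]:
        findings.append("nameIdentifierProbes: expected only the emailaddress claim")
    return findings


# Constructed samples: the page's settings with a made-up org, and a drifted copy.
PAGE_SETTINGS = {"audience": AUDIENCE_PREFIX + "example-org",
                 "mappings": {"email": EMAIL_CLAIM}, **dict.fromkeys(FALSE_FLAGS, False),
                 "nameIdentifierFormat": EMAIL_NAMEID, "nameIdentifierProbes": [EMAIL_CLAIM]}
DRIFTED = {**PAGE_SETTINGS, "audience": "THE-HEROKU-ENTITY-ID",
           "passthroughClaimsWithNoMapping": True, "nameIdentifierProbes": []}
if __name__ == "__main__":
    for name, cfg in (("page", PAGE_SETTINGS), ("drifted", DRIFTED)):
        print(name, check_addon_settings(json.dumps(cfg)) or "OK")
```

An empty list means the settings match the values shown in step 4; each finding names the key that differs.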

## Configure SAML SSO in Heroku

In Heroku, on the Settings page in the <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one application, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=Single+Sign-On">Single Sign-On</Tooltip> section, click **Upload Metadata** and select the file containing the **<Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=Identity+Provider">Identity Provider</Tooltip> Metadata** you downloaded in the previous step.
