Configure SSO with Heroku

You must have administrative rights to your organization account on Heroku to configure SSO. Organization accounts are included with Heroku Enterprise plans.

You can configure SSO so that your users can log in to Heroku using any of Auth0's supported identity providers.

1. Obtain Your Heroku Identifiers

On the Settings page for your organization in Heroku, scroll to the **Single Sign On (SSO)** section.

You will need the following two parameters from this section to integrate with Auth0:

  • Heroku Entity ID
  • ACS URL

2. Register Heroku with Auth0

Log in to your Auth0 Dashboard and select the client for which you want to enable SSO with Heroku. Go to the Addons section of your Client and enable SAML2 Web App.

Enter the ACS URL from the previous step into the Application Callback URL field and update the settings as follows:

{
  "audience": "THE-HEROKU-ENTITY-ID",
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  },
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

The audience parameter is the Heroku Entity ID. It will be formatted like this: https://sso.heroku.com/saml/YOUR-HEROKU-ORG

Click Save.
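
The settings above can be checked before they are saved. The following is an added example, not code from Auth0 or Heroku: it compares a settings JSON string against the values this page specifies and against the Entity ID copied from Heroku. The function name `lint_saml_settings`, the sample input and the organization name `example-org` are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Flags this page sets to false; enabling one adds data to the assertion.
MUST_BE_FALSE = ("createUpnClaim", "passthroughClaimsWithNoMapping",
                 "mapUnknownClaimsAsIs", "mapIdentities")


def lint_saml_settings(raw_json, heroku_entity_id):
    """Return a list of problems found in the SAML2 Web App settings JSON."""
    try:
        cfg = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"settings are not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["settings must be a JSON object"]
    problems = []
    audience = cfg.get("audience")
    url = urlparse(audience) if isinstance(audience, str) else None
    if url is None or "THE-HEROKU-ENTITY-ID" in audience:
        problems.append("audience: placeholder or missing value")
    elif (url.scheme != "https" or url.netloc != "sso.heroku.com"
          or not url.path.startswith("/saml/")):
        problems.append("audience: not of the form https://sso.heroku.com/saml/<org>")
    elif audience != heroku_entity_id:
        # The service provider compares the audience as an exact string.
        problems.append("audience: differs from the Entity ID copied from Heroku")
    mappings = cfg.get("mappings")
    if not isinstance(mappings, dict) or mappings.get("email") != EMAIL_CLAIM:
        problems.append("mappings.email: must map to the emailaddress claim")
    if cfg.get("nameIdentifierFormat") != EMAIL_NAMEID:
        problems.append("nameIdentifierFormat: must be the emailAddress format")
    probes = cfg.get("nameIdentifierProbes")
    if not isinstance(probes, list) or EMAIL_CLAIM not in probes:
        problems.append("nameIdentifierProbes: emailaddress claim not probed")
    for flag in MUST_BE_FALSE:
        if cfg.get(flag) is not False:
            problems.append(f"{flag}: expected false")
    return problems


# Constructed sample: placeholder audience left in, unmapped claims passed through.
SAMPLE_BAD = '{"audience": "THE-HEROKU-ENTITY-ID", "passthroughClaimsWithNoMapping": true}'

if __name__ == "__main__":
    for p in lint_saml_settings(SAMPLE_BAD, "https://sso.heroku.com/saml/example-org"):
        print("FAIL", p)
```

An empty list means the settings match this page; a flag that is absent is reported as well, since the page sets each one explicitly.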

3. Provide Auth0 Metadata to Heroku

Open up the Usage section of the SAML2 Web App Configuration pop-up and download the Identity Provider Metadata.

Return to Heroku. Click on Upload Metadata and select the file containing the Identity Provider Metadata you downloaded in the previous step.

Once you've uploaded your metadata, your SSO integration is fully set up.