Configure Single Sign-on with Heroku

You must have administrative rights to your organization account on Heroku to configure Single Sign-on (SSO). Organization accounts are included with Heroku Enterprise plans.

You can configure Single Sign-on (SSO) so that your users can log in to Heroku using any of Auth0's supported identity providers.

1. Obtain Your Heroku Identifiers

On the Settings page for your organization in Heroku, scroll to the Single Sign-On (SSO) section.

You will need the following two parameters from this section to integrate with Auth0:

  • Heroku Entity ID
  • ACS URL

2. Register Heroku with Auth0

Log in to your Auth0 Dashboard and select the application for which you want to configure SSO with Heroku. Go to the Addons section of your Application, and enable SAML2 Web App.

Enter the ACS URL from the previous step into the Application Callback URL field and update the settings as follows:

 {
   "mappings": {
     "email": ""
   },
   "createUpnClaim": false,
   "passthroughClaimsWithNoMapping": false,
   "mapUnknownClaimsAsIs": false,
   "mapIdentities": false,
   "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
   "nameIdentifierProbes": []
 }

The audience parameter is the Heroku Entity ID. It will be formatted like this:

Click Save.

3. Provide Auth0 Metadata to Heroku

Open up the Usage section of the SAML2 Web App Configuration pop-up and download the Identity Provider Metadata.

Return to Heroku. Click on Upload Metadata and select the file containing the Identity Provider Metadata you downloaded in the previous step.

Once you've uploaded your metadata, your SSO integration is fully set up.