Use the following procedure to configure a quick connection for SSO to Heroku.
Tip: This procedure provides instructions for configuring minimum required connection settings. The instructions skip set-up screens in which all necessary information is automatically configured (or in which standard defaults are used). The administrative console guides you to required configuration steps automatically by displaying prompts at entry points for the task flows. In general, you may add or change settings on all screens to suit your special requirements.
  1. If you have not already done so, use PingFederate to configure the IdP adapter you want to use.
    For information and instructions, see Managing IdP adapters in the PingFederate documentation.
  2. On the Main Menu, select Create New under SP Connections in the IdP Configuration section.
  3. On the Connection Template page, select the Do not use a template for this connection and click Next.
  4. On the Connection Type screen, ensure that the Browser SSO profile is selected and click Next.
  5. On the Connection Options screen, ensure Browser SSO is selected and Xclick Next.
  6. On the Import Metadata screen, click Choose file to locate and upload the Heroku saml-metadata.xml file you created in Obtain the Heroku SAML 2.0 Metadata XML.
  7. On the Metadata Summary screen, click Next.
  8. On the General Info screen, ensure that the Partner’s Entity ID (Connection ID), Connection Name, and Base URL are accurate. Change details if required and click Next.
  9. On the Browser SSO screen, click Configure Browser SSO.
  10. On the SAML Profiles screen, ensure that the IdP-Initiated SSO and SP-Initiated SSO profiles are selected and click Next.
  11. On the Assertion Creation screen, click Configure Assertion Creation.
  12. On the Attribute Contract screen, ensure that the SAML_SUBJECT name format is set to: 
    following:urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  13. On the Authentication Source Mapping screen, click Map New Adapter Instance and map the IdP Adapter Instance you defined earlier in this procedure. When you return to the Authentication Source Mapping screen, click Done.
    Note: This configuration is site-dependent and cannot be pre-configured. For detailed information and instructions, see Managing authentication source mappings in the PingFederate documentation.
  14. When you return to the Assertion Creation screen, click Next
  15. On the Protocol Settings screen, click Configure Protocol Settings.
  16. On the Allowable SAML Bindings screen, ensure that the POSTand Redirect profiles are selected (de-select Artifact and SOAP) and click Next.
  17. On the screen, ensure that the Always sign the SAML Assertion is selected and click Next.
  18. On the Browser SSO screen, click Next and on the Credentials screen, click Configure Credentials.
  19. For more information, see Configuring digital signature settings in the PingFederate documentation. If you have not yet created or imported a signing certificate, click Manage Certificates and do so now. See Managing digital signing certificates and decryption keys in the PingFederate documentation.
  20. Click Next.
  21. On the Summary screen, click Done.
  22. On the Credentials screen, click Next.
  23. On the Activation & Summary screen, Activate the SP Connection.
  24. On the Activation & Summary screen, click Save.