To complete SSO setup for Heroku, a few additional steps are required to enable SSO for users.

Note: This section requires two pieces of information that can be found within PingFederate. The first is the SSO Application Endpoint, which can be found on the Activation & Summary page of the SP Connection for Heroku. The second is the exported certificate used to sign the SAML assertion (configured in Configure a Connection).
  1. Navigate to this URL:
    https://dashboard.heroku.com/orgs/ORGANIZATION_NAME/settings
  2. Sign in with your Administrator credentials.
  3. Under the Single Sign On section, click Add Metadata Manually…
  4. Enter the SSO Application endpoint into the IdP Login Redirect URL field.
    https://<pf_host>:<pf_port>/idp/startSSO.ping?PartnerSpId=<IdP_connection_entity_id>
    Note: An email will be sent to new Heroku users instructing them on how to initiate SSO with the SSO Application endpoint.
  5. Copy and paste the SAML 2.0 Entity ID and signing certificate into the Identity Provider Issuer URL and Public Certificate, respectively.
    Tip: To override the SAML 2.0 Entity ID set on the Server Settings page for your SP Connection, navigate to the General Info screen and add a Virtual Server ID. This value will be sent as the SAML Issuer URL.
  6. Click Save to complete Heroku SSO Setup.
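
A pre-flight check for the two values entered in steps 4 and 5, as an added example that is not part of the PingFederate or Heroku documentation. The function names are hypothetical, the host, port, entity ID and PEM body are constructed sample values, and the certificate check looks only at PEM framing (it does not validate the X.509 content).

```python
import base64
import hashlib
import re
from urllib.parse import urlencode

# Matches any PEM block and captures its label and base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample: placeholder bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


def build_sso_endpoint(pf_host, pf_port, partner_sp_id):
    """Build the step 4 URL, percent-encoding the entity ID in the query string."""
    if not partner_sp_id:
        raise ValueError("PartnerSpId is empty")
    query = urlencode({"PartnerSpId": partner_sp_id})
    return f"https://{pf_host}:{int(pf_port)}/idp/startSSO.ping?{query}"


def check_public_certificate(pem_text):
    """Return the SHA-256 fingerprint of the one CERTIFICATE block in pem_text.

    Raises ValueError if the export holds a private key or anything other
    than a single certificate, so key material is never pasted into a form.
    """
    blocks = PEM_RE.findall(pem_text)
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("export contains a private key; use the certificate only")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {labels}")
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    # Constructed host, port and entity ID.
    print(build_sso_endpoint("pf.example.com", 9031, "https://sp.example.com/saml/acme-org"))
    print(check_public_certificate(SAMPLE_PEM))
```

The returned fingerprint can be compared with the fingerprint of the signing certificate at its source before the PEM text is pasted into the Public Certificate field.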