Use the following configuration for Heroku.

## Configure SAML SSO in Auth0

1. Go to **Dashboard > Applications > Applications** and either create a new application or click the name of an application to update.
2. Go to the **Addons** tab and enable the **SAML2 Web App** toggle.
3. On the **Settings** tab, set the **Application Callback URL** to the **ACS URL** for your organization from the Settings page in the Single Sign-On section in Heroku.
4. Paste the following code into the **Settings** text box and click **Debug**.

   ```json
   {
     "audience": "THE-HEROKU-ENTITY-ID",
     "mappings": {
       "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
     },
     "createUpnClaim": false,
     "passthroughClaimsWithNoMapping": false,
     "mapUnknownClaimsAsIs": false,
     "mapIdentities": false,
     "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
     "nameIdentifierProbes": [
       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
     ]
   }
   ```

   The `audience` parameter is the **Heroku Entity ID** from the Settings page in Heroku. It will be formatted like this: `https://sso.heroku.com/saml/{yourHerokuOrg}`.
5. Scroll to the bottom of the page and click **Enable**.
6. On the **Usage** tab, locate **Identity Provider Metadata**, and click **Download** to download the metadata file. You'll need this when you configure Auth0 as the identity provider in Heroku.

   <Frame>![Dashboard Applications Applications Addons Tab SAML2 Web App Usage Tab](https://images.ctfassets.net/cdy7uua7fh8z/3T90BDpyTXFUWDp1JkncBU/86bdba6bed8130b34b42b25c9bf2d232/dashboard-applications-applications-addons-saml2-web-app-usage.png)</Frame>
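
As an added example (not part of the original Auth0 documentation), the following Python check compares a settings document against the template in step 4 before it is pasted into the dashboard, so that a placeholder `audience` left in place or a changed attribute-release flag is caught early. The function name, the sample organization `example-org`, and the characters allowed in an organization name are assumptions.

```python
import json
import re

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Entity ID shape given on this page; the allowed org-name characters are an assumption.
ENTITY_ID_RE = re.compile(r"https://sso\.heroku\.com/saml/[A-Za-z0-9_-]+")
# Flags the page's template sets to false, so only the mapped email attribute is sent.
RELEASE_FLAGS = ("createUpnClaim", "passthroughClaimsWithNoMapping",
                 "mapUnknownClaimsAsIs", "mapIdentities")

def check_heroku_saml_settings(raw):
    """Return a list of deviations from the page's SAML2 Web App settings template."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["settings must be a JSON object"]
    problems = []
    audience = cfg.get("audience")
    if not isinstance(audience, str) or not ENTITY_ID_RE.fullmatch(audience):
        problems.append("audience is not a Heroku Entity ID: %r" % (audience,))
    if cfg.get("mappings") != {"email": EMAIL_CLAIM}:
        problems.append("mappings should contain only the email claim")
    for flag in RELEASE_FLAGS:
        if cfg.get(flag) is not False:
            problems.append(f"{flag} should be false as in the template")
    if cfg.get("nameIdentifierFormat") != EMAIL_NAMEID:
        problems.append("nameIdentifierFormat is not the emailAddress format")
    if cfg.get("nameIdentifierProbes") != [EMAIL_CLAIM]:
        problems.append("nameIdentifierProbes should list only the email claim")
    return problems

# Constructed samples: the template with its placeholder left in, and a copy
# filled in for a hypothetical organization named "example-org".
TEMPLATE = json.dumps({
    "audience": "THE-HEROKU-ENTITY-ID",
    "mappings": {"email": EMAIL_CLAIM},
    **{flag: False for flag in RELEASE_FLAGS},
    "nameIdentifierFormat": EMAIL_NAMEID,
    "nameIdentifierProbes": [EMAIL_CLAIM],
})
FILLED = TEMPLATE.replace("THE-HEROKU-ENTITY-ID", "https://sso.heroku.com/saml/example-org")

if __name__ == "__main__":
    for name, raw in (("template", TEMPLATE), ("filled", FILLED)):
        print(name, check_heroku_saml_settings(raw) or "OK")
```
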

## Configure SAML SSO in Heroku

In Heroku, on the Settings page in the <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one application, automatically logs that user in to other applications.">Single Sign-On</Tooltip> section, click **Upload Metadata** and select the file containing the **<Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities.">Identity Provider</Tooltip> Metadata** you downloaded in the previous step.