
With single sign-on, or SSO, your users can access multiple applications with just one login.

We show how to set up SSO with a Salesforce org as the identity provider and an external Heroku app as the service provider. This configuration lets your users log in to the Heroku app with their Salesforce credentials.

For SSO to work, the identity provider (Salesforce) and the service provider (Heroku) must be able to talk to each other. That's where SAML comes in. It standardizes the way Salesforce and Heroku exchange user information: at login, Salesforce sends the service provider a signed SAML message that says who the user is, and the service provider trusts that message instead of asking for a password of its own.

Here's the general process to set up SSO. First, enable Salesforce as the identity provider. Next, get key information from the service provider, Heroku. Then, you can integrate Heroku with the Salesforce org by creating a connected app. And you can map your Salesforce users to the connected app.

Before you set up Salesforce as an identity provider, make sure you have a My Domain. Salesforce requires a deployed My Domain before it can act as an identity provider, because the identity provider's own endpoints are based on that domain name. Here's how to check that a My Domain is enabled. There it is!

Now you can set up SSO. First, enable Salesforce as an identity provider. Here's the Salesforce org. Go to the Identity Provider settings page and click Enable Identity Provider. Salesforce uses a certificate to sign the SAML messages it sends; the service provider later gets the matching public certificate from the connected app's metadata and uses it to verify those messages.

That was easy. Now it's time to get some information from the service provider. From the Heroku app, we retrieved the Entity ID, which is the app's unique name for itself, and the ACS URL (Assertion Consumer Service URL), which is where the identity provider sends SAML messages. The ACS URL should be an HTTPS endpoint, since the SAML message delivered there is what logs the user in. We also got the Subject Type, which we need to map users. This app also gives you an optional Start URL, where Salesforce can send users when the login starts from the Salesforce side.

To put this information to use, you can set up a connected app.
Go back to the Salesforce org and create a new connected app. Give the app a name and a contact email. Salesforce and Heroku both speak SAML, so you can enable SAML.

Next, enter the Entity ID, ACS URL, and Start URL, and select the Subject Type. The service provider requires us to set the Subject Type to Federation ID.

Next, find the connected app's metadata and share it with the service provider. The metadata describes the identity provider to the service provider: its entity ID, its SAML endpoints, and the certificate the service provider uses to verify the signature on Salesforce's SAML messages. Because the service provider will trust whatever certificate it is given, share the metadata over a channel you trust. The sample service provider asked for the metadata as a URL, which Salesforce calls the Metadata Discovery Endpoint.

After sharing the metadata with the service provider, it's time to map users in the Salesforce org to the app. Keep in mind that the way you map users depends on the service provider, and some service providers even handle this step for you. Communicate with your service provider to figure out how to handle this step.

By mapping users, you make sure your Salesforce
org and service provider agree on how to represent users. The way users are represented depends on the Subject Type, which indicates how the service provider expects Salesforce to send user information in SAML messages.

The Heroku app expects Salesforce to send the user's Federation ID in SAML messages. So we make sure the user has a Federation ID that the service provider can recognize. The Federation ID can be any value, as long as Salesforce and the service provider both identify it with the same user. Use a value that is unique to each user, so that two Salesforce users can never land in the same account on the service provider. For this demo, we can use this user ID, which Heroku and Salesforce both recognize as the same user.

At login, Salesforce sends a SAML message with the user's Salesforce Federation ID in the subject. The service provider verifies the message's signature with the certificate from the metadata, checks that the message was issued by this Salesforce org for this service provider and has not expired, recognizes the Federation ID, and allows login with SSO.

The Salesforce org is now set up as an identity provider with SAML single sign-on configured for an external Heroku app. And users can access the Heroku app with SSO.

To learn more, check out these resources. Or join us on the trail at trailblazer.salesforce.com.
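To make the last step concrete, here is an added example of what the service provider side has to do when the SAML message from Salesforce arrives at the ACS URL, and how the Federation ID in the subject maps to a local user. It is not Salesforce or Heroku code: the entity IDs, the ACS URL, the user table and the sample response are all constructed for this demo, and the XML signature check that a real service provider performs with the certificate from the metadata is stood in for by a flag.

```python
# Added example (not Salesforce or Heroku code): what the SP side must check when
# the SAML Response from Salesforce arrives at the ACS URL, and how the NameID
# (Federation ID) maps to a local user. Entity IDs, ACS URL, user table and the
# sample response are hypothetical; the XML signature check is replaced by a flag.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
IDP_ENTITY_ID = "https://example-idp.my.salesforce.com"  # hypothetical, from IdP metadata
SP_ENTITY_ID = "https://example-app.herokuapp.com"      # hypothetical SP Entity ID
ACS_URL = "https://example-app.herokuapp.com/saml/acs"  # hypothetical SP ACS URL
USERS_BY_FEDERATION_ID = {"jdoe@example.com": {"email": "jdoe@example.com"}}  # constructed


class SamlError(Exception):
    pass


def build_response(federation_id, issued_at, destination=ACS_URL,
                   audience=SP_ENTITY_ID, issuer=IDP_ENTITY_ID):
    """Unsigned SAML Response of the shape an IdP posts to the ACS URL.
    With Subject Type = Federation ID, that value is the NameID."""
    t = issued_at.strftime(TIME_FMT)
    nb = (issued_at - dt.timedelta(minutes=1)).strftime(TIME_FMT)
    noa = (issued_at + dt.timedelta(minutes=5)).strftime(TIME_FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{t}" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{t}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{federation_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _text(el, path):
    found = el.find(path, NS)
    if found is None or not (found.text or "").strip():
        raise SamlError("missing " + path)
    return found.text.strip()


def consume_response(xml_text, now, signature_ok):
    """Checks an SP must pass before trusting the Federation ID in the subject."""
    if not signature_ok:  # stands in for XML-DSig verification with the IdP certificate
        raise SamlError("unsigned or badly signed response")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:  # response addressed to another SP's ACS
        raise SamlError("Destination is not our ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlError("no assertion")
    for el in (root, assertion):  # only our Salesforce org may issue the assertion
        if _text(el, "saml:Issuer") != IDP_ENTITY_ID:
            raise SamlError("unexpected issuer")
    audience = "saml:Conditions/saml:AudienceRestriction/saml:Audience"
    if _text(assertion, audience) != SP_ENTITY_ID:  # assertion minted for a different SP
        raise SamlError("audience is not this SP")
    cond = assertion.find("saml:Conditions", NS)
    not_before = dt.datetime.strptime(cond.get("NotBefore"), TIME_FMT)
    not_on_or_after = dt.datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT)
    if not (not_before <= now < not_on_or_after):  # stale or replayed assertion
        raise SamlError("assertion outside its validity window")
    federation_id = _text(assertion, "saml:Subject/saml:NameID")
    user = USERS_BY_FEDERATION_ID.get(federation_id)
    if user is None:  # the mapping step was skipped for this user
        raise SamlError("no local user for Federation ID %r" % federation_id)
    return user


def run_demo():
    """One valid login plus the failure modes an SP has to reject."""
    now = dt.datetime(2024, 5, 1, 12, 0, 0)  # naive UTC, matching TIME_FMT
    good = build_response("jdoe@example.com", now)
    bad_acs = build_response("jdoe@example.com", now, destination="https://other.example/acs")
    bad_aud = build_response("jdoe@example.com", now, audience="https://other-sp.example")
    cases = {"good": (good, now, True), "unsigned": (good, now, False),
             "wrong_acs": (bad_acs, now, True), "wrong_audience": (bad_aud, now, True),
             "expired": (good, now + dt.timedelta(minutes=10), True),
             "unmapped_user": (build_response("mallory@example.com", now), now, True)}
    results = {}
    for name, (xml_text, when, sig) in cases.items():
        try:
            results[name] = "accepted: " + consume_response(xml_text, when, sig)["email"]
        except SamlError as e:
            results[name] = "rejected: " + str(e)
    return results
```

Running `run_demo()` accepts the properly addressed, in-window assertion for the mapped Federation ID and rejects the unsigned, misdirected, wrong-audience, expired and unmapped cases. A production service provider additionally verifies the XML signature against the certificate from the metadata before looking at anything else, matches `InResponseTo` to the request it sent for SP-initiated logins, and remembers recent assertion IDs so a captured response cannot be replayed inside its validity window.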
