MFA Requirement - SSO

Issue

Is MFA required for Heroku users that log in via single sign-on (SSO)?

Resolution

Yes, the MFA requirement applies to all users who access a Salesforce product’s user interface, whether by logging in directly or via SSO.

On its own, SSO doesn’t satisfy the MFA requirement. If your SSO implementation relies on user credentials alone, it can leave user accounts vulnerable to common attacks such as phishing or credential stuffing.

Please note that if your Heroku Enterprise Account has SSO configured, you cannot enable Heroku's MFA feature. Instead, ensure that MFA is enforced with your SSO provider.

Customers are fully responsible for the protection of accounts that are accessed using their SSO identity provider (IdP). An identity provider is a trusted system that stores and manages digital identities and authenticates your users.

See also: Which verification methods satisfy the MFA requirement?
