Issue
Is MFA required for Heroku users that log in via single sign-on (SSO)?
Resolution
Yes, the MFA requirement applies to all users who access a Salesforce product’s user interface, whether by logging in directly or via SSO.
On its own, SSO doesn’t satisfy the MFA requirement. If your SSO implementation relies on user credentials alone, it can leave user accounts vulnerable to common attacks such as phishing or credential stuffing.
If your Heroku Enterprise Account has SSO configured, you cannot enable Heroku’s MFA feature. Instead, make sure that your SSO provider enforces MFA.
Customers are fully responsible for the protection of accounts that are accessed using their SSO identity provider (IdP). An identity provider is a trusted system that stores and manages digital identities and authenticates your users.
See also: Which verification methods satisfy the MFA requirement?