Is MFA required for Heroku users that log in via single sign-on (SSO)?
Yes, the MFA requirement applies to all users who access a Salesforce product’s user interface, whether by logging in directly or via SSO.
On its own, SSO doesn’t satisfy the MFA requirement. If your SSO implementation relies on user credentials alone, it can leave user accounts vulnerable to common attacks such as phishing or credential stuffing.
Customers are fully responsible for the protection of accounts that are accessed using their SSO identity provider (IdP). An identity provider is a trusted system that stores and manages digital identities and authenticates your users.