I'm trying to setup a third party service that needs an api token

Resolution

Users that have SSO don't have access to long-lived tokens. This is for security reasons in case the user is removed from the IDP, but not from the Heroku Team or apps.