Summary and recommendation
Heroku, Salesforce's cloud platform service, does not support SCIM provisioning on any plan. Heroku does offer SAML 2.0 SSO with just-in-time (JIT) provisioning on its Team and Enterprise plans, but JIT only creates a user account on first login and provides no lifecycle management after that. Users must be removed from teams and apps by hand when they leave the organization, which is a significant security gap for development teams that manage cloud infrastructure access through Heroku.
This limitation is particularly problematic for DevOps and platform teams that need to maintain strict access controls over production deployments and cloud resources. Without automated deprovisioning, former employees can retain access to critical infrastructure, which violates most compliance requirements and leaves standing access that should have ended with employment. The manual overhead of tracking and removing users from Heroku teams becomes unmanageable as development organizations scale.
The strategic alternative
Heroku has no native SCIM. Automate offboarding, user access reviews, and license workflows across every app, including the ones without APIs. We maintain the integration layer underneath. You focus on judgment, not plumbing.
Quick SCIM facts
| SCIM available? | No |
| SCIM tier required | N/A |
| SSO required first? | No |
| SSO available? | Yes |
| SSO protocol | SAML 2.0 |
| Documentation | Not available |
Supported identity providers
| IdP | SSO | SCIM | Notes |
|---|---|---|---|
| Okta | Yes (SAML 2.0) | ❌ | Heroku SAML integration in the Okta Integration Network (OIN). Supports SP- and IdP-initiated SSO with JIT provisioning. No SCIM. |
| Microsoft Entra ID | Yes (SAML 2.0) | ❌ | Entra gallery app. SSO with JIT provisioning: the user is created on first authentication if it doesn't already exist. No SCIM provisioning. |
| Google Workspace | Not listed | ❌ | Not among the IdPs Heroku lists. Heroku's SSO is standard SAML 2.0, so a generic SAML app may work, but treat that as untested. No SCIM. |
| OneLogin | Yes (SAML 2.0) | ❌ | Listed by Heroku as a supported SAML IdP. JIT only; no SCIM. |
The cost of not automating
Without SCIM (or an alternative like Stitchflow), your IT team manages Heroku accounts manually. Here's what that costs:
The Heroku pricing problem
No Heroku plan, at any price, includes SCIM: moving up a tier buys dyno capacity or enterprise support, not lifecycle automation. SSO itself only starts with the Team plan, so the dyno-priced tiers below it get neither SSO nor SCIM.
Tier comparison
| Plan | Price | SSO | SCIM |
|---|---|---|---|
| Eco | $5/month (shared 1000 dyno hours) | n/a (dyno tier, not a team plan) | No |
| Basic | $7/dyno/month | n/a (dyno tier, not a team plan) | No |
| Standard | $25-50/dyno/month | n/a (dyno tier, not a team plan) | No |
| Performance | $500/dyno/month | n/a (dyno tier, not a team plan) | No |
| Teams | $10/user/month (5+ users) | Yes (SAML 2.0, JIT) | No |
| Enterprise | $15,000+/year | Yes (SAML 2.0, JIT) | No |
What this means in practice
No automated deprovisioning: When developers leave your organization, their Heroku access remains active until manually removed. There's no SCIM endpoint to automatically disable accounts or remove team memberships when users are deprovisioned in your IdP.
Manual team management: Adding users to specific Heroku teams and apps requires manual configuration by admins. Even with SSO enabled, newly provisioned users land in a basic state and need manual assignment to the right teams and permissions.
Email verification friction: JIT-provisioned users receive email verification requests on first login, creating an additional step in the onboarding process that can't be bypassed programmatically.
Summary of challenges
- Heroku does not provide native SCIM at any price tier
- Organizations must rely on third-party tools or manual provisioning
- Our research shows that teams manually provisioning this app incur significant hidden costs annually
What Heroku actually offers for identity
SAML SSO with JIT Provisioning (Team Plans)
Heroku provides SAML 2.0 integration starting with Team plans ($10/user/mo for 5+ users):
| Feature | Details |
|---|---|
| Protocol | SAML 2.0 |
| Supported IdPs | Okta, Entra ID, OneLogin, PingOne, PingFederate, Salesforce Identity |
| User creation | JIT provisioning on first SSO login |
| Certificate support | Up to 3 SSO certificates |
| Access flows | Both SP-initiated and IdP-initiated |
The JIT limitation: Users are automatically created when they first authenticate through your IdP, but there's no automated deprovisioning. When someone leaves your organization, you must manually remove them from Heroku teams and applications.
What's actually missing
| SCIM Capability | Heroku Status |
|---|---|
| Automated user provisioning | ❌ JIT only |
| Automated deprovisioning | ❌ Manual removal required |
| Group/team sync | ❌ No group mapping |
| Attribute updates | ❌ No ongoing sync |
| Bulk operations | ❌ Not supported |
Real-world impact: For development teams using Heroku, you get basic SSO but lose the security benefit of automated deprovisioning. Former employees retain access until they are removed by hand from each Heroku team and app, a significant security gap for platform access.
Heroku's documentation recommends keeping at least one admin account that signs in outside SSO, as break-glass access in case the IdP is misconfigured or unavailable. That account needs a strong password and MFA of its own, and it is one more account that nothing deprovisions automatically.
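The usual compensating control for this gap is an external reconciliation job. The following is an added example, not Heroku's or Stitchflow's code: it diffs a Heroku team's member list against the set of users still active in the IdP and removes (or, in dry-run mode, only reports) the leftovers, skips the break-glass admin, and refuses to strip the last admin from a team. The two Heroku Platform API calls it wraps (GET /teams/{team}/members and DELETE /teams/{team}/members/{email}, sent with the version-3 Accept header) are taken from the Platform API reference; the team name, environment variable names, and the member and IdP lists are constructed sample data.

```python
"""Reconcile Heroku team membership against the IdP's active users.

Heroku has no SCIM endpoint, so disabling a user in the IdP does not
remove their Heroku team membership. This job closes that gap from the
outside: list the team's members, diff against the IdP's active users,
and remove (or, in dry-run mode, report) anyone who should be gone.
"""
import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable

HEROKU_API = "https://api.heroku.com"
# Heroku Platform API v3 requires this Accept header on every request.
ACCEPT = "application/vnd.heroku+json; version=3"


@dataclass(frozen=True)
class Orphan:
    team: str
    email: str
    role: str


def normalize(email: str) -> str:
    """Emails differ in case between IdPs and Heroku; compare case-insensitively."""
    return email.strip().lower()


def find_orphans(team: str, members: Iterable[dict], active_idp_emails: Iterable[str],
                 break_glass: Iterable[str] = ()) -> list[Orphan]:
    """Members of `team` who are neither active in the IdP nor on the
    break-glass allow-list (the non-SSO admin Heroku tells you to keep)."""
    active = {normalize(e) for e in active_idp_emails}
    keep = {normalize(e) for e in break_glass}
    orphans = [
        Orphan(team, normalize(m["email"]), m.get("role", "member"))
        for m in members
        if normalize(m["email"]) not in active and normalize(m["email"]) not in keep
    ]
    return sorted(orphans, key=lambda o: o.email)


def admins_left_after(members: Iterable[dict], orphans: Iterable[Orphan]) -> int:
    """How many admins remain if every orphan is removed. A team must keep
    at least one admin, so the job aborts rather than reach zero."""
    gone = {o.email for o in orphans}
    return sum(1 for m in members
               if m.get("role") == "admin" and normalize(m["email"]) not in gone)


def heroku_request(method: str, path: str, token: str):
    req = urllib.request.Request(
        HEROKU_API + path, method=method,
        headers={"Accept": ACCEPT, "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def list_team_members(team: str, token: str) -> list[dict]:
    # GET /teams/{team_name_or_id}/members -> [{"email": ..., "role": ...}, ...]
    return heroku_request("GET", f"/teams/{team}/members", token)


def remove_team_member(team: str, email: str, token: str) -> None:
    # DELETE /teams/{team_name_or_id}/members/{team_member_email_or_id}
    heroku_request("DELETE", f"/teams/{team}/members/{email}", token)


def reconcile(team: str, members: list[dict], active_idp_emails: Iterable[str],
              break_glass: Iterable[str], remover: Callable[[str, str], None],
              dry_run: bool = True) -> list[Orphan]:
    """Compute orphans and, unless dry_run, remove each via `remover`.
    Raises if the removal would leave the team with no admin."""
    orphans = find_orphans(team, members, active_idp_emails, break_glass)
    if orphans and admins_left_after(members, orphans) == 0:
        raise RuntimeError(f"refusing: removing {len(orphans)} members of "
                           f"{team} would leave no admin")
    for o in orphans:
        if dry_run:
            print(f"[dry-run] would remove {o.email} ({o.role}) from {team}")
        else:
            remover(team, o.email)
            print(f"removed {o.email} ({o.role}) from {team}")
    return orphans


# Constructed sample data standing in for the Heroku API response and the
# IdP's active-user export; both are hypothetical.
SAMPLE_MEMBERS = [
    {"email": "alice@example.com", "role": "admin"},
    {"email": "Bob@Example.com", "role": "member"},
    {"email": "carol@example.com", "role": "member"},
    {"email": "breakglass-admin@example.com", "role": "admin"},
]
SAMPLE_ACTIVE_IDP = {"alice@example.com", "bob@example.com"}
SAMPLE_BREAK_GLASS = {"breakglass-admin@example.com"}


if __name__ == "__main__":
    # Offline dry run on the sample data. For a real run, replace
    # SAMPLE_MEMBERS with list_team_members(team, os.environ["HEROKU_API_KEY"])
    # and SAMPLE_ACTIVE_IDP with your IdP's active-user export, then pass
    # lambda t, e: remove_team_member(t, e, token) and dry_run=False.
    reconcile("acme-platform", SAMPLE_MEMBERS, SAMPLE_ACTIVE_IDP,
              SAMPLE_BREAK_GLASS, lambda t, e: None, dry_run=True)
```

Run it from a scheduler (hourly is typical) with a token scoped to a service account that is itself a team admin, and keep dry-run on until you have reviewed a few cycles of output: the diff is only as good as the IdP export you feed it, and a stale export would remove live users.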
What IT admins are saying
Heroku's JIT-only provisioning creates ongoing administrative overhead for platform teams:
- Manual deprovisioning required when developers leave the company
- No automated group/team assignments through SCIM
- User verification emails on first login can confuse new team members
- Admin accounts must be kept outside SSO for emergency access
The recurring theme
While JIT gets users in the door, IT teams are left manually cleaning up when developers leave and can't automate team assignments. For dev platforms handling sensitive deployments, the lack of proper deprovisioning automation is a significant security gap.
The decision
| Your Situation | Recommendation |
|---|---|
| Small dev team (<10 developers) | Manual management with SSO is acceptable |
| Stable development team with low turnover | Manual management with JIT provisioning |
| Large engineering organization (25+ developers) | Use Stitchflow: manual deprovisioning is a security risk |
| Enterprise with compliance requirements | Use Stitchflow: automated lifecycle management essential |
| Multi-team platform with frequent role changes | Use Stitchflow: manual team management doesn't scale |
The bottom line
Heroku provides solid SAML SSO with JIT provisioning, but zero automation for user lifecycle management. When developers leave or change teams, IT has to manually remove access—a significant security and operational burden for larger organizations. Stitchflow eliminates this manual overhead with full provisioning automation.
Make Heroku workflows AI-native
Heroku has no native SCIM. We build complete offboarding, user access reviews, and license workflows across every app, including the ones without APIs.
Technical specifications
| SCIM version | N/A (no SCIM) |
| Supported operations | N/A (no SCIM) |
| Supported attributes | N/A (no SCIM) |
| Plan requirement | N/A (no SCIM on any plan) |
| Prerequisites | N/A |
Key limitations
- No SCIM provisioning
- JIT provisioning on first SSO login
- MFA must be enforced at IdP
- Keep admin account outside SSO for backup access
- User receives verification email on first JIT login
Documentation not available.
Configuration for Okta
Integration type
Okta Integration Network (OIN) app
Heroku SAML integration in OIN. Supports SP and IdP-initiated SSO with JIT provisioning. No SCIM.
Use Stitchflow for automated provisioning.
Configuration for Entra ID
Integration type
Microsoft Entra Gallery app
SSO with JIT provisioning. User created on first authentication if doesn't exist. No SCIM provisioning.
Use Stitchflow for automated provisioning.
Unlock SCIM for Heroku
Heroku has no native SCIM. We still automate end-to-end workflows across every app, including the ones without APIs.