The Add-on Ownership Model and User Authentication Guidelines for Add-on Partners


Last updated July 13, 2020

Table of Contents

  • Representing add-on ownership in your infrastructure
  • Authenticate via SSO only
  • Customizing your add-on SSO dashboard
  • Use the Platform API for Partners to fetch lists of users

Heroku add-ons are owned by the Heroku application they’re provisioned for, not the Heroku user that provisioned them. This article describes the implications of this add-on ownership model and provides guidelines for correctly authenticating Heroku users that log in to your add-on’s dashboard via SSO.

Representing add-on ownership in your infrastructure

Because an add-on is owned by the Heroku application it’s provisioned for, its dashboard should be accessible by all Heroku users that are admins, owners, or collaborators for that application. An add-on’s dashboard should not be accessible by a Heroku user that does not have any of these roles, even if that user originally provisioned the add-on.

Consequently, when you create an account in your system to correspond to a newly provisioned add-on instance, do not associate the provisioning Heroku user’s information with any fields related to authentication. Instead, create a “shadow user” for each provisioned add-on instance. This user is not associated with any individual person, and it can only be authenticated via add-on SSO (not via username and password).

Authenticate via SSO only

When Heroku app users open your add-on’s web dashboard, they authenticate via add-on SSO. This is the only authentication method that your web service should allow for Heroku app users.

  • Do not create a username and password (i.e., an alternate authentication method) in your system for the account of a Heroku add-on user.
  • Do not persist any authentication privileges for the specific email address included in an add-on SSO request.
  • Do not cache lists of authorized users for a particular add-on. If this causes performance issues, invalidate cache entries at least once every five minutes.

These guidelines are important because the owners of a Heroku app might change at any time. Only a valid SSO request guarantees that a user attempting to log in on behalf of a Heroku app is indeed authorized to do so.

Customizing your add-on SSO dashboard

Your SSO dashboard should not have functions that allow an authenticated Heroku customer to:

  • Modify usernames or passwords
  • Deactivate an account
  • Add additional user accounts to your add-on installation
  • Take other actions that might modify authentication or authorization

These functions are handled by Heroku and your SSO integration. When you detect that a user has authenticated via Heroku, you should disable and hide these functions in your dashboard.
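As an added illustration (not Heroku's code or part of this article), the following Python sketch applies the ownership, SSO-only and dashboard rules above: one password-less shadow user per add-on instance, a session whose authorization derives from the resource rather than the email address, a user-list cache that is invalidated within five minutes, and a dashboard that hides credential and membership management for Heroku-authenticated users. It assumes the SSO request carries a resource id, email, timestamp and token, and that the token is the SHA1 of `id:salt:timestamp` with a 120-second freshness window (assumptions about the SSO scheme, not stated on this page); resource ids, salts and addresses are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

CACHE_TTL_SECONDS = 300  # "invalidate cache entries at least once every five minutes"
MAX_SSO_AGE_SECONDS = 120  # assumed replay window for the SSO timestamp
# Constructed sample: per-instance state saved when the add-on was provisioned.
RESOURCES = {"resource-01234": {"sso_salt": "constructed-salt"}}
_user_list_cache = {}  # resource_id -> (fetched_at, users)

@dataclass(frozen=True)
class ShadowUser:
    resource_id: str  # one per add-on instance; no email, no password, SSO only

@dataclass
class Session:
    user: ShadowUser
    display_email: str  # shown in the UI only; never an authorization key
    via_heroku_sso: bool = True  # drives hiding of account-management features

def expected_token(resource_id, salt, timestamp):
    # Assumption: token = SHA1("<resource_id>:<salt>:<timestamp>") (not stated on this page).
    return hashlib.sha1(f"{resource_id}:{salt}:{timestamp}".encode()).hexdigest()

def sso_login(resource_id, email, timestamp, token, now):
    """Return a Session only for a valid, fresh SSO request; there is no other login path."""
    resource = RESOURCES.get(resource_id)
    if resource is None or not timestamp.isdigit():
        return None
    if abs(now - int(timestamp)) > MAX_SSO_AGE_SECONDS:
        return None  # stale or replayed request
    expected = expected_token(resource_id, resource["sso_salt"], timestamp)
    if not hmac.compare_digest(expected, token):
        return None
    return Session(ShadowUser(resource_id), email)

def authorized_users(resource_id, fetch, now):
    """Current owner/collaborator list, re-fetched at least every CACHE_TTL_SECONDS."""
    cached = _user_list_cache.get(resource_id)
    if cached and now - cached[0] < CACHE_TTL_SECONDS:
        return cached[1]
    users = fetch(resource_id)  # e.g. a call to the Platform API for Partners
    _user_list_cache[resource_id] = (now, users)
    return users

def dashboard_actions(session):
    base = ["view_metrics", "rotate_api_key"]  # all a Heroku-SSO user may see
    return base if session.via_heroku_sso else base + ["change_password", "add_user", "deactivate_account"]
```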

Use the Platform API for Partners to fetch lists of users

You can use the Platform API for Partners to obtain owner, team, and collaborator information for an app that has your add-on attached. This API requires that your add-on use v3 of the Add-on Partner API. See Syncing User Access as an Ecosystem Partner for details.
