Using Single Sign-On (SSO) Services with Heroku, for Administrators
Last updated 15 September 2018
SSO for Heroku is currently available only to Heroku Enterprise customers.
Heroku easily integrates with your existing identity provider (IdP) so you can provide your employees with single sign-on to Heroku using the same credentials and login experience as your other service providers (such as Slack and Dropbox).
Using SSO, your employees will be able to log in to Heroku using the familiar identity provider interface instead of the Heroku login page. The employee’s browser will then forward them to Heroku, authenticated and ready to go. When SSO is enabled, the IdP grants access to Heroku and Heroku’s own login mechanism is deactivated. In this way, authentication security is shifted to your IdP and coordinated with your other service providers.
Heroku does not email your employees when SSO is set up, changed, or deactivated.
You might want to recommend the article “Using Single Sign-on (SSO) Services with Heroku, for End Users” in your rollout announcements.
Prerequisites for SSO with Heroku
- Your company’s identity provider (IdP) must support the SAML 2.0 standard.
- You must have administrative permissions on the IdP.
Built-in SSO support for Heroku from major identity providers (IdPs)
The following major IdPs provide built-in support for Heroku. To set up SSO for these IdPs, follow the instructions on the vendor’s site.
- Ping Federate
- Ping Identity (administrator login required, then search ‘Heroku’ in application catalog)
- Salesforce Identity
SSO setup for Microsoft identity products
- Microsoft Active Directory (for now, use the SAML 2.0 instructions below)
SSO setup for other SAML 2.0 compliant IdPs
Most SAML 2.0 compliant identity providers require the same information about the service provider for setup. (Heroku is the service provider.) These values are specific to your Heroku Enterprise Team(s) and are available in the “Settings” tab of the Heroku Enterprise Team(s) where you want to enable SSO.
Heroku Organizations are now called Heroku Enterprise Teams. It’s a name change only. All settings and configurations remain the same as they were with Heroku Organizations (Orgs).
You must have admin permissions on the Enterprise Team to see this information and to enable SSO for the team.
After configuring SSO on your IdP, you will be able to upload or enter metadata manually. When setup is successful, administrators will see a confirmation dialog and the URL of the SSO login for end users will be displayed. Heroku does not send announcement emails when setup is complete. It is the responsibility of the administrator to notify company employees (and convey the login URL to them) so they can access Heroku via SSO.
End user account creation and removal
Creating end-user accounts
To add end users, create accounts for them in the IdP. The first time each new user logs in to Heroku via the IdP, a Heroku account is created for them via automatic IdP provisioning. A user’s access to the Enterprise Team’s resources and settings depends on the default role that the admin(s) selected under the Settings tab of the Enterprise Team. The default is “Member”, but admins can change this setting to provide higher or lower default permissions when new users are added.
After the account is provisioned, the end user will receive a verification email and will need to click the acknowledgement link.
Make sure to create an admin user account directly with Heroku (not via the IdP), so you are still able to access Heroku if/when the IdP isn’t working properly.
Create an integrations user account directly with Heroku (not through the IdP) in case you need to set up integrations that require a Heroku API key.
Removing end-user accounts
Removing an end user from the IdP will prevent the user from being able to log in to the corresponding Heroku account, but will not remove the account from Heroku. To guard against possible API access to Enterprise Team resources before API keys time out, we advise also removing the end user’s account from the Heroku Enterprise Team associated with the IdP.
To remove an end-user account from Heroku that was created via automatic IdP provisioning, the Identity Administrator can contact Heroku Support.
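An added example (not Heroku's code) of the audit that the account advice above implies: it compares a team member listing against the IdP's active users to find SSO-provisioned accounts that outlived their IdP user, direct accounts nobody approved, and approved direct accounts (admin, integrations) that are missing. The record fields `email`, `role` and `federated`, the allowlist, and all sample data are assumptions constructed for illustration; adapt them to the export you actually use.

```python
# Added example: offboarding reconciliation for an SSO-enabled Enterprise Team.
# Field names and all records below are assumptions / constructed sample data.

def _norm(email):
    """Normalize an email so case or whitespace differences do not hide a match."""
    return email.strip().lower()

def reconcile(team_members, idp_active_emails, direct_allowlist):
    """Classify team members against the IdP's active user list.

    Returns a dict with three sorted lists of emails:
      orphaned          - SSO-provisioned members no longer active in the IdP
      unexpected_direct - non-SSO accounts that are not on the allowlist
      missing_direct    - allowlisted direct accounts absent from the team
    """
    idp = {_norm(e) for e in idp_active_emails}
    allow = {_norm(e) for e in direct_allowlist}
    orphaned, unexpected, seen_direct = [], [], set()
    for member in team_members:
        email = _norm(member["email"])
        if member.get("federated"):
            # Created via IdP provisioning: must still exist in the IdP.
            if email not in idp:
                orphaned.append(email)
        elif email in allow:
            # Approved account created directly with Heroku.
            seen_direct.add(email)
        else:
            unexpected.append(email)
    return {
        "orphaned": sorted(orphaned),
        "unexpected_direct": sorted(unexpected),
        "missing_direct": sorted(allow - seen_direct),
    }

# Constructed sample inputs.
TEAM_MEMBERS = [
    {"email": "Alice@example.com", "role": "member", "federated": True},
    {"email": "bob@example.com", "role": "admin", "federated": True},
    {"email": "breakglass@example.com", "role": "admin", "federated": False},
    {"email": "old-contractor@example.com", "role": "member", "federated": False},
]
IDP_ACTIVE = ["alice@example.com"]
DIRECT_ALLOWLIST = ["breakglass@example.com", "integrations@example.com"]

if __name__ == "__main__":
    report = reconcile(TEAM_MEMBERS, IDP_ACTIVE, DIRECT_ALLOWLIST)
    for kind, emails in report.items():
        print(f"{kind}: {', '.join(emails) or '-'}")
```

Anything reported as orphaned is a candidate for removal from the Enterprise Team, since its API key can still work after the IdP user is gone.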