Using Single Sign-On (SSO) Services with Heroku, for Administrators


Last updated November 14, 2022

Table of Contents

  • Prerequisites for SSO with Heroku
  • Identity providers with built-in SSO support for Heroku
  • SSO setup for other SAML 2.0-compliant IdPs
  • Providing multiple IdP certificates
  • End user account creation and removal

SSO for Heroku is currently available only to Heroku Enterprise customers.

Heroku easily integrates with your existing identity provider (IdP) to enable single sign-on (SSO) to Heroku using the same credentials and login experience as your other SSO-enabled service providers (such as Slack and Dropbox).

Using SSO, an employee logs in to Heroku using your identity provider’s interface instead of the Heroku login page. The employee’s browser is then redirected to Heroku, authenticated and ready to go. When SSO is enabled, Heroku’s own login mechanism is disabled, meaning that authentication security is shifted to your IdP and coordinated with your other service providers.

Heroku does not notify your employees when SSO is set up, changed, or deactivated for your organization. Make sure to communicate these changes.

When enabling SSO, include the Using Single Sign-on (SSO) Services with Heroku, for End Users article in your rollout communications.

Prerequisites for SSO with Heroku

  • Your company’s identity provider (IdP) must support the SAML 2.0 standard.
  • You must have administrative permissions on the IdP.
  • You must enforce multi-factor authentication (MFA) at the IdP level.

Identity providers with built-in SSO support for Heroku

The following major IdPs provide built-in support for Heroku. To set up SSO for these IdPs, follow the instructions on the vendor’s site.

  • Auth0
  • Azure
  • Google Cloud Identity
  • Okta
  • OneLogin
  • Ping Federate
  • Ping Identity (administrator login required, then search ‘Heroku’ in application catalog)
  • Salesforce Identity

To set up SSO with Microsoft Active Directory, use the SAML 2.0 instructions below.

SSO setup for other SAML 2.0-compliant IdPs

Most SAML 2.0-compliant identity providers require the same information about a service provider to set up SSO. In the case of Heroku, relevant values are available in the Settings tab of the Heroku Enterprise Team you want to enable SSO for:

(Screenshot: SSO set-up information in the Settings tab)

Note that you must have admin permissions on an Enterprise Team to see this information (and to enable SSO for it).

(Screenshot: SSO enabled on a Heroku Organization)

After configuring Heroku as a service provider on your IdP, upload the IdP's SAML metadata file to the Settings tab or enter the metadata values manually. When setup is successful, administrators see a confirmation dialog that displays the SSO login URL for end users. Share this URL with your organization.

Providing multiple IdP certificates

To allow IdP certificate rotation without downtime, an Enterprise Team can hold up to three SSO certificates. SAML assertions signed with any of the non-expired certificates are accepted, so you can add the new IdP certificate alongside the old one, switch the IdP over to it, and then remove the old certificate without locking anyone out.

(Screenshot: multiple SSO certificates configured for an Enterprise Team)

Heroku also emails the admins (users with the admin permission) of an SSO-enabled Enterprise Team 30 days, 7 days, and one day before a certificate expires, so they can replace the expiring certificate before users are locked out.

For improved security, configure your IdP to sign both the SAML response and the assertion, using SHA-256 rather than SHA-1, if the IdP supports it.
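To check those two points before enabling SSO (that the IdP signs both the Response and the Assertion with SHA-256, and that assertions carry one of the certificates configured on the Enterprise Team), the following Python script, added here as an example and not part of Heroku's documentation or tooling, audits a captured SAML Response. It uses only the standard library, inspects the algorithm URIs and the X509Certificate each signature claims, and does not cryptographically verify the signatures (leave that to a SAML library or to Heroku itself). The sample Response and certificate strings are constructed for the example.

```python
"""Audit the signing hygiene of a SAML 2.0 Response before enabling it on Heroku.

Added example, not Heroku code. It checks what this article asks for (Response and
Assertion both signed, SHA-256 rather than SHA-1) and reports which certificate each
signature carries, which is useful while rotating IdP certificates. It does NOT verify
the signatures cryptographically.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
WEAK_ALGORITHMS = {RSA_SHA1, SHA1}


def _signature_details(signature):
    """Extract (signature algorithm, digest algorithm, certificate body) from a ds:Signature."""
    sig_method = signature.find("ds:SignedInfo/ds:SignatureMethod", NS)
    digest_method = signature.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    cert = signature.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return (
        sig_method.get("Algorithm") if sig_method is not None else None,
        digest_method.get("Algorithm") if digest_method is not None else None,
        "".join(cert.text.split()) if cert is not None and cert.text else None,
    )


def audit_saml_response(xml_text, accepted_certs):
    """Return a list of findings; an empty list means the Response meets the guidance above.

    accepted_certs: base64 bodies of the (up to three) certificates configured on the
    Enterprise Team. Only the certificate each signature *claims* is compared.
    """
    root = ET.fromstring(xml_text)
    accepted = {"".join(c.split()) for c in accepted_certs}
    findings = []
    # Only a direct-child ds:Signature signs an element; a nested one belongs to a child.
    targets = [("Response", root.find("ds:Signature", NS))]
    for assertion in root.findall("saml:Assertion", NS):
        targets.append(("Assertion", assertion.find("ds:Signature", NS)))
    if len(targets) == 1:
        findings.append("Response carries no Assertion")
    for label, sig in targets:
        if sig is None:
            findings.append(f"{label} is not signed")
            continue
        sig_alg, digest_alg, cert = _signature_details(sig)
        if sig_alg in WEAK_ALGORITHMS or digest_alg in WEAK_ALGORITHMS:
            findings.append(f"{label} uses SHA-1 ({sig_alg}); configure SHA-256 at the IdP")
        if cert is None:
            findings.append(f"{label} signature carries no X509Certificate")
        elif cert not in accepted:
            findings.append(f"{label} is signed with a certificate not in the accepted set")
    return findings


# Constructed sample data (not from a real IdP) so the audit runs offline.
OLD_CERT = "MIIC0nstructedOldCertificateBase64"
NEW_CERT = "MIIC0nstructedNewCertificateBase64"


def signature_xml(sig_alg, digest_alg, cert):
    """Build a ds:Signature fragment; the SignatureValue is a placeholder."""
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
        f'<ds:SignatureMethod Algorithm="{sig_alg}"/>'
        f'<ds:Reference URI="#a1"><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
        f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature>'
    )


def sample_response(response_sig, assertion_sig):
    """Build a minimal SAML Response; pass None to leave the Response or Assertion unsigned."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1" Version="2.0">'
        f'{response_sig or ""}'
        '<saml:Assertion ID="a1" Version="2.0">'
        f'{assertion_sig or ""}'
        '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    good = sample_response(signature_xml(RSA_SHA256, SHA256, NEW_CERT),
                           signature_xml(RSA_SHA256, SHA256, NEW_CERT))
    weak = sample_response(signature_xml(RSA_SHA1, SHA1, OLD_CERT), None)
    for name, doc in (("after rotation", good), ("legacy IdP config", weak)):
        print(name, audit_saml_response(doc, [OLD_CERT, NEW_CERT]) or "OK")
```

To audit a real login, decode the base64 SAMLResponse POST parameter captured in your browser's developer tools during a test login and pass it to audit_saml_response together with the base64 bodies of the certificates shown in the Settings tab. During a rotation, the "not in the accepted set" finding tells you the IdP is still signing with a certificate you have already removed, or with a new one you have not yet added.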

End user account creation and removal

Creating end user accounts

To add end users, create accounts for them in your IdP. The first time a user logs in to Heroku via the IdP, a Heroku account is created for them through automatic IdP provisioning. The user's access to the Enterprise Team's resources and settings depends on the default role for new users, which an admin specifies in the Enterprise Team's Settings tab:

(Screenshot: SSO default role in the Settings tab)

The default role for new users is member.

After the account is provisioned, the end user receives a verification email and needs to click its included acknowledgement link.

Create an admin user account directly with Heroku (not via the IdP) so that you can still access Heroku if the IdP is unavailable or misconfigured. This break-glass account sits outside the MFA your IdP enforces, so protect it with MFA on the Heroku account itself.

Also create an integrations user account directly with Heroku (not through the IdP) for integrations that require a Heroku API key, so that those integrations do not depend on an individual employee's IdP-provisioned account.

Removing end user accounts

Removing an end user from your IdP prevents the user from logging in to their corresponding Heroku account, but it does not remove the account from Heroku, and any API keys the account already holds remain usable until they expire or are revoked. To guard against continued API access to Enterprise Team resources, also remove the end user's account from the Heroku Enterprise Team associated with the IdP.

To remove an end user account from Heroku that was created via automatic IdP provisioning, the Identity Administrator can contact Heroku Support.
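One way to close the gap described above, as an added example that is not Heroku's own code: a Python script that lists the Enterprise Team's members through the Platform API, compares them with the users still active in the IdP, and removes the rest. It assumes the team-member endpoints GET /teams/{team}/members and DELETE /teams/{team}/members/{email} with the version-3 Accept header, as listed in the Platform API reference (confirm the paths there before running it); the API key of a team admin in the HEROKU_API_KEY environment variable; and an IdP export consisting of one active email per line, which is a hypothetical format you will need to adapt to your IdP. The --protect option exists so that the break-glass admin and integrations accounts created directly with Heroku are never removed.

```python
"""Reconcile an SSO-enabled Heroku Enterprise Team against the IdP's active users.

Added example, not Heroku code. Removing a user at the IdP only blocks new logins;
the Heroku account and any API key it holds survive until the user is removed from
the team. The default is a dry run; pass --apply to remove members.
"""
import argparse
import json
import os
import urllib.request

API_BASE = "https://api.heroku.com"  # Platform API; endpoint paths assumed per its reference


def _api(method, path, api_key):
    """Minimal Platform API call; raises urllib.error.HTTPError on a non-2xx response."""
    req = urllib.request.Request(
        API_BASE + path,
        method=method,
        headers={
            "Accept": "application/vnd.heroku+json; version=3",
            "Authorization": f"Bearer {api_key}",
        },
    )
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def list_team_members(team, api_key):
    """GET /teams/{team}/members: member objects with at least 'email' and 'role'."""
    return _api("GET", f"/teams/{team}/members", api_key)


def remove_team_member(team, email, api_key):
    """DELETE /teams/{team}/members/{email}: removes the member from the team."""
    return _api("DELETE", f"/teams/{team}/members/{email}", api_key)


def stale_members(team_members, idp_emails, protected_emails):
    """Return, sorted, the emails of team members the IdP no longer lists.

    Accounts in protected_emails (the break-glass admin and the integrations user
    created directly with Heroku) are never reported, even though the IdP does not
    know them. Comparison is case-insensitive because IdP and Heroku may differ in case.
    """
    active = {e.strip().lower() for e in idp_emails}
    protected = {e.strip().lower() for e in protected_emails}
    stale = []
    for member in team_members:
        email = member["email"].strip().lower()
        if email not in active and email not in protected:
            stale.append(email)
    return sorted(stale)


def load_emails(path):
    """One email per line, blank lines and '#' comments ignored (hypothetical export format)."""
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]


def main():
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("team", help="Enterprise Team name")
    parser.add_argument("idp_users_file", help="file with one active IdP email per line")
    parser.add_argument("--protect", action="append", default=[], metavar="EMAIL",
                        help="account created directly with Heroku; never removed")
    parser.add_argument("--apply", action="store_true", help="remove members (default: dry run)")
    args = parser.parse_args()

    api_key = os.environ["HEROKU_API_KEY"]  # API key of a team admin
    members = list_team_members(args.team, api_key)
    for email in stale_members(members, load_emails(args.idp_users_file), args.protect):
        if args.apply:
            remove_team_member(args.team, email, api_key)
            print(f"removed {email} from {args.team}")
        else:
            print(f"would remove {email} from {args.team} (re-run with --apply)")


if __name__ == "__main__":
    main()
```

Run it first without --apply and review the list; removing a member from the team revokes the team access their existing API key grants, which is the point of the step above. Removal from the team does not delete the Heroku account itself; for that, the Identity Administrator still contacts Heroku Support as described above.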
