Using Single Sign-On (SSO) Services with Heroku, for Administrators
Last updated 10 August 2016
Table of Contents
Heroku easily integrates with your existing identity provider (IdP) so you can provide your employees with single sign-on to Heroku using the same credentials and login experience as your other service providers (such as Slack and Dropbox).
Using SSO, your employees will be able to log into Heroku using the familiar identity provider interface, instead of the Heroku login page. The employee’s browser will then forward them to Heroku, authenticated and ready to go. The IdP grants access to Heroku when SSO is enabled and Heroku’s own login mechanism is deactivated. In this way, authentication security is shifted to your IdP and coordinated with your other service providers.
Heroku does not email your employees when SSO is set up, changed, or deactivated.
You might want to recommend the Using Single Sign-on (SSO) Services with Heroku, for End Users article in your rollout announcements.
Prerequisites for SSO with Heroku
- Your company’s identity provider (IdP) must support the SAML 2.0 standard.
- You must have administrative permissions on the IdP.
Built-in SSO support for Heroku from major identity providers (IdPs)
The following major IdPs provide built-in support for Heroku. To set up SSO for these IdPs, follow the instructions on the vendor’s site.
- Ping Federate
- Ping Identity (administrator login required, then search ‘Heroku’ in application catalog)
- Salesforce Identity
SSO set up for Microsoft identity products
- Microsoft Active Directory (coming soon, or use SAML 2.0 instructions below now)
- Azure Identity (coming soon)
SSO set up for other SAML 2.0 compliant IdPs
Most SAML 2.0 compliant identity providers require the same information about the service provider for set up. (Heroku is the service provider.) These values are specific to your Heroku Organization and are available in the “Settings” tab of the Heroku Organization where you want to enable SSO.
You must be an organization admin to see this information and to enable SSO for your Heroku Organization.
After configuring SSO on your IdP, you will be able to upload or enter metadata manually. When setup is successful, administrators will see a confirmation dialog and the the URL of the SSO login for end users will be displayed. Heroku does not send announcement emails when set up is complete. It is the responsibility of the administrator to notify company employees (and convey the login URL to them) so they can access Heroku via SSO.
Users of OneLogin may need to specify the recipient URL to successfully login.
End user account creation and removal
Creating end-user account
To add end-users, create accounts for these users in the IdP. The first time each new user logs in to Heroku via the IdP, a Heroku account will be created for each of them via automatic IdP provisioning. The user will have access to organization resources as an organization Member.
After the account is provisioned the end-user will receive a verification email and will need to click the acknowledgement link.
Set-up requires lower case email addresses. Do not use mixed case email addresses.
Removing end-user accounts
Removing an end-user from the IdP will prevent the user from being able to login to the corresponding Heroku account, but will not remove the account from Heroku. To insure against possible API access to org resources before API keys time out, we advise removing the end-users account from the Heroku org associated with IdP as well.
To remove an end-user account from Heroku that was created via automatic IdP provisioning, the Identity Administrator can contact Heroku Support.