Change effective on 05 December 2018
Enterprise Teams using SSO can now add up to three identity provider certificates to avoid certificate-related downtime. SAML assertions signed under any unexpired SSO certificate are accepted, making it possible to swap out an expired IdP certificate without downtime.
Heroku also now sends email notifications to Enterprise Team admins when an SSO certificate is approaching its expiry date. Notifications are sent thirty days, seven days, and one day before a certificate expires.
Please visit Dev Center for more information on multi-certificate support.