Improving the SSO Experience: CLI Login and Certificate Management

We are happy to announce two major improvements to our SSO experience for Heroku Enterprise customers: easier SSO login for users via the Heroku CLI, and the ability for admins to add more than one certificate at the Enterprise Team level.

Logging into all your different cloud applications can be a pain. We know that many of you like to use Heroku via the command line interface and in your web browser side-by-side, and until now that has meant logging in via SSO separately to each interface. You'll now be redirected from the CLI to the Dashboard to complete your SSO login to Heroku, after which your SSO credentials will be synced.

We've also made the administrative experience for changing SSO certificates even easier; previously admins could add only one certificate at the Enterprise Team level, and updating or changing it required downtime. Now admins can add up to three certificates at the Enterprise Team level to ensure zero downtime, and receive multiple, automated email notifications when their team's certificates approach expiry dates.

New SSO Login Experience


We wanted to reduce the time that developers spend validating credentials so that they can focus on development and innovation. The new SSO login allows a more synchronized experience between the Heroku CLI and Dashboard. Here's how to try it out:

  1. Run heroku update to make sure that you're on the most recent version of the CLI.
  2. Type heroku login and you'll be prompted to press any key to open a new browser window. There is no need to add an --sso flag (though the behavior will be the same if you do include it).
  3. Log in to Heroku in the Dashboard and you will be automatically logged into the CLI as well!

Multi-certificate Management & Expiry Notifications


Previously, changing the certificate used at the Enterprise Team level for SSO required downtime; during this period users wouldn't be able to authenticate with Heroku via SSO. To enable zero-downtime SSO certificate changes, we have now made it possible to add up to three SSO certificates for Enterprise Teams. SAML assertions signed under any one of the non-expired SSO certificates will be accepted, making it possible to seamlessly switch to a new identity provider certificate without downtime.

In addition, we now send email notifications to Enterprise Team admins when an SSO certificate is approaching its expiry date. Notifications are triggered thirty days, seven days and one day before a certificate expires. Admin users can proactively update expiring certificates so users' ability to log in via SSO remains uninterrupted.
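
To plan a rotation against the rules above, here is a small model, added as an example and not Heroku's code. It applies the three-certificate limit, the "any non-expired certificate" acceptance rule and the 30/7/1-day reminders to a constructed schedule; the certificate names and dates are made up, a certificate is assumed valid through its expiry day, and signature verification itself is out of scope.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_CERTS = 3             # per-team limit stated in the post
NOTIFY_DAYS = (30, 7, 1)  # reminder offsets stated in the post

@dataclass(frozen=True)
class Cert:
    name: str        # constructed label
    not_after: date  # assumption: certificate is valid through this day

def accepted(certs, today):
    """Names of uploaded certificates that are not expired on `today`."""
    if len(certs) > MAX_CERTS:
        raise ValueError("at most three certificates per team")
    return {c.name for c in certs if today <= c.not_after}

def reminders(cert):
    """Dates on which an expiry reminder is due for `cert`."""
    return [cert.not_after - timedelta(days=d) for d in NOTIFY_DAYS]

def outage_days(certs, idp_schedule, start, end):
    """Days in [start, end] when the IdP signs with a certificate that is
    not accepted. idp_schedule: (first_day, cert_name), sorted by day."""
    gaps, day = [], start
    while day <= end:
        in_use = [name for first, name in idp_schedule if first <= day]
        if not in_use or in_use[-1] not in accepted(certs, day):
            gaps.append(day)
        day += timedelta(days=1)
    return gaps

# Constructed rotation: the IdP starts signing with NEW two weeks before OLD expires.
OLD = Cert("idp-2018", date(2019, 3, 31))
NEW = Cert("idp-2019", date(2021, 3, 31))
SCHEDULE = [(date(2019, 1, 1), "idp-2018"), (date(2019, 3, 15), "idp-2019")]
WINDOW = (date(2019, 3, 1), date(2019, 4, 30))

if __name__ == "__main__":
    print("reminders for OLD:", [d.isoformat() for d in reminders(OLD)])
    print("both uploaded:", len(outage_days([OLD, NEW], SCHEDULE, *WINDOW)), "outage days")
    print("only OLD:     ", len(outage_days([OLD], SCHEDULE, *WINDOW)), "outage days")
```

With both certificates uploaded the window has no outage days; with only the old one uploaded, SSO breaks from the day the identity provider switches its signing certificate.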


With this release, Heroku Enterprise users can log in from the CLI and seamlessly complete their login via SSO from the Heroku Dashboard; developers stay in context and remain focused on delivering features. Heroku Enterprise admins can ensure zero downtime for their SSO users with an easy-to-use interface for managing multiple certificates.

Heroku Enterprise provides secure, isolated environments for teams of all sizes. Admins can set up the required identity and security measures, while developers can innovate and focus on their apps in an easy-to-use, collaborative environment. With these two features, we continue to make the Heroku Enterprise experience simpler and more secure for developers and admins.

Originally published: December 05, 2018
