Account Security (SSO, Passwords, Sessions)

To navigate to your personal profile, click on your initials in the upper right corner and select Profile Settings from the dropdown menu. Then navigate to the Security tab.

  1. Single Sign-On
  2. Password Management
  3. Browser Session Management

1. Single Sign-On

Single Sign-On (SSO) is the ability to have a third-party service validate your identity. You can enable Google SSO, which offers additional security features such as multi-factor authentication (MFA). Bonsai also supports Okta.
To use this feature, the email address at your identity provider must match your Bonsai.io account email address. For example, if your Google email address is "bob.smith@gmail.com," then your Bonsai.io account must use this same email address in order to verify your identity.
Once you have SSO set up, you will no longer be able to log in with your username/password. Logging in will need to be done through the identity provider.

To revert to username/password authentication, you will need to disable SSO. To do so, simply click on Disable SSO. If you see this section greyed out, then your account admin has required that you use SSO.


2. Password Management

To update your password, enter your old password and a new password. Bonsai strongly recommends using a password manager like 1Password or LastPass to keep your passwords secure, and to help randomly generate new passwords.
Protip: Use a strong password
We’re a security-conscious bunch, and we don’t have any arcane rules about what kinds of characters you must use for your password. Why? We’ll let xkcd explain it. Tl;dr: our password policy simply enforces a minimum length of 10 characters. We also reject common passwords that have been pwned. Sadly, correct horse battery staple appears in our blacklist.

Note: updating your password will revoke all of your active sessions and force you to log in again.
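
One way to implement the policy described above (a minimum length of 10 characters plus rejection of passwords found in breach corpora), as an added example that is not Bonsai's own code. It assumes the breached-password list is queried by the first five hex characters of the password's SHA-1 digest and answers with SUFFIX:COUNT lines; the corpus, counts and function names below are constructed for illustration.

```python
import hashlib

MIN_LENGTH = 10  # the only composition rule the policy above enforces


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords_with_counts):
    """Bucket a breached-password list by the first 5 hex chars of SHA-1."""
    index = {}
    for password, count in passwords_with_counts:
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


# Constructed sample corpus (assumption); the counts are made up.
SAMPLE_CORPUS = build_range_index([
    ("correct horse battery staple", 100),
    ("password123456", 5000),
    ("qwertyuiop", 9000),
])


def sample_lookup(prefix: str):
    """Stand-in for the range query: it only ever receives the 5-char prefix."""
    return SAMPLE_CORPUS.get(prefix, [])


def breach_count(password: str, range_lookup) -> int:
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # The full hash never leaves this function; matching happens locally.
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, range_lookup=sample_lookup):
    """Return (accepted, reason) for a candidate password."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    seen = breach_count(password, range_lookup)
    if seen:
        return False, f"found in breached-password corpus ({seen} times)"
    return True, "ok"
```

Because only the five-character prefix is passed to the lookup, the service holding the corpus never learns the full hash of the candidate password.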


3. Browser Session Management

View and revoke your active sessions by scrolling down to Active Sessions. If you have a session on another device, you can see its IP address and information about the device.
You can revoke sessions individually, or revoke all. Revoking all sessions will also revoke your current session that you are using to view your profile, and doing so will require you to log in again.