BonData uses Descope as its identity provider. Two separate Descope projects are maintained, one for the user-facing application and one for the management application, so that administrative access is operationally distinct from end-user access.
Sign-in methods
Enterprise SSO is the only supported sign-in method. The customer’s IdP is the sole entry point: authentication, MFA policy, and session controls all flow from the IdP, and revoking a user in the IdP revokes their BonData access on the next token refresh.
- SAML 2.0: connect to Okta, Azure AD / Entra ID, Google Workspace, Ping, OneLogin, or any SAML 2.0 IdP.
- OpenID Connect (OIDC): connect to any OIDC IdP.
Active Directory and LDAP
Customers running on-premise Active Directory or LDAP federate to BonData through their existing identity provider over SAML 2.0 or OIDC. Descope explicitly documents integrations with Microsoft Entra ID (Azure AD), Okta, and Google Workspace; any other standards-compliant SAML 2.0 or OIDC IdP, including ADFS, Ping Identity, OneLogin, and JumpCloud, works the same way. The IdP authenticates the user against the customer’s directory; BonData receives the federated identity. Users get true single sign-on with the credentials they already use in the customer’s environment.
User provisioning and deprovisioning
User lifecycle (joiners, movers, leavers) is synchronized from the customer’s IdP via SCIM 2.0. Descope’s published SCIM setup guides cover Okta and Microsoft Entra ID; other SCIM-2.0-compliant IdPs (Ping Identity and others) integrate the same way. When a user is disabled in the IdP or removed from a group, the change propagates to BonData on the user’s next sign-in or token refresh, and their access is revoked. Group memberships in the IdP are mapped to BonData roles, so a user moving between teams in the directory automatically picks up the right permissions on next sign-in.
Multi-factor authentication
MFA is enforced according to the policy configured for the tenant. When SSO is used, MFA is delegated to the IdP and inherits whatever step-up policies the customer has configured there.
Session handling
After a successful sign-in, Descope issues a short-lived JWT. The BonData applications validate this JWT locally on every request, so transient Descope outages do not log out active sessions. Sessions are refreshed automatically through the standard OIDC refresh-token flow until the configured idle timeout is reached. Sessions can be revoked centrally: an administrator removing a user in the IdP causes the user’s next refresh attempt to fail, ending the session.
What customers can configure
- The IdP and protocol (SAML or OIDC).
- Idle session timeout.
- MFA policy at the IdP (BonData inherits whatever the IdP enforces).
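
The session handling described above, as an added example (not BonData's or Descope's code): local validation keeps a signed token usable until its expiry, and a disabled user is cut off when the refresh is refused. HS256 with a constructed key stands in for the provider's signature scheme, and the 600-second lifetime and the names issue, validate and refresh are assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for the IdP's verification key
SESSION_TTL = 600              # assumed lifetime of the short-lived JWT, in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(sub: str, now: int) -> str:
    """Identity-provider side: mint a short-lived session JWT."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + SESSION_TTL}).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{_b64(_sign(signing_input))}"

def validate(token: str, now: int) -> dict:
    """Application side: verify on every request without calling the IdP."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        got = _unb64(sig)
    except ValueError:
        raise PermissionError("malformed token")
    # Pin the algorithm: never let the token header choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    if not hmac.compare_digest(got, _sign(f"{head}.{body}")):
        raise PermissionError("bad signature")
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):
        raise PermissionError("expired")
    return claims

def refresh(sub: str, active_users: set, now: int) -> str:
    """Refresh step: the only point where directory state is consulted."""
    if sub not in active_users:
        raise PermissionError("user disabled at IdP")
    return issue(sub, now)
```

The gap between disabling a user and the last accepted request is bounded by the token lifetime, which is why the session JWT is kept short-lived.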