Janine Sieja - Release Mgr
posted this on October 05, 2010 11:36 am
PLEASE NOTE: SSO with RPR requires that your MLS or its technology partner maintain a SAML 2.0-based Identity Provider; other SSO solutions will not work with RPR. SAML 2.0 is an industry standard, is robust, secure and is already in use by many large real estate technology platforms. Please speak with your technology provider to determine if you are able to use SAML 2.0 solutions. If not, please remember that the RPR "Remember Me" functionality allows a user to stay logged in for two weeks from their dedicated machines; this nearly eliminates the "separate login" requirement when linking to RPR.
What is Single Sign-On?
Single sign-on (SSO) allows a user who is already authenticated (logged in) to a participating MLS website to seamlessly transition to RPR without requiring a second login, with credentials, to RPR. RPR has chosen to implement this functionality with a technology standard called SAML 2.0.
Is SSO available for Brokers or end users?
Unfortunately, no. SSO is only available for MLS organizations and their agents who are REALTORS. However, the RPR "Remember Me" functionality allows end users on dedicated computers to "remember" their logins for up to two weeks, so they do not need to log in each time they link over to RPR.
What is SAML 2.0?
SAML stands for Security Assertion Markup Language. It's a powerful, flexible and secure industry standard for single sign-on functionality that has been adopted by many MLS organizations and technology vendors such as Clareity Security. It can be adapted to fit many usage scenarios, and works without ever sending user credentials between systems.
How does SSO work in RPR?
The conversation between an MLS Identity Provider and RPR is generally seamless and fast for end users: They click a link on the MLS and are presented with their customized RPR homepage. Here are the underlying mechanics of the process:
A user logs into the MLS (this user must already have a login to RPR, and an AgentID associated with his/her profile).
The user clicks an SSO link and is redirected to RPR.
RPR sends an authentication request to the MLS Identity Provider, asking whether the user is authenticated.
The MLS Identity Provider responds with a security assertion.
RPR processes the security assertion (checking the AgentID against our roster and the AgentID in the user profile) and decides if the user is to be granted access.
Does this mean MLS users don't need to sign up for RPR accounts?
No. True SSO requires a live account in both systems, and it is only with this RPR account that we can ensure that the MLS member is both a REALTOR with rights to access RPR and an active member of the MLS. This system exists to protect MLS and public records data.
What are the MLS requirements for using SSO with RPR?
The MLS must already utilize a SAML 2.0-based Identity Provider for user authentication. SSO solutions based on other technologies are not supported.
Each MLS user must first Sign Up (create an account) on RPR for SSO to function (those without accounts will be prompted to sign up).
AgentID is the key used to link MLS users to RPR users, and ensures that former agents of the MLS cannot see MLS data. The AgentID is required in:
the user's profile on RPR.
the agent roster that is sent to RPR.
the Identity Provider assertion that is sent in response to an authentication request from RPR.
The MLS must be able to add a special “SSO” link to their website so users can navigate into RPR. Whenever possible, the display and URL of this link should be configurable so it is not necessary to deploy the MLS website to make changes.
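The AgentID checks described in the SSO mechanics and in the requirements above, as an added example in Python (not RPR's or the MLS's code): it assumes the response signature has already been verified by a SAML library against the IdP certificate, and uses a constructed sample response, a placeholder SP entity ID and hypothetical roster and profile lookups. It handles both AgentID locations the questionnaire asks about (Subject NameID or a named attribute).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.test/rpr"  # placeholder for RPR's SP entity ID (assumed)

# Constructed sample response: AgentID appears both as the Subject NameID and as an attribute.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>AGT-1001</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2010-10-05T10:00:00Z" NotOnOrAfter="2010-10-05T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/rpr</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="AgentID"><saml:AttributeValue>AGT-1001</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_agent_id(response_xml, location="subject"):
    """AgentID from the Subject NameID, or from the attribute named by `location`."""
    path = ("saml:Assertion/saml:Subject/saml:NameID" if location == "subject"
            else "saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue" % location)
    el = ET.fromstring(response_xml).find(path, NS)
    return el.text.strip() if el is not None and el.text else None

def conditions_valid(response_xml, now_utc):
    """Reject expired or not-yet-valid assertions and ones issued for a different service provider."""
    cond = ET.fromstring(response_xml).find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return False
    now = _utc(now_utc)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    return _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")) and SP_ENTITY_ID in audiences

def decide_access(response_xml, roster, profiles, now_utc, location="subject"):
    """roster: AgentIDs from the MLS feed; profiles: AgentID -> RPR username. Returns (granted, detail)."""
    if not conditions_valid(response_xml, now_utc):
        return False, "assertion expired, not yet valid, or wrong audience"
    agent_id = extract_agent_id(response_xml, location)
    if not agent_id:
        return False, "no AgentID in assertion"
    if agent_id not in roster:
        return False, "AgentID not in MLS roster"        # former agents stop here
    if agent_id not in profiles:
        return False, "no RPR account for this AgentID"  # user must Sign Up first
    return True, profiles[agent_id]
```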
What pieces of information does RPR need to configure SSO?
This is the information we collect via the SSO Configuration Questionnaire:
The contact info of whomever manages the Identity Provider for the MLS.
Whether the SSO solution is hosted by Clareity Security or is based on another SAML 2.0 product.
Where the metadata for the MLS Identity Provider can be seen (URL).
Whether the Identity Provider requires credentials for access and, if so, a set of credentials for RPR.
Whether RPR is required to digitally sign the authentication request.
The location of the AgentID in the assertion—is it in the SAMLSubject or somewhere else?
The public key for the security certificate used to digitally sign the assertion.
A test account with which we can test SSO. This account must have an AgentID and must appear in the roster data feed. Please provide the following information to us:
Username (we prefer RPR-SSO-TEST, or RPRSSO)
AgentID associated with the account, if different from Username (we prefer RPR-SSO-TEST, or RPRSSO)
What pieces of information does RPR need to provide to the MLS to configure SSO?
In most cases, RPR simply needs to provide its metadata file. This should answer all the questions on the MLS side. The RPR metadata file is currently available at the following URL (cut and paste this entire string into your browser):
Is it difficult to implement Single Sign-On with SAML 2.0?
Implementing an Identity Provider is not a small project. Authentication must be offloaded to a SAML 2.0-based Identity Provider, which then takes over logins for the host system (MLS) as well as the SSO integration with RPR. Implementing an Identity Provider requires experience with security protocols, encryption, XML and web services.
What link do I need to use for SSO to RPR?
This is the format of an SSO link to RPR, with co-branding support. Your implementation specialist will be able to provide the link for your organization.
Link Location: The link should be visible only AFTER a user has logged into the MLS website.
It is important to make this link configurable in your application, so you can update the link text, the URL and its visibility on-the-fly without deploying a new version of your website. The link is subject to change.
What happens if I have the link, but SSO is not configured or is broken?
The link will still function, with the following caveats:
If the user previously logged in directly to RPR on the same machine within the last two weeks and checked the "remember me" checkbox on the login form, the user will be automatically logged into the MLS co-branded RPR just as if s/he had successfully SSO'd into RPR.
If the user previously logged in directly to RPR and did not check the "remember me" checkbox on the login form, or if the user previously SSO'd into the MLS co-branded RPR on the same machine but is now visiting directly without the SSO link, the user will be prompted to login with his/her RPR credentials.
If the user has not logged into RPR previously on the same machine, s/he will see the MLS co-branded Sign Up form (but a Sign In link is clearly visible).
We have users who aren't in the roster. Can they use SSO?
Unfortunately, no. We use the AgentID to link the user account in your system to the user account in our system (which we receive via the agent roster feed). In these circumstances, these users will not be able to SSO into RPR, but they can still log in directly and "remember" their RPR login for two weeks.
What happens if the MLS Identity Provider is down?
RPR will send an authentication request to the IdP, but if it doesn't respond we will simply display the login form.
Does SSO support Co-branding?
Absolutely. Users of an MLS that has an RPR Co-brand will see the co-branded site when they click the SSO link that includes the proper cbcode.
What if I don't meet the SSO requirements?
If the cost and effort of implementing a SAML 2.0-based identity provider to enable SSO support with RPR exceeds the benefit, don't worry. Your users who use dedicated computers to access the MLS can still use the RPR "Remember Me" functionality by checking the "Remember Me" checkbox when they log in. This remembers their login for two weeks, allowing them to link from the MLS to RPR without logging in during that time period. This largely offsets much of the utility lost by not supporting true SSO. These users can still be linked to the RPR homepage or select interior pages like search results, property details and reports, and those links can still be co-branded.