Single Sign On and Identity Sharing in the Real Estate Industry
By Zach Scott
Director of Systems Development
As a real estate professional you are becoming increasingly reliant on more web sites to access more features and more data in order to stay competitive. Unfortunately, authentication and identity on the web are still very site-centric. Each site requires a new username and password and you find yourself frequently re-entering data.
There is a movement afoot that is shifting the web toward a user identity-centric model that will help organizations to lower their walls and share data and identities with trusted sites in a secure, controlled manner.
Single Sign-On and identity sharing comprise the technology foundation that will facilitate business partnerships and allow users to seamlessly navigate amongst the exploding number of web sites and services they rely on to conduct business.
Single Sign-On (SSO) is a mechanism that enables a user to access more than one web site while only requiring them to log in (sign on) once. Once authenticated with one site, a user is able to navigate to subsequent trusted sites without authenticating directly. Authentication takes place between the sites in such a way that information about the identity of the user is securely shared without sharing their username and password.
Identity sharing goes one step further and enables the sharing of identity information for the purpose of granting or denying access to restricted features or data. For example, a SSO partner may need to know the authenticated user’s MLS membership information to know whether he or she can access restricted listing data from that MLS.
This white paper describes some of the benefits of Single Sign-On (SSO) and identity sharing to the Real Estate industry and discusses the challenges we have faced at Point2 and how to overcome these challenges.
You probably have a web-based identity that gives you access to sensitive MLS data; furthermore, you have identities at several other real estate, social networking, and blogging web sites. Unfortunately, due to the site-centric nature of identity on the web, each comes with a separate username and password.
Single Sign-On and identity sharing address many of the problems associated with the site-centric identity model:
| Site-centric identity model | Single Sign-On and identity sharing |
|---|---|
| Valuable information and services related to you and your industry are scattered between many sites, and the number of different sites you need to access to effectively do your job is increasing rapidly. | With SSO, users can easily and securely navigate from site to site without having more than one account. |
| The lack of integration between organizations' sites prevents information from being shared. Users are required to re-enter information that has already been entered elsewhere. | Identity sharing allows organizations to establish trust relationships and data sharing agreements while maintaining fine-grained control over who can access that data. |
| The inability to share identity and establish a user's right to access restricted data via strong authentication makes it impossible for organizations to establish agreements that allow controlled sharing of sensitive information. | Organizations must establish policies that govern identity sharing. Identity sharing makes this possible by enabling organizations to control how data is shared and who can access it. |
| With data living in disparate information silos and identities stuck to their respective sites, deep integration between services and organizations is impossible, dramatically slowing web-based innovation in the real estate industry. | Identity sharing enables policy-based data sharing and access. This allows trusted service providers to gain custody of data without owning it, thereby enabling them to provide innovative services to users that have the authorization to access that data. |
| Organizations that provision additional accounts for users at other trusted sites where data is shared are not easily able to control authentication mechanisms. | If your organization requires strong authentication via SecurID or similar technology, identity sharing supports the sharing of that strongly established identity with trusted sites rather than relying on their weaker form of authentication, such as username and password. |
It is clear that the promise of SSO and identity sharing is great; however, one need not eat the entire elephant in one bite. At Point2 we recognized the need to first support SSO.
Implementation & Problems
Point2 Technologies is a leading provider of web-based solutions in the real estate industry that strives to make its services as convenient for real estate professionals as possible. As such, we (www.point2nls.com) recognized the need for identity sharing and in 2007 we took the first step by implementing Single Sign-On with RealTown (www.realtown.com) so users of one system could navigate seamlessly to the other without signing up for an additional account.
There are many technology standards available for implementing SSO. Point2 adopted the WS-Federation standard because our web site is built using .NET which afforded us painless integration with Microsoft’s WS-Federation implementation called Active Directory Federation Services (ADFS).
Figure 1 – SSO Integration with RealTown
After successfully integrating with RealTown we were able to integrate with several other service providers using the same technology. However, our progress was eventually delayed by SSO partners that had chosen a different standard, namely SAML2, which is incompatible with WS-Federation. Microsoft's ADFS solution proved to be limited in that it could not be made to support SAML2, and there were no plans from Microsoft to add this support. Its proprietary nature meant that we couldn't change it ourselves.
This could have happened to anyone. There are many incompatible SSO standards, including SAML 1.1, SAML2 (which is not backwards compatible with SAML 1.1), WS-Security (WS-Federation), Liberty Alliance, and OpenID, just to name a few.
To achieve Single Sign-On integration with a broader range of organizations Point2 is faced with replacing ADFS with a more flexible identity solution. We are in the process of evaluating several solutions to determine which to adopt and have decided on the following requirements to guide our selection:
- Must be open source and adaptable to unforeseeable changes in standards unlike ADFS and other proprietary solutions.
- Must support multiple major standards including WS-Federation, SAML2, and OpenID.
- Must be extensible should other standards emerge.
- Must be possible to integrate with multiple popular web platforms and databases including Java, .NET, LAMP (Linux, Apache, MySQL, PHP, Python, Perl), MSSQL, Oracle.
- Must facilitate easy identity administration.
Although further research indicates that SAML2 is likely to be the most pervasive standard for Single Sign-On, many competing standards will still exist. Some organizations will choose other standards regardless of the possibility that SAML2 will dominate, and the possibility of new competing and complementary standards can't be ignored.
Because of the changing landscape and the primary goal of interoperability, we recommend the adoption of technologies that emphasize flexibility and open inclusion rather than proprietary solutions that gamble on one standard over another.
Figure 2 – Single Sign-On and Identity Sharing with Point2 NLS
Point2 plans to continue to leverage SSO and identity sharing technologies to further enable our partners in the real estate industry to benefit. Figure 2 depicts the Point2 NLS platform integrated with an MLS to enable real estate agents to increase listing exposure by syndicating to a variety of sites. In this scenario the agent is able to navigate directly from their online MLS site to Point2 to enhance their listing data and syndicate and advertise listings without re-entering existing data. The MLS is protected from having private data shared inappropriately because Point2 is able to protect access to restricted data by matching access requirements with identity information shared by the MLS.
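The exchange in the scenario above, together with the MLS membership check introduced earlier, as an added example that is not Point2's code: the identity provider (the MLS) issues a signed assertion about a user it has already authenticated, and the relying party verifies the assertion and makes its access decision from the shared claims, never seeing the user's password. SAML2 and WS-Federation carry XML assertions with XML digital signatures; the HMAC-signed JSON token, the shared key and the URLs here are constructed stand-ins chosen to keep the mechanics readable.

```python
"""Claims-based SSO between an identity provider (the MLS) and a relying
party (a syndication site). Added example, not Point2's code: the token
format, key and URLs are constructed stand-ins for SAML2/WS-Federation."""
import base64
import hashlib
import hmac
import json

# Hypothetical key agreed out of band between the two partners.
FEDERATION_KEY = b"constructed-shared-federation-key"
MLS_IDP = "https://mls.example/idp"            # hypothetical issuer
SYNDICATION_RP = "https://syndicate.example"   # hypothetical audience


def issue_token(key, issuer, audience, subject, claims, now, lifetime=300):
    """IdP side: the user has already authenticated here; sign an assertion
    about them. The password never leaves the IdP, only signed claims do."""
    payload = {"iss": issuer, "aud": audience, "sub": subject,
               "iat": now, "exp": now + lifetime, "claims": claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(body).decode()}.{base64.urlsafe_b64encode(sig).decode()}"


def verify_token(key, token, expected_issuer, expected_audience, now):
    """RP side: accept only tokens that are authentic, from the trusted IdP,
    addressed to this RP and still within their validity window."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered assertion
    payload = json.loads(body)
    if payload.get("iss") != expected_issuer or payload.get("aud") != expected_audience:
        return None  # untrusted issuer, or a token meant for another partner
    if not payload.get("iat", 0) <= now < payload.get("exp", 0):
        return None  # expired or not yet valid
    return payload


def can_view_restricted_listing(payload, listing_mls_id):
    """Identity sharing: the RP matches the listing's access requirement
    against the MLS membership claim the IdP shared, not a local account."""
    return listing_mls_id in payload["claims"].get("mls_memberships", [])
```

The relying party rejects a token whose claims were edited after signing, one issued for a different partner, and one past its lifetime, which is what lets the MLS share membership information without losing control over who reads restricted listing data.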
This is only one scenario. The possibilities are endless and carry benefits for all parties when identity information is properly managed and shared.
The identity-centric web, although not fully realized, is here to stay and Point2 is committed to finding new exciting ways to leverage SSO and identity sharing to help real estate professionals and organizations work together in mutually beneficial ways.
Standards relating to online identity continue to be very volatile, however, and although some leaders such as SAML2 appear to be emerging, it will take time for ubiquitous deployment of these standards. In the meantime, plan to take a diversified approach to identity standards and choose flexible, open technologies.