For MLSs: What is Single Sign-On (SSO)?

Single Sign-On (SSO) allows your MLS subscribers/REALTORS® to enter RPR from a link within your MLS website, without having to sign into RPR. An MLS subscriber/REALTOR® must have an RPR account or will need to create one. Their NRDS ID, MLS, and Agent ID must be on their RPR Profile for SSO to work. SSO with RPR requires the MLS or its technology partner to maintain a SAML 2.0-based Identity Provider.

Reach out to your RPR Industry Relations Representative to get started.

How does SSO work?

  • An MLS subscriber/REALTOR® logs into the MLS.

  • The MLS subscriber/REALTOR® clicks an SSO link and is redirected to RPR.

  • RPR calls the MLS Identity Provider and asks if the user is authenticated.

  • The MLS Identity Provider responds with a security assertion.

  • RPR processes the security assertion, checks the MLS subscriber/REALTOR® Agent ID against their RPR Profile and the MLS roster, and decides whether the user is to be granted access.

What is required?

  • The MLS must already utilize a SAML 2.0-based Identity Provider for user authentication.

  • Each MLS subscriber/REALTOR® must have an RPR account for SSO to function (those without accounts will be prompted to create one).

  • The MLS Agent ID is the key to making SSO work. The Agent ID is required to be in:

    • The MLS subscriber/REALTOR® RPR Profile.
    • The MLS agent roster that is sent to RPR.
    • The Identity Provider assertion that is sent in response to an authentication request from RPR.
  • The MLS must be able to add a special “SSO” link to their website. Whenever possible, the display and URL of this link should be configurable so it is not necessary to redeploy the MLS website to make changes.

What does an MLS need to provide to RPR?

  • The contact info of the person that manages the Identity Provider for the MLS.

  • Whether the SSO solution is hosted by Clareity Security or is based on another SAML 2.0 product.

  • Where the metadata for the MLS Identity Provider can be seen (URL).

  • Whether the Identity Provider requires credentials for access and, if so, a set of credentials for RPR.

  • Whether RPR is required to digitally sign the authentication request.

  • The location of the Agent ID in the assertion—is it in the SAMLSubject or somewhere else?

  • The public key for the security certificate used to digitally sign the assertion.

  • A dedicated SSO test account that we can use to test SSO. This account must have an AgentID and must appear in the roster data feed. It must be a persistent account so we can support the SSO mechanism on behalf of our end users and test future versions of RPR.

    • Website URL
    • Username (we prefer RPR-SSO-TEST, or RPRSSO)
    • Password
    • AgentID associated with the account, if different from Username (we prefer RPR-SSO-TEST, or RPRSSO)
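The Agent ID location question above can be answered by inspecting a test assertion from your Identity Provider. The following is an added example, not RPR's code: the sample assertions are constructed, the attribute name `AgentID` and the issuer URL are assumptions, and the helper only reports where the value appears (it does not validate signatures or conditions).

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": ASSERTION_NS}

# Constructed samples, not real MLS or RPR data. Signature and Conditions are
# omitted: this helper only inspects layout and is not a validation routine.
SUBJECT_STYLE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.mls.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>RPR-SSO-TEST</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Here the Subject carries an opaque login name and the Agent ID is an
# attribute. The attribute name "AgentID" is an assumption for illustration.
ATTRIBUTE_STYLE = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.mls.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>user-7f3c@idp.mls.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="AgentID">
      <saml:AttributeValue>RPR-SSO-TEST</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def locate_agent_id(xml_text, agent_id):
    """Return each location in the assertion whose value equals agent_id."""
    root = ET.fromstring(xml_text)
    found = []
    # iter() also matches the root, so a bare Assertion or a full Response works.
    for assertion in root.iter("{%s}Assertion" % ASSERTION_NS):
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is not None and (name_id.text or "").strip() == agent_id:
            found.append("Subject/NameID")
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            for value in attr.findall("saml:AttributeValue", NS):
                if (value.text or "").strip() == agent_id:
                    found.append("Attribute[@Name='%s']" % attr.get("Name"))
    return found


if __name__ == "__main__":
    print(locate_agent_id(SUBJECT_STYLE, "RPR-SSO-TEST"))
    print(locate_agent_id(ATTRIBUTE_STYLE, "RPR-SSO-TEST"))
```

An empty result for the test account means the Agent ID is not in the assertion at all, which is the case SSO cannot work with.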

What does an MLS need from RPR?

In most cases, RPR simply needs to provide its metadata file. This should answer all the questions on the MLS side. The RPR metadata file is currently available at the following locations (copy and paste the entire string into your browser):

With Digital Signing: http://www.narrpr.com/sso/saml-entitydescriptor.xml

Without Digital Signing: http://www.narrpr.com/sso/saml-entitydescriptor-no-digital-signing.xml