For MLSs: What is Single Sign-On (SSO)?

Single Sign-On (SSO) allows your MLS subscribers/REALTORS® to enter RPR from a link within your MLS website, without having to sign into RPR. An MLS subscriber/REALTOR® must have an RPR account or will need to create one. Their NRDS ID, MLS, and Agent ID must be on their RPR Profile for SSO to work. SSO with RPR requires an MLS or its technology partner to maintain a SAML 2.0-based Identity Provider.

Reach out to your RPR Industry Relations Representative to get started.

How does SSO work?

  • An MLS subscriber/REALTOR® logs into the MLS.

  • The MLS subscriber/REALTOR® clicks an SSO link and is redirected to RPR.

  • RPR calls the MLS Identity Provider and asks if the user is authenticated.

  • The MLS Identity Provider responds with a security assertion.

  • RPR processes the security assertion, checks the MLS subscriber/REALTOR® Agent ID against their RPR Profile and the MLS roster, and decides whether the user is granted access.

What is required?

  • The MLS must already utilize a SAML 2.0-based Identity Provider for user authentication.

  • Each MLS subscriber/REALTOR® must have an RPR account for SSO to function (those without accounts will be prompted to create one).

  • The MLS Agent ID is the key to making SSO work. The Agent ID is required to be in:

    • The MLS subscriber/REALTOR® RPR Profile.
    • The MLS agent roster that is sent to RPR.
    • The Identity Provider assertion that is sent in response to an authorization request from RPR.
  • The MLS must be able to add a special “SSO” link to their website. Whenever possible, the display and URL of this link should be configurable so it is not necessary to deploy the MLS website to make changes.
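
The final step of the flow, and the reason the Agent ID must appear in all three places, as an added sketch (not RPR's code): the service provider reads the Agent ID from an assertion whose signature has already been verified and grants access only if that ID is on both the roster and a profile. It also applies the validity-window and audience checks a SAML service provider normally performs, which goes beyond what this page lists. The `roster` and `profiles` sets, the `AgentID` attribute name, the audience URL and the sample assertion are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not real MLS or RPR data). Assumption: a SAML library has
# already verified the IdP's signature over this assertion before this code runs.
SAMPLE = """<s:Assertion xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion">
  <s:Subject><s:NameID>AGENT-1001</s:NameID></s:Subject>
  <s:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <s:AudienceRestriction><s:Audience>https://sp.example/sso</s:Audience></s:AudienceRestriction>
  </s:Conditions>
  <s:AttributeStatement>
    <s:Attribute Name="AgentID"><s:AttributeValue>AGENT-2002</s:AttributeValue></s:Attribute>
  </s:AttributeStatement>
</s:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # UTC

def extract_agent_id(assertion, attribute_name=None):
    """Agent ID from Subject/NameID, or from a named attribute when one is configured."""
    if attribute_name is None:
        node = assertion.find("s:Subject/s:NameID", NS)
    else:
        node = next((a.find("s:AttributeValue", NS)
                     for a in assertion.iter("{%s}Attribute" % NS["s"])
                     if a.get("Name") == attribute_name), None)
    return node.text.strip() if node is not None and node.text else None

def decide_access(xml_text, now, audience, roster, profiles, attribute_name=None):
    """Return (granted, reason) for an already signature-verified assertion."""
    assertion = ET.fromstring(xml_text)
    cond = assertion.find("s:Conditions", NS)
    try:
        fresh = _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        fresh = False  # missing or malformed validity window: fail closed
    if not fresh:
        return False, "assertion outside validity window"
    if audience not in [a.text for a in cond.iter("{%s}Audience" % NS["s"])]:
        return False, "audience mismatch"
    agent_id = extract_agent_id(assertion, attribute_name)
    if agent_id is None:
        return False, "no Agent ID in assertion"
    if agent_id not in roster:
        return False, "Agent ID not on MLS roster"
    if agent_id not in profiles:
        return False, "Agent ID not on any RPR profile"
    return True, "granted"
```

In the sample, the Subject and the attribute deliberately carry different IDs, so reading the wrong location changes the decision; this is why the location of the Agent ID has to be agreed between the two sides.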

What does an MLS need to provide to RPR?

  • The contact info of the person that manages the Identity Provider for the MLS.

  • Whether the SSO solution is hosted by Clareity Security or is based on another SAML 2.0 product.

  • Where the metadata for the MLS Identity Provider can be seen (URL).

  • Whether the Identity Provider requires credentials for access and, if so, a set of credentials for RPR.

  • Whether RPR is required to digitally sign the authentication request.

  • The location of the Agent ID in the assertion—is it in the SAMLSubject or somewhere else?

  • The public key for the security certificate used to digitally sign the assertion.

  • A dedicated SSO test account with which we can test SSO. This account must have an AgentID and must appear in the roster data feed. This must be a persistent account so we can support the SSO mechanism on behalf of our end users and to test future versions of RPR.

    • Website URL
    • Username (we prefer RPR-SSO-TEST, or RPRSSO)
    • Password
    • AgentID associated with the account, if different from Username (we prefer RPR-SSO-TEST, or RPRSSO)

What does an MLS need from RPR?

In most cases, RPR simply needs to provide its metadata file. This should answer all the questions on the MLS side. The RPR metadata file is currently available at the following locations (copy and paste the entire string into your browser):

With Digital Signing:  http://www.narrpr.com/sso/saml-entitydescriptor.xml

Without Digital Signing:  http://www.narrpr.com/sso/saml-entitydescriptor-no-digital-signing.xml

Frequently Asked Questions

SAML stands for Security Assertion Markup Language. It’s a powerful, flexible, and secure industry-standard for single sign-on functionality that has been adopted by many MLS organizations and technology vendors such as Clareity Security. It can be adopted to fit many usage scenarios and works without ever sending user credentials between systems.

RPR SSO requires a live account in both systems, and it is only with this RPR account that we can ensure that the MLS member is both a REALTOR® with rights to access RPR (via their NRDS ID) and an active member of the MLS. This system exists to protect MLS and public records data, and to ensure that Realtors alone gain the differentiating benefit of this valuable resource.

RPR will send an authentication request to the IdP, but if it doesn’t respond we will simply display the login form.

Implementing an Identity Provider is not a small project. Authentication must be offloaded to a SAML 2.0-based Identity Provider, which then takes over logins for the host system (MLS) as well as the SSO integration with RPR. Implementing an Identity Provider requires experience with security protocols, encryption, XML and web services.

MLS subscribers of an MLS that has an RPR Co-brand will see the co-branded site when they click the SSO link that includes the proper cbcode.

The link will still function, with the following caveats:

If the user previously logged in directly to RPR on the same machine within the last two weeks and did click the “remember me” checkbox on the login form, the user will be automatically logged into the MLS co-branded RPR just as if s/he had successfully SSO’d into RPR.

If the user previously logged in directly to RPR and did not check the “remember me” checkbox on the login form, or if the user previously SSO’d into the MLS co-branded RPR on the same machine but is now visiting directly without the SSO link, the user will be prompted to login with his/her RPR credentials.

If the user has not logged into RPR previously on the same machine, s/he will see the MLS co-branded Sign Up form (but a Sign In link is clearly visible).

Single Sign-On (SSO) will only work for MLS subscribers/REALTORS® who have their NRDS ID, MLS, and Agent ID on their RPR Profile and who are on the agent roster that we receive from the MLS.

This is the format of an SSO link to RPR, with co-branding support.  Your implementation specialist will be able to provide the link for your organization. 

Link Location: The link should be visible only AFTER a user has logged into the MLS website.

Link Text: Realtors Property Resource

Link URL: http://www.narrpr.com/?ssocode=&cbcode=

It is important to make this link configurable in your application, so you can update the link text, the URL and its visibility on-the-fly without deploying a new version of your website. The link is subject to change.

REALTORS® who use dedicated computers to access the MLS can still use the RPR “Remember Me” functionality by checking the “Remember Me” checkbox when they log in. This remembers their login for two weeks, allowing them to link from the MLS to RPR without logging in during that time period.

Need Help?

If you need additional assistance, contact RPR Member Support at (877) 977-7576 or open a Live Chat from any page of the website.
