[libRETS-users] Question about SAML enabled technology


Agustin Garzon
Sep 21, 2016, 4:36:38 PM
to libret...@groups.realtors.org
Hi there, I'm a librets.net user working for a company which connects with index providers in order to offer property search to end users.

I was sent a "vague" email from a project manager asking me if we are "SAML ENABLED", to which I replied I have no clue, so probably not.

What the heck! Could you give me some advice please?

Is this (being SAML enabled) something that involves / affects us, as the middle tier? (the connection between the provider and the end user)

Is this something intrinsic to the RETS protocol or standard that we don't need to care about?

Is this something that should only involve the MLS vendors?

Thanks in advance for your support :)

Cordially, Agustín.


--

Agustin.

"You only need to change your direction," said the cat, and ate it up.

Rob Overman
Sep 21, 2016, 4:57:12 PM
to libret...@groups.realtors.org
They are talking about Single Sign On (SSO) using SAML. So this would be an authentication process for your client application. The RETS transport and related methods do not come into play in this situation.

The concern is usually about controlling access to the data through the third-party products.

Related links that may be helpful:


Good luck,

Rob


Michael Sparr
Sep 21, 2016, 5:37:02 PM
to libret...@groups.realtors.org
Rob is correct. 

In layman's terms, what it means is that your application has to accept an alternate form of login (instead of just user/pass). SAML is a very complicated form of single sign on (SSO) and there are others more widely accepted, but not fully supported by all vendors.

In SAML2 (the current supported standard by compliant vendors), an authentication request is typically initiated when a user clicks a link in another application. That application will indicate the user’s intent to log into your application. Your application will send an authentication request to the calling application to verify they are actually logged into that system and if it sends you a correct response (along with an identifier for that user), then you look that user up in your system by that ID and grant them access, trusting the partner system has already vetted them.

To implement this, your application needs to be able to generate a metadata file and auth certificate, and be able to parse the same from the other party. You will need to work with the other party and share metadata files that contain signing certificates, register theirs in your system and vice versa. From there you can trust and decrypt the messages sent back/forth in the Login, Logout, etc. workflow you initiate between systems.

Many vendors also support what we call a one-way link, which is much simpler, so you might inquire as to that vendor's ability to support an alternate form of single sign on (OAuth, OpenID Connect, one-way link, etc.). The one-way link is simply sharing some secret key or phrase that is used to encode some parameters in a URL (usually a user ID). When the link is clicked the caller passes the needed information for you to verify the user and the calling system, then you permit access.

Enjoy and hope Rob’s links and my explanation help you out…


- Mike

Agustin Garzon
Sep 23, 2016, 1:47:18 PM
to libret...@groups.realtors.org
Thank you all for your replies, I kind of understand what you are saying, OAuth alone is difficult enough for me to implement when it comes up from time to time v_v

I still don't visualize where exactly we are located in the authentication process! And therefore the implications / consequences of this.

Let me describe what we do: we connect to FLEXMLS via librets.net, authenticating by configuring the necessary librets.net classes with a user / password / agent / agent pass.

Once we are logged in, we crawl and store certain information that is later exploited in numerous ways.

In this scene, what is the party that needs to be SAML enabled and why?

Thanks once again, and sorry about my poor understanding of the subject.

Agustín.


Michael Sparr
Sep 23, 2016, 3:21:07 PM
to libret...@groups.realtors.org
Agustin,

The RETS data feed you mention is completely separate from the inquiry about SAML. RETS authentication is usually basic or digest and using credentials you mention. That is how you get data into your system or query the RETS server in real time. Think of that as part 1 of providing a service using real estate data.

Part 2 is access to your product or service itself (what you serve up to users). The inquiry you received is related to accessing your product or service, but without requiring your user to log in. Assume they are already logged into FlexMLS and it can verify the user. They are asking if you would trust their system to tell you "yes, this user is logged into our system, so please let them into your system without having to log in again." The user clicks a link in Flexmls (example only) and it triggers an SSO start with a mutually-agreed URL on your side. Your system then sends a request to theirs to verify the user is logged in and their system sends back a response to tell you "yes" (with user id) or "no". If "yes" you match that ID to your system and start a session for the user without them manually logging in.

You can read more online in the articles Rob shared. The bottom line is your RETS data feed using librets is completely separate. Once you have the data in your system, and offer some value-added service using it, you will at some point require users to log into your system to access it. SSO is merely a way to grant access without requiring them to log in, and trusting a link from another system they already authenticated with.



Mike
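
The "one-way link" from Mike's first message, and the "match that ID to your system and start a session" step from this one, as an added worked example that is not part of the thread or of librets. It assumes a constructed shared secret exchanged out of band with the partner, a constructed mapping from the partner's user ids to local accounts, and hypothetical parameter names (`uid`, `ts`, `nonce`, `sig`). The partner side signs the URL parameters with an HMAC; our side recomputes the HMAC with a constant-time compare, rejects links older than a short TTL, and refuses a nonce it has already seen, so a leaked or captured link cannot be reused or altered to point at another user.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret; in practice exchanged out of band with the partner.
SHARED_SECRET = b"constructed-demo-secret-change-me"
LINK_TTL_SECONDS = 120  # assumption: links are only valid for two minutes

# Constructed mapping: partner user id -> local account name.
LOCAL_ACCOUNTS = {"flex-12345": "agustin"}


def _canonical(params: dict) -> bytes:
    """Fixed, sorted serialization so both parties sign the same bytes."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()


def build_link(base_url, user_id, secret=SHARED_SECRET, now=None, nonce=None):
    """Partner (calling system) side: produce a signed one-way link for user_id."""
    params = {
        "uid": user_id,
        "ts": str(int(now if now is not None else time.time())),
        "nonce": nonce or secrets.token_hex(8),
    }
    params["sig"] = hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode(params)}"


class LinkVerifier:
    """Our (receiving) side: checks authenticity, freshness and single use."""

    def __init__(self, secret=SHARED_SECRET, ttl=LINK_TTL_SECONDS):
        self.secret = secret
        self.ttl = ttl
        self.seen_nonces = set()  # replay protection; a shared store in production

    def verify(self, url, now=None):
        """Return the partner user id if the link is valid, otherwise None."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        sig = q.pop("sig", None)
        if sig is None or not all(k in q for k in ("uid", "ts", "nonce")):
            return None
        # Recompute the HMAC over the remaining parameters; constant-time compare.
        expected = hmac.new(self.secret, _canonical(q), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        try:
            ts = int(q["ts"])
        except ValueError:
            return None
        now = now if now is not None else time.time()
        # Reject stale links and links from a badly skewed clock in the future.
        if not (now - self.ttl <= ts <= now + 5):
            return None
        # Reject replays of a link that was already used.
        if q["nonce"] in self.seen_nonces:
            return None
        self.seen_nonces.add(q["nonce"])
        return q["uid"]


def start_session(verifier, url, accounts=LOCAL_ACCOUNTS, now=None):
    """Map a verified partner user id to a local account, or None to fall back to login."""
    uid = verifier.verify(url, now=now)
    if uid is None:
        return None
    return accounts.get(uid)


if __name__ == "__main__":
    verifier = LinkVerifier()
    link = build_link("https://sp.example.test/sso", "flex-12345")
    print(link)
    print(start_session(verifier, link))   # local account for the verified user
    print(start_session(verifier, link))   # None: same link replayed
```

The account lookup is deliberately separate from signature verification: a valid link for an id you have never seen should land on your normal login or provisioning path, not silently create a privileged account.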

Tony Russo
Sep 23, 2016, 3:44:23 PM
to libret...@groups.realtors.org

Hi Agustin,

We use an outside independent security developer who is very knowledgeable with SAML, OAUTH etc.

If you are looking for a SAML/OAUTH developer send me a brief description of your project along with your contact info in a private email.

I'll forward it to him to get you two in contact with each other.

Best Regards,

Tony Russo

Agustin Garzon
Sep 23, 2016, 4:15:47 PM
to libret...@groups.realtors.org
Thanks guys. Mike, the way you put it, it all finally adds up now!

Now I have to figure out why (if) we are required to implement SAML, and if really necessary, the implementation itself is going to be a challenge beyond the scope of this group ^_^


Michael Sparr
Sep 23, 2016, 4:19:14 PM
to libret...@groups.realtors.org
Agustin,

No problem and glad to have helped. Yes, the request is beyond the scope of this group and unrelated to your use of librets.

Typically it's not a requirement of working with an MLS system, just a convenience for the users. The easier it is for users to access/use your product, the more value you deliver and potentially justify ongoing cooperation from their organizations. Many products do not offer SSO so it's your choice, unless contractually obligated in some way.

Best of luck!

Mike
