This way, Bluewin will be able to offer single sign-on for service providers within the circle.



Similar documents
Case Study: SSO for All: SSOCircle Makes Single Sign-On Available to Everyone

Managing Trust in e-health with Federated Identity Management

Improving Security and Productivity through Federation and Single Sign-on

Authentication Integration

White paper December Addressing single sign-on inside, outside, and between organizations

An Oracle White Paper Dec Oracle Access Management Security Token Service

HP Software as a Service. Federated SSO Guide

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Evaluation of different Open Source Identity management Systems

The Primer: Nuts and Bolts of Federated Identity Management

IDDY. Case Study: ConAgra Deploys SSO for Travel Planning

SAML SSO Configuration

The Role of Federation in Identity Management

Security solutions Executive brief. Understand the varieties and business value of single sign-on.

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

White Paper. What is an Identity Provider, and Why Should My Organization Become One?

Biometric Single Sign-on using SAML

LIBERTY ALLIANCE. Case Study: Aetna Enhances Secure Provider Portal with SSO and SAML 2.0. The Company. Key Objectives

Single Sign-On Toolkit. The National Association of REALTORS Center for REALTOR Technology

The Primer: Nuts and Bolts of Federated Identity Management

Federated Identity in the Enterprise

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

The Top 5 Federated Single Sign-On Scenarios

Federated Identity Management Solutions

SAML-Based SSO Solution

Privacy, Security, and Trust with Federated Identity Management

Federated Identity Management

managing SSO with shared credentials

HP Software as a Service

Auth0 SSO Drives B2B Expansion

Introduction to SAML

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

Biometric Single Sign-on using SAML Architecture & Design Strategies

Three Ways to Integrate Active Directory with Your SaaS Applications OKTA WHITE PAPER. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107

SECUREAUTH IDP AND OFFICE 365

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

Information Security Group Active-client based identity management

The increasing popularity of mobile devices is rapidly changing how and where we

Google Identity Services for work

Perceptive Experience Single Sign-On Solutions

Extend and Enhance AD FS

Web Access Management. RSA ClearTrust. Enhancing control. Widening access. Driving e-business growth. SSO. Identity Management.

Flexible Identity Federation

How To Use Saml 2.0 Single Sign On With Qualysguard

Enhancing Web Application Security

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

Copyright: WhosOnLocation Limited

An Oracle White Paper July Oracle Identity Federation

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

OpenSSO: Cross Domain Single Sign On

Agenda. How to configure

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

SAML-Based SSO Solution

TRUSTED IDENTITIES, MANAGED ACCESS Implementing an Identity and Access Management Strategy for the Mobile Enterprise. Introduction.

Interoperate in Cloud with Federation

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Getting Started with AD/LDAP SSO

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

How to Implement Enterprise SAML SSO

Single Sign-On: Reviewing the Field

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Cyber Security Competency Center

Identity. Provide. ...to Office 365 & Beyond

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

Security Services. Benefits. The CA Advantage. Overview

Addressing threats to real-world identity management systems

Identity Federation Broker for Service Cloud

Research and Implementation of Single Sign-On Mechanism for ASP Pattern *

Open Source Identity Integration with OpenSSO

Vidder PrecisionAccess

Connected Data. Connected Data requirements for SSO

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Trend of Federated Identity Management for Web Services

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

Swivel Secure and the Cloud

Federated AAA middleware and the QUT SSO environment

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

Getting Started with Single Sign-On

OSOR.eu eid/pki/esignature Community Workshop in Brussels, 13. November 2008 IT Architect Søren Peter Nielsen - spn@itst.dk

Cybersecurity and Secure Authentication with SAP Single Sign-On

EXECUTIVE VIEW. SecureAuth IdP. KuppingerCole Report

An Oracle White Paper August Oracle OpenSSO Fedlet

Transcription:

Clareity Security and The National Association of Realtors Develop a SAML Toolkit for the Real Estate Industry Ask any REALTOR about the systems they use and the passwords they deploy. The word mess will likely come up. But thanks to Clareity Security, the work of real estate professionals is about to get a whole lot easier and more secure. As part of a program that is supported and partially funded by the National Association of REALTORS (NAR), Clareity has developed an SAML 2.0 based toolkit designed to help real estate professionals deploy Single Sign-On (SSO). This free open-standard reference implementation can be used by real estate software vendors, brokers, and MLS systems to incorporate SSO into their products for the benefit of real estate professionals everywhere. The toolkit may even find wider application, as it is free for use by software companies and others outside of the real estate industry. eliminate the need for users to input multiple pieces of Vendors cooperation on open standards is the key to industry-wide adoption, said Mark Lesswing, NAR chief technology officer and senior vice president. This toolkit will help software and solution vendors concentrate on features that will help REALTORS do their jobs better, instead of spending time on the organizational entities, as well as making access to nuances of SAML 2.0. With open standards, vendors have a great amount of choice. The standards can be implemented as a part of existing products or using one of the dozens of commercial products on the market, or even using open- source solutions. Again, it is not necessary for technology vendors to standardize on a single product, because a product that implements a standard can work with any other product that implements that standard. Gregg Larson, CEO of Clareity Security The State of Real Estate Within the real estate industry, the demand for an SSO solution that works for everyone has been steadily functionality in an internal development project based building. In the United States, there are close to 1.3 million REALTORS, and probably 2 million people or more who collaborate on real estate related Web applications. Adding to this complexity are more than a thousand associations, 700-plus multiple listings services, membership management systems, and transaction management systems. That s not to mention the software used by agents and brokers. When a REALTOR gets on his computer, he is typically signing in to five or more things at a time, said Matt Cohen, Clareity s CTO. I recently spoke with a group of local REALTORS and when I explained what SSO would accomplish, they started jumping out of their seats saying, When can I get this? When can I get this? - 1 -

Leveraging Open Source for the Toolkit When it came time to put together a in toolkit Switzerland for SSO and a that fully owned was free subsidiary and of the open telecommunications to everyone, company Clareity SwissCom. took a careful Bluewin is look among around the first to Internet see what service providers could be leveraged and what needed to and be businesses. written. What Clareity found and used as one of the building blocks of the toolkit was the OpenSAML project (www.opensaml. org) sponsored by Internet2. As part Bluewin of their sought Shibboleth to simplify single project, sign-on and the eliminate OpenSAML the need toolkit for users implements to input multiple pieces of the information XML objects in order that to enter represent password the protected sites. protocol elements of SAML. From In order this to meet foundation, these goals, the the toolkit challenges puts extended the to pieces areas including together managing and shows user identity a developer exactly how to make There were a variety of opinions, and lots of back and forth, things organizational work. entities, The developer as well as making can use access to but it was clear that most vendors had a strong bias towards it online at a services high level as user-friendly without having as possible. to the use of open standards. So the group decided to support understand the intricacies of SAML, SAML 2.0. or they can delve as deep as their The software providers that were in the room really did interests and needs dictate. their homework. They wanted to know: What gives us the capabilities Bluewin that has implemented we need? What the identity has the provider most traction? What The Federation SSO software specifications. toolkit In this is new available standards environment, functionality don t have in an internal any intellectual development property project baggage? based And SAML on 2.0 Open seemed Source to Framework be the direction Source ID. that Bluewin made is the also most for free NAR s Web site, at: sense, collaborating said Matt with Cohen. different IT integrators to enable a http://code.crt.realtors.org/ projects/websso. In March, This way, Clareity Bluewin brought will be the able group to offer back single again sign-on after for everyone multiple had Swiss a chance sites and to go will back store to attributes their own only organizations once. and share what was learned. The group then crafted a statement The Bluewin clarifying identity and provider confirming supports their Liberty s support Identity for SAML and intra-industry Federation Framework cooperation. specifications. Attribute sharing will SSO is a new initiative for Clareity. For the past several years, Clareity has worked with real estate industry firms and organizations on security. Much of their work focused on strong authentication as well as security assessments. There was a certain point at which some of our clients asked us about Single Sign-On, and we looked around out there and saw how complicated the terrain was, said Matt Cohen. We also knew that if the software vendors in our industry were not coordinated in some way, there would be many different versions and approaches, and true SSO among real estate applications would be limited. Bringing Vendors Together to Talk about Standards In December 2005, Clareity brought together real estate software vendors, MLS vendors, transaction management/ association management vendors, public records providers, franchise and other major real estate organization CTOs, as as well as organizations such as the National Association of REALTORS and CREA, the Canadian Real Estate Association. We put all these people together and we rented a large conference room in Las Vegas, Matt Cohen said. We discussed the various options for Single Sign-On. - 2 -

At that point, basically, the room turned to us and said, Hey these standards are complex and there a lot of moving parts. What we really need is a reference implementation. Something that says: Here are all the pieces and it will work with all applications, explained Matt Cohen. It was then decided that Clareity should build the reference implementation. The National Association of REALTORS (NAR) soon came onboard and supplied some development money toward the goal. The plan was Clareity Security would create this software, but not own it and that it would will be freely available to the real estate technology community and integrated with the RETS standard. NAR also agreed to With market approximately and promote 2 million the customers, project. Bluewin in Switzerland It s an ideal and relationship, a fully owned subsidiary said Amy of Geddes, the Clareity Security s Chief Operating Officer. NAR s role has been telecommunications really to promote company the adoption SwissCom. of the technology and to educate the community at large about what SAML is Bluewin and why is among it s a the good first thing Internet for service the real providers estate space. Clareity s role includes doing those things too as well as to implement developing a Liberty-enabled the technical implementation solution. The company and helping to set initial guidelines within the real estate community. Benefits to Service Providers Bluewin sought to simplify single Cost sign-on savings and on password reset and eliminate the need for users management to input multiple pieces of They also wanted to enhance Open security standards-based improve Easy integration with multiple technologies Freedom to concentrate on enhancements and applications versus standards issues organizational entities, as well as making access to Improved security Benefits to End Users Elimination of password headaches Less systems complexity Faster systems access functionality in an internal development project based Improved security of personal consumer information - 3 -

Technical Issues: The Importance of Security A great deal of study and work was needed to ensure security and meet the particular needs of the real estate industry. For example, a security flaw in the Single Sign-On integration between an MLS and a Transaction Management System could lead to private consumer information being exposed, or to competitors accessing each other s information. Clareity has seen plenty of integration specifications where a user is passed from one system to another using a link looking something like this: http://www.example.foo/index.aspx?userid=123&password=mypassword This example is troublesome in several ways. First, it passes the authentication information using a plain text protocol, so that it may easily be intercepted. Second, the URL parameters are not encrypted, and can be easily scripted or modified, since the security mechanism is exposed to the user for manipulation. Third, this URL can be disseminated and used by others. In the worst case, this URL may be posted in a non-secure location and even indexed by a search engine, or posted on hacking sites or newsgroups (e.g., http://johnny. ihackstuff.com/index.php?module=prodreviews). Using hidden form fields eliminate the need for How users to The input multiple SAML pieces Toolkit of Works to pass this information from site to site does not provide significant additional access to third-party Joe s Web services. 1. Initial Request AcmeMLS protection, and neither does Browser trying to check the referring Web page. organizational Joe s entities, Web as well as making access to The free software toolkit allows software vendors to cooperate efficiently and maintain security using SAML 2.0. The SAML standard enables secure exchange of authentication and authorization information between disparate security domains, making secure Internet e-business transactions possible. With this standard, a user s information is stored on one server when he logs in and is authenticated. As the user moves to other integrated applications he does not have to authenticate himself again. This is not only more convenient for the user, but much more secure. Browser Joe s Web Federation specifications. Browser In this new environment, Joe s Web Browser 2. Redirect to IdP 3. Request to IdP 4. Request Credentials 5. Submit Credentials 6. Respond with SAML Token 7. Accept SAML Token SAML addressed the problem of sending passwords AcmeIdP between applications by simply not doing it. Instead, in the SAML world, an Identity Provider (IdP) constructs an XML assertion that it digitally functionality AcmeIdP signs to prove to the Service in an internal development project based Provider (SP) that the user is authenticated and trusted. By using digitial signatures, trust relationships can be established between AcmeMLS the participating entities without exposing sensitive information like passwords. - 4 -

Speeding Industry Adoption of SAML 2.0 The toolkit was formally introduced in the fall of 2007 and now is quickly being adopted by leading software Bluewin vendors Implements and MLS system providers. Liberty Alliance Metropolitan Regional Information Services (MRIS), the largest MLS in the U.S., is incorporating SSO using the toolkit and SAML in conjunction with their rollout of strong authentication. The improved security of strong authentication allowed MRIS to offer an added benefit of SSO to their users. As a result, MRIS subscribers will be able to access several real estate related applications without having to log in multiple times. In addition, Minneapolis-based NorthstarMLS, who provides MLS and property data services to 20,000 real estate professionals in the Twin Cities area, is implementing an Identity Provider (IdP) using the Clareity developed toolkit. This IdP will facilitate current and future SSO needs for NorthstarMLS members. Finally, several leading MLS system vendors, including MarketLinx, Fidelity and Tarasoft, have plans to incorporate support for SSO into their existing applications using the free open-source toolkit developed by Clareity and offered by the National Association of REALTORS. Clareity is also hoping other vertical markets will follow real estate s example and take this code and implement their own products. We ve put many months into producing something which is going to be useful not just inside real estate, but in many other verticals, said Mark Lesswing. We want to help push the adoption of Single Sign-On, secure adoption of Single Sign-On, so we are releasing this with a very open license specifically to drive adoption. eliminate the need for users to input multiple pieces of SSO: Two Approaches Proprietary Portal Open Standards central federation Enables Portals (enables) (requires) organizational entities, as well as making access to Applies to fragmented real estate market (association, MLS, brokers, franchises, lending, title, etc.) Leverages existing SSO Relationships No / Low Cost Free, Open Standards Being Built into RETS Cross-Vendor Support Vulnerable to Denial of Service attack Into the Future with SAML functionality in an internal development project based circle of trust with several participating service providers. Engineers at Clareity are continuing to look at where SAML Federation might Framework take the industry. specifications. The Attribute interesting sharing issue will is not necessarily what the REALTORS are doing today, be but enabled what in SAML the next might phase enable of development. them to do tomorrow around things like workflows between applications and the level of data sharing between applications, said Matt Cohen. There are a lot of capabilities that we haven t even begun to explore that Single Sign-On will enable. - 5 -

Case About Study: The National Associatio REALTORS The National Association of REALTORS is America s largest trade association, representing more than 1.3 million members involved in all aspects of the residential and commercial real estate industries. (www. realtor.org) About Clareity Security Clareity Security, LLC is the leading provider of security products and services for the real estate and mortgage industries, and is now expanding into Financial Services. Its SAFEMLS and SAFEACCESS products help real estate professionals, the mortgage industry, and financial services companies easily and effectively safeguard sensitive consumer information against unauthorized access and provides next generation strong authentication solutions for secure online transactions. Clareity Security also provides network security services including organizational information security assessments, Unified Threat Management (UTM) appliances, and other eliminate the need for users to input multiple pieces of information IT security in order to solutions enter password in protected partnership sites. with companies such as with Secure They also Computing wanted to enhance (NASDAQ: security and SCUR), improve a provider of global security solutions. access to Additional third-party services. information is available at http://www.clareitysecurity.com. organizational About Liberty entities, Alliance as well as making access to Liberty Alliance is the only global identity organization with a membership base that includes technology vendors, consumer service providers and educational and government organizations working together to build a more trusted Internet by addressing the technology, business and privacy aspects of digital identity management. The Liberty Alliance Management Board consists of representatives from AOL, Ericsson, Fidelity Investments, France Telecom, HP, Intel, Novell, NTT, Oracle, and Sun Microsystems. Liberty Alliance works with identity organizations worldwide to ensure all voices are included in the global identity discussion and regularly holds and participates in public events designed to advance the harmonization and interoperability of CardSpace, Liberty Federation (SAML 2.0), Liberty Web Services, OpenID and WS-* specifications. functionality in an internal development project based - 6 -