Maybe it’s time to look again…

One of the big buzzwords going around for the past year has been Single Sign-On, or SSO. It’s been making its presence felt so hard that CRT felt we should help sponsor and provide hosting for an open source implementation of one flavor of it, even if we weren’t going to contribute any code.

The ‘one flavor’ I mention above is going down the path of using the SAML standard. SAML is an OASIS standard with some work contributed by the Liberty Alliance. For some reason, within the Real Estate community, SAML has caught on as THE WAY TO DO IT. You can see working implementations of SAML in real estate used by CAR, Rapattoni, and Clareity Security. However, like anything related to technology, There Is More Than One Way To Do It™.

Recently, the OpenID Foundation announced that Google, IBM, Microsoft, VeriSign, and Yahoo! have joined their board. That’s a lot of big weight going with OpenID. Many of those companies already accept OpenID as a form of authentication or are OpenID providers themselves. Yahoo! is a prime example of a large OpenID provider. It seems like momentum is certainly gaining on OpenID, which is pretty impressive for something that just started in 2005. (In full disclosure, it should be noted that CRT had David Recordon from the OpenID and SixApart as a panel member at the last NAR Annual convention.)

In looking at OpenID’s web site I found a quote from Brad Fitzpatrick, the father of OpenID, stating a philosophy I really like and I think is important for a shared resource like this:

Nobody should own this. Nobody’s planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there’s no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we’re all a part of the community.

Obviously, a lot of this follows CRT’s general open-source philosophy, which I’ve always been a big fan of. However, I think this contrasts with some of what we see in our market. This is something I’ve been hearing people say we all need, that it’s not a competitive advantage.

In any case, given the philosophy behind it and where we need to go in real estate, I think it’s time to give OpenID another look, especially given the added weight it received this week.

No matter the technology, the future is an exciting place. Imagine using your MLS id as your way to get onto realtor.org. Or maybe NAR is the ID provider that allows you to access your MLS, gmail account, and your favorite blog?

(Just a quick final note: It should be noted that just because you can share a common piece of authentication, it doesn’t mean a user of that authentication system will be allowed full access everywhere. There are still authorization levels at each site. This is the same between both models discussed here.)

4 Responses to “Maybe it’s time to look again…”


  1. Tim Johnson

    OpenID appears to be getting some significant traction. AOL and Plaxo are also players in the OpenID space.

    We’re fans of OpenID here at Rapattoni, as well as SAML, and support both standards as of last December.

    http://www.rapattoni.com/news/pr/07_12_03SSO.asp

  2. Keith Garner

    You know, Tim, you had mentioned that to me back then and I completely forgot! It’s good to see there is already some traction in our corner of the world.

    Given my new ‘post my random thoughts’ mode that I’m switching into, this post was to promote discussion and awareness. But it’s even better when there is practical experience to point to!

  3. Matt Cohen

    OpenID assumes you/your application will trust whatever identity provider and authentication method the user will choose. This simply won’t be feasible for any application that even wants to pretend to be secure – UNLESS there emerges a class of TRUSTED OpenID authentication provision companies that offer the level/type of authentication required by specific applications and the authentication strength is verified to the trusting application. It can’t just be one (such as NAR) or the “Open” in Open ID isn’t very meaningful, but if it’s only a few, SAML and federation methods such as circles of trust get the job done.

  4. Peter Williams

    Keith,

    Please openid2-enable a wiki at NAR/CRT. (The RETS wiki might be a good candidate.) Perhaps add authenticated comments to the CRT blog site, in order to also easily leverage openid.

    Rapattoni is ready to run a trial of its openid1/openid2 services, for any Rapattoni supported Realtor with a 2 factor token that wishes to engage in the trial.

    The Rapattoni openid service includes support for the so-called directed identity model of OpenID, that allows for pseudonymous login to the wiki sites. This is sometimes preferred, when a user seeks to retain some browsing/commenting privacy.

    The service is built entirely on top of Rapattoni’s standard SAML2 infrastructure. It can even cooperate with other vendors’ SAML2 infrastructure, including those parties using the NAR/CRT/Clareity SAML2 toolkit.

    We will run this trial for 3 months, before deciding what to do next - in consultation with the NAR family.
