concerto_saml_auth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b6ebfa7bb437454efca0513642b2bfbf5464e5f2
+  data.tar.gz: 59ac1d64b4f418bc48019657687edc7bb94ddc98
+SHA512:
+  metadata.gz: 2e16f9fa978ded9c51250f5a3e2b2aee663db06cceabd22a2ae1c5068b9c2e1e667d91e1acc5879d3f8c1d319e39a1408dfbcbb2199270ef3969a827f0c73ede
+  data.tar.gz: 6d466a2c368cd922ec36fb2d7cc6d0d8249ba5dfef681d03f211905fd1f2e387239febe9bef305e756db91e1a25a57e25255f9baaefd4bcba9c03cbf05b94cb8

data/LICENSE

@@ -0,0 +1,14 @@
+  Copyright 2014 Concerto Authors
+  Copyright 2017 Thorben Dahl
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,64 @@
+Concerto SAML Auth
+=====================
+
+Authenticate Concerto users through your own [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) deployment. 
+
+Please note that this project is not affiliated with or endorsed by the Concerto Digital Signage project.
+
+The aim of this project is to customize the Concerto CAS Auth plugin so it works with `omniauth-saml` instead of `omniauth-cas`.
+
+Installing the plugin
+----------------------
+
+1. Log in using a system admin account in your Concerto deployment. You should have set up your Concerto installation already.
+2. Click on the "plugins" button on the top navigation bar under the admin section.
+3. On the right side of the page, click on the "new plugin" button.
+4. With Git Repository selected as the source, write `concerto_saml_auth` as the Gem Name, and this repository's clone URL as the Source URL. 
+5. Click save, you will now stop your Concerto web server, run the ```bundle``` command (while in the Concerto directory), and start your web server again.
+6. Since the SAML plugin is not configured yet, you can log back into your Concerto accounts by visiting the ```your.concerto.url/users/sign_in``` route, using
+   any user that was not created using through SAML login. 
+7. If the plugin was installed successfully, you will see a new "SAML User Authentication" settings tab under the "settings" page. This page can be found by clicking the "settings" button on the top navigation bar under the admin section.
+8. Configure the plugin and restart the web server, as explained below.
+9. Add your Service Provider's metadata to the Identity Provider. You can find your metadata at `your.concerto.url/auth/saml/metadata`.
+
+Configuring the plugin
+----------------------
+
+**The details of how to configure this plugin are not finalized.**
+
+1. Log in using a system admin account in your Concerto deployment
+2. Click on the "settings" button on the top navigation bar under the admin section.
+3. Click on the "SAML User Authentication" tab.
+4. Configure the different values (see explanation below).
+7. After saving these settings, you will need to restart your Concerto web server.
+8. Your log in links at the top of the page should now point to your CAS authentication. 
+
+Explanation of the configuration parameters:
+
+**Saml Idp Metadata**: URL to the Identity Provider's metadata. For a simpleSAML installation, this could be `https://idp.example.com/simplesaml/saml2/idp/metadata.php`. All information about the Identity Provider is gathered through this.
+
+**Saml Issuer**: Unique identification of this application, used by the Identity Provider to separate different Service Provider. It is normal to use an URL you control, so there is no chance of collision. Example: `https://concerto.example.com/saml2`.
+
+The rest of the configuration items maps information received from the Identity Provider to fields in Concerto.
+
+**Saml Uid Key**: Name of field containing user ID, used to map between users logging in and the local Concerto user they should log in as.
+
+**Saml Email Key**: Name of field containing the user's email address.
+
+**Saml First Name Key**: Name of field containing the user's first name.
+
+**Saml Last Name Key**: Name of field containing the user's last name.
+
+**Saml Member Of Key**: Name of fields containing the groups the user is a member of, as expressed by LDAP's memberOf field. You can leave this out to not synchronize groups.
+
+**Saml Member Of Filter**: Comma-separated list of case-insensitive assertions. A group must match at least one of those assertions in order to be included in Concerto. You can use the common name to whitelist groups, like `CN=Administrators, CN=Graphics`.
+
+**Saml Admin Groups**: Comma-separated case-insensitive list of groups whose members should be made admin when they log in through SAML.
+
+note: This plugin is essentially a wrapper around [omniauth-saml](https://github.com/omniauth/omniauth-saml) with added logic for creating Concerto user accounts with the returned SAML information and synchronize privileges. Feel free to follow the omniauth-saml link and see a more detailed description of the configuration items. 
+
+Known Issues
+------------
+
+* Localization is not a thing with this plugin. All error messages and changes made to interface are in English only.
+* Somewhat specific: This plugin was made to fit the needs of Studentmediene i Trondheim AS. Some details of its operation may not be suitable for others.

data/Rakefile

@@ -0,0 +1,34 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ConcertoSamlAuth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../test/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task default: :test

data/app/assets/javascripts/concerto_saml_auth/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/app/assets/stylesheets/concerto_saml_auth/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/concerto_saml_auth/application_controller.rb

@@ -0,0 +1,190 @@
+module ConcertoSamlAuth
+  class ApplicationController < ::ApplicationController
+
+    # Used to map a user id with a corresponding authentication provider in the
+    #   database (in this case it's SAML)
+    require 'concerto_identity'
+
+    # Find or create a new user based on values returned by the SAML callback
+    def find_from_omniauth(saml_hash)
+      # Get configuration options for customized SAML return value identifiers
+      omniauth_config = ConcertoSamlAuth::Engine.config.omniauth_config
+      uid = saml_hash[:uid]
+      uid = uid.downcase
+
+      # Check if an identity records exists for the user attempting to sign in
+      if identity = ConcertoIdentity::Identity.find_by_external_id(uid)
+        # Return the matching user record
+        user_existed = true
+        user = identity.user
+      else
+        # Add a new user via omniauth SAML details
+        user_existed = false
+        user = User.new
+      end
+
+      # Set user attributes
+
+      # First name is required for user validation
+      if !saml_hash[:info][:first_name].nil?
+        user.first_name = saml_hash[:info][:first_name]
+      else
+        user.first_name = uid
+      end
+
+      if !saml_hash[:info][:last_name].nil?
+        user.last_name = saml_hash[:info][:last_name]
+      end
+
+      # Email is required for user validation
+      if saml_hash[:info][:email].nil?
+        flash.notice = "No email was provided by the identity provider"
+        return nil
+      else
+        user.email = saml_hash[:info][:email]
+      end
+
+
+      # Set user password and confirmation to random tokens
+      user.password,user.password_confirmation=Devise.friendly_token
+
+      # Attempt to save our new user
+      if user.save
+        # Saved
+
+        if omniauth_config[:member_of_key].present?
+          synchronize_group_membership(user, saml_hash, omniauth_config)
+        end
+
+        if omniauth_config[:admin_groups].present?
+          synchronize_is_admin(user, omniauth_config)
+        end
+
+        user.save!
+
+        if !user_existed
+          # Create a matching identity to track our new user for future
+          #   sessions and return our new user record
+          ConcertoIdentity::Identity.create(provider: "saml",
+                                            external_id: uid,
+                                            user_id: user.id)
+        end
+
+        return {user: user, existed: user_existed}
+      else
+        # User save failed, an error occurred
+        flash.notice = "Failed to sign in with SAML.
+          #{user.errors.full_messages.to_sentence}."
+        return nil
+      end
+    end
+
+    def synchronize_group_membership(user, saml_hash, omniauth_config)
+      desired_group_names = find_user_groups(saml_hash, omniauth_config)
+      existing_group_memberships = Membership.where(user: user)
+      existing_group_names = existing_group_memberships.map do |membership|
+        membership.group.name
+      end
+      groups_to_add = desired_group_names - existing_group_names
+      groups_to_remove = existing_group_names - desired_group_names
+      add_user_to(groups_to_add, user)
+      remove_user_from(groups_to_remove, user)
+    end
+
+    def find_user_groups(saml_hash, omniauth_config)
+      member_of_key = omniauth_config[:member_of_key]
+      member_of_lines = saml_hash[:extra][:response_object].attributes.multi(member_of_key)
+      if member_of_lines.nil?
+        Rails.logger.debug "No user groups found"
+        return nil
+      end
+      # Go from array of "CN=Broadcast Engineer,OU=Commission,OU=Groups,DC=example,DC=com"
+      # to array of ["CN=Broadcast Engineer", "OU=Commission", "OU=Groups", "DC=example", "DC=com"]
+      groups_splitted = member_of_lines.map do |single_member_of_line|
+        single_member_of_line.split(",")
+      end
+      # Downcase every string
+      groups_splitted.map! do |single_splitted_group|
+        single_splitted_group.map do |group_part|
+          group_part.downcase
+        end
+      end
+      Rails.logger.debug "Interpreting the memberOf field:"
+      Rails.logger.debug groups_splitted
+      # Remove elements which are not matched by the filter
+      if !omniauth_config[:member_of_filter].blank?
+        filter = omniauth_config[:member_of_filter]
+        filter = (filter.strip).downcase
+        filter_list = filter.split(",")
+        Rails.logger.debug filter_list
+        matching_groups = groups_splitted.select do |single_splitted_group|
+          # Check if the intersection of single_splitted_group and filter_list has elements
+          # (meaning that at least one element in single_splitted_group matches one element
+          # in filter_list)
+          !(single_splitted_group & filter_list).empty?
+        end
+      else
+        matching_groups = groups_splitted
+      end
+      Rails.logger.debug matching_groups
+      # Go to array of {:cn => ["broadcast engineer"], :ou => ["commission", "groups"], :dc => ["example", "com"]}
+      group_hashes = matching_groups.map do |single_splitted_group|
+        # Create a hash which returns new Arrays for missing entries
+        resulting_group_hash = Hash.new{|h,k| h[k] = []}
+        single_splitted_group.each do |single_group_attribute|
+          key_and_value = single_group_attribute.split("=")
+          key = key_and_value.first
+          value = key_and_value.second
+          resulting_group_hash[key].push(value)
+        end
+        resulting_group_hash
+      end
+      Rails.logger.debug group_hashes
+      # Go to array of "broadcast engineer", but ensure all CNs are included
+      common_names = []
+      group_hashes.each do |single_group_hash|
+        single_group_hash["cn"].each do |group_name|
+          common_names.push(group_name)
+        end
+      end
+      Rails.logger.debug common_names
+      # Go to array of "Broadcast engineer" (normalizing names)
+      common_names.map do |single_common_name|
+        single_common_name.capitalize
+      end
+    end
+
+    def add_user_to(all_groups, user)
+      all_groups.each do |group_name|
+        group = Group.where(:name => group_name).first_or_create!
+        membership = Membership.create!(:user_id => user.id, :group_id => group.id, :level => Membership::LEVELS[:regular])
+        membership.perms[:screen] = :all
+        membership.perms[:feed] = :all
+        membership.save!
+      end
+    end
+
+    def remove_user_from(all_groups, user)
+      all_groups.each do |group_name|
+        group = Group.where(:name => group_name).first!
+        Membership.where(:user_id => user.id, :group_id => group.id).destroy
+      end
+    end
+
+    def synchronize_is_admin(user, omniauth_config)
+      admin_group_string = omniauth_config[:admin_groups]
+      admin_group_names = admin_group_string.split(",")
+      admin_group_names.map! do |group|
+        (group.strip).capitalize
+      end
+
+      user_groups = Membership.where(:user_id => user.id)
+      user_group_names = user_groups.map do |membership|
+        membership.group.name
+      end
+      should_be_admin = admin_group_names & user_group_names
+      user.is_admin = !should_be_admin.empty?
+    end
+
+  end
+end

data/app/controllers/concerto_saml_auth/omniauth_callback_controller.rb

@@ -0,0 +1,35 @@
+require_dependency "concerto_saml_auth/application_controller"
+
+module ConcertoSamlAuth
+  class OmniauthCallbackController < ApplicationController
+
+    # We will be receiving a POST request initiated by the identity provider.
+    # To check its authenticity, OneLogin SAML will check its signature.
+    # Therefore, we must skip the CSRF protection, since it interferes with
+    # normal operation (it disconnects us from the session, basically).
+    skip_before_action :verify_authenticity_token
+
+    def saml_auth
+      saml_hash = request.env["omniauth.auth"]
+      result = find_from_omniauth(saml_hash)
+
+      if !result
+        # Redirect showing flash notice with errors
+        redirect_to "/"
+      else
+        user = result[:user]
+        user_existed = result[:existed]
+        session["devise.user_attributes"] = user.attributes
+        sign_in user
+        if user_existed
+          flash[:notice] = "Signed in as #{user.first_name} #{user.last_name}"
+          redirect_to "/"
+        else
+          flash[:notice] = "Welcome to Concerto, #{user.first_name} #{user.last_name}! Have a look at the options"
+          redirect_to "/manage/users/#{user.id}/edit"
+        end
+      end
+    end
+
+  end
+end

data/app/helpers/concerto_saml_auth/application_helper.rb

@@ -0,0 +1,4 @@
+module ConcertoSamlAuth
+  module ApplicationHelper
+  end
+end

data/app/views/concerto_saml_auth/omniauth_saml/_signin.html.erb

@@ -0,0 +1 @@
+<%= link_to t('.sign_in'), root_url + 'auth/saml/' %>

data/config/initializers/omniauth.rb

@@ -0,0 +1,123 @@
+require 'omniauth'
+if ActiveRecord::Base.connection.table_exists? 'concerto_configs'
+  # Concerto Configs are created if they don't exist already
+  #   these are used to initialize and configure omniauth-cas
+  # TODO: Finalize which settings are available
+  default_saml_idp_metadata = "https://example.com/auth/saml2/idp/metadata"
+  ConcertoConfig.make_concerto_config("saml_idp_metadata", default_saml_idp_metadata,
+    :value_type => "string",
+    :category => "SAML User Authentication",
+    :seq_no => 1,
+    :description =>"URL at which the Identity Provider's metadata can be found.")
+
+  ConcertoConfig.make_concerto_config("saml_issuer", "https://concerto.example.com/SAML2",
+    :value_type => "string",
+    :category => "SAML User Authentication",
+    :seq_no => 2,
+    :description => "A unique identifier used by this application to identify itself to the identity provider.")
+
+  ConcertoConfig.make_concerto_config("saml_uid_key", "uid",
+    :value_type => "string",
+    :category => "SAML User Authentication",
+    :seq_no => 3,
+    :description => "SAML field name containing user login names")
+
+  ConcertoConfig.make_concerto_config("saml_email_key", "email",
+    :value_type => "string",
+    :category => "SAML User Authentication",
+    :seq_no => 4,
+    :description => "SAML field name containing user email addresses. Leave blank if using email_suffix below")
+
+  ConcertoConfig.make_concerto_config("saml_first_name_key", "first_name",
+    :value_type => "string",
+    :category => "SAML User Authentication",
+    :seq_no => 6,
+    :description => "SAML field name containing first name")
+
+  ConcertoConfig.make_concerto_config("saml_last_name_key", "last_name",
+    :value_type => "string",
+    :category => "SAML User Authentication",
+    :seq_no => 7,
+    :description => "SAML field name containing last name")
+
+  ConcertoConfig.make_concerto_config("saml_member_of_key", "memberOf",
+    :value_type => "string",
+    :category => "SAML User Authentication",
+    :seq_no => 8,
+    :description => "SAML field name containing the memberOf attribute, as retrieved from LDAP")
+
+  ConcertoConfig.make_concerto_config("saml_member_of_filter", "OU=Access control",
+    :value_type => "string",
+    :category => "SAML User Authentication",
+    :seq_no => 9,
+    :description => "Filter determining which groups are made in Concerto. At least one of the assertions provided here, separated by comma, must match a memberOf field for it to be included.")
+
+  ConcertoConfig.make_concerto_config("saml_admin_groups", "administrator group",
+    :value_type => "string",
+    :category => "SAML User Authentication",
+    :seq_no => 10,
+    :description => "Common name of groups, separated by comma, whose members should be granted administrator permission in Concerto")
+
+  # Store omniauth config values from main application's ConcertoConfig
+  saml_idp_metadata = ConcertoConfig[:saml_idp_metadata]
+  if saml_idp_metadata.present? && saml_idp_metadata != default_saml_idp_metadata
+
+    idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
+    begin
+      omniauth_config = idp_metadata_parser.parse_remote_to_hash(saml_idp_metadata)
+    rescue
+      Rails.logger.error "Failed to fetch or parse IDP metadata. Error message: #{$!}"
+      omniauth_config = {}
+    end
+  else
+    omniauth_config = {}
+    Rails.logger.warn "No URL (or default URL) defined for IDP metadata, SAML authentication will not be working."
+  end
+
+  request_attributes = []
+  if ConcertoConfig[:saml_email_key].present?
+    request_attributes.push({:name => ConcertoConfig[:saml_email_key], :friendly_name => "Email", :is_required => true})
+  end
+  if ConcertoConfig[:saml_first_name_key].present?
+    request_attributes.push({:name => ConcertoConfig[:saml_first_name_key], :friendly_name => "First Name", :is_required => true})
+  end
+  if ConcertoConfig[:saml_last_name_key].present?
+    request_attributes.push({:name => ConcertoConfig[:saml_last_name_key], :friendly_name => "Last Name", :is_required => true})
+  end
+  if ConcertoConfig[:saml_member_of_key].present?
+    request_attributes.push({:name => ConcertoConfig[:saml_member_of_key], :friendly_name => "Member Of", :is_required => true})
+  end
+
+  request_attributes.map! do |attr|
+    attr[:name_format] = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
+    attr
+  end
+
+  omniauth_config.merge!(
+    :issuer => ConcertoConfig[:saml_issuer],
+    :uid_attribute => ConcertoConfig[:saml_uid_key],
+    :attribute_statements => {
+        :email => [ConcertoConfig[:saml_email_key]],
+        :first_name => [ConcertoConfig[:saml_first_name_key]],
+        :last_name => [ConcertoConfig[:saml_last_name_key]],
+    },
+    :request_attributes => request_attributes,
+    :member_of_key => ConcertoConfig[:saml_member_of_key],
+    :member_of_filter => ConcertoConfig[:saml_member_of_filter],
+    :admin_groups => ConcertoConfig[:saml_admin_groups],
+    # :callback_url => "/auth/saml/callback"
+  )
+
+  Rails.logger.debug omniauth_config
+
+  # configure omniauth-cas gem based on specified yml configs
+  Rails.application.config.middleware.use OmniAuth::Builder do
+    provider :saml, omniauth_config
+  end
+
+  # save omniauth configuration for later use in application
+  #  to reference any unique identifiers for extra CAS options
+  ConcertoSamlAuth::Engine.configure do
+     config.omniauth_config = omniauth_config
+  end
+end

data/config/routes.rb

@@ -0,0 +1,3 @@
+Concerto::Application.routes.draw do
+  post "/auth/saml/callback", :to => "concerto_saml_auth/omniauth_callback#saml_auth"
+end

data/lib/concerto_saml_auth/engine.rb

@@ -0,0 +1,31 @@
+module ConcertoSamlAuth
+
+  require 'omniauth'
+  require 'omniauth-saml'
+  require 'concerto_identity'
+
+  class Engine < ::Rails::Engine
+    isolate_namespace ConcertoSamlAuth
+    engine_name 'concerto_saml_auth'
+
+    # Define plugin information for the Concerto application to read.
+    # Do not modify @plugin_info outside of this static configuration block.
+    def plugin_info(plugin_info_class)
+      @plugin_info ||= plugin_info_class.new do
+
+        # Add our concerto_saml_auth route to the main application
+        add_route("concerto_saml_auth", ConcertoSamlAuth::Engine)
+
+        # View hook to override Devise sign in links in the main application
+        add_view_hook "ApplicationController", :signin_hook,
+          :partial => "concerto_saml_auth/omniauth_saml/signin"
+
+        # Controller hook to supply a redirect route (example: non public Concerto instances)
+        add_controller_hook "ApplicationController", :auth_plugin, :before do
+          @auth_url = "/auth/saml"
+        end
+      end
+    end
+
+  end
+end

data/lib/concerto_saml_auth/version.rb

@@ -0,0 +1,3 @@
+module ConcertoSamlAuth
+  VERSION = "0.1.0"
+end

data/lib/concerto_saml_auth.rb

@@ -0,0 +1,4 @@
+require "concerto_saml_auth/engine"
+
+module ConcertoSamlAuth
+end

data/lib/tasks/concerto_saml_auth_tasks.rake

@@ -0,0 +1,18 @@
+namespace :concerto_saml_auth do
+  desc "Creates identities from existing user emails"
+  task :identity_from_email => :environment do
+    User.all.each do |u|
+      identity = ConcertoIdentity::Identity.new(
+        user_id: u.id,
+        external_id: u.email[/[^@]+/],
+        provider: "saml"
+      )
+
+      if identity.save
+        puts "Created Identity: #{identity.external_id} -> #{identity.user_id}"
+      else
+        puts "Error creating Identity for User #{identity.user_id}"
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,103 @@
+--- !ruby/object:Gem::Specification
+name: concerto_saml_auth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Gabe Perez
+- Thorben Dahl
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-07-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-saml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: concerto_identity
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Authorize Concerto users with SAML
+email:
+- perez283@gmail.com
+- thorben@thorbendahl.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- Rakefile
+- app/assets/javascripts/concerto_saml_auth/application.js
+- app/assets/stylesheets/concerto_saml_auth/application.css
+- app/controllers/concerto_saml_auth/application_controller.rb
+- app/controllers/concerto_saml_auth/omniauth_callback_controller.rb
+- app/helpers/concerto_saml_auth/application_helper.rb
+- app/views/concerto_saml_auth/omniauth_saml/_signin.html.erb
+- config/initializers/omniauth.rb
+- config/routes.rb
+- lib/concerto_saml_auth.rb
+- lib/concerto_saml_auth/engine.rb
+- lib/concerto_saml_auth/version.rb
+- lib/tasks/concerto_saml_auth_tasks.rake
+homepage: http://www.concerto-signage.org
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2
+signing_key: 
+specification_version: 4
+summary: Provides user authentication using SAML
+test_files: []