by blasdel
5626 days ago
CAS is definitely somewhat less of a clusterfuck than OpenID, and actually gets the SSO cookie-handling part right. But it's still a pile of redirects where the net result is that you can tie a user to their identifier and nothing more — it's mostly useless without implementing it paired with an LDAP/AD backend to get group membership and whatnot. Just not storing a password field in your backend does nothing — you really have to get rid of the per-app account models entirely. WebFinger is a nice step along these lines, but it layers on top of OpenID and even then still doesn't provide the complete picture.