A few years ago when I was working for a university and we were rolling out CAS authentication for our apps. I headed to the internet to read up on anything I could find about CAS. Unfortunately, what I did find was a jumbled and overly complex mess of documentation. So, for the sake of those who will come after me, I'm going to do my best to explain, in as simple terms as possible, how CAS client authentication works. I'm assuming you have at least a basic understanding of HTTP requests, responses and cookies.