SSO Strategy
Posted in Ruby Projects at 05:00PM on 04/30/2009

We're starting to put some real effort into combining our separate systems under a central authentication system, and I have a lot of random thoughts.

1. Rubycas server code is readable and very easy to understand. I had issues with gems and conflicts, though, and ended up spending a bunch of time upgrading to RubyEE, fixing paths, reinstalling gems, and then upgrading Passenger.  Once I had everything back to normal, I installed rubycas-server 0.7.1 with picnic 0.7.0.  No other combination would work for me on either Leopard or Debian.

2. Unless I'm doing something stupid, it looks like there's a bug in either the way rubycas-server picks up the referring URL/Protocol or in the way rubycas-client is sending it.  I need to dig in a little more, but under Merb I kept getting a camping error complaining about the url.  The simple temporary fix while I look into things was to edit merb/filter.rb and edit this line in read_service_url:

service_url = request.protocol + '://' + request.host / controller.url(params.to_hash.symbolize_keys!)

3. Getting single sign-out working looks tricky, but I'm going to spend a little time on it and see what happens.  It looks like there are several options that look reasonable.

4. It's not good to authenticate every request against the CAS server, especially when you think about things like handling uploads and Ajax actions. I made a quick modification to filter.rb to add a 'force_cas_check' method that I use on specific actions that I definitely want checked.  For example... I'll use the regular cas_filter on 99% of my actions, but on the primary landing pages or on the first steps of certain processes, I'm going to use this force_cas_check method to make sure they haven't logged out somewhere.

5. OAuth looks like a good option to allow API requests across my apps, but I haven't tried anything with it yet.
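As an added example (not code from rubycas-client, rubycas-server, or the filter.rb change described above), here is a self-contained Ruby sketch of the ideas in items 3 and 4: an ordinary filter that trusts the local session once it holds a user, a forced check that ignores the cached user and requires a fresh service ticket (which the CAS server only hands out while the user's SSO session still exists), and the single sign-out callback that lets the CAS server destroy the session it opened. The FakeCasServer class, the CasClient class, the cas.example.com and app.example.com URLs, and the demo flow are all assumptions made up for illustration; the only real CAS detail is the shape of the logoutRequest message, which names the original service ticket in a SessionIndex element.

```ruby
# Added example, not rubycas-client's own code. Models a CAS service filter
# with an ordinary (session-trusting) path, a forced re-check path, and a
# single sign-out handler. All names and URLs below are assumptions.
require 'uri'

# Constructed stand-in for the CAS server. A real client would call the
# server's /serviceValidate endpoint over HTTPS; here it is a hash lookup.
class FakeCasServer
  def initialize
    @tickets = {} # service ticket => user (single-use)
    @sso = {}     # user => true while the user has a CAS SSO session
    @issued = 0
  end

  # The user authenticates at CAS: an SSO session is created and a
  # single-use service ticket is issued to send back to the application.
  def login(user)
    @sso[user] = true
    @issued += 1
    ticket = "ST-#{@issued}-#{user}"
    @tickets[ticket] = user
    ticket
  end

  # The application bounces the browser back to /login?service=... . With
  # a live SSO session CAS issues another ticket without prompting; without
  # one it would show the login page, modelled here as nil.
  def revisit(user)
    @sso[user] ? login(user) : nil
  end

  # Service tickets are single-use: validating one consumes it.
  def validate(ticket)
    @tickets.delete(ticket)
  end

  # Central logout: drop the SSO session and produce the single sign-out
  # message CAS POSTs to each service that received a ticket.
  def logout(user, ticket)
    @sso.delete(user)
    <<~XML
      <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1" Version="2.0" IssueInstant="2009-04-30T17:00:00Z">
        <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
        <samlp:SessionIndex>#{ticket}</samlp:SessionIndex>
      </samlp:LogoutRequest>
    XML
  end
end

class CasClient
  CAS_LOGIN_URL = 'https://cas.example.com/login' # assumed

  def initialize(server)
    @server = server
    @sessions_by_ticket = {} # ticket that opened a session => that session
  end

  # Ordinary filter: once the session has a user, the CAS server is not
  # contacted again, so uploads and Ajax actions just proceed.
  def cas_filter(session, params, service_url)
    return :allow if session[:cas_user]
    consume_ticket(session, params, service_url)
  end

  # Forced check for landing pages and first steps of sensitive flows: the
  # cached user is ignored and a fresh ticket is required, which CAS only
  # issues while the SSO session still exists.
  def force_cas_check(session, params, service_url)
    consume_ticket(session, params, service_url)
  end

  # Single sign-out callback: destroy the session opened by the named
  # ticket. Returns true if a session was ended.
  def single_sign_out(logout_request_xml)
    ticket = logout_request_xml[%r{<samlp:SessionIndex>([^<]+)</samlp:SessionIndex>}, 1]
    session = @sessions_by_ticket.delete(ticket)
    return false unless session
    session.clear
    true
  end

  private

  def consume_ticket(session, params, service_url)
    ticket = params[:ticket]
    user = ticket && @server.validate(ticket)
    if user
      session[:cas_user] = user
      @sessions_by_ticket[ticket] = session
      :allow
    else
      session.delete(:cas_user) # never keep a user the server would not vouch for
      [:redirect, "#{CAS_LOGIN_URL}?service=#{URI.encode_www_form_component(service_url)}"]
    end
  end
end

# Walks one user through login, a trusted Ajax request, a forced re-check,
# central logout and the request after it; returns the outcome of each step.
def demo
  server, session, results = FakeCasServer.new, {}, []
  client = CasClient.new(server)
  service = 'https://app.example.com/dashboard' # assumed service URL
  results << client.cas_filter(session, {}, service).first        # no ticket: redirect
  results << client.cas_filter(session, { ticket: server.login('alice') }, service)
  results << client.cas_filter(session, {}, service)              # trusted from session
  results << client.force_cas_check(session, {}, service).first   # forced: back to CAS
  fresh = server.revisit('alice')                                 # SSO alive: new ticket
  results << client.force_cas_check(session, { ticket: fresh }, service)
  results << client.single_sign_out(server.logout('alice', fresh))
  results << session.empty?
  results << client.cas_filter(session, {}, service).first        # session gone: redirect
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The session is keyed by the service ticket that opened it precisely because the logoutRequest only carries that ticket, so a client that does not record the mapping at validation time cannot honour single sign-out later.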
