...
We consider the future of CAS to include support for SAML. To ensure this, the AuthenticationResult object needs to represent must be capable of representing all information which might be needed for SAML assertions about authentication such as time and context.
...
- In CAS 2 a service can request "renew=true" as part of the redirect to CAS and can ensure that in the process of acquiring a valid ticket the user was required to supply primary credentials.
- In CAS 3 the renew function can be greatly expanded to allow the a more general function allows the target service to request a type of authentication. For example imagine an aplication which only trusts user with client certificates not just those who know their password. In CAS3 the service would have the means through redirect and validate to ensure that its service ticket is derived from an authentication which included a valid client certificate. The AuthenticationResponse would indicate that the authentication context was derived from a client certificate. SAML schemas specify data model for doing this.