A quick use case walkthrough where profiles provided by external identity providers to CAS need to be looked up by an identifier in internal databases before CAS can successfully establish an authenticated subject.
An overview of how various CAS features modules today can be changed and tested from the perspective of a CAS contributor working on the codebase itself to handle a feature request, bug fix, etc.
An overview of how a CAS overlay prepped for deployment can tap into internal components, altering logic and behavior for good and evil...but mostly evil.
An overview of the shib-cas-authn3 project and its support for the REFEDS MFA profile with both the Shibboleth Identity Provider and Apereo CAS lending a hand.
Discourse on supporting forced authentication with the Apereo CAS server from the perspective of an application protected with mod-auth-cas, the Apache httpd module for CAS.