All the systems needs to have a login link, where the users can enter their credentials
The systems needs to call on every single request an authentication url, which will return true or false indicating that the user has been authenticated
The CAS needs to do the session idle timeout. As soon as the request is answered the idle timeout is refreshed
The logout URL logs the user out of all the systems.
The CAS shall send a cookie with a ticket for authentication, and then all systems must send this ticket back to CAS. The purpose of the cookie is automatic re authentication. This cookie must not be a persistent cookie, i.e. it expires as soon as the user closes the browser. Also called in-memory cookie
It is with help of this cookie that CAS will achieve single sign on across multiple applications without prompting the user to enter the log in details again and again. Without the cookie the user enters the username and password again and again, whenever he is redirected to CAS.
The cookie expire time is reset whenever it is send back to the server. And hence the session is maintained for 20 minutes or so. As soon as the cookie is expired the session is timed out. This will take care of the inactivity timeouts.
When CAS receives the authentication ticket through the validation URL, it checks to see in its internal database if it issued this ticket in the past.