I work for a huge company in Germany (not the one currently listed in my profile), with 300k+ eployees. We use CAS for a number of applications but our main strategy is SAML. The main reason for SAML is the "front channel" - you can reliably pass assertions via browser.
This has huge advantages in a large enterprise since very often parts of the network are firewalled so the "back channel" solutions (like CAS) don't always work.
With SAML, you could for instance use a completely external service like Salesforce with your company's SAML identity provider. Almost out of the box.
Please note that my production knowledge of CAS is ~4 years old. I might be wrong about the "back channel" for CAS, please recheck that.
Ok, few further insight related to your question update.
- We use AD as user directory too.
- Our identity provider (basically where you login) implements x-factor auth (SMS and token services).
- We use standard SAML solutions, we don't implement proprietary things.
- Sorry I did not mention it before - I'm not in finance/banking but we have apps in a very wide range of security requirements.
- I know peopla who use CAS in the financial sector. Howere, it's not the subject area that matters, it's seqcurity requirements that matter.
- I have had positive experience with Spring Security in the past, but it is not the tech of choice in the current company (more JBoss).
CAS is surely a good thing and will definitely work. However it's normally not the technology which fails it's how you use it in context. If you don't have extensive experience, in the area, get a consulting or a professional pentest. Too many things can be done "a little bit wrong" and lead to severe consequences.
I'm writing all this - and I'm even not a security professional, I'm an architect who designs these apps to fulfill (among magnitude of other things) their security requirements.