Colm, great advice. It turns out I was making a stupid configuration mistake: I had etc/cas/config instead of /etc/cas/config.
I am now getting a new warning: WARN [org.apache.cxf.sts.token.validator.SAMLTokenValidator] - <> org.apache.wss4j.common.ext.WSSecurityException: No message with ID "certpath" found in resource bundle "org/apache/xml/security/resource/xmlsecurity". Original Exception was a java.security.cert.CertPathValidatorException and message signature check failed at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:933) ~[wss4j-ws-security-common-2.1.7.jar:2.1.7] ... Caused by: java.security.cert.CertPathValidatorException: signature check failed at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[?:1.8.0_144] at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:223) ~[?:1.8.0_144] at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:1.8.0_144] -- Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html