The class profile::idp::client::httpd currently does not have an $ensure class parameter.
So it can add Apache config (load the auth_cas module, configure it, install the libapache2-mod-auth-cas package and create Apache sites), but it cannot remove them.
If you run into a situation where you want to remove an existing site that uses IDP from a server (like right now removing racktables from miscweb* servers) and you stop including this profile in your role, your Apache service can break because
/etc/apache2/mods-enabled/auth_cas.conf and /etc/apache2/mods-enabled/auth_cas.load are still links to mods-available
but the site setting variables for it are removed, leading to:
MOD_AUTH_CAS: CASLoginURL or CASValidateURL not defined
and then a failed Apache service.
Also the libapache2-mod-auth-cas package won't be removed this way.
So in an ideal world the profile::idp::client::httpd should be entirely absentable and remove the module config and the package cleanly.
Then on the other hand I am not sure how likely this will happen again and it's not hard to do manually, as long as you expect it to happen and are not surprised by it.
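
A check for the leftover state described above, to run on a host after the profile has been dropped from its role and before Apache is restarted. This is an added example, not code from the Puppet repository; the function names and the set of directories searched for the directives are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: the CAS directives, when set, appear in files
# under mods-enabled/, conf-enabled/ or sites-enabled/ of the Apache root.

# Return 0 if directive $2 is set (uncommented) in enabled config under $1.
cas_directive_defined() {
    root=$1; directive=$2
    for dir in mods-enabled conf-enabled sites-enabled; do
        [ -d "$root/$dir" ] || continue
        # -R follows the symlinks that point into *-available.
        if grep -RqsiE "^[[:space:]]*${directive}[[:space:]]+[^[:space:]]" \
            "$root/$dir"; then
            return 0
        fi
    done
    return 1
}

# Print a status word for the Apache root $1 (default /etc/apache2).
# Returns 1 only for the broken state: module enabled, directives missing.
auth_cas_state() {
    root=${1:-/etc/apache2}
    if [ ! -e "$root/mods-enabled/auth_cas.load" ]; then
        echo "module-not-enabled"
        return 0
    fi
    missing=""
    for d in CASLoginURL CASValidateURL; do
        cas_directive_defined "$root" "$d" || missing="$missing $d"
    done
    if [ -n "$missing" ]; then
        echo "orphaned:$missing"
        return 1
    fi
    echo "configured"
}
```

Calling auth_cas_state with no argument inspects /etc/apache2; an "orphaned" result means the mods-enabled links need to be removed before the next Apache restart.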