
profile::idp::client::httpd should be absent-able
Open, Low, Public

Description

The class profile::idp::client::httpd currently does not have an $ensure class parameter.

So it can add Apache config (load the auth_cas module, configure it, install the libapache2-mod-auth-cas package and create Apache sites), but it cannot remove them.

If you run into a situation where you want to remove an existing site that uses IDP from a server (like right now removing racktables from miscweb* servers) and you stop including this profile in your role, your Apache service can break because

/etc/apache2/mods-enabled/auth_cas.conf and /etc/apache2/mods-enabled/auth_cas.load are still links to mods-available

but the site setting variables for it are removed, leading to:

MOD_AUTH_CAS: CASLoginURL or CASValidateURL not defined

and then a failed Apache service.

Also the libapache2-mod-auth-cas package won't be removed this way.

So in an ideal world the profile::idp::client::httpd should be entirely absentable and remove the module config and the package cleanly.

Then on the other hand I am not sure how likely this will happen again and it's not hard to do manually... as long as you expect it to happen and are not surprised by it.
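A check for the half-removed state described in this task, as an added example that is not part of the task or of the Puppet repository: it reports whether auth_cas is still enabled while no enabled config defines CASLoginURL and CASValidateURL. The function names are hypothetical, and the Debian Apache layout (mods-enabled, conf-enabled, sites-enabled under /etc/apache2) is assumed.

```shell
#!/bin/sh
# Added example: detect a leftover mod_auth_cas that would fail Apache startup
# with "MOD_AUTH_CAS: CASLoginURL or CASValidateURL not defined".
# Assumption: Debian layout, where apache2.conf includes mods-enabled/*.conf,
# conf-enabled/*.conf and sites-enabled/*.conf. Other Include paths are not followed.

# Return 0 if directive $2 is set (not commented out) in an enabled config under $1.
cas_directive_set() {
    root=$1
    directive=$2
    for f in "$root"/mods-enabled/*.conf \
             "$root"/conf-enabled/*.conf \
             "$root"/sites-enabled/*.conf; do
        # Skip unmatched globs and dangling symlinks.
        [ -f "$f" ] || continue
        # Apache directive names are case-insensitive; require a value after the name.
        if grep -Eiq "^[[:space:]]*${directive}[[:space:]]+[^[:space:]]" "$f"; then
            return 0
        fi
    done
    return 1
}

# Print the state of the Apache config tree at $1 (default /etc/apache2):
#   absent - auth_cas is not enabled, nothing to clean up
#   ok     - auth_cas is enabled and both required URLs are defined
#   broken - auth_cas is enabled but a required URL is missing
cas_state() {
    root=${1:-/etc/apache2}
    load="$root/mods-enabled/auth_cas.load"
    # -e follows the symlink; -L also catches a link whose target is gone.
    if [ ! -e "$load" ] && [ ! -L "$load" ]; then
        echo absent
        return 0
    fi
    if cas_directive_set "$root" CASLoginURL &&
       cas_directive_set "$root" CASValidateURL; then
        echo ok
    else
        echo broken
    fi
}

# Usage: cas_state /etc/apache2
```

Running it before and after dropping the profile from a role shows whether the module links and package still need the manual cleanup the task mentions.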