There's the 'single sign on' of old ... lan/wan based an began with the workstation 'logging onto the network'.
Then there is the 'single sign on' of new ... internet ... TCP/IP based which, IMHO, is somewhat a mis-nomer, but I guess it's a matter of prior experience/age.
* Is it possible to avoid showing the /cas/login page and to just login into the CAS while on Moodle?
How does either server (cas authentication) or the Moodle know a user has authenticated via CAS?
Now I don't use CAS ... so maybe I shouldn't have responded at all .. but do work with servers that use remote authentications ... LDAP, Oauth2, SAML2 to list them. While they are not CAS, their behaviors are similar in that the Moodle has to communicate with the authenticating server ... AND ... if the data mappings are not correct, one will get different results ... your issues/errors could be coming from the network layer in a login/authentication sequence or attempt. Networking is involved in remote authentication ... period.
Moodle does have a sessions time out that is independent of whatever method one has set to communicate. If the authenticating server is not checked from time to time to see if that user is still authenticated *and* let's Moodle know the users is still authenticated, Moodle session will time out and user will get a notice ... session has timed out.
Work with an entity that uses SAML2. The entire process must be initiated on the SAML2 server OR *begun* from the Moodle. But, the SAML2 plugin, polls back to SAML2 to update the sessions information ... all day long ... all night long ... IF the user is into Moodle once that day.
Does CAS work that way?
* Some valid users on CAS (login works) give an "Invalid Login" message on Moodle? Shouldn't Moodle automatically make a new profile if you successfully login on CAS? That's what it does with some valid users, but then it does nothing with other valid users. I don't get it.
Would hope that whatever one uses to authenticate, a user gets a single account ... one user ID number in the mdl_user table. That ID number actually shown in the URL to editing a profile ties that users enrollments in courses and all their activity with a Moodle. A user that ends up with or more accounts isn't a good thing.
Won't try your number three here ...
Suggestion for you though ...
1. Use something to look at your mdl_user table ... to see what's going on there.
2. turn on debugging ... all the way to developer ... let's see if that will give you some more information about what is going on and why things are behaving the way they are.
No Vulcan Mind Meld is possible in these forums.
Come to think of it ... I shouldn't have responded at all ... but do #1 and #2 suggestions above as an 'Authentications Expert' will hopefully come along and see this thread to 'talk tech' with ya!
Outta here ...
'spirit of sharing', Ken