Palantir is unavailable?


atilling

Aug 18, 2025, 10:38:59 PM
to CAS Community
Trying to use Palantir in CAS 7.2.5 and getting an error
Palantir is unavailable!
Palantir requires a number of actuator endpoints to be enabled and exposed, and your CAS deployment fails to do so.

There is no indication what endpoints aren't enabled.
In cas.properties I have the following properties and spring user settings:
management.endpoints.web.exposure.include=*
management.endpoint.health.show-details=always

cas.monitor.endpoints.endpoint.defaults.access=AUTHENTICATED

cas.monitor.endpoints.endpoint.samlIdPRegisteredServiceMetadataCache.access=AUTHENTICATED



Ray Bon

Aug 19, 2025, 12:00:54 PM
to cas-...@apereo.org
Start with these settings:
management.endpoints.web.exposure.include=*
management.endpoints.access.default=UNRESTRICTED
cas.monitor.endpoints.endpoint.defaults.access=PERMIT

These settings will allow you to access actuator endpoints (list below). Then verify that palantir is working as expected. Then change to cas.monitor.endpoints.endpoint.defaults.access=AUTHENTICATED

I tried using a list of endpoints, but after adding in more than half, palantir still was not working; and since there was no guarantee that the list below was complete, I went with '*'.

For our use case, palantir will be used for service management. We have other systems in place for monitoring performance etc.
We have one server with restricted access for palantir, kept separate from our authentication servers. On authentication servers, only health endpoint available.

Ray

Here is a list of endpoints I extracted from actuator/mappings (this actuator will show all of cas endpoints based on config - I think):

#attributeDefinitions
#auditevents
#auditLog
#authenticationHandlers
#authenticationPolicies
#beans
#caches
#casConfig
#casFeatures
#casModules
#casValidate
#conditions
#configprops
#duoAccountStatus
#duoAdmin
#duoPing
#env
#events
#features
#health
#heapdump
#httpexchanges
#info
#integrationgraph
#jwtTicketSigningPublicKey
#loggers
#loggingConfig
#mappings
#metrics
#mfaDevices
#multitenancy
#oauthTokens
#oidcJwks
#passwordManagement
#personDirectory
#quartz
#refresh
#registeredServices
#releaseAttributes
#resolveAttributes
#samlIdPRegisteredServiceMetadataCache
#samlPostProfileResponse
#samlValidate
#sbom
#scheduledtasks
#serviceAccess
#springWebflow
#sso
#ssoSessions
#statistics
#threaddump
#throttles
#ticketExpirationPolicies
#ticketRegistry



From: 'atilling' via CAS Community <cas-...@apereo.org>
Sent: August 18, 2025 09:10
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] Palantir is unavailable?
 

Andrew Tillinghast

Aug 19, 2025, 3:25:04 PM
to cas-...@apereo.org
Thank you, that made progress. We're able to open Palantir and view/edit services but we can't get to any of the other tabs. Clicking them and nothing happens. The only error in the logs appears to be related to the first tab attempting to load OIDC services, which we don't have enabled.



--

Andrew Tillinghast
Sr. Tech Lead Identity and Access Management 
270 Mohegan Avenue
New London, CT 06320-4196

Jonathon Taylor

Aug 19, 2025, 10:20:21 PM
to cas-...@apereo.org
Hi Andrew,

It's working for us using similar settings to Ray's.  Here's ours for comparison:

spring.security.user.name=admin
spring.security.user.password=***********
spring.security.user.roles=admin

cas.monitor.endpoints.endpoint.defaults.access[0]=AUTHENTICATED
management.endpoints.web.exposure.include=*
management.endpoints.access.default=unrestricted
CasFeatureModule.AccountManagement.enabled=true

We also keep our CAS management system separate and only allow the health endpoint on our user-facing nodes.



--
Jonathon Taylor (he/him)
Information Security Office
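
As an added example (not part of any poster's message and not CAS project code), the Python script below audits a cas.properties text against the settings compared in this thread: it flags anonymous actuator access, a user-facing node exposing more than health, and a management node missing the wildcard exposure or access default that the working Palantir setups above had. The role labels, finding codes and sample inputs are constructed for illustration.

```python
EXPOSE = "management.endpoints.web.exposure.include"
SPRING_ACCESS = "management.endpoints.access.default"
CAS_ACCESS = "cas.monitor.endpoints.endpoint.defaults.access"

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Treat indexed keys such as access[0] like the plain key.
            props[key.strip().split("[")[0]] = value.strip()
    return props

def audit(text, role):
    """Return finding codes; role is 'management' or 'user-facing' (assumed labels)."""
    props = parse_properties(text)
    exposed = {e.strip() for e in props.get(EXPOSE, "").split(",") if e.strip()}
    cas_access = props.get(CAS_ACCESS, "").upper()
    findings = []
    if cas_access == "PERMIT" and exposed:
        # Acceptable for a first check that Palantir loads, not as a resting state.
        findings.append("anonymous-actuator-access")
    if role == "user-facing" and exposed - {"health"}:
        findings.append("user-facing-exposes-more-than-health")
    if role == "management":
        # Heuristics taken from the working configs in this thread,
        # not an official list of Palantir requirements.
        if "*" not in exposed:
            findings.append("palantir-may-be-unavailable:partial-exposure")
        if props.get(SPRING_ACCESS, "").lower() != "unrestricted":
            findings.append("palantir-may-be-unavailable:access-default")
    return findings

# Constructed inputs built from the property lines quoted in the thread.
FIRST_PASS = """
management.endpoints.web.exposure.include=*
management.endpoints.access.default=UNRESTRICTED
cas.monitor.endpoints.endpoint.defaults.access=PERMIT
"""
LOCKED_DOWN = FIRST_PASS.replace("=PERMIT", "[0]=AUTHENTICATED")
AUTH_NODE = "management.endpoints.web.exposure.include=health\n"

if __name__ == "__main__":
    print(audit(FIRST_PASS, "management"), audit(LOCKED_DOWN, "management"),
          audit(AUTH_NODE, "user-facing"))
```

An empty list means none of these checks fired; it does not prove the endpoints are protected at the network layer.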

Ray Bon

Aug 19, 2025, 10:20:41 PM
to cas-...@apereo.org
Andrew,

If you have any UI customizations, comment them out or remove them while setting up palantir. Our UI caused palantir to behave weird.
Check the mappings actuator and try all the GETs to be sure they are accessible.
Try adding these to build.gradle:
    implementation "org.apereo.cas:cas-server-support-metrics"
    implementation "org.apereo.cas:cas-server-core-monitor"

Ray

From: 'Andrew Tillinghast' via CAS Community <cas-...@apereo.org>
Sent: August 19, 2025 11:12
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: Re: [cas-user] Palantir is unavailable?
 

Andrew Tillinghast

Aug 20, 2025, 9:56:07 AM
to cas-...@apereo.org
Can we separate the UI for Palantir from the rest of CAS if it is a problem with our UI?

Ray Bon

Aug 20, 2025, 10:47:40 AM
to cas-...@apereo.org
You would need to separate auth and palantir so only one gets the custom ui; in other words, two war files, each with their own config.

Ray

From: 'Andrew Tillinghast' via CAS Community <cas-...@apereo.org>
Sent: August 20, 2025 06:07