Parameter:
DEBUG_SSO_TRACE_LEVELShort description: Trace level for diagnosing LTPA/SSO token decoding and validation in the HTTP stack.
Profile
Parameter | DEBUG_SSO_TRACE_LEVEL |
Category | Logging / Debug |
Component | Server |
Available since | 9.0.1 |
Supported versions | 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = off, 1 = basic trace, 2 = verbose (incl. token contents) |
Description
Verify spelling. No direct HCL KB confirmation exists for this exact switch name with values 0..2. In the SAML/SSO context,
WEBAUTH_VERBOSE_TRACE=1 is the better-documented switch (see xpagedeveloper.com 'Debugging SAML setups'). Verify spelling and value range with HCL Support or KB0086631 before production use.DEBUG_SSO_TRACE_LEVEL enables debug output around web SSO using LTPA tokens (LtpaToken / LtpaToken2). Logged items include reading the token from the cookie, decryption with the configured SSO key, validation of the realm and expiration, and the resolution of the contained user against the Domino Directory. Very helpful for "SSO failed" / "Cannot decrypt LTPA token" errors in heterogeneous Domino/WebSphere environments.Example configuration
DEBUG_SSO_TRACE_LEVEL=1
Notes & pitfalls
- At level
2, the token contents are logged – this is security-sensitive, treat logs as confidential.
- Works only in combination with an SSO configuration document in the Domino Directory; without an SSO document the log stays empty.
- Takes effect after
restart task http.
- For IdP-based SSO (SAML), additionally enable
DEBUG_SAML.