Parameter: DEBUG_OIDC_LOGIN_REDIRECT
Short description: Enables tracing specifically for the auto-redirect logic for OIDC web login, i.e. whether a request for the old URL /names.nsf?OIDCLogin is redirected to the new endpoint /auth/protocol/oidc (controlled by OIDC_LOGIN_ENABLE_REDIRECT). Companion to DEBUG_OIDCLogin. Default: disabled (0).
Profile
Parameter | DEBUG_OIDC_LOGIN_REDIRECT |
Category | Logging / Debug (OIDC / web SSO) |
Component | Server (HTTP task) |
Available since | 14.0 |
Supported versions | 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = redirect tracing disabled (default) 1 = redirect tracing enabled |
Description
With Domino 14.0, the OIDC login endpoint was changed from /names.nsf?OIDCLogin to the new, more RFC-aligned path /auth/protocol/oidc. So that existing bookmarks, mail links, and redirect URIs configured on the IdP side do not break, Domino can automatically redirect from the old to the new URL, controlled by OIDC_LOGIN_ENABLE_REDIRECT (default: enabled).
The redirect decision is conditional: it only happens when the requested Internet Site is enabled for web login with OIDC. On a server serving multiple Internet Sites with different auth methods (password, passkey, OIDC) in parallel, the logic must precisely identify which site entry is responsible and whether the redirect applies.
DEBUG_OIDC_LOGIN_REDIRECT=1 writes every redirect decision in detail to the server console:
- Incoming URL and host header
- Detected Internet Site and its auth configuration
- Result: redirect, pass-through, or error
- Target URL on redirect
Use cases:
- Login attempts with old bookmarks (/names.nsf?OIDCLogin) lead to 404 or to the wrong site: tracing reveals whether site detection is failing.
- Multiple sites with OIDC + password mixed: tracing shows which site was chosen for each request.
- Verify that OIDC_LOGIN_ENABLE_REDIRECT=0 actually takes effect when a custom reverse proxy should handle the redirect itself.
For complete OIDC tracing (id_token validation, claims mapping, cookie setting), DEBUG_OIDCLogin=4 is additionally needed; this parameter (DEBUG_OIDC_LOGIN_REDIRECT) covers only the redirect step.
Example configuration
DEBUG_OIDC_LOGIN_REDIRECT=1
Combined with full verbose:
DEBUG_OIDCLogin=4
DEBUG_OIDC_LOGIN_REDIRECT=1
Disable after diagnostics:
set config DEBUG_OIDC_LOGIN_REDIRECT=0
Notes & pitfalls
- Very low-noise — this parameter logs only the redirect decisions, not the entire OIDC flow. Therefore safe to use temporarily even in production.
- For token and claim issues, additionally enable DEBUG_OIDCLogin=2 (or higher).
- Change takes effect immediately via set config DEBUG_OIDC_LOGIN_REDIRECT=… (no HTTP restart needed).
- Tracing appears both on the live console and in console.log (Domino data directory).
- Prerequisite: HTTP Bearer Authentication and web login with OIDC are enabled in the relevant Internet Site document.
- Works only on Windows and Linux servers.
- If OIDC_LOGIN_ENABLE_REDIRECT=0 is set together with DEBUG_OIDC_LOGIN_REDIRECT=1, the tracing only shows "Redirect disabled" entries: pass-through behavior of the old URL is observable, but no actual redirect happens.
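A check for the "Disable after diagnostics" step and the last pitfall above, as an added example (written for this page, not HCL's code): it reads notes.ini text and reports OIDC debug settings that are still enabled. Case-insensitive key matching and using the last occurrence of a duplicated key are assumptions of the script, and the sample files are constructed.

```python
# Added example: audit notes.ini text for the OIDC settings named on this page.
# Assumptions of this script: keys match case-insensitively, and when a key
# appears twice the last value is used (the duplicate is reported as well).

def parse_ini(text):
    """Collect KEY=value lines as {UPPERCASE_KEY: [values in file order]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip().upper(), []).append(value.strip())
    return settings

def audit(text):
    """Return (code, message) findings for the OIDC redirect/debug settings."""
    s = parse_ini(text)
    findings = []
    for key, values in s.items():
        if "OIDC" in key and len(set(values)) > 1:
            findings.append(("DUPLICATE", f"{key} has conflicting values {values}"))
    # Absent keys fall back to the defaults stated on the page.
    trace = s.get("DEBUG_OIDC_LOGIN_REDIRECT", ["0"])[-1]
    redirect = s.get("OIDC_LOGIN_ENABLE_REDIRECT", ["1"])[-1]
    verbose = s.get("DEBUG_OIDCLOGIN", [""])[-1]
    if trace not in ("0", "1"):
        findings.append(("BAD_VALUE",
            f"DEBUG_OIDC_LOGIN_REDIRECT={trace}: documented values are 0 and 1"))
    if trace == "1":
        findings.append(("TRACE_ON",
            "redirect tracing is enabled; set it back to 0 after diagnostics"))
        if redirect == "0":
            findings.append(("TRACE_NO_REDIRECT",
                "OIDC_LOGIN_ENABLE_REDIRECT=0: trace shows only 'Redirect disabled'"))
    if verbose.isdigit() and int(verbose) > 0:
        findings.append(("VERBOSE_ON",
            f"DEBUG_OIDCLogin={verbose}: OIDC login tracing is still enabled"))
    return findings

# Constructed sample files, not taken from a real server.
LEFT_ON = ("[Notes]\nDEBUG_OIDCLogin=4\nDEBUG_OIDC_LOGIN_REDIRECT=1\n"
           "OIDC_LOGIN_ENABLE_REDIRECT=0\n")
CLEAN = "[Notes]\nDEBUG_OIDC_LOGIN_REDIRECT=0\n"

if __name__ == "__main__":
    for name, sample in (("LEFT_ON", LEFT_ON), ("CLEAN", CLEAN)):
        print(name, [code for code, _ in audit(sample)] or "no findings")
```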
Sources (HCL Product Documentation)
- HCL Domino 14.5.1 – Configuring OIDC-based SSO for web users: help.hcl-software.com/domino/14.5.1/admin/secu_config_oidc_based_sso_for_web.html