Parameter: DEBUG_OIDC_VAULT
Short description: Enables debug output for OIDC authentication against the ID Vault – e.g. for Notes Federated Login with Azure AD/Entra ID or Keycloak.
Profile
Parameter | DEBUG_OIDC_VAULT |
Category | Logging / Debug |
Component | Server |
Available since | 12.0.2 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = off (default) to 5 = maximum trace |
Description
Notes Federated Login (NFL) lets Notes clients authenticate via OIDC/OAuth against an external Identity Provider and, on that basis, obtain their Notes ID from the ID Vault.
DEBUG_OIDC_VAULT writes detailed trace output for exactly this flow – OIDC discovery, token validation, JWKS lookups, mapping IdP subject → Notes user, vault request, and return of the ID file. Ideal for troubleshooting cases such as: NFL login throws an error, token is rejected, user receives wrong/no ID from vault, audience/issuer mismatch, vault returns HTTP error to the OIDC module.
Example configuration
DEBUG_OIDC_VAULT=3
Debug_Outfile=/local/notesdata/IBM_TECHNICAL_SUPPORT/oidc_vault_debug.log
Notes & pitfalls
- High levels (4, 5) can log tokens – enable only temporarily.
- Takes effect immediately via set config DEBUG_OIDC_VAULT=...; a restart is not strictly required.
- Entries appear in console.log and in Debug_Outfile.
- Complementary to DEBUG_OIDC, DEBUG_OIDCLOGIN, the IdP catalog document, and the ID Vault configuration.
- Enable on both the ID Vault server and the login server when both sides need to be investigated.
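Because levels 4 and 5 can log tokens, a debug file should be scrubbed before it leaves the server, and notes.ini checked for a level that was left high. The following is an added example, not part of the original page or of the product: it redacts JWT-shaped strings from log lines and flags DEBUG_OIDC_VAULT set to 4 or 5. The function names are hypothetical and the sample log lines are constructed, not real Domino trace output.

```python
import base64, json, re

# JWS compact form: three base64url segments; a JSON-object header always
# encodes to a segment starting with "eyJ" (base64url of '{"').
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url_json(segment):
    """Decode a base64url segment to a dict, or None if it is not a JSON object."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        value = json.loads(base64.urlsafe_b64decode(padded))
        return value if isinstance(value, dict) else None
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None

def redact_tokens(line):
    """Replace JWTs in one log line; return (redacted_line, tokens_found)."""
    count = 0
    def _sub(match):
        nonlocal count
        header = _b64url_json(match.group(0).split(".")[0])
        if header is None or "alg" not in header:
            return match.group(0)  # similar shape, but not a JWT header
        count += 1
        return "[REDACTED-JWT alg=%s]" % header["alg"]
    return JWT_RE.sub(_sub, line), count

def risky_debug_level(notes_ini_text):
    """Return the DEBUG_OIDC_VAULT level if it is 4 or 5, else None."""
    for raw in notes_ini_text.splitlines():
        key, _, value = raw.partition("=")
        if key.strip().upper() == "DEBUG_OIDC_VAULT" and value.strip().isdigit():
            level = int(value.strip())
            return level if level >= 4 else None
    return None

def _enc(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample input (assumed layout): one line with a token, one without.
SAMPLE_TOKEN = ".".join([_enc({"alg": "RS256", "typ": "JWT"}),
                         _enc({"sub": "user@example.com"}), "c2lnbmF0dXJl"])
SAMPLE_LOG = ["[constructed] received token " + SAMPLE_TOKEN,
              "[constructed] vault request completed"]

if __name__ == "__main__":
    print("risky level:", risky_debug_level("DEBUG_OIDC_VAULT=5"))
    for entry in SAMPLE_LOG:
        print(redact_tokens(entry)[0])
```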