Parameter: DEBUG_OIDCLOGIN
Short description: Enables debug output for OIDC login (web login via an external IdP) on the Domino web server. Higher values produce more detail.
Profile
Parameter | DEBUG_OIDCLOGIN |
Category | Logging / Debug |
Component | Server |
Available since | 12.0.2 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = off (default) to 4 = maximum trace |
Description
Since 12.0.2, Domino supports OIDC-based web login: instead of a classic Domino login, the browser is redirected to an external Identity Provider (e.g. Entra ID, Okta, Keycloak), authenticated there, and returns with an ID token.
DEBUG_OIDCLOGIN writes detailed trace output for this flow on the HTTP/web server side: authorization request, redirect URI, state/nonce validation, token validation, mapping of the IdP subject to the Notes user, and setting of the Web SSO cookie (LTPA).
It is useful for diagnosing problems such as a login loop after the IdP redirect, a state/nonce mismatch, a user being mapped to the wrong person, the cookie not being set, or an HTTP error after returning from the IdP.
Example configuration
DEBUG_OIDCLOGIN=3
Debug_Outfile=/local/notesdata/IBM_TECHNICAL_SUPPORT/oidclogin_debug.log
Notes & pitfalls
- High levels can log ID tokens – enable only temporarily.
- Takes effect immediately via set config DEBUG_OIDCLOGIN=...; a restart of the HTTP task is not strictly required.
- Entries appear in console.log and in Debug_Outfile.
- Complementary to DEBUG_OIDC, DEBUG_OIDC_VAULT, DEBUG_HTTPINOUT, DEBUG_LTPA.
- For mapping problems, check the IdP catalog document and the Web SSO configuration.
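Because high levels can log ID tokens, a trace file should be scrubbed before it leaves the server (for example, before it is attached to a support ticket). The following is an added example, not HCL code: it finds compact JWTs in log lines, confirms them by decoding header and payload, and replaces them with a marker. The function names and the sample log lines are assumptions; the real Domino trace format may differ.

```python
import base64
import json
import re

# Compact JWS form: header.payload.signature, all base64url. Header and payload
# are JSON objects, so both segments start with "eyJ" (base64url of '{"').
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def b64url_json(segment):
    """Decode one base64url segment to a dict; None if it is not a JSON object."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
        return obj if isinstance(obj, dict) else None
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return None

def redact_line(line):
    """Return (redacted_line, findings); findings list alg and claim names only."""
    findings = []
    def _sub(match):
        head, body, _sig = match.group(0).split(".")
        header, payload = b64url_json(head), b64url_json(body)
        if header is None or payload is None or "alg" not in header:
            return match.group(0)  # JWT-shaped but not decodable: leave untouched
        findings.append({"alg": header["alg"], "claims": sorted(payload)})
        return "[REDACTED-JWT alg=%s]" % header["alg"]
    return JWT_RE.sub(_sub, line), findings

def scan_log(lines):
    """Redact all lines; return (clean_lines, [(line_number, finding), ...])."""
    clean, hits = [], []
    for number, line in enumerate(lines, 1):
        redacted, found = redact_line(line)
        clean.append(redacted)
        hits.extend((number, finding) for finding in found)
    return clean, hits

def make_sample_token():
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}),
                     enc({"sub": "alice", "nonce": "n-1"}), "c2lnbmF0dXJl"])

# Constructed sample lines, not real Domino trace output.
SAMPLE_LINES = ["[constructed] state and nonce validated",
                "[constructed] received id_token=" + make_sample_token()]

if __name__ == "__main__":
    for line in scan_log(SAMPLE_LINES)[0]:
        print(line)
```

A non-empty findings list on a production log is also a signal that the parameter was left at a high level and should be set back to 0.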