Parameter: DEBUG_SAML
Short description: Logs the complete SAML federated login flow (metadata, assertion validation, signature/encryption check, attribute mapping).
Profile
Parameter | DEBUG_SAML |
Category | Logging / Debug |
Component | Server |
Available since | 12.0 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = off, 1 = basic, 2 = verbose (incl. assertion XML – temporary only, contains sensitive data) |
Description
DEBUG_SAML enables diagnosis of Domino's SAML-based federated login implementation. Among other things, the loading and parsing of IdP metadata, the validation of the incoming assertion (signature, encryption, NotBefore/NotOnOrAfter, audience, AuthnContext), and the mapping of SAML attributes to the Notes user are logged. At level 2, the complete assertion XML is additionally written to the console or log – for analyzing "Signature validation failed" or "No matching user" errors, this is often the only reliable source.
Example configuration
; Standard debug for federated login problems
DEBUG_SAML=1
; Verbose – short-term only, writes assertion XML
DEBUG_SAML=2
Notes & pitfalls
- Level 2 contains the complete SAML assertion (user attributes, groups, possibly tokens) – treat logs as confidential and delete them after error analysis.
- Takes effect only after a restart of the HTTP task (restart task http).
- Works only if idpcat.nsf is correctly configured and the IdP is enabled in the server document.
- For certificate errors, additionally enable DEBUG_SSL=2 to separate TLS issues from SAML errors.
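
An added example (not part of the original page and not Domino tooling): a small Python audit that flags a notes.ini in which DEBUG_SAML is still at the verbose level 2, carries an undocumented value, or is set more than once. It assumes `;` comment lines as in the example configuration above and case-insensitive parameter names; the sample file content is constructed.

```python
import re

# Levels documented on this page for DEBUG_SAML.
SAML_LEVELS = {"0": "off", "1": "basic", "2": "verbose"}
_SETTING = re.compile(r"^\s*([A-Za-z0-9_$]+)\s*=\s*(.*?)\s*$")

# Constructed sample notes.ini content (not from a real server).
SAMPLE_INI = """\
[Notes]
; federated login troubleshooting
Directory=/local/notesdata
DEBUG_SAML=1
;DEBUG_SAML=2
debug_saml = 2
DEBUG_SSL=2
"""


def audit_debug_saml(ini_text):
    """Return (line_no, severity, message) findings for active DEBUG_SAML lines."""
    findings, seen = [], []
    for no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or commented out
            continue
        m = _SETTING.match(line)
        # Assumption: parameter names are matched case-insensitively.
        if not m or m.group(1).upper() != "DEBUG_SAML":
            continue
        value = m.group(2)
        seen.append(no)
        if value not in SAML_LEVELS:
            findings.append((no, "warn", f"undocumented value {value!r}"))
        elif value == "2":
            findings.append((no, "high", "verbose level: assertion XML is logged"))
    if len(seen) > 1:
        # Do not guess which line takes effect; report the ambiguity instead.
        where = ", ".join(map(str, seen))
        findings.append((seen[-1], "warn", f"set more than once (lines {where})"))
    return findings


if __name__ == "__main__":
    for no, severity, message in audit_debug_saml(SAMPLE_INI):
        print(f"notes.ini:{no}: [{severity}] DEBUG_SAML {message}")
```

Running such a check after each troubleshooting session helps confirm that level 2 was removed before the logs accumulate further assertion data.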