Parameter: DEBUG_SSO_TRACE_LEVEL
Short description: Trace level for diagnosing LTPA/SSO token decoding and validation in the HTTP stack.
Profile

| Field | Value |
| --- | --- |
| Parameter | DEBUG_SSO_TRACE_LEVEL |
| Category | Logging / Debug |
| Component | Server |
| Available since | 9.0.1 |
| Supported versions | 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
| GUI equivalent | notes.ini only (no GUI) |
| Possible values | 0 = off, 1 = basic trace, 2 = verbose (incl. token contents) |

Description
DEBUG_SSO_TRACE_LEVEL enables debug output around web SSO using LTPA tokens (LtpaToken / LtpaToken2). Logged items include reading the token from the cookie, decryption with the configured SSO key, validation of the realm and expiration, and the resolution of the contained user against the Domino Directory. This is very helpful for diagnosing "SSO failed" / "Cannot decrypt LTPA token" errors in heterogeneous Domino/WebSphere environments.
Example configuration
DEBUG_SSO_TRACE_LEVEL=1
Notes & pitfalls
- At level 2, the token contents are logged. This is security-sensitive; treat logs as confidential.
- Works only in combination with an SSO configuration document in the Domino Directory; without an SSO document the log stays empty.
- Takes effect after restart task http.
- For IdP-based SSO (SAML), additionally enable DEBUG_SAML.
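
One way to check a server's notes.ini for the pitfalls above, as an added example that is not part of the original page or of the product: the function `audit_sso_trace` and the sample text are hypothetical, and matching the parameter name case-insensitively and reporting the highest value when the parameter appears more than once are assumptions of this sketch.

```python
PARAM = "DEBUG_SSO_TRACE_LEVEL"
VALID = ("0", "1", "2")  # 0 = off, 1 = basic trace, 2 = verbose (incl. token contents)


def audit_sso_trace(ini_text):
    """Return (level, findings) for PARAM in the given notes.ini text."""
    seen = []  # (line number, raw value) for every occurrence of PARAM
    for lineno, raw in enumerate(ini_text.splitlines(), 1):
        key, sep, value = raw.partition("=")
        # Assumption: parameter names are matched case-insensitively.
        if sep and key.strip().upper() == PARAM:
            seen.append((lineno, value.strip()))

    if not seen:
        return None, ["%s is not set" % PARAM]

    findings, levels = [], []
    for lineno, value in seen:
        if value in VALID:
            levels.append(int(value))
        else:
            findings.append("line %d: invalid value %r (expected 0, 1 or 2)"
                            % (lineno, value))
    if len(seen) > 1:
        findings.append("set %d times; keep a single entry" % len(seen))

    # With duplicates, report the highest level so the exposure is not understated.
    level = max(levels) if levels else None
    if level == 2:
        findings.append("level 2 logs LTPA token contents; treat logs as confidential")
    elif level == 1:
        findings.append("level 1 basic trace is active")
    return level, findings


# Constructed sample input, not taken from a real server.
SAMPLE = """[Notes]
KeyFilename=server.id
debug_sso_trace_level=1
DEBUG_SSO_TRACE_LEVEL=2
"""

if __name__ == "__main__":
    level, findings = audit_sso_trace(SAMPLE)
    print("reported level:", level)
    for finding in findings:
        print(" -", finding)
```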