DEBUG_SAML

Parameter: DEBUG_SAML
Short description: Enables the debug output for SAML authentication on the Domino web server. HCL recommends DEBUG_SAML=31 for general diagnostics and DEBUG_SAML=287 additionally for SSL/TLS certificate errors.

Profile

Parameter: DEBUG_SAML
Component: Server (Domino web server)
Category: Logging / Debug
Available since: Domino 9.0.x; officially documented in KB0086631 (Applies to: 9.0.x, 10.0.x, 11.0.x and higher)
Value format: Bitmask as integer
HCL recommendation (general): DEBUG_SAML=31
HCL recommendation (with SSL/TLS): DEBUG_SAML=287

Description

DEBUG_SAML enables SAML tracing of the Domino HTTP component. The console or console.log shows, among other things, details of incoming SAML requests, IdP discovery, assertion contents, signature verification, username mapping, and vault accesses.
According to HCL Customer Support (KB0086631), there are essentially two reasonable levels:

Level 1 – General SAML diagnostics

DEBUG_SAML=31
WEBAUTH_VERBOSE_TRACE=1
A good starting value for new SAML implementations and for any problem involving login, username resolution, or IdP integration. WEBAUTH_VERBOSE_TRACE=1 supplements this by tracing how the Notes/Person name is resolved from the SAML assertion.

Level 2 – SAML + SSL/TLS certificate errors

DEBUG_SAML=287
DEBUG_XML_DSIG=65535
Choose this variant if HCL Support reports certificate or signature problems between Domino and the IdP. DEBUG_XML_DSIG=65535 enables maximum tracing of XML digital signature processing.

Level 3 – SAML with ID Vault

If the login involves the ID Vault, the following parameters are additionally set on both servers (web server and vault server):
DEBUG_SAML=31
DEBUG_IDV_QVAULT=3
DEBUG_IDV_CONNECT=1
DEBUG_IDV_TRACE=1
DEBUG_IDV_TrustCert=1
DEBUG_IDV_ViewUpdate=1
DEBUG_IDV_API=1
DEBUG_IDV_IDP_CONFIG=1

Adjust console log size

Since the SAML debug output is very verbose, HCL recommends increasing the maximum log file size (default 10 MB):
CONSOLE_LOG_MAX_KBYTES=50000

Example – minimal SAML diagnostics

Console_Log_Enabled=1
DEBUG_THREADID=1
DEBUG_SAML=31
WEBAUTH_VERBOSE_TRACE=1
CONSOLE_LOG_MAX_KBYTES=50000

Notes

  • For web SSO only – DEBUG_SAML diagnoses SAML-based web login on the Domino HTTP stack. For Notes Federated Login in the Notes client, there are separate debug settings (see HCL KB0038983).
  • Disable after diagnostics – The SAML debug output is very extensive; in production, set DEBUG_SAML=0 or remove the entry once analysis is complete.
  • Console command – set config DEBUG_SAML=31 enables the tracing without a server restart; set config DEBUG_SAML=0 disables it again.
  • Files for HCL Support – For a support ticket, KB0086631 lists the following as required: IBM_Technical_Support/console.log, notes.ini, idpcat.nsf, names.nsf (incl. server document, Internet Sites, Web SSO Configuration, Policy/Policy Settings).
  • Companion parameters – Console_Log_Enabled, Console_Log_Max_Kbytes, DEBUG_THREADID, WEBAUTH_VERBOSE_TRACE, DEBUG_XML_DSIG, DEBUG_IDV_*.
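
A check for the "Disable after diagnostics" note, as an added example that is not from HCL or the original page: it reports which of the debug parameters listed here are still non-zero in a notes.ini and splits each bitmask into its set bits, which shows that 287 is 31 plus bit 256. The sample content is constructed, and case-insensitive names with the first occurrence kept are assumptions of the example; the meaning of the individual bits is not given on this page, so they appear as numbers only.

```python
# Debug parameters named on this page; the prefix covers the DEBUG_IDV_* family.
DEBUG_KEYS = {"debug_saml", "webauth_verbose_trace", "debug_xml_dsig"}
DEBUG_PREFIX = "debug_idv_"

def parse_ini(text):
    """Map lowercased NAME -> value for NAME=VALUE lines.
    Assumptions: names compare case-insensitively, first occurrence is kept."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            settings.setdefault(name.strip().lower(), value.strip())
    return settings

def set_bits(value):
    """Split a bitmask integer into the individual bit values that are set."""
    return [1 << i for i in range(value.bit_length()) if (value >> i) & 1]

def active_debug(text):
    """Return (name, raw value, set bits) for each listed parameter that is not 0."""
    findings = []
    for name, raw in sorted(parse_ini(text).items()):
        if name not in DEBUG_KEYS and not name.startswith(DEBUG_PREFIX):
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, None))  # not an integer: report for review
            continue
        if value != 0:
            findings.append((name, raw, set_bits(value)))
    return findings

# Constructed sample: Level 2 settings left in place after an analysis.
SAMPLE = """\
Console_Log_Enabled=1
DEBUG_SAML=287
DEBUG_XML_DSIG=65535
DEBUG_IDV_TRACE=0
CONSOLE_LOG_MAX_KBYTES=50000
"""

if __name__ == "__main__":
    for name, raw, bits in active_debug(SAMPLE):
        print(f"{name}={raw} set bits: {bits}")
```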

Sources (HCL Product Documentation)