Parameter: OIDC_LOGIN_ENABLE_REDIRECT

Short description: Controls whether Domino requests to the old OIDC login URL (/names.nsf?OIDCLogin) are automatically redirected to the new, recommended endpoint /auth/protocol/oidc. Default: enabled (1).

Profile
Parameter | OIDC_LOGIN_ENABLE_REDIRECT |
Category | Security / TLS (OIDC / Web SSO) |
Component | Server (HTTP task) |
Available since | 14.0 |
Supported versions | 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = redirect disabled; 1 = redirect enabled (default) |
Description
With the introduction of web login with OIDC in Domino 14.0, the login endpoint was unified: instead of the old URL https://server.example.com/names.nsf?OIDCLogin, the more modern endpoint https://server.example.com/auth/protocol/oidc is recommended. It is more consistent with other OAuth/OIDC implementations and allows a clearer separation between authentication and application URLs.

So that existing bookmarks, mail links, and stored redirect URIs in OIDC provider configurations continue to work, Domino automatically redirects from the old URL to the new endpoint when OIDC_LOGIN_ENABLE_REDIRECT=1 (default).

Important: The redirect happens only if the affected Internet Site is enabled for web login with OIDC. This makes mixed operation on the same server possible: Site A uses classic password/passkey authentication with /names.nsf?Login, Site B uses OIDC, and the redirect logic respects this separation.

Set to 0 when:
- The behavior of the old URL should be preserved (legacy integration tests).
- A custom reverse-proxy rule handles the redirect.
- On the server side, only the new URL should be allowed and the old one should return a 404.
Example configuration
OIDC_LOGIN_ENABLE_REDIRECT=0
Notes & pitfalls
- Default is =1; the parameter only needs to be set explicitly to disable the behavior.
- General prerequisites for web login with OIDC:
  - HTTP Bearer Authentication is enabled in the Internet Site document.
  - Session authentication is enabled on the "Domino Web Engines" tab.
  - The Internet Site is selected in the OIDC Provider document in idpcat.nsf.
- When configuring the OIDC provider (e.g. Keycloak, Azure AD): register both redirect URIs in the client configuration, the old AND the new form, for as long as the transition phase lasts. Only the new form /auth/protocol/oidc is recommended.
- For multiple Domino servers behind a web proxy with the same Internet Site: additionally set DominoSessionCookieUniqueNames=1 so that single-server cookies do not overwrite each other.
- With DEBUG_OIDC_LOGIN_REDIRECT=1, redirect decisions are logged in detail on the server console.
- Change takes effect after a restart of the HTTP task or via set config OIDC_LOGIN_ENABLE_REDIRECT=….
- Works only on Windows and Linux servers.
- Works only on Windows and Linux servers.
- OIDC SSO and SAML SSO are mutually exclusive — only one of the two methods can be active on a given Internet Site.
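
Added example (not HCL code): a small audit of notes.ini content for the three settings named in the notes above, reporting the effective redirect state and anything worth a second look. The function names, the shared_site_behind_proxy flag, the sample content, and the case-insensitive key matching are assumptions made for this sketch.

```python
# Added example, not HCL code: audits notes.ini text for settings named on this page.
WATCHED = ("oidc_login_enable_redirect", "debug_oidc_login_redirect",
           "dominosessioncookieuniquenames")

def parse_ini(text):
    """Map each key to its values in file order (keys lowercased: an assumption)."""
    found = {}
    for line in text.splitlines():
        if "=" not in line:          # skips the [Notes] header and blank lines
            continue
        key, value = line.split("=", 1)
        found.setdefault(key.strip().lower(), []).append(value.strip())
    return found

def effective(ini, key, default=None):
    """Single value for key, the default if unset, or None if entries conflict."""
    values = set(ini.get(key, []))
    if not values:
        return default
    return values.pop() if len(values) == 1 else None

def audit(text, shared_site_behind_proxy=False):
    """Return (effective redirect value, list of findings)."""
    ini = parse_ini(text)
    findings = [f"{k}: conflicting entries {ini[k]}"
                for k in WATCHED if len(set(ini.get(k, []))) > 1]
    redirect = effective(ini, "oidc_login_enable_redirect", default="1")
    if redirect is not None and redirect not in ("0", "1"):
        findings.append(f"OIDC_LOGIN_ENABLE_REDIRECT={redirect}: only 0 or 1 is valid")
    if redirect == "0":
        findings.append("redirect disabled: /names.nsf?OIDCLogin is not forwarded "
                        "to /auth/protocol/oidc; confirm this is intended")
    if effective(ini, "debug_oidc_login_redirect") == "1":
        findings.append("DEBUG_OIDC_LOGIN_REDIRECT=1: verbose redirect logging is on")
    if shared_site_behind_proxy and \
            effective(ini, "dominosessioncookieuniquenames") != "1":
        findings.append("DominoSessionCookieUniqueNames=1 is not set for a "
                        "shared Internet Site behind a proxy")
    return redirect, findings

# Constructed sample content, not taken from a real server.
SAMPLE = """[Notes]
KitType=2
oidc_login_enable_redirect=0
DEBUG_OIDC_LOGIN_REDIRECT=1
"""

if __name__ == "__main__":
    print(audit(SAMPLE, shared_site_behind_proxy=True))
```

Conflicting duplicate entries are reported with an undetermined (None) state rather than guessing which line the server honors.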
Sources (HCL Product Documentation)
- HCL Domino 14.5.1 – Configuring OIDC-based SSO for web users: help.hcl-software.com/domino/14.5.1/admin/secu_config_oidc_based_sso_for_web.html