Self-service portal
Configure general self-service portal options, including access control settings, self-registration options, replacement messages, and device self-enrollment settings.
General
To configure general self-service portal settings, go to Authentication > Self-service Portal > General.
The following settings can be configured:
Setting | Description
---|---
Default portal language | Select one of the default portal language packs from the dropdown menu.
Add a Language Pack | Upload a different language pack. Additional translation packs can be obtained from the Fortinet Support website if you need to translate the portal into your local language.
Site name | Enter a name used when referring to this site. If left blank, the site's DNS domain name or IP address is used.
Email signature | Add a signature that is appended to the end of outgoing email messages.
Allow users to change their password | Enable to allow local and/or remote users to change their own password.
Access control
To configure self-service portal access settings, go to Authentication > Self-service Portal > Access Control.
The following settings can be configured:
Self-registration
When self-registration is enabled, users can request registration through the FortiAuthenticator login page. Self-registration can be configured so that a user request is emailed to the device administrator for approval.
When the account is ready for use, the user receives an email or SMS message with their account information.
To enable self-registration:
- Go to Authentication > Self-service Portal > Self-registration.
- Select Enable to enable self-registration.
- Optionally, configure the following settings:

Setting | Description
---|---
Require administrator approval | Select to require that an administrator approves each new user.
Enable email to freeform addresses | Select to send self-registration requests to the email addresses entered in the Administrator email addresses field.
Select User Groups allowed to approve new user registrations | Select to send self-registration requests to members of specific user groups. Select the required approvers from the Available groups box and move them to the Chosen groups box. If enabled, guests are given a dropdown list of approvers to choose from on the self-registration page, and FortiAuthenticator sends an approval request to the chosen approver's email address. The list of approvers is the union of all users and administrators who are members of the specified groups. Local, remote LDAP, and remote RADIUS groups are supported.
Account expires after | Enable to specify how long self-generated accounts remain valid after they are created.
Use mobile number as username | If enabled, the user's mobile number is used as their username and, after a successful registration, the password is sent to that number via SMS to confirm their identity.
Place registered users into a group | Select the group into which self-registered users are placed.
Password creation | Select how the password is created: User-defined or Randomly generated.
Send account information via | Choose how account information is sent to the user: SMS, Email, or Display on browser page. Display on browser page is only available when administrator approval is not required.
SMS gateway | Select an SMS gateway from the dropdown menu. See SMS gateways for more information.
Required Field Configuration | Select the fields the user must populate when self-registering. Options include: First name, Last name, Email address, Address, City, State/Province, Country, Phone number, Mobile number, Custom field 1, Custom field 2, and Custom field 3. See Custom user fields for more information.

- Select OK to apply your changes.
Self-registration approval
The self-registration page is a customizable replacement message. The default replacement message contains an optional field in which the self-registering guest selects an approver. The list of approvers comes from the groups specified in the configuration; the dropdown list is populated with the explicit list of members of those groups, for local, remote RADIUS, and remote LDAP groups alike.
Each approver in the dropdown list is designated as "Lastname, Firstname". In cases where first and last name are not available, an approver is designated as "username" instead. Disabled user accounts are excluded from the list. User accounts without a configured email address are also excluded from the list.
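The following is an added example, not FortiAuthenticator code, that models how the approver dropdown described above is built and how a guest's choice should be handled on the server. The display-name, exclusion, and union rules come from the documentation; de-duplicating by username, sorting the list, and resolving the chosen label back to an email address server-side are this example's own choices, and the users and groups are constructed sample data.

```python
"""Build the approver dropdown shown on the self-registration page.

Added example, not FortiAuthenticator code. It applies the rules the
documentation states: the approver list is the union of the members of the
configured groups (local, remote LDAP and remote RADIUS groups are all
supported), each shown as "Lastname, Firstname" or, when either name is
missing, as the username; disabled accounts and accounts without an email
address are excluded. De-duplicating a user who appears in two groups by
username, sorting the list, and resolving the guest's choice back to an
email address on the server are this example's own choices (assumptions).
All users and groups below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    username: str
    email: str = ""
    first_name: str = ""
    last_name: str = ""
    disabled: bool = False


@dataclass
class Group:
    name: str
    source: str                      # "local", "ldap" or "radius"
    members: List[User] = field(default_factory=list)


def display_name(user: User) -> str:
    """'Lastname, Firstname' when both names exist, otherwise the username."""
    if user.first_name and user.last_name:
        return f"{user.last_name}, {user.first_name}"
    return user.username


def build_approver_list(groups: List[Group]) -> List[Tuple[str, str]]:
    """Return (label, email) pairs for the dropdown.

    Union across groups: a user who is a member of several groups appears
    once (assumed: keyed by username). Disabled users and users with no
    email address are dropped because no approval mail could reach them.
    """
    eligible: Dict[str, User] = {}
    for group in groups:
        for user in group.members:
            if user.disabled or not user.email:
                continue
            eligible.setdefault(user.username, user)
    return sorted((display_name(u), u.email) for u in eligible.values())


def resolve_approver(groups: List[Group], chosen_label: str) -> Optional[str]:
    """Map the label the guest picked back to an email address.

    The guest controls the form, so the server looks the label up in the
    list it generated itself rather than accepting an address from the
    request; an unknown label yields None and the request should be rejected.
    """
    for label, email in build_approver_list(groups):
        if label == chosen_label:
            return email
    return None


# Constructed sample data covering each exclusion rule.
SAMPLE_GROUPS = [
    Group("helpdesk", "local", [
        User("alice", "alice@example.com", "Alice", "Adams"),
        User("bob", "", "Bob", "Brown"),                                    # no email: excluded
        User("carol", "carol@example.com", "Carol", "Chen", disabled=True),  # disabled: excluded
    ]),
    Group("ldap-approvers", "ldap", [
        User("dlee", "dlee@example.com"),                       # no names: shown as username
        User("alice", "alice@example.com", "Alice", "Adams"),   # also in helpdesk: listed once
    ]),
]

if __name__ == "__main__":
    for label, email in build_approver_list(SAMPLE_GROUPS):
        print(f"{label:15} -> {email}")
```

The point of resolve_approver is that the approver email is never taken from the submitted form: the guest only ever supplies a label, and the server maps it against the list it generated from group membership.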
To approve a self-registration request:
- Select the link in the Approval Required for... email message to open the New User Approval page in your web browser.
- Review the information and select either Approve or Deny, as appropriate.
Approval is required only if Require administrator approval is enabled in the self-registration settings.
If the request is approved, FortiAuthenticator sends the user an email or SMS message stating that the account has been activated.
How a user requests registration
A user can request registration, or self-register, from the FortiAuthenticator login screen.
To request registration:
- Browse to the IP address of FortiAuthenticator.
- Select Register to open the user registration page.
- Fill in all the required fields and, optionally, fill in the Additional Information fields.
- Select OK to request registration.
Security policies must be in place on the FortiGate unit to establish these sessions.
If administrator approval is not required and Display on browser page is enabled, the account details are immediately displayed to the user.
Token self-provisioning
User token self-provisioning allows users to set up their own FortiTokens without direct intervention of an administrator.
To configure token self-provisioning settings, go to Authentication > Self-service Portal > Token self-provisioning.
The following settings can be configured:
Token Self-registration | Description
---|---
Allow FortiToken Hardware self-provisioning | Enable to allow users to self-provision their own FortiToken Hardware tokens.
Allow FortiToken Mobile self-provisioning | Enable to allow mobile users to self-provision their FortiToken Mobile.
Allow Email self-provisioning | Enable to allow users to self-provision their FortiToken Mobile via email.
Allow SMS self-provisioning | Enable to allow users to self-provision their FortiToken Mobile via SMS.
Allow user to request a token from Administrator at this email address | Enable to allow users to request a new token; the request is sent to the email address entered here.
Restrict token self-provisioning to members of specific groups | Enable to restrict token self-provisioning to members of the selected user groups.

Token Self-revocation | Description
---|---
Allow users to report a lost token to the Administrator at this email address | Enable to allow users to report a lost token; the report is sent to the email address entered here.
Allow users to temporarily use SMS token authentication if a mobile number was pre-configured | Enable to allow users to switch to temporary SMS-based authentication. The administrator is also notified.
Allow users to temporarily use email token authentication if an email was pre-configured | Enable to allow users to switch to temporary email-based authentication. The administrator is also notified.
Allow users to re-provision their FortiToken Mobile | Enable to allow mobile users to re-provision their token.
How a user registers a token
If token self-provisioning is enabled, a user can register a token from the user portal.
To self-register:
- Browse to the IP address of the user portal and log in.
- Go to My Account > User > Register Token to open the token registration options.
- Fill in all the required fields.
- Select OK to register token.
Only options that the administrator has configured under the Token Self-registration options are available.
If a token is already assigned to the user, the token registration page displays the token along with its serial number.
How a user reports a lost token
A user can report a lost token (mobile or physical) from the user portal screen.
To report a lost token:
- Browse to the IP address of the user portal.
- Select I lost my token.
- Select the preferred option.
- Select OK to continue.
The user is directed to a page warning them that their account will be locked and the administrator will be notified. Select OK to continue.
Only options that the administrator has configured under the Token Self-revocation options are available.
Replacement messages
The replacement messages list lets you view and customize replacement messages, and manage images.
Go to Authentication > Self-service Portal > Replacement Messages to view the replacement message list.
The replacement messages are divided into seven categories: Account, Authentication, Device Certificate Enrollment, Password Reset, User Registration, SAML SP (FSSO), and System.
To view and customize SAML IdP replacement messages, go to Authentication > SAML IdP > Replacement Messages.
The two pre-authentication replacement messages under Authentication are only available after pre-authentication has been enabled under System > Administration > System Access.
Selecting a message displays its HTML or plain text in the lower half of the content pane.
Selecting Toggle Tag List displays a table of the tags used for that message above the message's HTML or plain text box.
To edit a replacement message:
- Select a message in the replacement message list.
- Edit the plain text or HTML code in the lower right pane, or select Open in new window to edit the message in a new browser window.
- When you are finished editing the message, select Save to save your changes.
- If you have made an error when editing the message, select Restore Default to restore the message to its default value.
To insert custom images into the replacement message, see Manage Images.
Manage Images
To add, edit, or delete images, select Manage Images in the Replacement Messages window.
To add an image:
- From the Manage Images window, select Create New to open the Create New Image window.
- In the Name field, enter a name for the image.
- Select Choose File, find the GIF, JPEG, or PNG image file that you want to add, and then select Open.
- Select OK to add the image.
Note: The maximum image size is 1000 kB.
To insert the image into a replacement message, add the following HTML code, where <image_name> is the name entered for the image:
<img src={{:image/<image_name>}}>
For example, the HTML code for an image named Acme_logo is <img src={{:image/Acme_logo}}>.
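The following is an added example, not FortiAuthenticator code, showing the two checks a practitioner would want around managed images: validating an upload against the documented limits (1000 kB, GIF/JPEG/PNG) and expanding the {{:image/<name>}} tag inside a replacement message. Identifying the file by its magic bytes rather than its extension, the image-name rule, the /images/<name> path the tag expands to, and the handling of a tag that names no managed image are this example's own assumptions; the sample bytes and message are constructed.

```python
"""Check a managed-image upload and expand {{:image/<name>}} tags in a
replacement message.

Added example, not FortiAuthenticator code. The 1000 kB limit and the
GIF/JPEG/PNG restriction come from the documentation; identifying the file
by its magic bytes rather than its extension, the image-name rule, the
/images/<name> path the tag expands to, and what happens to a tag that names
no managed image are this example's own choices (assumptions). The sample
bytes and message below are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

MAX_IMAGE_BYTES = 1000 * 1024          # "maximum image size is 1000 kB"

# Leading bytes of the three permitted formats.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Assumed naming rule: names end up inside an HTML attribute and a URL path,
# so restrict them to characters that cannot terminate either.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
TAG_RE = re.compile(r"\{\{:image/([^}]*)\}\}")


def image_type(data: bytes) -> Optional[str]:
    """Return 'gif', 'jpeg' or 'png' from the file header, else None."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return None


def validate_upload(name: str, data: bytes) -> str:
    """Return '' when the upload is acceptable, otherwise the reason it is not."""
    if not NAME_RE.match(name):
        return "invalid image name"
    if len(data) > MAX_IMAGE_BYTES:
        return "image exceeds 1000 kB"
    if image_type(data) is None:
        return "file is not a GIF, JPEG or PNG"
    return ""


def render_message(html: str, managed_images: Iterable[str]) -> Tuple[str, List[str]]:
    """Expand every image tag to its URL and report names that are not managed.

    Because managed names satisfy NAME_RE, the expansion cannot break out of
    the src attribute it is placed in. A tag naming an unknown image expands
    to nothing and is reported so the administrator can see the mistake.
    """
    known = set(managed_images)
    missing: List[str] = []

    def expand(match) -> str:
        name = match.group(1)
        if name in known:
            return f"/images/{name}"       # assumed URL layout
        missing.append(name)
        return ""

    return TAG_RE.sub(expand, html), missing


# Constructed inputs: a minimal PNG header and a message using the documented tag form.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_MESSAGE = "<p>Welcome</p><img src={{:image/Acme_logo}}>"

if __name__ == "__main__":
    print(validate_upload("Acme_logo", PNG_SAMPLE) or "upload ok")
    print(render_message(SAMPLE_MESSAGE, ["Acme_logo"]))
```

Checking the header bytes rather than the file name means a renamed HTML or script file is rejected before it is ever served from the portal, and restricting names keeps the expanded tag from escaping the src attribute it is written into.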
To delete an image:
- From the Manage Images window, select an image, then select Delete.
- Select Yes, I’m sure in the confirmation window to delete the image.
To edit an image:
- From the Manage Images window, select an image, then select Edit.
- In the Edit Image window, edit the image name and file as required.
- Select OK to apply your changes.
Device self-enrollment
Device certificate self-enrollment is a method for local and remote users to obtain certificates for their devices. It can be used to enable EAP-TLS for BYOD configurations, or for VPN authentication. For example:
- A user brings their tablet to a BYOD organization.
- They log in to FortiAuthenticator and create a certificate for the device.
- With their certificate, username, and password they can authenticate to gain access to the wireless network.
- Without the certificate, they are unable to access the network.
EAP-TLS is a bidirectional certificate authentication method: the client presents a certificate to the FortiAuthenticator EAP server and the server presents one to the client, and both certificates must be issued by the same CA.
To enable device self-enrollment and adjust self-enrollment settings, go to Authentication > Self-service Portal > Device Self-enrollment and select Enable user device certificate self-enrollment.
SCEP must be enabled to activate this feature; see SCEP.
The following settings can be configured:
Select OK to apply any changes you have made.