Administration Guide

Self-service portal

Configure general self-service portal options, including access control settings, self-registration options, replacement messages, and device self-enrollment settings.

General

To configure general self-service portal settings, go to Authentication > Self-service Portal > General.

The following settings can be configured:

  • Default portal language: Select from several default portal language packs from the dropdown menu.
  • Add a Language Pack: Upload a different language pack. Obtain additional translation packs from the Fortinet Support website if you need to translate to your local language.
  • Site name: Enter a name that is used when referring to this site. If left blank, the default name is the site DNS domain name or IP address.
  • Email signature: Add a signature that is appended to the end of outgoing email messages.
  • Allow users to change their password: Enable to allow local and/or remote users to change their own password.

Access control

To configure self-service portal access settings, go to Authentication > Self-service Portal > Access Control.

The following settings can be configured:

  • Username input format: Select from the following username input formats: username@realm, realm\username, realm/username. The realm name is optional when authenticating against the default realm.
  • Realms: Add the realms with which the user will be associated.
      • Select a realm from the dropdown menu in the Realm column.
      • Select whether or not to allow local users to override remote users for the selected realm.
      • Edit the group filter to filter users based on the groups they belong to.
      • If necessary, add more realms to the list.
      • Select the default realm for this client.
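The three username input formats above each need to be split into a realm and a bare username before the realm can be looked up, and the realm part is optional only for the default realm. The following parser is an added example, not FortiAuthenticator code: it honours only the one configured format (a separator from another format is treated as an ordinary character, so there is exactly one interpretation of any input), falls back to the default realm when none is given, and rejects empty usernames and unknown realms. The realm list and default realm are constructed sample values.

```python
"""Parse the self-service portal username input formats (added example)."""
from dataclasses import dataclass

# Constructed sample configuration: realms this portal accepts, and the default.
KNOWN_REALMS = {"local", "corp.example", "partners"}
DEFAULT_REALM = "local"


@dataclass(frozen=True)
class Identity:
    realm: str
    username: str


class UsernameFormatError(ValueError):
    """Raised for input that does not resolve to a valid realm and username."""


def parse_username(raw: str, input_format: str = "username@realm",
                   known_realms=KNOWN_REALMS, default_realm: str = DEFAULT_REALM) -> Identity:
    """Split `raw` into (realm, username) according to the configured input format."""
    raw = raw.strip()
    if not raw:
        raise UsernameFormatError("empty username")

    if input_format == "username@realm":
        # Split on the LAST '@' so that an email-style username such as
        # 'first.last@corp.example' still resolves to realm 'corp.example'.
        user, sep, realm = raw.rpartition("@")
        if not sep:
            user, realm = raw, ""
    elif input_format == "realm\\username":
        # Realm comes first; split on the FIRST backslash.
        realm, sep, user = raw.partition("\\")
        if not sep:
            realm, user = "", raw
    elif input_format == "realm/username":
        realm, sep, user = raw.partition("/")
        if not sep:
            realm, user = "", raw
    else:
        raise UsernameFormatError(f"unsupported input format: {input_format}")

    if not user:
        raise UsernameFormatError("missing username")
    if not realm:
        realm = default_realm  # the realm may be omitted only for the default realm
    if realm not in known_realms:
        raise UsernameFormatError(f"unknown realm: {realm!r}")
    return Identity(realm=realm, username=user)


def is_valid_username(raw: str, input_format: str = "username@realm", **kw) -> bool:
    """Convenience wrapper: True when `raw` parses under the configured format."""
    try:
        parse_username(raw, input_format, **kw)
        return True
    except UsernameFormatError:
        return False


if __name__ == "__main__":
    for sample, fmt in [("alice@corp.example", "username@realm"),
                        ("alice", "username@realm"),
                        ("corp.example\\alice", "realm\\username"),
                        ("partners/bob", "realm/username")]:
        print(f"{sample!r:28} [{fmt}] -> {parse_username(sample, fmt)}")
```

Because only the configured separator is honoured, an input like bob/partners submitted under the username@realm format is one username in the default realm, not realm "bob" with user "partners"; keeping a single interpretation is what makes the realm lookup unambiguous.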

Self-registration

When self-registration is enabled, users can request registration through the FortiAuthenticator login page. Self-registration can be configured so that a user request is emailed to the device administrator for approval.

When the account is ready for use, the user receives an email or SMS message with their account information.

To enable self-registration:
  1. Go to Authentication > Self-service Portal > Self-registration.
  2. Select Enable to enable self-registration.
  3. Optionally, configure the following settings:
      • Require administrator approval: Select to require that an administrator approves the user.
      • Enable email to freeform addresses: Select to send self-registration requests to the email addresses entered in the Administrator email addresses field.
      • Select User Groups allowed to approve new user registrations: Select to send self-registration requests to specific user groups. Select the required approvers from the Available groups box and move them to the Chosen groups box. If enabled, guests are given a dropdown list of approvers to choose from on the self-registration page, and FortiAuthenticator sends an approval request to that approver's email address. The list of approvers is the union of all the users and administrators who are members of the specified groups. Local, remote LDAP, and remote RADIUS groups are supported.
      • Account expires after: Enable to specify an expiration for self-generated accounts after they are created.
      • Use mobile number as username: If enabled, after a successful registration the user's password is sent to them via SMS to confirm their identity.
      • Place registered users into a group: Select a group into which self-registered users are placed.
      • Password creation: Select how a password is created, either User-defined or Randomly generated.
      • Send account information via: Choose how to send account information to the user, either SMS, Email, or Display on browser page. The Display on browser page option is only available if administrator approval is not required.
      • SMS gateway: Select an SMS gateway from the dropdown menu. See SMS gateways for more information.
      • Required Field Configuration: Select the fields that the user is required to populate when self-registering. Options include: First name, Last name, Email address, Address, City, State/Province, Country, Phone number, Mobile number, Custom field 1, Custom field 2, and Custom field 3. See Custom user fields for more information.
  4. Select OK to apply your changes.

Self-registration approval

The self-registration page is a customizable replacement message. The default replacement message contains a new optional field for the self-registering guest to select an approver. The list of approvers comes from the groups specified in the configuration. The dropdown list is populated with the explicit list of group members for local groups, remote RADIUS groups, and remote LDAP groups.

Each approver in the dropdown list is designated as "Lastname, Firstname". In cases where first and last name are not available, an approver is designated as "username" instead. Disabled user accounts are excluded from the list. User accounts without a configured email address are also excluded from the list.
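The approver dropdown rules described in the self-registration settings and in the two paragraphs above (union of the chosen groups' members, "Lastname, Firstname" labels with a "username" fallback, disabled accounts and accounts without an email address excluded) can be made concrete as a small piece of logic. The following is an added example, not FortiAuthenticator code; the groups and users are constructed sample data, the group source kind (local, LDAP, RADIUS) is only a label because it does not change the rule, and the assumption that both first and last name must be present for the "Lastname, Firstname" form is the author's reading of "not available".

```python
"""Build and resolve the self-registration approver list (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    email: Optional[str]
    first_name: str = ""
    last_name: str = ""
    enabled: bool = True


# Constructed sample directory: group label -> members.
GROUPS: Dict[str, List[User]] = {
    "helpdesk (local)": [
        User("jsmith", "jsmith@example.test", "John", "Smith"),
        User("adoe", "adoe@example.test", "Ann", "Doe", enabled=False),  # disabled: excluded
    ],
    "it-managers (ldap)": [
        User("jsmith", "jsmith@example.test", "John", "Smith"),          # same user again: listed once
        User("svc-radius", None, "", ""),                                  # no email address: excluded
        User("mlee", "mlee@example.test"),                                 # no names: shown as username
    ],
}


def display_name(u: User) -> str:
    """'Lastname, Firstname' when both are known, otherwise the bare username."""
    if u.first_name and u.last_name:
        return f"{u.last_name}, {u.first_name}"
    return u.username


def build_approver_list(groups: Dict[str, Iterable[User]],
                        chosen: Iterable[str]) -> List[Tuple[str, str]]:
    """Return [(label, email)] for every eligible approver in the chosen groups.

    Members are unioned by username so a user in several groups appears once;
    disabled users and users without an email address are dropped.
    """
    seen: Dict[str, User] = {}
    for name in chosen:
        for u in groups.get(name, ()):
            if not u.enabled or not u.email:
                continue
            seen.setdefault(u.username, u)
    # Sort by label so the dropdown order does not depend on group order.
    return sorted((display_name(u), u.email) for u in seen.values())


def lookup_approver_email(groups: Dict[str, Iterable[User]], chosen: Iterable[str],
                          label: str) -> Optional[str]:
    """Resolve the label the guest picked back to an address, or None if it is not eligible.

    The address is recomputed from the configured groups rather than taken from
    the form submission, so a guest can only route a request to a listed approver.
    """
    for lbl, email in build_approver_list(groups, chosen):
        if lbl == label:
            return email
    return None


if __name__ == "__main__":
    for label, email in build_approver_list(GROUPS, GROUPS.keys()):
        print(f"{label:15} -> {email}")
```

Recomputing the recipient server-side from the chosen groups is the property worth preserving in any custom replacement message: the dropdown value is a label, not an address, so a tampered form cannot change where the approval request is delivered.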

To approve a self-registration request:
  1. Select the link in the Approval Required for... email message to open the New User Approval page in your web browser.
  2. Review the information and select either Approve or Deny, as appropriate.

Approval is required only if Require administrator approval is enabled in the self-registration settings.

If the request is approved, FortiAuthenticator sends the user an email or SMS message stating that the account has been activated.

How a user requests registration

A user can request registration, or self-register, from the FortiAuthenticator login screen.

To request registration:
  1. Browse to the IP address of FortiAuthenticator. Security policies must be in place on the FortiGate unit to establish these sessions.
  2. Select Register to open the user registration page.
  3. Fill in all the required fields and, optionally, fill in the Additional Information fields.
  4. Select OK to request registration.

If administrator approval is not required and Display on browser page is enabled, the account details are immediately displayed to the user.

Token self-provisioning

User token self-provisioning allows users to set up their own FortiTokens without direct intervention of an administrator.

To configure token self-provisioning settings, go to Authentication > Self-service Portal > Token self-provisioning.

The following settings can be configured:

Token Self-registration
  • Allow FortiToken Hardware self-provisioning: Enable this option if you want to allow users to self-provision their own FortiToken Hardware tokens.
  • Allow FortiToken Mobile self-provisioning: Enable this option if you want to allow mobile users to self-provision their FortiToken Mobile.
  • Allow Email self-provisioning: Enable this option if you want to allow users to self-provision their FortiToken Mobile via email.
  • Allow SMS self-provisioning: Enable this option if you want to allow users to self-provision their FortiToken Mobile via SMS.
  • Allow user to request a token from Administrator at this email address: Enable this option if you want to allow users to request a new token using an email address.
  • Restrict token self-provisioning to members of specific groups: Enable this option if you want to restrict token self-provisioning to members of selected user groups only.

Token Self-revocation
  • Allow users to report a lost token to the Administrator at this email address: Enable this option if you want to allow users to report a lost token to a specific email address.
  • Allow users to temporarily use SMS token authentication if a mobile number was pre-configured: Enable this option if you want to allow users to switch to temporary SMS-based authentication. The administrator will also be notified.
  • Allow users to temporarily use email token authentication if an email was pre-configured: Enable this option if you want to allow users to switch to temporary email-based authentication. The administrator will also be notified.
  • Allow users to re-provision their FortiToken Mobile: Enable this option if you want to allow mobile users to re-provision their token.

How a user registers a token

If enabled, a user can self-register a token from the user portal screen.

To self-register:
  1. Browse to the IP address of the user portal and log in.
  2. Go to My Account > User > Register Token to open the token registration options.
  3. Fill in all the required fields. Only options that the administrator has configured under the Token Self-registration options are available.
  4. Select OK to register the token.

If a token is already assigned to the user, the token registration page will display the token along with its serial number.

How a user reports a lost token

A user can report a lost token (mobile or physical) from the user portal screen.

To report a lost token:
  1. Browse to the IP address of the user portal.
  2. Select I lost my token.
  3. A page warns that the account will be locked and the administrator will be notified. Select OK to continue.
  4. Select the preferred option. Only options that the administrator has configured under the Token Self-revocation options are available.
  5. Select OK to continue.

Replacement messages

The replacement messages list lets you view and customize replacement messages, and manage images.

Go to Authentication > Self-service Portal > Replacement Messages to view the replacement message list.

The replacement messages are divided into seven categories: Account, Authentication, Device Certificate Enrollment, Password Reset, User Registration, SAML SP (FSSO), and System.

To view and customize SAML IdP replacement messages, go to Authentication > SAML IdP > Replacement Messages.

Note: The two pre-authentication replacement messages under Authentication are only available after pre-authentication has been enabled under System > Administration > System Access.

Selecting a specific message displays that message's HTML or plain text in the lower half of the content pane.

Selecting Toggle Tag List will display a table of the tags used for that message atop the message’s HTML or plain text box.

To edit a replacement message:
  1. Select a message in the replacement message list.
  2. Edit the plain text or HTML code in the lower right pane, or select Open in new window to edit the message in a new browser window. To insert custom images into the replacement message, see Manage Images.
  3. When you are finished editing the message, select Save to save your changes.

If you have made an error when editing the message, select Restore Default to restore the message to its default value.

Manage Images

Images are managed by selecting Manage Images in the Replacement Messages window, where they can be added, deleted, and edited.

To add an image:
  1. From the Manage Images window, select Create New to open the Create New Image window.
  2. In the Name field, enter a name for the image.
  3. Select Choose File, find the GIF, JPEG, or PNG image file that you want to add, and then select Open. The maximum image size is 1000 kB.
  4. Select OK to add the image.
  5. To insert the image into a replacement message, add the following HTML code:

    <img src={{:image/<image_name>}}>

    Where <image_name> is the name entered for the image. For example, the HTML code for an image named Acme_logo is <img src={{:image/Acme_logo}}>.
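The upload limits stated above (GIF, JPEG or PNG; at most 1000 kB) and the {{:image/<image_name>}} reference can be checked and produced outside the appliance, for instance in a script that stages images before an administrator uploads them. The following is an added example, not FortiAuthenticator code: it identifies the format from the file's leading bytes rather than its extension, enforces the size cap, and builds the exact tag shown in the guide. The restriction of image names to letters, digits and underscores is an assumption chosen to keep names safe inside the tag, and the byte strings are constructed minimal headers, not real images.

```python
"""Validate a replacement-message image and build its {{:image/...}} tag (added example)."""
import re
from typing import Optional, Tuple

MAX_IMAGE_BYTES = 1000 * 1024                 # "1000 kB" as documented
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")      # assumption: keep image names tag-safe

# Leading bytes (magic numbers) of each accepted format.
_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Constructed samples: a minimal PNG header padded with zeros, and a non-image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
NOT_AN_IMAGE = b"%PDF-1.4\n"


def detect_format(data: bytes) -> Optional[str]:
    """Return 'gif', 'jpeg' or 'png' based on the file signature, else None."""
    for fmt, sigs in _SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None


def validate_image(name: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate image named `name` with content `data`."""
    if not NAME_RE.match(name):
        return False, "image name may contain only letters, digits and underscores"
    if len(data) > MAX_IMAGE_BYTES:
        return False, f"image exceeds {MAX_IMAGE_BYTES} bytes"
    if detect_format(data) is None:
        return False, "file is not a GIF, JPEG or PNG (checked by signature, not extension)"
    return True, "ok"


def image_tag(name: str) -> str:
    """The HTML snippet the guide gives for inserting a managed image."""
    # Doubled braces are f-string escapes; the result contains single '{{' and '}}'.
    return f"<img src={{{{:image/{name}}}}}>"


if __name__ == "__main__":
    for label, blob in [("Acme_logo", PNG_SAMPLE), ("Acme_logo", NOT_AN_IMAGE)]:
        ok, reason = validate_image(label, blob)
        print(label, ok, reason, image_tag(label) if ok else "")
```

Checking the signature instead of the extension matters because the replacement message is served to unauthenticated visitors of the login page: a file that is not actually an image should be rejected before it is referenced from that page.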

To delete an image:
  1. From the Manage Images window, select an image, then select Delete.
  2. Select Yes, I'm sure in the confirmation window to delete the image.

To edit an image:
  1. From the Manage Images window, select an image, then select Edit.
  2. In the Edit Image window, edit the image name and file as required.
  3. Select OK to apply your changes.

Device self-enrollment

Device certificate self-enrollment is a method for local and remote users to obtain certificates for their devices. It can be used to enable EAP-TLS for BYOD configurations, or for VPN authentication. For example:

  • A user brings their tablet to a BYOD organization.
  • They log in to FortiAuthenticator and create a certificate for the device.
  • With their certificate, username, and password they can authenticate to gain access to the wireless network.
  • Without the certificate, they are unable to access the network.

EAP-TLS is a mutual (bidirectional) certificate authentication method: the client and the FortiAuthenticator EAP server must each hold a certificate issued by the same CA.

To enable device self-enrollment and adjust self-enrollment settings, go to Authentication > Self-service Portal > Device Self-enrollment and select Enable user device certificate self-enrollment.

SCEP must be enabled to activate this feature; see SCEP.

The following settings can be configured:

  • SCEP enrollment template: Select a SCEP enrollment template from the dropdown menu. SCEP can be configured in Certificate Management > SCEP.
  • Maximum devices: Set the maximum number of devices that a user can self-enroll.
  • Key size: Select the key size for self-enrolled certificates (1024, 2048, or 4096 bits). Note that iOS devices only support 1024 and 2048.
  • Enable self-enrollment for Smart Card certificate: Select to enable self-enrollment for smart card certificates. This requires that a Device FQDN be configured (in the System Information widget under System > Dashboard > Status), as it is used in the CRL Distribution Points (CDP) certificate extension.

Select OK to apply any changes you have made.