FortiGate
asoni
Staff
Article Id 309870
Description This article describes how to remove the username and password fields from the SSL VPN web portal login page so that Single Sign-On (SAML) is the only login option shown.
Scope FortiGate.
Solution

There are scenarios where an administrator wants to keep SSL VPN web mode enabled but offer only Single Sign-On on the login page, so that local credential logins are not advertised and the portal presents a smaller target for password guessing.

Note that this change only alters what the login page displays; it does not disable credential authentication on the portal. To actually prevent credential logins, the SSL VPN policies must contain only SSO user groups (see the note at the end of this article).

Removing the credential fields does not affect FortiClient: FortiClient users can still authenticate with SSO, local, or remote-server credentials.

 

By default, when Single Sign-On is configured, the SSL VPN web mode login page shows both the credential fields and the SSO button:

[Image: ssl vpn login page default.JPG]

 

To remove the credential fields, edit the SSL VPN login page replacement message so that the Single Sign-On button is the only login control rendered.

 

The replacement message is located under System -> Replacement Messages -> SSL VPN Login Page.

 

[Image: ssl vpn login page script.JPG]

 

Select SSL VPN Login Page and choose 'Edit'. The default script looks like the following:

 

[Image: ssl vpn script.JPG]

 

Replace the script with the following to display only the Single Sign-On option. The username, password, and Login button elements of the default script are removed; the form's action and method attributes and the %%SSL_ACT%%, %%SSL_METHOD%% and %%SSL_HIDDEN%% template tokens are kept so the portal still functions:

 

<!DOCTYPE html>
<html lang="en" class="main-app">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=8; IE=EDGE">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="apple-itunes-app" content="app-id=1475674905">
<link href="/styles.css" rel="stylesheet" type="text/css">
<link href="/css/legacy-main.css" rel="stylesheet" type="text/css">
<title>
Please Login
</title>
</head>
<body>
<div class="view-container">
<form class="prompt legacy-prompt" action="%%SSL_ACT%%" method="%%SSL_METHOD%%" name="f" autocomplete="off">
<div class="content with-header">
<div class="header">
<f-icon class="ftnt-fortinet-grid icon-xl">
</f-icon>
<div id="login-login">
Please Login
</div>
</div>
<button id="saml-login-bn" class="primary" type="button" name="saml_login_bn" onClick="launchSamlLogin()" style="display:none">
SSO Login
</button>
</div>
%%SSL_HIDDEN%%
</form>
</div>
</body>
</html>

 

Once saved, open the SSL VPN web portal URL in a browser to check the login page; it will look like the following. (The preview in the replacement message editor does not render the Single Sign-On button, so the portal URL itself must be used to verify the result.)

[Image: ssl vpn SSO.JPG]
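Before pasting a customised script into the replacement message editor, it is worth checking it offline. The following lint is an added example, not code from the article or from Fortinet: it verifies that a login page script is tag-balanced, still carries the %%SSL_ACT%%, %%SSL_METHOD%% and %%SSL_HIDDEN%% tokens, contains no text or password inputs, and still has the SAML login button. The three sample pages are constructed for the example; CREDENTIAL_FORM only approximates a form that still carries the credential fields and is not the real default page.

```python
"""Offline lint for a FortiGate SSL VPN login page replacement message.

Added example, not from the article or from Fortinet. It checks that a
customised 'SSL VPN Login Page' script is tag-balanced, keeps the template
tokens, has no text/password inputs, and still carries the SAML button.
"""
from html.parser import HTMLParser

# HTML void elements never get a closing tag, so they are not tracked.
VOID_ELEMENTS = {"meta", "link", "input", "br", "img", "hr"}
REQUIRED_TOKENS = ("%%SSL_ACT%%", "%%SSL_METHOD%%", "%%SSL_HIDDEN%%")
CREDENTIAL_HINTS = ("user", "pass", "credential")


class _Walker(HTMLParser):
    """Collects <input>/<button> attributes and records nesting problems."""

    def __init__(self):
        super().__init__()
        self.stack, self.errors, self.inputs, self.buttons = [], [], [], []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "input":
            self.inputs.append(attrs)
        elif tag == "button":
            self.buttons.append(attrs)
        if tag not in VOID_ELEMENTS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID_ELEMENTS:
            return
        if tag not in self.stack:
            self.errors.append(f"stray </{tag}> with no open <{tag}>")
            return
        if self.stack[-1] != tag:
            self.errors.append(f"</{tag}> closes <{self.stack[-1]}> out of order")
        while self.stack.pop() != tag:
            pass


def lint_login_page(html: str) -> dict:
    """Return ok flag, list of problems, credential inputs found, SSO button presence."""
    w = _Walker()
    w.feed(html)
    w.close()
    problems = list(w.errors) + [f"unclosed <{t}>" for t in w.stack]
    problems += [f"missing template token {t}" for t in REQUIRED_TOKENS if t not in html]

    # Any text/password input, or any input whose name/id hints at credentials,
    # means the page still invites a local or remote-server credential login.
    credential_inputs = [
        i.get("name") or i.get("id") or "?"
        for i in w.inputs
        if (i.get("type") or "text").lower() in ("text", "password")
        or any(h in (i.get("name", "") + i.get("id", "")).lower() for h in CREDENTIAL_HINTS)
    ]
    if credential_inputs:
        problems.append("credential inputs still present: " + ", ".join(credential_inputs))

    sso_button = any(b.get("id") == "saml-login-bn" or "saml" in b.get("name", "").lower()
                     for b in w.buttons)
    if not sso_button:
        problems.append("no SAML login button found")

    return {"ok": not problems, "problems": problems,
            "credential_inputs": credential_inputs, "sso_button": sso_button}


# Constructed samples (not taken from a FortiGate). SSO_ONLY is the trimmed
# SSO-only script with balanced tags; CREDENTIAL_FORM approximates a form that
# still carries username/password fields; UNBALANCED has two stray </div> tags.
SSO_ONLY = """<!DOCTYPE html>
<html lang="en" class="main-app">
<head><meta charset="UTF-8"><title>Please Login</title></head>
<body>
<div class="view-container">
<form class="prompt legacy-prompt" action="%%SSL_ACT%%" method="%%SSL_METHOD%%" name="f" autocomplete="off">
<div class="content with-header">
<div class="header">
<f-icon class="ftnt-fortinet-grid icon-xl"></f-icon>
<div id="login-login">Please Login</div>
</div>
<button id="saml-login-bn" class="primary" type="button" name="saml_login_bn" onClick="launchSamlLogin()" style="display:none">SSO Login</button>
</div>
%%SSL_HIDDEN%%
</form>
</div>
</body>
</html>
"""

CREDENTIAL_FORM = """<form action="%%SSL_ACT%%" method="%%SSL_METHOD%%" name="f">
<input type="text" name="username" id="username">
<input type="password" name="credential" id="credential">
<button type="submit" name="login_button">Login</button>
<button id="saml-login-bn" type="button" name="saml_login_bn">SSO Login</button>
%%SSL_HIDDEN%%
</form>
"""

UNBALANCED = """<form action="%%SSL_ACT%%" method="%%SSL_METHOD%%" name="f">
<div class="content"><div class="header"></div>
<button id="saml-login-bn" type="button" name="saml_login_bn">SSO Login</button>
</div></div></div></form>
%%SSL_HIDDEN%%
"""

if __name__ == "__main__":
    for name, page in (("SSO_ONLY", SSO_ONLY), ("CREDENTIAL_FORM", CREDENTIAL_FORM),
                       ("UNBALANCED", UNBALANCED)):
        print(name, lint_login_page(page))
```

Run it against the script you intend to paste (read it from a file into lint_login_page) and only save the replacement message when the result reports ok. A clean lint does not prove the portal rejects credentials; it only proves the page no longer offers them, which is why the policy-side restriction in the note below still matters.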

Note:

To revert, it is possible to select the 'restore default' option under the SSL VPN replacement message page and then save it.

After this change, the end user only sees the Single Sign-On login option. Selecting it redirects the user to the SSO identity provider's login page.

 

If every SSL VPN policy contains only SSO (SAML) user groups, browsing to the web portal URL redirects the user straight to the SSO identity provider and the web mode login page is never shown. In that case the script does not need to be edited at all.
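The policy-side restriction described above, as an added configuration example that is not part of the article. It keeps a SAML-only user group as the sole group in the SSL VPN authentication rule and in the SSL VPN firewall policy, so that a credential login has no policy to match even if someone submits a username and password to the portal directly. The names "idp-saml", "sslvpn-sso-users", "port1", "internal-net" and the policy and rule IDs are assumptions; "idp-saml" stands for an already configured SAML server object under config user saml.

```text
# Added example, not from the article. "idp-saml", "sslvpn-sso-users",
# "port1" and "internal-net" are assumed names: an existing SAML server
# object, a user group, the LAN interface and an address object.

config user group
    edit "sslvpn-sso-users"
        set member "idp-saml"
    next
end

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-sso-users"
            set portal "full-access"
        next
    end
end

config firewall policy
    edit 10
        set name "sslvpn-sso-only"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "internal-net"
        set groups "sslvpn-sso-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Any other authentication rule or SSL VPN policy that still references a local or remote-server user group must be removed or changed to the SSO group, otherwise the redirect described above does not occur and credential logins remain possible. Confirm with show vpn ssl settings and show firewall policy that no such groups remain.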

 

Note that TAC can only help to remove some portions of the script or restore the default script. Further change or modification of the script is outside of TAC's scope.

 

Related article:

Technical Tip: Technical support on customization on various Fortinet products.