We have a deployment of FortiAuthenticator where we use it as our SAML IdP for all services and platforms, including the portal and various Fortinet products.
We are using the self-registration portal of FortiAuthenticator for user self-registration, and at the same time the SAML portals are enabled to allow users to navigate to various services. The issue we are facing is on the self-registration portal: if a user tries to reset their password, at the end they get redirected to the SAML login page. Instead of the page loading, they are presented with a 403 Forbidden message.
It looks like the issue is related to the sessionid and cookiesession1 cookies set by FortiAuthenticator on the user browser.
Has anyone come across this issue before? Is there any known workaround for this?
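One thing worth checking before raising a ticket is whether the suspected sessionid and cookiesession1 cookies are actually attached by the browser to the request for the SAML login page. The script below is an added diagnostic, not code from this thread or from Fortinet: it feeds captured Set-Cookie headers into Python's standard-library cookie jar and reports which cookies a standards-following client would send to a later URL. The host name, URL paths and cookie attributes are constructed assumptions for illustration; replace them with the Set-Cookie lines and URLs you capture from the real password-reset flow (browser dev tools or an intercepting proxy).

```python
"""Which cookies would a browser attach to the SAML login URL?

Added diagnostic, not FortiAuthenticator code. Every URL and Set-Cookie
line below is constructed for illustration; paste in the values you
capture from the real password-reset flow.
"""
import email.message
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample: host name and paths are assumptions, not real product paths.
RESET_FLOW_URL = "https://fac.example.com/auth/registration/password_reset/"
SAML_LOGIN_URL = "https://fac.example.com/saml-idp/login/"

# Constructed Set-Cookie headers as a browser might receive them during the
# reset flow. Only the two cookie names come from the thread; the attributes
# (Path, Secure, HttpOnly) are assumed and must be taken from a real capture.
RESET_FLOW_SET_COOKIES = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "cookiesession1=def456; Path=/; Secure; HttpOnly",
    "reset_step=2; Path=/auth/registration/; Secure; HttpOnly",
]


class _CapturedResponse:
    """Minimal stand-in for an HTTP response so CookieJar can parse headers."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            # Message keeps repeated headers, which is what get_all() returns.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookies_sent_to(set_cookie_headers, set_on_url, later_url):
    """Store the cookies set by a response to `set_on_url`, then return
    {name: value} of those the jar would send on a request to `later_url`.

    The jar applies the usual Domain, Path and Secure scoping rules, so a
    path-restricted cookie is not reported for an unrelated path.
    """
    jar = CookieJar()
    jar.extract_cookies(_CapturedResponse(set_cookie_headers),
                        urllib.request.Request(set_on_url))
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    header = later.get_header("Cookie", "")
    sent = {}
    for pair in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = pair.partition("=")
        sent[name] = value
    return sent


def stale_session_cookies(set_cookie_headers, set_on_url, later_url,
                          names=("sessionid", "cookiesession1")):
    """Sorted list of the suspect cookie names that would reach `later_url`."""
    sent = cookies_sent_to(set_cookie_headers, set_on_url, later_url)
    return sorted(n for n in names if n in sent)


if __name__ == "__main__":
    print("Sent to SAML login:",
          cookies_sent_to(RESET_FLOW_SET_COOKIES, RESET_FLOW_URL, SAML_LOGIN_URL))
    print("Suspect cookies reaching SAML login:",
          stale_session_cookies(RESET_FLOW_SET_COOKIES, RESET_FLOW_URL, SAML_LOGIN_URL))
```

If the suspect cookies do reach the SAML login URL, a quick manual check is to repeat the reset flow and then clear those two cookies before the redirect: if the 403 disappears, you have a reproducible case to hand to support. If they are path-scoped and never sent, the cookies are not the cause and the 403 comes from something else (for example the portal policy or realm configuration).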
I guess you have Authentication / Portals / Portals and there is some portal defined for self-service. Not quite sure if you have Pre-Login / Password Reset, or Post-Login / Password Change, actually enabled and used. It depends on what you want to allow your users, and whether they'd be allowed to reset their password even without any previous authentication.
Is it pointing to a realm which is SAML-based or to local users? My guess from what you wrote is that you allow your users to self-register as local users. And then those are served to SAML SPs set/allowed via Authentication / SAML IdP. However, the Identity Source realm in SAML IdP / General, as well as in Portals / Policy, is a realm pointing to local users, right?
Maybe that is a bit on the edge of the forum, and you might consider opening a technical ticket with Fortinet to provide your configuration privately and maybe demonstrate the issue in a remote session to some of my fellow engineers.