Not sure I completely understand it, but ...
I guess you have Authentication/Portals/Portals, and there is some Portal defined there for self-service. I'm not quite sure whether you have Pre-Login / Password Reset or Post-Login / Password Change actually enabled and in use. It depends on what you want to allow your users to do, and whether they'd be allowed to reset their password even without any previous authentication.
Then I guess you have that Portal used in Authentication/Portals/Policies, and the policy type is set in the top-right corner as Self-Service Portal. So you have a URL like https://<FQDN-of-your-FAC>/portal/selfservice/<policy-name>/ and there your users can make the changes.
Then what is the Identity Source of that policy?
Is it pointing to a realm which is SAML-based or to local users?
My guess from what you wrote is that you allow your users to self-register as local users, and those are then served to the SAML SPs set/allowed via Authentication / SAML IdP. However, the Identity Source realm in SAML IdP / General, as well as in Portals / Policy, is a realm pointing to local users, right?
Maybe this is a bit on the edge of what the forum is for, and you might consider opening a technical ticket with Fortinet to provide your configuration privately and maybe demonstrate the issue in a remote session to some of my fellow engineers.
Tom xSilver, planet Earth, over and out!