This article describes how to hide the Username and Password fields, as well as the Login button prompts, on the SSL-VPN Web Mode login page without impacting SSL-VPN functionality.
This might be done by an administrator if:
- Web Mode SSL-VPN users should only have the option of logging in via SAML authentication, but:
- Tunnel Mode (i.e. FortiClient) SSL-VPN users still need the option to login with Local/LDAP/RADIUS/etc. authentication.
This article assumes that the reader has some familiarity with HTML/CSS and is comfortable making these adjustments.
Fortinet TAC does not otherwise provide technical assistance with customizing the HTML for Replacement Messages
Step 1: In the FortiGate GUI, go to System > Replacement Messages > SSL-VPN and edit the SSL-VPN Login Page.
Step 2: From there, it is possible to add the CSS property style=”display:none” to hide any element from user-view without needing to delete/remove it entirely.
The following image shows the mapping between common buttons/fields on the SSL-VPN Web Mode portal and their HTML code equivalents:
This next image shows the results of applying style=”display:none” to hide the ‘Name’, ‘Password’, and ‘Login’ elements:
It is important to note that by default, the buttons/prompts shown on the SSL-VPN are dynamically shown/hidden based on the User Groups configured on the SSL-VPN Firewall Policies.
For example, if an administrator configures firewall policies with a User Group containing Local Users, as well as a User Group containing a SAML User object, then both options will appear in the SSL-VPN Web Login page.
The same is true if LDAP/RADIUS is used instead of Local Users.
If the administrator removes the Local User Group from their Firewall Policies (i.e. they are only using SAML for authentication), then the Username, Password, and Login elements are removed from view and the SSL-VPN will instead automatically send users directly to the SAML IdP for authentication.
As well, admins should be aware that there are elements contained within the SSL-VPN Login Page that are required for the SSL-VPN to function properly, such as the %%SSL_HIDDEN%% and %%SSL_LOGIN%% variables, and as such we do not recommend deleting/altering these on the login page.
Applying the above changes results in a low-impact, visual-only change to the SSL-VPN login page that is sufficient for stopping end-users from trying to login with the wrong fields.