Customize the Login Portal

The Login Portal is the portal that appears when authentication is required to access websites or web applications. Administrators can require authentication for all users and groups that are associated with an identity provider (IdP). You can also define the specific users and groups who are allowed to access websites for a specific AUP category.

When you configure an IdP, you define the appearance and language of these Login Portal pages:

  • Login. If an authentication policy is enabled, this is where users enter their login credentials. A user is presented with the login page when authentication is required or optional. If the authentication mode is optional, a user can choose to skip authentication or see this login page.

  • Password. If users are allowed to change their password, this page appears. For more information on password requirements that you can configure for the Login Portal, see Password complexity for Login Portal.

  • Settings. If MFA is configured, users can define how they want to receive authentication codes. Depending on the IdP configuration, users can select to receive authentication codes by email or SMS. If an administrator sets up or configures these authentication methods, a user can also enter a Duo passcode or enter a time-based one-time password (TOTP) from a mobile device application such as Google Authenticator or Microsoft Authenticator.

  • Admin. Allows users to contact their administrators.

Configure appearance and language of the Login Portal

You can configure the appearance and language of the Login Portal.

To configure the Login Portal:

  1. Create or edit an IdP to define the Login Portal settings for the IdP that you want. See Add an identity provider and Edit an identity provider.

  2. In the Login Portal, select a page of the Login Portal that you want to customize.

  3. To add graphics for the logo, favicon, or a background image, see Add logos and images to the Login Portal login page.

  4. To add a language, see Add a language for the login portal.

  5. Click Save.

Next steps

Deploy the IdP configuration. For more information, see Deploy configuration changes.

Add logos and images to the Login Portal login page

While all of these graphics are part of the login page, the logo and favicon are visible in the other Login Portal pages as well.

The logo and background image files cannot exceed 10 MB. If you submit a favicon, make sure the graphic does not exceed 10 KB.

To customize the Login Portal with a specific logo, background image, and favicon:

  1. In the Enterprise Center navigation menu, select Identity & Users > Identity Providers.

  2. To customize the login portal of an existing IdP, click the name of the IdP that you want to modify. Otherwise, create an IdP to define Login Portal settings associated with a new IdP. For more information, see Add an identity provider.

  3. Click the Login Portal tab.

  4. For the Logo, Background Image, and Favicon, click the Choose File icon and select an image for each.

  5. To save the changes, click Save.

Next steps

Deploy the IdP configuration. For more information, see Deploy configuration changes.

Login Portal languages

An ETP administrator can configure the text that appears in the Login Portal's welcome banner, legal disclaimer, and username hint. ETP supports text in English, German, French, Spanish, Japanese, Italian, and Chinese.

The Login Portal communicates with the end user's browser to determine the language to display. If this language is not configured in ETP for the Login Portal, the Login Portal shows the text provided for the primary language.

You can configure multiple languages for these Login Portal elements. You can also select a primary or default language to display.

These rules apply:

  • The Login Portal communicates with the user's browser to determine the language to display. If the browser language is not available, the Login Portal shows content in the language that is set as the primary or default language.

  • If one language is configured, this language is considered the primary language.

  • If no languages are configured for the Login Portal, the welcome banner, legal disclaimer, and username hint appear in English.

Add a language for the login portal

You can configure the text and the language for these areas of Login Portal:

  • Welcome banner
  • Legal disclaimer
  • Hint for the username

To add a language for the login portal:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

  2. To customize the login portal of an existing IdP, click the name of the IdP that you want to modify. Otherwise, create an IdP to define Login Portal settings associated with a new IdP. For more information, see Add an identity provider.

  3. Click the Login Portal tab.

  4. Click add language and complete these steps:

    1. In the Language menu, select a language.

    2. In the Welcome field, enter the text for the Welcome banner.

    3. In the Legal Disclaimer field, enter text that you want to appear as a legal disclaimer on the login portal page.

    4. In the Username Hint field, enter text for the username field.

    5. To configure the language as the primary one, enable Primary.

  5. Click Save.

Next steps

Deploy the IdP configuration. For more information, see Deploy configuration changes.

Password complexity for Login Portal

You can configure your AD to allow ETP to manage password complexity of the Login Portal. Every AD has a password complexity requirement. Your business may have other password reset requirements such as:

  • Users may be required to change their password at their first login.

  • Periodic password change, for example every 90 or 180 days, as per your business' security policy. This can be set at the group or individual user level in the AD domain.

    • Change password when it is still valid.
    • Reset password after it has expired.

  • Proactive or at-will password change:

    If your AD is using Windows 2008, 2012, or 2016, secure LDAP (LDAPS) is required for the directory host.

    If your AD is using Open LDAP, LDAP or LDAPS may be used for the directory host.

An administrator can define these password settings in AD, LDAP, and AD LDS directories.

Allow users to change password. Select one of these options to allow users to change their passwords in the Login Portal:

  • For the AD, enable this setting to allow users to change their passwords if their current password is valid and ETP does not require the user to reset the password on their next login.

  • For the Open LDAP directory, enable this setting to allow users to change expired passwords and passwords that require a reset, provided the grace authentication limit with expired passwords or must-reset passwords has not been exceeded.

By default, this setting is disabled. If disabled, the user cannot change the password through the Login Portal and will need to do so through the native directory outside of ETP.

Allow users to reset password. Select one of these options to allow users to change their passwords in the Login Portal:

  • For the AD, enable this setting to allow users to change their passwords if the ETP administrator requires the user to reset the password on their next login.

  • For the Open LDAP directory, enable this setting to allow users to change expired passwords and passwords that require a reset after the grace authentication limit with expired passwords or must-reset passwords has been exceeded.

To support this capability, the service account that ETP uses needs write privileges to modify another user's password. This setting only controls whether ETP attempts to handle these use cases. The privileges themselves must be configured for the service account on the AD or Open LDAP directory. Typically, accounts with administrator privileges also have the permissions to change another user's password. Administrators may want to restrict this privilege for the service account using mechanisms supported by the directory.

By default, allowing users to reset their own password is disabled. If disabled, the user cannot change the password through the Login Portal and will need to do so through the native directory outside of ETP.

Default password policy. This is a required field. It is automatically completed by the Microsoft AD. If you are using Open LDAP as your directory host, enter the default password policy for the directory.

Password expiry warning threshold (in seconds). This setting allows ETP to show users a password change reminder when they log in to the Login Portal, encouraging them to change their password before it expires. ETP determines the age of the user's current password during login and, if it exceeds the configured warning threshold, displays the password change reminder.

To support password changes from the Login Portal, the service account that ETP uses needs write privileges to modify another user's password. If write privileges are not granted to ETP, the warning message may help to reduce administrative support for expired user passwords. Enter the amount of time, in seconds, before the password expires to display the password change reminder message.

By default this threshold is set to zero (0). When set to zero (0), no warning messages display.

Password force change threshold (in seconds). This setting allows ETP to force users to change their password when they log in to the Login Portal, before they can access a website. This threshold should be greater than the warning threshold and less than the maximum age of the password in the AD. Enter the amount of time, in seconds, before the password expires to force a password change from the Login Portal.

By default this threshold is set to zero (0). When set to zero (0), ETP will not attempt to force a change of current valid passwords.
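The sketch below is an added example, not ETP code: it checks the two thresholds against each other and against the directory's maximum password age, then classifies a login by password age. It assumes the age is derived from the AD attributes pwdLastSet and maxPwdAge (100 ns FILETIME ticks) and that both thresholds are compared with password age; the function names and sample policy are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as 100 ns ticks since 1601-01-01 UTC (FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DAY = 86_400


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def max_age_seconds(max_pwd_age: int) -> int:
    """maxPwdAge is a negative count of 100 ns ticks; return it in seconds."""
    return abs(max_pwd_age) // 10_000_000


def validate_thresholds(warn_s: int, force_s: int, max_age_s: int) -> list:
    """Return configuration problems. A threshold of 0 is disabled."""
    problems = []
    if warn_s < 0 or force_s < 0:
        problems.append("thresholds must not be negative")
    if warn_s and force_s and force_s <= warn_s:
        problems.append("force change threshold must exceed warning threshold")
    if force_s and max_age_s and force_s >= max_age_s:
        problems.append("force change threshold must be below maximum password age")
    return problems


def login_action(pwd_last_set, now, warn_s, force_s, max_age_s) -> str:
    """Classify a login by password age (assumed semantics, see lead-in)."""
    if pwd_last_set == 0:
        return "reset"  # AD: user must change password at next logon
    age_s = (now - filetime_to_datetime(pwd_last_set)).total_seconds()
    if max_age_s and age_s >= max_age_s:
        return "reset"  # password has expired
    if force_s and age_s > force_s:
        return "force_change"
    if warn_s and age_s > warn_s:
        return "warn"
    return "ok"


# Constructed sample policy: 90-day maximum age, warn at 75 days, force at 85.
POLICY = dict(warn_s=75 * DAY, force_s=85 * DAY,
              max_age_s=max_age_seconds(-90 * DAY * 10_000_000))

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    set_80_days_ago = int((now - timedelta(days=80) - FILETIME_EPOCH).total_seconds()) * 10_000_000
    print(validate_thresholds(**POLICY), login_action(set_80_days_ago, now, **POLICY))
```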

Password complexity. To provide a message for users to read in the Login Portal, enter information about the password requirements in the Password complexity field.

Manage password complexity for the Login Portal from the Active Directory (AD)

Before you begin

See Password complexity for Login Portal.

In ETP, you can configure your AD to allow ETP to manage password complexity of the Login Portal.

To manage password complexity for the Login Portal from the AD:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

  2. Click a directory name.

  3. Click the Password Management settings tab.

  4. Select Allow users to change password.

  5. To allow users to reset their password, enable Allow users to reset passwords.

  6. In the Default password policy field, enter a name for the password policy.

  7. In the Password expiry warning threshold (in seconds) field, enter the time in seconds after which ETP warns users that the password is about to expire.

  8. In the Password force change threshold (in seconds) field, enter the time in seconds after which ETP forces the user to change their password.

  9. In the Password complexity field, enter the text that appears in the UI and indicates password requirements or criteria for setting a password.

  10. Complete the fields that apply to your password policy.

  11. Click Save.
