Inside Enterprise Applications on the Azure portal, follow the steps below:
- Create a new FortiGate SSL VPN-type application.
  Note: Do not be misled by the name of the application, 'FortiGate SSL VPN': it is applicable to IPsec remote access VPN as well.
- Rename the application as desired and select the Create button.
- When the application is created, go into it and add the users who can connect to the VPN.
- Select Single sign-on in the left menu and then SAML to start the basic SAML configuration.
- Edit the Basic SAML Configuration panel.
- Copy the pattern in the Identifier (Entity ID) field, https://*.FORTIGATE-FQDN.com/remote/saml/metadata, replace the wildcard with the VPN address, change https to http, and add a trailing / to the value. For example: http://*.FORTIGATE-FQDN.com/remote/saml/metadata/.
  Do not forget to add the VPN port to the pattern. For example: http://vpnnamehere.com:10443/remote/saml/metadata/.
  Do the same for the Reply URL, Sign-on URL, and Logout URL. For these three fields it is not necessary to change https to http or to add a / at the end of the URL.
- Inside Attributes & Claims, perform the following steps:
  - Delete the claim user.groups [SecurityGroups].
  - Add a new claim called username with the value user.userprincipalname.
  - Add a new group claim, choose the All groups option, and set the source attribute to Group ID.
  - In Advanced options, still inside the group claim, select 'Customize the name of the group claim' and enter the name group (without quotes).
  The Attribute and Claim configuration needs to look like the one in the following image.
- Go back to the single sign-on configuration. Download the Certificate (Base64) and import it into the FortiGate as a Remote Certificate.
  It is possible to rename this certificate in the CLI to make it easier to identify, with the following command:
    config vpn certificate remote
        rename <old_name> to <new_name>
    end
- In the FortiGate GUI, navigate to User & Authentication > Authentication Settings and change the certificate to the wildcard certificate, or use Fortinet_Factory. An error indicating that the certificate in use is not trusted may be displayed if the 'Fortinet_Factory' certificate is enabled. The CLI commands to assign the certificate are:
    config user setting
        set auth-cert "Fortinet_Factory"
    end
- Go to Single Sign-On, select Create New, and follow the steps below:
  - In the Address field, use the same address that was used in the Azure single sign-on configuration: vpnnamehere.com:10443
  - For the certificate, use Fortinet_Factory and select Next.
  - In the identity provider details, select the Custom option.
  - See the table below to fill in the correct fields by copying the information into them.
  - Use the certificate that was imported before.
  - In the attributes, use username and group (the claim names configured in Azure) for the respective fields.
- Create a group inside User Groups, like the picture below. Use the remote server, i.e. the single sign-on server created before, and choose the option Any for the groups.
- Create an IPsec VPN tunnel as a dial-up tunnel.
  Add the following commands inside the phase1-interface configuration:
    config vpn ipsec phase1-interface
        edit "IPSEC_SAML_HOME"
            set eap enable
            set eap-identity send-request
            set authusrgrp "GR-VPN-SAML"
        next
    end
- The daemon authd has been updated to support SAML authentication and now listens for local-in traffic from FortiClient on the TCP port defined in the auth-ike-saml-port setting (range 0–65535, default 1001). At this time, this setting can only be configured through the CLI, from version 7.2.x onwards:
    config system global
        set auth-ike-saml-port <integer>
    end
- On the interface that will receive the connections, set ike-saml-server to the single sign-on profile created before:
    config system interface
        edit <name>
            set ike-saml-server <saml_server>
        next
    end
  If IPsec is configured on the loopback interface, then the IKE SAML server must also be enabled on the loopback. If the user is internal to the FortiGate and IPsec is configured on the external interface, the command should be enabled on both the internal and external interfaces.
  Note: The above settings are important. If ike-saml-server is not configured on the interface, running a flow debug on the SAML traffic destined to the port defined in 'set auth-ike-saml-port <integer>' shows the following errors, because the SAML traffic is destined to a local interface on the FortiGate and, without 'ike-saml-server', this port is implicitly blocked on the interface the traffic arrives on:
    policy-4294967295 is matched, act-drop
    iprope_in_check() check failed on policy 0, drop
  On the client, the SAML authentication page keeps loading for a while and eventually displays a timeout message.
- Create a firewall policy as required to control the traffic.
  Note: Configure the user group either in the Phase 1 VPN settings (authusrgrp) or in the firewall policy, but not both.
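The phase1-interface, interface and user-group requirements above can be checked mechanically before the first client connects. The following lint is an added example and not Fortinet code: it parses a constructed FortiOS configuration text, and the interface name port1 and SAML server name AZURE-SAML are placeholders.

```python
# Added example, not Fortinet code: lint a FortiOS dial-up IPsec + SAML configuration
# for the phase1-interface and system interface settings described in this article.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "IPSEC_SAML_HOME"
        set interface "port1"
        set eap enable
        set eap-identity send-request
        set authusrgrp "GR-VPN-SAML"
    next
end
config system interface
    edit "port1"
        set ike-saml-server "AZURE-SAML"
    next
end
"""  # constructed config; port1 and AZURE-SAML are placeholder names

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: value}}}."""
    tree, stack = {}, []  # stack of [section, current edit entry or None]
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            stack.append([line[7:], None])
            tree.setdefault(line[7:], {})
        elif line.startswith("edit "):
            stack[-1][1] = line[5:].strip('"')
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tree[stack[-1][0]].setdefault(stack[-1][1], {})[key] = value.strip('"')
        elif line == "next":
            stack[-1][1] = None
        elif line == "end":
            stack.pop()
    return tree

def lint_saml_dialup(tree, saml_port=1001):
    """Return findings for every EAP (SAML) dial-up phase1; saml_port is auth-ike-saml-port."""
    findings, ifaces = [], tree.get("system interface", {})
    for name, p1 in tree.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("eap") == "enable":  # only EAP/SAML dial-up tunnels are checked
            if p1.get("eap-identity") != "send-request":
                findings.append(f"{name}: 'set eap-identity send-request' is missing")
            intf = p1.get("interface")
            if not ifaces.get(intf, {}).get("ike-saml-server"):
                findings.append(f"{name}: interface {intf} has no ike-saml-server, so local-in SAML traffic to TCP {saml_port} is implicitly dropped")
            if "authusrgrp" not in p1:
                findings.append(f"{name}: no authusrgrp; set the user group in the firewall policy instead")
    return findings
```

Run it against the output of 'show vpn ipsec phase1-interface' and 'show system interface' pasted into one text; an empty result means the three settings are consistent for every EAP tunnel.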
  For additional information, consult the FortiGate Administration Guide, which provides detailed instructions on configuring and using user groups for IPsec VPNs: Using single or multiple user groups for user authentication.
- Configure the remote access profile in FortiClient and fill in the information as configured in the VPN configuration.
  Note: For certain configurations of IPsec VPN with SAML (or for compatibility reasons), ensure that the option 'Use external browser as user-agent' in FortiClient is unchecked. This ensures that FortiClient uses its built-in browser component rather than redirecting to the system default browser.
- Check the connectivity as per the policy that was created before.
- Use the troubleshooting commands below to check the SAML and IKE logs during the connection:
    diagnose debug reset
    diagnose debug console timestamp enable
    diagnose vpn ike log filter rem-addr4 x.x.x.x    <----- x.x.x.x is the client public IP
    diagnose debug app authd 255
    diagnose debug application samld -1
    diagnose debug app fnbamd -1
    diagnose debug application eap_proxy -1
    diagnose debug application ike -1
    diagnose debug enable
  To stop debugging:
    diagnose debug disable

Notes:
- The free version of FortiClient on macOS does not support IKEv2. This requires an EMS license for v7.2.3 and above. For more information, see Technical Tip: FortiClient Mac does not support IKE v2 in IPsec.
- FortiClient v7.2.4 or later supports SAML with dial-up IPsec VPN. This requires IKEv2.
- Dial-up IPsec with SAML using an external browser for authentication is supported starting from FortiOS v7.4.9 and v7.6.1, FortiClient v7.2.5 and v7.4.1 for Mac and Windows, and FortiClient v7.4.3 for Linux.
- The Remote Gateway in the FortiClient VPN configuration must be an FQDN or IP address only and must not include the port or '/remote/saml/login'.
- After upgrading FortiGate to v7.2.12, v7.4.9, or v7.6.4, the Azure IdP configuration must be updated to 'Sign SAML response and assertion'. See Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4.
- When configuring multiple dial-up IPsec tunnels with SAML authentication on the same FortiGate, it is important to consider the behavior of the following parameter: set auth-ike-saml-port. This command defines the local TCP port that the FortiGate uses to handle the SAML authentication process.
- IPsec over TCP can be configured following the article Technical Tip: How to configure IPsec over TCP.

Related documents:
- IPsec VPN SAML-based authentication
- Troubleshooting Tip: Authentication Keepalive causing IPSEC VPN with SAML Authentication to fail
- Technical Tip: How to use multiple groups with EAP for IKEv2 (SAML/RADIUS/local)
- SAML-based authentication for FortiClient remote access dialup IPsec VPN clients
- Troubleshooting Tip: How to resolve FortiClient untrusted Certificate Errors with SAML authentication