FortiClient SAML (Entra ID) – No login prompt / account selection when using multiple tenants
Hi all,
I’m running into an issue with FortiClient SAML authentication when working with multiple Entra ID tenants and wanted to ask if anyone has faced something similar.
Environment:
- FortiClient 7.4.5 with SAML authentication (Azure / Entra ID)
- FortiClient EMS 7.4.5
- Authentication is handled via embedded WebView (not external browser)
- Endpoint is Azure AD joined (Entra ID) with user signed in as `user@tenantA.com`
Scenario:
- When connecting to VPN using SAML against tenant A → everything works fine
- When connecting to VPN using SAML against tenant B → authentication fails
Observed behavior:
- FortiClient does NOT display a login prompt or account selection; instead, it automatically tries to authenticate using the currently logged-in Windows account (`user@tenantA.com`).
- Since this user is not present (or not assigned) in tenant B, authentication fails with:
  AADSTS50105 (user not assigned / not found)
Key point:
It seems that FortiClient (WebView) is using Windows SSO (WAM) and silently reusing the existing session, without giving the user a chance to select a different account.
What I already tested:
- Conditional Access (Sign-in frequency = every time) → no change
- User assignment in Enterprise App → expected behavior, but doesn’t solve account selection
- Different browsers → not applicable (WebView is used)
- Clearing sessions / tokens → no change
Questions:
1. Is there any way to force FortiClient (WebView) to always show the login prompt or account picker?
2. Is switching to external browser the only reliable solution for multi-tenant scenarios?
3. Any recommended best practice for SAML VPN when users need to authenticate against multiple Entra tenants?
Any insights or real-world experience would be highly appreciated.
Thanks, Jirka
