IPSEC SAML VPN... SSO works but then does not start the VPN connection
Hi all,
I've been working with support on this without any success so far (and they've confirmed all the setup is correct), but I'm trying to move from SSL VPN to IPSEC and have set up SAML with Entra ID, and this works fine when using the Apple app on iPads, but I cannot get it going on a Windows machine. When I try to connect, it prompts me to log into Azure and then says "you have successfully logged in", but that window just stays there and the FortiClient just shows as "Disconnect" but it's not actually connected, whereas on the iPads it does the Azure bit and then that window disappears and the VPN starts to connect.
I've tried it with Windows 10 and 11 and also Server 2016, and also with various versions of FortiClient, and although I can see the SAML connecting in the logs on the FortiGate, there is nothing after that, i.e. it doesn't then start to connect the VPN; it's as though whatever should happen after that just doesn't happen.
I've got a feeling this is more of a Microsoft thing rather than a Fortinet thing, so can I simply ask if anyone has got Windows users connecting to a FortiGate using Entra SSO and IPSEC, and if so, what version/release of Windows and FortiClient are you using so I can mirror it (we're not using EMS, by the way, just the free VPN)? Also, am I correct in thinking that when the SSO completes, the "You have successfully logged on" window should disappear and the VPN start to connect, or is the process slightly different? It might help to know what I "should" be expecting.
Any help would be great.
