The setup involves FortiGate, FortiAuthenticator, and Azure as ID,P where FortiAuthenticator acts as the service provider (SP) and Microsoft Azure AD as the identity provider (IdP).

The first step would be to verify the config as described in the official document: SAML FSSO with FortiAuthenticator and Microsoft Azure AD 

Upon external redirect from FortiGate captive portal, error 404 'The requested URL was not found on this server' was prompted. This normally indicates the URL used on the SP side for IdP single sign-on is wrong or has typos, or is missing values.

HAR would show the GET request and response post redirection from FortiGate.

• The external URL is configured on FortiGate under the captive portal-enabled interface
  set security-external-web:https://fac.fortilab.local/saml-sp/Azure_fac_as_sp/login
• On FortiAuthenticator, Portal URL: https://fac.fortilab.local/saml-sp/Azure_fac_as_sp/login/
• On IDP, https://fac.fortilab.local/saml-sp/Azure_fac_as_sp/login

All FortiGate, FortiAuthenticator and IDP URL should match. In this scenario, removing '/' fromthe  FortiAuthenticator config fixed the issue.