When connecting to a SAML IPsec VPN with DUO MFA, after inputting SAML username + password + DUO MFA, FortiClient Windows shows '403 Forbidden error' and is unable to proceed:

With FortiClient EMS subscription:

This is due to incorrect [After Logon SAML Authentication Framework] settings.

1. In FortiClient EMS, go to Endpoint Profile -> Remote Access -> (select profile) -> Edit -> After Logon SAML Authentication Framework -> Microsoft Edge Webview 2 -> Save.
   
   

2. Wait for a minute for the endpoint to sync the profile.
3. In the endpoint FortiClient, go to Settings -> Advanced -> Clear Cookies.

4. Reattempt to connect to the SAML IPsec VPN. It should be successful.

Note:

Without a FortiClient EMS subscription, enabling the 'Use external browser as user-agent for SAML user authentication' option also resolves this error. If the issue is on v7.2.9 or v7.2.10, the solution is to upgrade to v7.4 to use the external browser option.

Dialup IPsec VPN with SAML using an external browser for authentication is supported starting from FortiOS v7.6.1, FortiClient (Windows) and (macOS) v7.2.5 and v7.4.1, and FortiClient (Linux) 7.4.3. If the FortiOS version is below this version, disable the 'Use external browser as user-agent for saml user authentication' option in the FortiClient.