FortiClient
btan
Staff & Editor
Article Id 356663
Description This article describes how to resolve the '403 Forbidden' error when connecting to a SAML IPsec VPN with DUO MFA.
Scope FortiClient v7.2.9, v7.2.10, v7.4.0 and above
Solution

When connecting to a SAML IPsec VPN with DUO MFA, after entering the SAML username and password and completing the DUO MFA prompt, FortiClient on Windows shows a '403 Forbidden' error and cannot proceed.


With an EMS subscription:



This is caused by an incorrect [After Logon SAML Authentication Framework] setting in the endpoint's Remote Access profile.

  1. In FortiClient EMS, go to Endpoint Profile -> Remote Access -> (select the profile) -> Edit -> After Logon SAML Authentication Framework -> Microsoft Edge Webview 2 -> Save.



  2. Wait about a minute for the endpoint to sync the updated profile.
  3. On the endpoint, in FortiClient go to Settings -> Advanced -> Clear Cookies.




  4. Reattempt the connection to the SAML IPsec VPN. It should now succeed.


Note:

Without an EMS subscription, enabling the 'Use external browser as user-agent for saml user authentication' option in FortiClient also resolves this error. On v7.2.9 or v7.2.10 this option is not available, so the solution is to upgrade to v7.4 and then enable the external browser option.