Inside Enterprise Applications on the Azure portal, follow the steps below:
- Create a new application from the gallery using the FortiGate SSL VPN template.

- Rename the application as desired and select the Create button.

- Once the application is created, open it and assign the users who will be allowed to connect to the VPN.

- Select Single sign-on in the left menu, then SAML, to start the SAML configuration.
- Edit the Basic SAML Configuration panel.
- Copy the Identifier (Entity ID) pattern https://*.FORTIGATE-FQDN.com/remote/saml/metadata, replace the wildcard with the VPN address, change https to http, and add a trailing / to the value. The value has to match the SP entity ID that the FortiGate generates for its single sign-on profile, which uses http and a trailing / by default. See the example below.
http://*.FORTIGATE-FQDN.com/remote/saml/metadata/
Do not forget to include the VPN port in the value. For example:
http://vpnnamehere.com:10443/remote/saml/metadata/
Replace the address and port in the same way in the Reply URL, Sign on URL, and Logout URL. These three fields keep https and do not take a trailing /.

- Inside Attributes & Claims, perform the following steps.
- Delete the default claim user.groups [SecurityGroup].
- Add a new claim named username with the value user.userprincipalname.
- Add a new group claim, choose the All groups option, and set the source attribute to Group ID.
- In the advanced options of the group claim, select 'Customize the name of the group claim' and set the name to group (without quotes). This name must match the group attribute configured later on the FortiGate.
The Attributes & Claims configuration should match the following image:

Return to the single sign-on configuration.
- Download the Certificate (Base64) and import it into the FortiGate as a Remote Certificate.


The imported certificate can be renamed in the CLI so it is easier to identify (the imported name is shown by show vpn certificate remote):
config vpn certificate remote
    rename <imported-name> to <new-name>
end
- In the FortiGate GUI, go to User & Authentication, Authentication Settings, and set the certificate to the wildcard certificate of the VPN FQDN or use Fortinet_Factory.
- Go to Single Sign-On, select Create New, and follow the steps below.
- In the Address field, enter the same address and port that were used in the Azure single sign-on configuration, for example vpnnamehere.com:10443.
- For the certificate, use Fortinet_Factory and select Next.
- In the identity provider details, select the Custom option.
- Fill in the fields by copying the values from the Azure single sign-on page, as shown in the table below.


- For the IdP certificate, use the certificate that was imported before.
- In the attributes, enter the claim names configured in Azure: username for the username attribute and group for the group attribute. The names must match the Azure claims exactly, or the FortiGate will not be able to read the user and group from the assertion.

- Create a group inside User Groups like the picture below.
Use the single sign-on server created above as the remote server and select Any for the groups. Azure sends the group object ID as the claim value, so matching on Any avoids having to enter GUIDs on the FortiGate.

- Create a VPN IPsec tunnel as a dial-up tunnel.

Add the following commands inside the phase1-interface configuration (EAP requires IKEv2):
set eap enable
set eap-identity send-request
- Inside the config system global settings, add the command 'set auth-ike-saml-port 9443'. This is the port on which the FortiGate serves the SAML login page during IKE authentication, so it must be reachable by the clients and must not clash with another listener on the same interface. This command is only supported on FortiOS 7.2.0 and later.
- Inside config system interface, on the interface that will receive the dial-up connections, add 'set ike-saml-server <single sign-on profile name>'.
- Create a policy to control the traffic.

- Configure the remote access profile in FortiClient with the same values used in the VPN configuration (remote gateway, port, and pre-shared key).


- Check the connectivity as per the policy that was created before.
- Use the commands below to follow the SAML exchange on the FortiGate while the client connects. The IKE/EAP side of the same connection can be traced alongside it with diagnose debug application ike -1.
diagnose debug application samld -1
diagnose debug enable
Turn the debug off again once the test is finished:
diagnose debug disable
diagnose debug reset
Related document:
IPsec VPN SAML-based authentication