Inside Enterprise Applications on the Azure portal, follow the steps below:

1. Create a new FortiGate VPN SSL-type application.

Note: 

Do not be misled by the name of the application, 'FortiGate SSL VPN' - it is applicable for IPsec remote access VPN as well.

2. Rename the application as desired and select the Create button.

3. When the application is created, go into it and add the users who can connect to the VPN.

4. Select single sign-on in the left menu and then in SAML to start the basic SAML configuration.
5. Edit the Basic SAML Configuration panel.
6. Copy the pattern on Identifier ID https://*.FORTIGATE-FQDN.com/remote/saml/metadata, change it with the VPN address, remove https, and replace it with HTTP, and add a / into the field. See the example below: http://*.FORTIGATE-FQDN.com/remote/saml/metadata/

Do not forget to add the VPN port to the pattern. For example: http://vpnnamehere.com:10443/remote/saml/metadata/

Do the same to the reply URL, Sign-on URL, and logout URL. For these three fields, it is not necessary to change https to HTTP and add a / at the end of the URL.

7. Inside Attributes & Claims, perform the following steps:

• Delete the claim user.groups [SEcurityGroups].
• Add a new claim called username with value user.principalname.
• Add a new group claim, choose the All groups option, and source attribute as Group ID.
• In advanced options still inside the group claim, select the option 'Customize the name of the group claim' and add the name as 'group' without quotes.

The Attribute and Claim configuration needs to be like the ones in the following image:

Come back to the single sign-on configuration.

8. Download the Certificate (Base64) and import it into the FortiGate as a Remote Certificate.

It is possible to rename this certificate in the CLI to make it easier to identify it through the following command:

config vpn certificate remote
rename <old_name> to <new_name>

9. In the FortiGate configuration, go to User & Authentication and Authentication Settings. Change the certificate to the wildcard or use the Fortinet_Factory.
   
   
10. Go to Single Sign-on, select Create New, and follow the steps below:

• In the address field, use the same address that was used in the Azure single sign-on configuration. vpnnamehere.com:10443
• On the certificate, use Fortinet_Factory and select Next.
• On the identity provider details, select the custom option.
• See the table below to fill in the correct fields by just copying the information into the fields.

• Use the certificate that was imported before.
• In the attributes, use the username and groups for the respective fields.

11. Create a group inside the User Groups, like the picture below.

Use the remote server, the single sign-on server that was created before, and choose the option any for the groups.

12. Create a VPN IPsec tunnel as a dial-up tunnel.

Add the following commands inside the phase1-interface configuration:

config vpn ipsec phase1-interface

    edit "IPSEC_SAML_HOME"

        set eap enable
        set eap-identity send-request
        set authusrgrp "GR-VPN-SAML"
end

13. Inside the config system global settings, add the command 'set auth-ike-saml-port 9443'. Note that this command is only supported on FortiGate v7.2.0 and later.
    
    
14. Inside the link interface that will receive the connections, add the command to set ike-saml-server to 'SINGLE SIGN-ON PROFILE'.
    
    config system interface
        edit <name>
            set ike-saml-server <saml_server>
        next
    end
    

If IPsec is configured on the loopback interface, then the IKE SAML server must also be enabled on the loopback. If the user is internal to the FortiGate and IPsec is configured on the external interface, the command should be enabled on both the internal and external interfaces.

15. Create a firewall policy as required to control the traffic.

Note: 

Configure the user group either in the Phase 1 VPN settings (authusrgrp) or in the firewall policy, but not both.

16. Configure the remote access profile in the FortiClient and fill in the information as configured in the VPN configuration.

17. Check the connectivity as per the policy that was created before.
18. Use the troubleshooting commands below to check the SAML and IKE logs during the connection.

   diagnose debug reset

   diagnose debug console timestamp enable

diagnose vpn ike log filter rem-addr4 x.x.x.x <----- x.x.x.x is client public IP.

   diagnose debug app authd 255

diagnose debug application samld -1

diagnose debug app fnbamd -1

diagnose debug application eap_proxy -1

diagnose debug application ike -1

diagnose debug enable

To stop debugging:

diagnose debug disable

Notes:

• FortiClient's free version on macOS does not support IKEv2. This will require an EMS license for v7.2.3 and above. For more information, see Technical Tip: FortiClient Mac does not support IKE v2 in IPsec.
• FortiClient v7.2.4 or later supports SAML with Dial-up IPsec VPN. This requires IKEv2.
• Dial-up IPsec with SAML using an external browser for authentication is supported starting from FortiOS v7.4.9 and v7.6.1, FortiClient versions v7.2.5 and v7.4.1 for Mac and Windows, and FortiClient v7.4.3 for Linux.
• Remote Gateway in the FortiClient VPN configuration must be FQDN or IP address only and should not include port or '/remote/saml/login'.
• After upgrading FortiGate to v7.2.12, v7.4.9, or v7.6.4, the Azure IDP configuration must be updated to 'Sign SAML response and assertion, see Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4.

Related documents:

IPsec VPN SAML-based authentication 

Troubleshooting Tip: Authentication Keepalive causing IPSEC VPN with SAML Authentication to fail

Technical Tip: How to use multiple groups with EAP for IKEv2 (SAML/RADIUS/local)