FortiGate
akanibek
Staff
Article Id 361025

Description

This article describes how to configure IPsec IKEv2 SAML-based authentication with a FortiAuthenticator acting as the IdP. It focuses on the FortiGate settings rather than on the FortiAuthenticator.
Scope

FortiAuthenticator v6.4.x or later releases, FortiGate v7.2.0 or later releases, and FortiClient v7.2.4 or later releases.

Solution
  1. Specify the TCP port on which the FortiGate accepts the SAML authentication traffic. For the time being, this option is available via the CLI only. On a VDOM-enabled appliance, the command is executed in the global VDOM:

config system global
    set auth-ike-saml-port 9443
end

  2. Specify the certificate that will be presented to the FortiClient (see the certificate import guide):

config user setting
    set auth-cert "fgt01.brave.you"
end

  3. Currently, it is better to pre-configure the FortiAuthenticator as the IdP first, because FortiAuthenticator allows the SAML configuration to be saved with some fields left empty, which is not possible on the FortiGate side. The SAML IdP settings are found here:
    1. SAML IdP settings on the FortiAuthenticator.
    2. Service Provider template.
    3. Verify that the SAML service is enabled on the relevant interface of the FortiAuthenticator.

The following screenshots show settings that are already configured, for reference:

  • SAML IdP General settings:

[Image: FAC_IdP_General.png]

  • Service Provider settings: as mentioned above, FortiAuthenticator allows the settings to be saved with some fields left empty. Here, as an example, no SP details have been entered yet:

[Image: FAC_SP_qwertyui.png]

  • For this article, the SP settings below were used. All IdP settings are entered in the FortiGate's 'Identity Provider Configuration', and all 'SP Metadata' fields on the FortiAuthenticator are taken from the FortiGate's 'Service Provider Configuration':

[Image: FAC_SP_proper.png]

  • The 'Assertion Attributes' must also be identical on both sides:

[Image: FAC_SP_Attributes.png]

  4. Configure the IdP settings on the FortiGate: go to User & Authentication -> Single Sign-On and select the 'Create New' button:

[Image: create_SAML_IdP.png]

  5. Adjust the settings accordingly (every attribute mentioned below is underlined in the screenshot):

    1. The Address field should be the FortiGate's SAML IKEv2 listening FQDN/IP and the port from step 1.

    2. All other fields of the FortiGate's 'Service Provider Configuration' section are grayed out and not adjustable. These fields should be copied to the FortiAuthenticator's Service Provider settings (refer to step 3).

    3. The 'Identity Provider Configuration' type field has two options. For this article, the type 'Fortinet Product' was selected because the FortiAuthenticator is acting as the IdP server.

For this option, these three attributes should be configured in the 'Identity Provider Configuration':

  1. The IdP's listening interface.
  2. Prefix.
  3. The certificate that has been imported to the FortiGate. It can be found in the FortiAuthenticator's 'SAML IdP General settings' in step 3.1.
  4. The 'Additional SAML attributes' section should be the same as on the SAML IdP (refer to step 3):

[Image: FGT_SAMP_IdP.png]

These settings are also configurable via the CLI console:

config user saml
    edit "FAC-IPSec"
        set entity-id "http://10.191.35.84:9443/remote/saml/metadata/"
        set single-sign-on-url "https://10.191.35.84:9443/remote/saml/login"
        set single-logout-url "https://10.191.35.84:9443/remote/saml/logout"
        set idp-entity-id "http://10.191.36.157/saml-idp/fc87gp0rbb35vu70/metadata/"
        set idp-single-sign-on-url "https://10.191.36.157/saml-idp/fc87gp0rbb35vu70/login/"
        set idp-single-logout-url "https://10.191.36.157/saml-idp/fc87gp0rbb35vu70/logout/"
        set idp-cert "FAC_Idp"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

  6. Configure 'ike-saml-server' under the listening interface:

config system interface
    edit "port3"
        set ike-saml-server "FAC-IPSec"
    next
end

  7. Create a remote SAML user group:

GUI: go to User & Authentication -> User Groups and select the 'Create New' button. Under 'Remote Server', specify the SAML server and the group name:

[Image: FGT_SAMLGroup-Gr01.png]

CLI settings:

config user group
    edit "FAC-IPSec-Gr01"
        set member "FAC-IPSec"
    next
end

  8. Configure a dial-up IPsec VPN:

config vpn ipsec phase1-interface
    edit "fac-saml-vpn"
        set type dynamic
        set interface "port3"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha1
        set dpd on-idle
        set eap enable
        set eap-identity send-request
        set authusrgrp "FAC-IPSec-Gr01" <-- SAML group.
        set ipv4-start-ip 10.1.1.1
        set ipv4-end-ip 10.1.1.254
        set dns-mode auto
        set psksecret ENC lxorIx6jKIyKMgONO7xeP23mAmONx/ePNMS4l/ERtkpOaIT2mAm6Ga3OHc8R3t7H8/arJvOBYWvk4J003DwVXqhjeFlGmj/Tif/46B4fMJloZpyn0XWhE0IjsoBDOIVIVnWdt5PrHsRew0PZ6U05g6TEWmy99E4qrYpdCPyjzM2A9qzEqoqail3BaaTgfi+7YERI0llmMjY3dkVA
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "fac-saml-vpn"
        set phase1name "fac-saml-vpn"
        set proposal aes128-sha1 aes256-sha256
        set dhgrp 14
        set keylifeseconds 86400
    next
end

Note:

User groups should be defined in the Phase 1 settings or in the firewall policy.
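The objects configured in steps 1 to 8 have to agree with each other: the port in the FortiGate's SP URLs must be the one set in step 1, the interface's 'ike-saml-server' must name an existing SAML server, the user group must reference that server, and the phase 1 must be IKEv2 with EAP enabled. The following Python script is an added example and not Fortinet's code: it reads FortiOS-style 'config' text with a small hand-written parser (not a FortiOS API), reports such mismatches, and returns the FortiGate's fixed Service Provider values that are copied into the FortiAuthenticator's SP settings (step 3). The sample configuration is constructed from the values in this article; the FortiAuthenticator field labels used in sp_metadata_for_fac are assumptions.

```python
"""Added example (not Fortinet code): cross-check the FortiGate objects of the IKEv2
SAML setup and derive the SP fields to copy into the FortiAuthenticator. parse_fortios
is a minimal hand-written reader for FortiOS 'config' text, not a FortiOS API; the
FortiAuthenticator field labels in sp_metadata_for_fac are assumed."""
import re
import shlex
from collections import defaultdict

def parse_fortios(text):
    """Return {config path: {entry name (None outside 'edit'): {key: [values]}}}."""
    cfg, stack, entry = defaultdict(dict), [], None
    lines = [raw.split("<--", 1)[0].strip() for raw in text.splitlines()]  # drop notes
    for line in filter(None, lines):
        cmd, *args = shlex.split(line)            # keeps spaces inside quotes
        if cmd == "config":
            stack.append(" ".join(args))
        elif cmd == "edit":
            entry = args[0]
        elif cmd == "set":
            cfg[stack[-1]].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            stack.pop()
            entry = None
    return cfg

def check_ikev2_saml(cfg):
    """List mismatches between the objects that must agree for the SAML dial-up VPN."""
    out = []
    port = cfg["system global"].get(None, {}).get("auth-ike-saml-port", [None])[0]
    servers = {n: s for n, s in cfg["user saml"].items() if n}
    for name, s in servers.items():
        for key in ("entity-id", "single-sign-on-url", "single-logout-url"):
            m = re.match(r"https?://[^/:]+:(\d+)/", s.get(key, [""])[0])
            if not m or m.group(1) != port:       # SP URLs must carry the step-1 port
                out.append(f"user saml {name}: {key} does not use auth-ike-saml-port {port}")
    for ifname, i in cfg["system interface"].items():
        ref = i.get("ike-saml-server", [None])[0]
        if ref is not None and ref not in servers:  # e.g. a stray space inside the quotes
            out.append(f"interface {ifname}: ike-saml-server {ref!r} matches no user saml entry")
    groups = {n for n in cfg["user group"] if n}
    for gname, g in cfg["user group"].items():
        for member in g.get("member", []):
            if member not in servers:
                out.append(f"user group {gname}: member {member!r} is not a SAML server")
    for name, p in cfg["vpn ipsec phase1-interface"].items():
        if name and (p.get("ike-version") != ["2"] or p.get("eap") != ["enable"]):
            out.append(f"phase1 {name}: SAML needs 'set ike-version 2' and 'set eap enable'")
        grp = p.get("authusrgrp", [None])[0]
        if grp is not None and grp not in groups:
            out.append(f"phase1 {name}: authusrgrp {grp!r} is not a defined user group")
    return out

def sp_metadata_for_fac(cfg, saml_name):
    """FortiGate's fixed SP values for the FortiAuthenticator 'SP Metadata' fields."""
    s = cfg["user saml"][saml_name]
    return {"SP entity ID": s["entity-id"][0],
            "SP ACS (login) URL": s["single-sign-on-url"][0],
            "SP SLS (logout) URL": s["single-logout-url"][0],
            "Assertion attributes": (s["user-name"][0], s["group-name"][0])}

# Constructed sample built from the article's values (PSK, DNS and policy omitted).
SAMPLE = """
config system global
    set auth-ike-saml-port 9443
end
config user saml
    edit "FAC-IPSec"
        set entity-id "http://10.191.35.84:9443/remote/saml/metadata/"
        set single-sign-on-url "https://10.191.35.84:9443/remote/saml/login"
        set single-logout-url "https://10.191.35.84:9443/remote/saml/logout"
        set idp-entity-id "http://10.191.36.157/saml-idp/fc87gp0rbb35vu70/metadata/"
        set idp-cert "FAC_Idp"
        set user-name "username"
        set group-name "group"
    next
end
config system interface
    edit "port3"
        set ike-saml-server "FAC-IPSec"
    next
end
config user group
    edit "FAC-IPSec-Gr01"
        set member "FAC-IPSec"
    next
end
config vpn ipsec phase1-interface
    edit "fac-saml-vpn"
        set interface "port3"
        set ike-version 2
        set eap enable
        set authusrgrp "FAC-IPSec-Gr01" <-- SAML group.
    next
end
"""
```

On the sample, check_ikev2_saml(parse_fortios(SAMPLE)) returns an empty list and sp_metadata_for_fac(parse_fortios(SAMPLE), "FAC-IPSec") gives the values to type into the FortiAuthenticator. Reintroducing a stray space inside the quoted 'ike-saml-server' name, or changing the port from step 1 without updating the SAML server URLs, each produces a finding that names the object to fix; the same parser can be pointed at a 'show full-configuration' dump of a live unit.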

  9. Create a firewall policy for the IPsec traffic:

config firewall policy
    edit 2
        set name "IPSec-vpn"
        set uuid 9c1f013c-eda2-51ed-5c50-93db6dd6a717
        set srcintf "fac-saml-vpn"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS" "NTP"
        set logtraffic all
        set nat enable
    next
end

  10. Configure FortiClient on the workstation. Fill in the fields according to the settings above:

[Image: FClient_Settings.png]

  11. Connection results. Note that a certificate warning message may appear; refer to step 2:

[Image: FCLient_Connect1.png]

[Image: FCLient_Connect2.png]

[Image: FCLient_Connect3.png]

Troubleshooting:

For troubleshooting, run these debug commands on the FortiGate and additionally enable RADIUS debugging on the FortiAuthenticator:

diagnose debug console timestamp enable
diagnose debug app saml -1
diagnose debug app ike -1
diagnose debug app eap_proxy -1
diagnose debug app fnbamd -1

diagnose debug enable

diagnose debug disable  <-- To disable debugs.

Related documents:

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients

Configure Microsoft Entra ID SAML authentication for Dial-up IPsec VPN