FortiGate
Vedaant
Staff
Article Id 387516
Description

This article describes the configuration of SAML for the HA management interface.

Scope

FortiGate.
Solution

Configure HA management interface reservation in the HA settings:

  • Primary firewall management IP: '10.20.1.1'.
  • Secondary firewall management IP: '10.20.1.2'.
  • FortiAuthenticator as IdP: '10.9.11.41'.

On the FortiGate (SP), go to Security Fabric -> Fabric Connectors -> Security Fabric Setup -> Single Sign-On Settings. Select SP, fill in the IdP details copied from the FortiAuthenticator, copy the SP details shown on the FortiGate into the FortiAuthenticator, and import the IdP certificate from the IdP server.

Configure the same on the secondary firewall, using the secondary firewall's own management IP ('10.20.1.2' in this example).

Configure the VDOM exception setting on the FortiGate HA cluster so that each member keeps its own SAML settings instead of having them synchronized:

config system vdom-exception
    edit 1
        set object system.saml   <----- Allows different SAML attributes on the primary and secondary FortiGate in the HA cluster.
    next
end
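As an added check (not part of the article and not FortiOS code), the script below parses the SP metadata of each HA member and confirms that every SP URL names that member's own management IP, which is exactly what the vdom-exception above is meant to guarantee. The metadata shape (entityID http://<ip>/metadata/, ACS https://<ip>/saml/?acs, SLS https://<ip>/saml/?sls) and the sample documents are constructed assumptions, not captured from a unit.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PRIMARY_IP, SECONDARY_IP = "10.20.1.1", "10.20.1.2"  # HA management IPs from the article

def sp_metadata(ip):
    """Constructed SP metadata in the shape assumed for a FortiGate SP
    (entityID http://<ip>/metadata/, ACS/SLS under https://<ip>/saml/); not captured from a unit."""
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="http://{ip}/metadata/">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"'
        f' Location="https://{ip}/saml/?sls"/>'
        '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
        f' Location="https://{ip}/saml/?acs" index="0"/>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )

def sp_endpoints(xml_text):
    """Pull the entityID, ACS and SLS locations out of SP metadata."""
    root = ET.fromstring(xml_text)
    acs = root.find(".//md:AssertionConsumerService", NS)
    sls = root.find(".//md:SingleLogoutService", NS)
    return {
        "entityID": root.get("entityID"),
        "acs": acs.get("Location") if acs is not None else None,
        "sls": sls.get("Location") if sls is not None else None,
    }

def check_member(mgmt_ip, xml_text):
    """Every SP URL must carry this member's own HA management IP; return the mismatches."""
    problems = []
    for name, url in sp_endpoints(xml_text).items():
        host = urlparse(url).hostname if url else None  # missing URL counts as a mismatch
        if host != mgmt_ip:
            problems.append(f"{name} points at {host}, expected {mgmt_ip}")
    return problems

def check_cluster(metadata_by_ip):
    """Map each management IP to its list of problems (an empty list means consistent)."""
    return {ip: check_member(ip, xml) for ip, xml in metadata_by_ip.items()}

# Constructed scenario: the secondary kept a synced copy of the primary's SAML SP
# settings (no vdom-exception), so its metadata still names 10.20.1.1.
SAMPLE = {PRIMARY_IP: sp_metadata(PRIMARY_IP), SECONDARY_IP: sp_metadata(PRIMARY_IP)}

if __name__ == "__main__":
    for ip, problems in check_cluster(SAMPLE).items():
        print(ip, "OK" if not problems else problems)
```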

Configure the IdP on FortiAuthenticator, which acts as the IdP server.

Configure the IdP attributes on FortiAuthenticator.

Configure the SP entry for the primary FortiGate on FortiAuthenticator.

Configure the SP entry for the secondary FortiGate on FortiAuthenticator.

Go to User Management, create a local user, and add the user to the user group.

After the configuration, log out and log back in to the FortiGate using 'Sign in with Security Fabric' on either the primary or the secondary firewall.

Verify the SAML redirection and troubleshoot SAML with the following commands:

diagnose debug application httpsd -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable

To disable the debug, run the following command:

diagnose debug disable