Created on 07-31-2024 01:35 AM, edited on 03-12-2025 08:35 AM, by Jean-Philippe_P
Description: This article describes Admin SSO with FortiAuthenticator as a SAML server with locally created users.
Scope: FortiOS.
Solution:
To achieve the configuration, refer to the following steps:
On FortiAuthenticator (IdP, FortiAuthenticator acting as the SAML server):
Go to User Management, create the local users, and add the users to a user group:
Go to Authentication -> SAML IdP -> General, set the server address to FortiAuthenticator's management IP, and under Realms select the user group that was created locally. After this step, navigate to SAML IdP -> Service Providers. Set the SP IP to the FortiGate's IP, then select the '+' icon next to IdP prefix to generate a prefix that will later be used on the FortiGate.
Once the prefix is generated, configure the user attributes and save. The IdP URLs and SP settings are then displayed.
Enable the IdP service on the admin port.
On the FortiGate (SP): Go to Security Fabric -> Fabric Connectors -> Security Fabric Setup, select Single Sign-On Settings, select SP, and fill in the IdP details copied from FortiAuthenticator. Enter the SP details shown on the FortiGate into the Service Provider entry on FortiAuthenticator.
For the IdP certificate, export the default server certificate from FortiAuthenticator and upload it to the FortiGate as a remote certificate. On FortiAuthenticator, go to Certificate Management -> End Entities -> Local Services, select Export certificate, and download it.
Once downloaded, on the FortiGate go to System -> Certificates -> Create/Import -> Remote, import the IdP certificate, and select it in the IdP settings on the FortiGate.
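As an added example, not taken from the article, the following is the CLI equivalent of the FortiGate SP settings configured in the GUI steps above. The IP addresses, the IdP prefix placeholder and the certificate names are assumptions: the real IdP URLs must be copied from the Service Provider entry on FortiAuthenticator after the prefix is generated, and the remote certificate name is whatever the import assigned.

```text
# Added example (not from the article): FortiGate SP-side SAML settings.
# 192.0.2.1 = FortiGate, 192.0.2.10 = FortiAuthenticator, <idp-prefix> =
# the prefix generated on FortiAuthenticator (all placeholders).
config system saml
    set status enable
    set role service-provider
    # certificate the FortiGate presents as the SP
    set cert "Fortinet_Factory"
    # SP values; these are what is entered into the SP entry on FortiAuthenticator
    set entity-id "http://192.0.2.1/metadata/"
    set single-sign-on-url "https://192.0.2.1/saml/?acs"
    set single-logout-url "https://192.0.2.1/saml/?sls"
    # IdP values copied from FortiAuthenticator after the prefix is generated
    set idp-entity-id "http://192.0.2.10/saml-idp/<idp-prefix>/metadata/"
    set idp-single-sign-on-url "https://192.0.2.10/saml-idp/<idp-prefix>/login/"
    set idp-single-logout-url "https://192.0.2.10/saml-idp/<idp-prefix>/logout/"
    # remote certificate imported from FortiAuthenticator's exported server CRT;
    # "REMOTE_Cert_1" is the assumed name given at import time
    set idp-cert "REMOTE_Cert_1"
    set server-address "192.0.2.1"
    # shows the "Sign in with Security Fabric" option on the login page
    set default-login-page sso
    # profile applied to any IdP-authenticated user without an sso-admin entry;
    # keep it least-privilege rather than super_admin
    set default-profile "admin_no_access"
end

# grant elevated rights explicitly, per SSO user created on FortiAuthenticator
config system sso-admin
    edit "sso-admin1"
        set accprofile "super_admin"
        set vdom "root"
    next
end
```

The point of the `default-profile` and `sso-admin` split is that any user the IdP authenticates can reach the FortiGate login, so the profile that applies when no per-user entry exists should grant as little as possible, and administrative rights are then assigned only to the named SSO admins.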
After these steps, log out from the FortiGate; the following login page should be displayed:
Select Sign in with Security Fabric. After the redirection to the SAML IdP, log in with the credentials created on the SAML server (FortiAuthenticator). The login should succeed, and once logged in the SSO admin should be visible.
SAML overview:
Verify the SAML redirection with the following commands:
diagnose debug application httpsd -1
diagnose debug application samld -1
diagnose debug console timestamp enable
diagnose debug enable
To disable the debug output, run the following command:
diagnose debug disable
Related article:
Copyright 2025 Fortinet, Inc. All Rights Reserved.