FortiGate
kiri
Staff
Article Id 402434
Description: This article describes how to migrate SAML SSL VPN to IPsec with minimal config changes.
Scope: FortiGate v7.2+.
Solution

This is the SSL VPN sample config:

 

config vpn ssl settings
    set servercert "fgt.local.cert"
    set login-block-time 0
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 44433
    set auto-tunnel-static-route disable
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "FAC-SAML-GROUP1"
            set portal "full-access"
        next
    end
end

config user group
    edit "FAC-SAML-GROUP1"
        set member "FAC-SAML-IDP"
    next
end

 

config user saml
    edit "FAC-SAML-IDP"
        set cert "Fortinet_Factory"
        set entity-id "https://<SP/FGTFQDN>:44433/remote/saml/metadata"
        set single-sign-on-url "https://<SP/FGTFQDN>:44433/remote/saml/login"
        set single-logout-url "https://<SP/FGTFQDN>:44433/remote/saml/logout"
        set idp-entity-id "http://<IDP/FACFQDN>/saml-idp/60f/metadata/"
        set idp-single-sign-on-url "https://<IDP/FACFQDN>/saml-idp/60f/login/"
        set idp-single-logout-url "https://<IDP/FACFQDN>/saml-idp/60f/logout/"
        set idp-cert "FAC-SAML-IDP-cert"
        set user-name "username"
        set group-name "group"
        set digest-method sha1
    next
end

 

config firewall policy
    edit 15
        set name "FAC-SAML1"
        set srcintf "ssl.root"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "FAC-SAML-GROUP1"
        set comments "SSLVPN TO INTERNAL"
    next
end

 

  1. 'config user saml' and 'config user group' can be reused without any changes, provided that SSL VPN will be decommissioned. No changes are required on the IdP side either.

  2. Change auth-ike-saml-port (default port is 1001) to the same port SSLVPN is using:

 

config system global
    set auth-ike-saml-port 44433
end
 
Attempting to set auth-ike-saml-port to 44433 while SSL VPN is still using that port results in the error below:
'This port is being used by sslvpn
node_check_object fail! for auth-ike-saml-port 44433'

If SSL VPN will be decommissioned, change the port in the SSL VPN settings to some other value first. Another option is to create a new SAML connector that uses the default auth-ike-saml-port, 1001.
 
  3. Use the IPsec wizard to configure a new IPsec tunnel: Remote Access / Client-Based / FortiClient. Select the interface on which the IPsec tunnel will be published, set a pre-shared key, and select the same user group that was previously used for SSL VPN. Follow the wizard instructions to finish setting up the tunnel.

  4. Return to IPsec Tunnels, right-click the newly created tunnel and select 'Convert to custom tunnel'. Right-click the custom tunnel, select 'Edit in CLI', and make sure the following parameters are configured as below:

 

config vpn ipsec phase1-interface
    edit "IPSEC-FAC-SAML"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set comments "sslvpn-to-ipsec-migration"
        set eap enable
        set eap-identity send-request
        set authusrgrp "FAC-SAML-GROUP1"
        set assign-ip-from name
        set dns-mode auto
        set ipv4-name "SSLVPN_TUNNEL_ADDR1"
        set save-password enable
        set psksecret ENC <somesecretsharedkey>
    next
end
 
Setting the range 'SSLVPN_TUNNEL_ADDR1' makes it possible for the existing firewall policies to be reused with minimal changes.
 
  5. Enable ike-saml-server on the same interface, wan1:

 

config system interface
    edit "wan1"
        set ike-saml-server "FAC-SAML-IDP"
    next
end
 
  6. There are two options when it comes to firewall policies (see also Technical Tip: A guide to Dial-Up IPSec VPN Authentication and Policy Matching):
  • If there is only one SSL VPN firewall policy, it can be deleted. In this example the authentication has been moved to the tunnel level, and the firewall policy required for this setup was already created by the IPsec wizard.
  • If there are several SSL VPN firewall policies, they can be reused by changing the incoming interface from 'ssl.root' to the newly created IPsec tunnel, 'IPSEC-FAC-SAML' in this case. The IPsec firewall policy created by the IPsec wizard can then be deleted. The group set on the tunnel needs to be removed with 'unset authusrgrp', as the group or groups are already present on the reused SSL VPN firewall policies. This second option is recommended.
 
config firewall policy
    edit 15
        set name "FAC-SAML1"
        set srcintf "IPSEC-FAC-SAML"
...
 
  7. Configure the former SSL VPN server certificate to be used for the SAML authentication pop-up.

 

SSL VPN:
 
config vpn ssl settings 
    set servercert "fgt.local.cert"
end
 
IPsec:
 
config user setting
    set auth-cert "fgt.local.cert"
end
 
  8. Configure FortiClient/EMS to match the settings above (phase 1 and phase 2), enable SSO/SAML, and specify the correct port, 44433 in this case.

  9. Disable the SSL VPN service:

 

config vpn ssl settings
    set status disable
end
 
It is advisable to rename the reused objects whose names refer to SSL VPN so that they refer to IPsec instead.
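The whole procedure above (steps 1 to 9, including the auth-ike-saml-port conflict from step 2 and the recommended policy option from step 6) as one worked example. The following Python script is added here and is not part of the article or of Fortinet's tooling: it parses FortiOS CLI blocks like the ones shown, derives the port, interface, address pool, server certificate, user group and SAML connector from the SSL VPN settings, and prints the IPsec migration CLI in the article's order, inserting an SSL VPN port change first whenever SSL VPN is still enabled on the port wanted for auth-ike-saml-port. The sample configuration is a constructed, trimmed copy of the article's; the tunnel name IPSEC-FAC-SAML, the proposal list, the temporary SSL VPN port 10443 and the <PRE-SHARED-KEY> placeholder are assumed parameters, not values the article prescribes.

```python
"""Plan an SSL VPN (SAML) to IPsec (SAML) migration from exported FortiGate CLI.
Added example for this article, not Fortinet code. It parses the FortiOS
'config / edit / set / next / end' blocks, reads the SSL VPN port, interface,
address pool, server certificate and user groups, and emits the IPsec-side CLI
in the order the article applies it, including the auth-ike-saml-port conflict
workaround. Tunnel name, proposal list and parking port are assumed parameters.
"""
import shlex
# Constructed sample: a trimmed copy of the article's SSL VPN configuration.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert "fgt.local.cert"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 44433
    set source-interface "wan1"
    config authentication-rule
        edit 1
            set groups "FAC-SAML-GROUP1"
        next
    end
end
config user group
    edit "FAC-SAML-GROUP1"
        set member "FAC-SAML-IDP"
    next
end
config firewall policy
    edit 15
        set srcintf "ssl.root"
        set groups "FAC-SAML-GROUP1"
    next
    edit 16
        set srcintf "ssl.root"
        set groups "FAC-SAML-GROUP1"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI into nested dicts: node = {'config': {}, 'edit': {}, 'set': {}}."""
    root, stack = {}, []
    for raw in text.splitlines():
        tok = shlex.split(raw)          # also strips the quotes around values
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        cur = stack[-1] if stack else root
        if cmd in ("config", "edit"):   # open a nested block and descend into it
            stack.append(cur.setdefault(cmd, {}).setdefault(" ".join(args), {}))
        elif cmd in ("set", "unset"):   # 'unset x' is stored as x -> []
            cur.setdefault("set", {})[args[0]] = args[1:]
        elif cmd in ("next", "end") and stack:  # tolerate unbalanced input
            stack.pop()
    return root

def sslvpn_port_conflict(cfg, ike_saml_port):
    """True when SSL VPN is still enabled on the port wanted for auth-ike-saml-port
    (FortiOS then rejects it with 'This port is being used by sslvpn')."""
    ssl = cfg["config"]["vpn ssl settings"]["set"]
    return ssl.get("status", ["enable"]) != ["disable"] and ssl.get("port") == [str(ike_saml_port)]

def plan_migration(cfg, tunnel="IPSEC-FAC-SAML", parking_port=10443,
                   proposal="aes128-sha256 aes256-sha256"):
    """Return the migration CLI as a list of blocks, ordered as in the article."""
    ssl_node = cfg["config"]["vpn ssl settings"]
    ssl = ssl_node["set"]
    port, iface, pool, cert = (ssl[k][0] for k in
                               ("port", "source-interface", "tunnel-ip-pools", "servercert"))
    rules = ssl_node["config"]["authentication-rule"]["edit"].values()
    groups = sorted({g for r in rules for g in r["set"].get("groups", [])})
    if not groups:
        raise ValueError("no user group on the SSL VPN authentication rules")
    # Step 1: the SAML connector is the group's member and is reused unchanged.
    connector = cfg["config"]["user group"]["edit"][groups[0]]["set"]["member"][0]
    ssl_policies = [pid for pid, p in cfg["config"]["firewall policy"]["edit"].items()
                    if p["set"].get("srcintf") == ["ssl.root"]]
    steps = []
    if sslvpn_port_conflict(cfg, port):   # park SSL VPN elsewhere before step 2
        steps.append(f"config vpn ssl settings\n    set port {parking_port}\nend")
    steps.append(f"config system global\n    set auth-ike-saml-port {port}\nend")
    # Steps 3-4: dynamic IKEv2 tunnel with EAP/SAML handing out the old SSL VPN pool.
    # authusrgrp is deliberately absent: the groups stay on the reused policies (option 2).
    p1 = ["set type dynamic", f'set interface "{iface}"', "set ike-version 2", "set peertype one",
          "set net-device disable", "set mode-cfg enable", f"set proposal {proposal}",
          "set eap enable", "set eap-identity send-request", "set assign-ip-from name",
          "set dns-mode auto", f'set ipv4-name "{pool}"', "set save-password enable",
          "set psksecret <PRE-SHARED-KEY>"]   # placeholder; set the real key on the device
    steps.append(f'config vpn ipsec phase1-interface\n    edit "{tunnel}"\n'
                 + "".join(f"        {s}\n" for s in p1) + "    next\nend")
    steps.append(f'config system interface\n    edit "{iface}"\n'     # step 5
                 f'        set ike-saml-server "{connector}"\n    next\nend')
    for pid in ssl_policies:              # step 6, option 2: re-point srcintf only
        steps.append(f'config firewall policy\n    edit {pid}\n        set srcintf "{tunnel}"\n    next\nend')
    steps.append(f'config user setting\n    set auth-cert "{cert}"\nend')   # step 7
    steps.append("config vpn ssl settings\n    set status disable\nend")   # step 9
    return steps

if __name__ == "__main__":
    print("\n\n".join(plan_migration(parse_fortios(SAMPLE_CONFIG))))
```

Run it against a real `show full-configuration` export (after stripping anything the parser does not need) to get a reviewable change set before touching the device; the parking step only appears when SSL VPN is still enabled on the target port, which is exactly the case that produces the 'This port is being used by sslvpn' error in step 2.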
 
Note: