Example:

FortiGate SAML configuration:

config user saml
    edit "SAML_Auth"
        set entity-id "http://10.201.4.1:1003/remote/saml/metadata/"
        set single-sign-on-url "https://10.201.4.1:1003/remote/saml/login/"
        set single-logout-url "https://10.201.4.1:1003/remote/saml/logout/"
        set idp-entity-id "https://sts.windows.net/55822b01-86f6-457c-b3f9-7544a45bb192/"
        set idp-single-sign-on-url "https://login.microsoftonline.com/55822b01-86f6-457c-b3f9-7544a45bb192/saml2"
        set idp-single-logout-url "https://login.microsoftonline.com/55822b01-86f6-457c-b3f9-7544a45bb192/saml2"
        set idp-cert "REMOTE_Cert_3"
        set user-name "name"
        set group-name "group"
        set digest-method sha1
    next
end

config user group

    edit "SAML_Auth"
        set member "SAML_Auth"
    next

config firewall policy

    edit 11
        set name "Azure" <----- This policy will allow MS connectivity for the Authentication.
        set uuid c0f5d968-e019-51ed-5236-b6dc3ba0b637
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Microsoft-Azure"
        set schedule "always"
        set logtraffic all
        set nat enable
        set comments " (Copy of internet_Windows_Server)"

        set captive-portal-exempt enable <-- This is to ensure that traffic to Microsoft for SAML authentication will not be subjected to a captive portal check
    next
    edit 10
        set name "internet_Windows_Server"
        set uuid 05941810-d9b6-51ed-7ac3-1e53c651b2df
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "SAML_Auth" <----- SAML user group.
        set users "PHOTON-BB"
    next

end

When the user tries to access the internet it will redirect to the Microsoft login.

 To see the Captive portal page with the SAML option create a dummy local user group:

config user group

    edit "Captive_portal"
        set member "Captive_portal"
    next

config firewall policy
    edit 10
        set name "internet_Windows_Server"
        set uuid 05941810-d9b6-51ed-7ac3-1e53c651b2df
        set srcintf "port4"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "SAML_Auth" "Captive_portal" <----- Local dummy group and SAML group.
    next
end

Note: If there are any firewall policies below the authentication policy that can allow the same traffic without authentication, FortiGate will not force authentication by default. Setting auth-on-demand to 'always' will force the authentication to always take place. Refer to Technical Tip: Active authentication firewall policy fall-through changes:

After adding a local group when the user tries to access the captive portal page with the SAML login option will be visible:

Select SAML Identity Provider to use the SAML login. to have a user local user login, then select continue:

To configure SAML with Azure IDP use the below-related documents:

Outbound firewall authentication with Azure AD as a SAML IdP

Troubleshooting Tip: How to troubleshoot SAML authentication