FortiGate
tpatel
Staff
Article Id 384860
Description: This article describes how to resolve the 'Pending' mode status alert that appears when SAML single sign-on mode is set to Auto on a downstream FortiGate.
Scope: FortiGate.
Solution

[Image: Capture5.PNG]

In the example above, FortiGate A is the root of the Security Fabric, and FortiGate B is one of the members joining the Security Fabric as a downstream device.


Navigate to System -> Fabric Connectors -> Security Fabric Setup. Enable Security Fabric on FortiGate B, then authorize FortiGate B on FortiGate A, the root of the fabric.


On FortiGate B, when SAML Single Sign-On mode is set to Auto, the mode shows a 'Pending' status with the following message: 'Waiting for the root FortiGate in the Security Fabric to automatically set this device to be in Service Provider mode. The root FortiGate must be configured as Single Sign-On Identity Provider'.

[Image: Capture2.PNG]

Although the error appears on FortiGate B, it is caused by the SAML SSO settings on FortiGate A. On FortiGate A, navigate to System -> Fabric Connectors -> Security Fabric Setup -> SAML Single Sign-On Advanced Option.

[Image: Capture3.PNG]


To resolve this, configure FortiGate A as the IDP for SAML SSO.

If a downstream FortiGate is to be configured for single sign-on through the root FortiGate using the Security Fabric, the root FortiGate (FortiGate A) must be set as the identity provider (IDP) and must not be configured as a service provider (SP).

Navigate to System -> Fabric Connectors -> Security Fabric Setup -> SAML Single Sign-On Advanced Option.

[Image: Fabric3.PNG]

Once the root FortiGate is set as the identity provider, the downstream FortiGate (FortiGate B) is automatically set as a SAML service provider and redirects HTTPS administrative logins to the IDP. The pending status error no longer appears.
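The same change made from the CLI, as an added example that is not part of the original article. It assumes the 'config system saml' command tree with the 'role' attribute as found in current FortiOS builds, and 'fgt-a.example.com' is a placeholder for FortiGate A's address.

```text
# On FortiGate A (root): make the root the SAML identity provider.
# A root that is left as service-provider, or with SAML disabled,
# is what keeps the downstream device in the 'Pending' state.
config system saml
    set status enable
    set role identity-provider
    set server-address "fgt-a.example.com"   # placeholder address for FortiGate A
end

# On FortiGate B (downstream): once the fabric has pushed the change,
# the SAML role should read service-provider rather than remain pending.
show system saml
```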

[Image: SP.PNG]

Related document:

Configuring single-sign-on in the Security Fabric