FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Nivedha
Staff
Article Id 369862
Description This article provides prerequisites for configuring IPsec VPN SAML-based authentication.
Scope FortiGate v7.2+, EMS v7.2+, FortiClient v7.2+, FortiAuthenticator v6.4+.
Solution

Similar to SSL VPN SAML-based authentication, FortiOS 7.2 onwards also supports SAML-based authentication for IPsec VPN.


The full configuration is documented in the articles 'IPsec VPN SAML-based authentication' and 'SAML-based authentication for FortiClient remote access dialup IPsec VPN clients'.

Things to consider for this configuration to work:


  1. FortiClient should be installed on a non-domain-joined device or, if the device is domain-joined, it should not be on the same network as the FortiGate. The device must be on a remote network so that it connects to the IPsec VPN as a remote dialup client.
  2. This configuration is only supported with FortiClient as the remote dialup client, not with other clients.
  3. When using FortiAuthenticator as the IdP, refer to 'FortiAuthenticator as an IdP' to configure the SAML IdP on FortiAuthenticator.
  4. Use the Test Single Sign-On facility in Azure to verify that Single Sign-On works as expected (see 'Test Single Sign-On').
  5. Configure the tunnel with IKEv2 instead of IKEv1. FortiGate does not support SAML-based authentication for IPsec VPN with IKEv1, because SAML authentication requires an interactive, browser-based login flow, which IKEv1 does not support.

Note: Remote access IPsec VPN user or admin login to FortiGate using SAML Single Sign-On (SSO) fails after upgrading the FortiGate firmware to v7.6.4. For details, see the related article:

Troubleshooting Tip: SAML Authentication fails after firmware upgrade to 7.6.4