FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Nivedha
Staff
Article Id 369862
Description This article provides prerequisites for configuring IPsec VPN SAML-based authentication.
Scope FortiGate v7.2+, EMS v7.2+, FortiClient v7.2+, FortiAuthenticator v6.4+.
Solution

Similar to SSL VPN SAML-based authentication, IPsec VPN also supports SAML-based authentication from FortiOS 7.2 onwards.

The full configuration is documented in IPsec VPN SAML-based authentication and SAML-based authentication for FortiClient remote access dialup IPsec VPN clients.

Things to consider for this configuration to work:

  1. EMS has to be added to the Security Fabric on FortiGate. Refer to: Add EMS to Security Fabric

CLI commands for the same:

config endpoint-control fctems
    edit <name>
        set server <IP of the server on which EMS is installed>
        set serial-number <S/N number of the EMS (optional)>
        set https-port <Port used by EMS (listed under System Settings on EMS)>
        set admin-username <admin username>
    next
end

  2. FortiClient should be installed on a non-domain-joined device, or, if the device is domain-joined, the device should not be on the same network as the FortiGate. The device must be on a remote network so that it connects to the IPsec VPN as a remote dialup device.
  3. This configuration is only possible with FortiClient as the remote dialup client, not with other devices.
  4. When using FortiAuthenticator as the IdP, refer to FortiAuthenticator as an IdP to configure the SAML IdP on FortiAuthenticator.
  5. Use the Test single sign-on facility in Azure to check that single sign-on works as expected. Refer to: Test Single Sign on
  6. Configure the tunnel with IKEv2 instead of IKEv1. FortiGate does not support SAML-based authentication for IPsec VPN with IKEv1, because SAML authentication requires an interactive, browser-based login flow that IKEv1 cannot carry.
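An added example, not taken from this article or from the linked Fortinet guides, of a dialup phase1-interface that satisfies the IKEv2 requirement above, followed by the commands used to confirm the version on a running tunnel. The tunnel name, WAN interface, address pool, pre-shared key and user-group name are placeholders; the EAP and user-group lines follow the general FortiOS pattern for dialup tunnels with user authentication and should be checked against the linked SAML guides for the exact set required by your FortiOS version.

```text
# Dialup tunnel for remote FortiClient users. ike-version defaults to 1 when
# not set, so the setting must be made explicitly.
config vpn ipsec phase1-interface
    edit "saml-dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set authusrgrp "saml-users"
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.100
        set psksecret <placeholder-pre-shared-key>
    next
end

# Verification: confirm the stored setting, then confirm the negotiated
# version on an established gateway (the output contains "version: 2").
show vpn ipsec phase1-interface saml-dialup
diagnose vpn ike gateway list
```

If the gateway listing reports version 1 for a client that was expected to authenticate with SAML, the client-side tunnel profile (pushed from EMS) is still negotiating IKEv1 and must be corrected there as well as on the FortiGate.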