FortiGate
smayank
Staff
Article Id 378687
Description

This article describes the significance of the FortiGate auth timeout and the FortiAuthenticator login session timeout when FortiAuthenticator is acting as a SAML IDP.

Scope

FortiGate, FortiAuthenticator.
Solution

When configuring FortiAuthenticator as an IDP, two timers should be taken into consideration:

  1. FortiGate auth timeout.
  2. Login session timeout.


The timer on FortiGate is configured per user group as follows:

config user group
    edit <group name>
        set authtimeout <value>
    next
end


When a packet (for example, a gstatic request from the client) reaches FortiGate, FortiGate redirects it to the IDP. Before redirecting, it checks the firewall auth list: if a user-IP mapping is present, it evaluates the configured group-based policy instead.

If no user-IP mapping is present, FortiGate redirects the request to the IDP. The IDP keeps track of the IDP session ID; if a valid session is already present on FortiAuthenticator, it will not trigger the authentication page and will directly send an IDP response.

By default, the login session timeout on FortiAuthenticator, found under SAML IdP -> General settings, is 480 minutes. It can be modified, with a minimum value of 5 minutes.


If the auth timeout is set to 5 minutes on FortiGate, it can be considered the redirection time: if there is no traffic from the user for 5 minutes, FortiGate removes the entry from the firewall auth list and redirects the user to the IDP again when a new packet arrives.

The IDP receives the request and checks the SAML IDP session; if it is still valid, the authentication page is not triggered and the user is re-authenticated transparently. In other words, a short auth timeout on FortiGate does not by itself force the user to log in again; how often the user actually sees the login page is governed by the login session timeout on FortiAuthenticator.
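The following is an added model of the two-timer interaction described above; it is not code from the article or from Fortinet. It assumes the FortiGate auth timeout is an idle timer refreshed by traffic and that the FortiAuthenticator login session timeout is measured from the time of login; the IP addresses and timings are constructed.

```python
from dataclasses import dataclass, field

# Constructed defaults, in minutes (assumed values for this model).
FGT_AUTHTIMEOUT = 5              # "set authtimeout 5" on the FortiGate user group
IDP_LOGIN_SESSION_TIMEOUT = 480  # FortiAuthenticator default (minimum 5)


@dataclass
class AuthState:
    """Assumed state: FortiGate keeps a last-traffic time per user IP (idle
    timer); FortiAuthenticator keeps the login time of the IdP session."""
    fgt_last_seen: dict = field(default_factory=dict)   # ip -> last traffic time
    idp_login_time: dict = field(default_factory=dict)  # ip -> IdP session start


def handle_packet(state, ip, now, fgt_timeout=FGT_AUTHTIMEOUT,
                  idp_timeout=IDP_LOGIN_SESSION_TIMEOUT):
    """Return what the user experiences for a packet from `ip` at minute `now`:
    'policy' (mapping present), 'redirect-sso' (redirected, no login page) or
    'redirect-login' (redirected, authentication page shown)."""
    # 1. FortiGate checks the firewall auth list for a live user-IP mapping.
    last = state.fgt_last_seen.get(ip)
    if last is not None and now - last < fgt_timeout:
        state.fgt_last_seen[ip] = now          # traffic refreshes the idle timer
        return "policy"                        # group-based policy is evaluated

    # 2. Mapping absent or idle-expired: entry removed, request sent to the IdP.
    state.fgt_last_seen.pop(ip, None)
    login = state.idp_login_time.get(ip)
    if login is not None and now - login < idp_timeout:
        state.fgt_last_seen[ip] = now          # IdP response re-creates the mapping
        return "redirect-sso"                  # SAML session valid: no login page

    # 3. No valid IdP session: the authentication page is triggered.
    state.idp_login_time[ip] = now
    state.fgt_last_seen[ip] = now
    return "redirect-login"


def simulate(events, **kw):
    """events: list of (ip, minute) in chronological order; returns outcomes."""
    state = AuthState()
    return [handle_packet(state, ip, t, **kw) for ip, t in events]
```

Running `simulate([("10.0.0.5", 0), ("10.0.0.5", 6), ("10.0.0.5", 481)])` shows the login page only at the first and last packet: the idle redirect at minute 6 is answered silently by the still-valid IdP session.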


Verify the SAML session under Authentication -> SAML IDP session.
