Description
This article describes how to work around the error 'SAML user number is more than one' when adding multiple SAML groups into a firewall policy.

Scope
Any FortiOS firmware with SAML support.

Solution
FortiOS only allows SAML groups that are tied to the same SAML application to be added into the same firewall policy. SAML applications are the entries configured in the GUI under User & Authentication -> Single Sign-On (FortiOS 7.0.2 and above) or in the CLI under config user saml. There is no limitation to adding multiple SAML groups tied to the same SAML application into the same firewall policy.
For example, consider the following configuration:
show user saml
config user saml
    edit "SAML-Application-A"
        set entity-id "http://10.21.7.43:10443/remote/saml/metadata/"
        set single-sign-on-url "https://10.21.7.43:10443/remote/saml/login"
        set single-logout-url "https://10.21.7.43:10443/remote/saml/logout"
        set idp-entity-id "https://a.com"
        set idp-single-sign-on-url "https://a.com"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set digest-method sha1
    next
    edit "SAML-Application-B"
        set entity-id "http://10.21.7.43:10443/remote/saml/metadata/"
        set single-sign-on-url "https://10.21.7.43:10443/remote/saml/login"
        set single-logout-url "https://10.21.7.43:10443/remote/saml/logout"
        set idp-entity-id "https://b.com"
        set idp-single-sign-on-url "https://b.com"
        set idp-cert "REMOTE_Cert_2"
        set user-name "username"
        set digest-method sha1
    next
end
show user group
config user group
    edit "SAML-A-Group-1"
        set member "SAML-Application-A"
        config match
            edit 1
                set server-name "SAML-Application-A"
                set group-name "Group-1"
            next
        end
    next
    edit "SAML-A-Group-2"
        set member "SAML-Application-A"
        config match
            edit 1
                set server-name "SAML-Application-A"
                set group-name "Group-2"
            next
        end
    next
    edit "SAML-B-Group-1"
        set member "SAML-Application-B"
        config match
            edit 1
                set server-name "SAML-Application-B"
                set group-name "Group-1"
            next
        end
    next
    edit "SAML-B-Group-2"
        set member "SAML-Application-B"
        config match
            edit 1
                set server-name "SAML-Application-B"
                set group-name "Group-2"
            next
        end
    next
end
In the example configuration, FortiGate has two SAML applications (SAML-Application-A and SAML-Application-B) and two groups tied to each SAML application. FortiOS will allow adding SAML-A-Group-1 and SAML-A-Group-2 into the same firewall policy, but will not allow adding SAML-A-Group-1 and SAML-B-Group-1 into the same firewall policy.
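As an added example (not Fortinet's own code), the following Python check parses `show user group` and `show firewall policy` output and reports any policy whose groups are tied to more than one SAML application, which is the combination that triggers the error. The SAML application and group names are the article's; the policy IDs and which groups each policy references are assumptions.

```python
import shlex

# Constructed sample: article's SAML groups plus two hypothetical policies.
SAMPLE = """\
config user group
    edit "SAML-A-Group-1"
        set member "SAML-Application-A"
    next
    edit "SAML-A-Group-2"
        set member "SAML-Application-A"
    next
    edit "SAML-B-Group-1"
        set member "SAML-Application-B"
    next
end
config firewall policy
    edit 1
        set groups "SAML-A-Group-1" "SAML-A-Group-2"
    next
    edit 2
        set groups "SAML-A-Group-1" "SAML-B-Group-1"
    next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}}; nested sub-tables such as 'config match' are skipped."""
    tables, table, entry, depth = {}, None, None, 0
    for parts in filter(None, (shlex.split(l) for l in text.splitlines())):
        if parts[0] == "config":
            depth += 1
            if depth == 1:  # top-level table, e.g. "user group"
                table = tables.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "end":
            depth -= 1
        elif parts[0] == "edit" and depth == 1:
            entry = table.setdefault(parts[1], {})
        elif parts[0] == "set" and depth == 1:
            entry[parts[1]] = parts[2:]  # keep every quoted value
    return tables

def policies_mixing_saml_apps(text):
    """Policy ID -> SAML applications, for policies whose groups span more than one application."""
    cfg = parse_fortios(text)
    groups, bad = cfg.get("user group", {}), {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        apps = {m for g in pol.get("groups", []) for m in groups.get(g, {}).get("member", [])}
        if len(apps) > 1:  # FortiOS rejects this: 'SAML user number is more than one'
            bad[pid] = sorted(apps)
    return bad
```

Policy 1 (both groups on SAML-Application-A) passes; policy 2 is reported because its groups are tied to two different SAML applications.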
Workaround: to provide the same level of network access to SAML groups tied to different SAML applications, create separate firewall policies.
When using multiple SAML applications for SSL VPN, extra steps must be taken to ensure that the authentication is directed to the correct IdP. This is done using SSL VPN realms. For more information, please see the following Fortinet Community article: Technical Tip: SSL VPN with SAML authentication with multiple IdP's
Note: There is a bug on older FortiOS firmware versions that prevents SAML groups tied to the same SAML application from being added into the same firewall policy. This bug (tracked under ID 712354) was resolved in FortiOS 6.4.6 and 7.0.1.
Copyright 2025 Fortinet, Inc. All Rights Reserved.