FortiSIEM Discussions
fabs
New Contributor III

7.6.0 / IPsec SAML EntraID / ERR_EMPTY_RESPONSE

Hello all,

I am currently in the process of setting up VPN IPsec via SAML EntraID.
I followed this technical tip:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-Microsoft-Entra-ID-SAML/t...

However, when connecting to the FortiClientVPN 7.4.0.1658, I promptly get “ERR_EMPTY_RESPONSE” back during SSO.

The URL information in the EntraID Enterprise Application and in my IdP settings on the FortiGate is correct.


I have an SSL VPN SAML EntraID setup working perfectly. Does anyone have an idea what the problem could be?

sjoshi
Staff

Hi,


You can take a samld debug and an SSL VPN debug on the FortiGate; that will give better clarity on the issue.

Refer:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Companion-for-troubleshooting-SSL-VP...

Let us know if this helps.
Salon Raj Joshi
fabs
New Contributor III

Thanks, I'll look into the debug.
For the CA issue we need to have the external browser for SSO. FortiClientVPN 7.4.0.1658 does not give me this setting for IPsec, so I've installed the latest version, FortiClientVPN 7.4.1, but when I select external browser, after clicking connect it stops immediately and no browser session is opened.

sjoshi

Have you tested on another PC too? Is the behaviour the same from all systems?

Let us know if this helps.
Salon Raj Joshi
fabs
New Contributor III

@sjoshi 

Yes, I have tested it on another Windows 10 device that is not in our corporate environment and I have the same problem. Either nothing happens after clicking on “Connect”, i.e. no browser is opened, or it terminates directly without an error message.
This is the error message. I think it's related to the FortiClientVPN 4.1:
[2024-12-06 11:43:56.5223774 UTC+02:00] [27948:24992] [guimessenger 238 error] failed to open shared memory. GLE=2
[2024-12-06 11:44:09.4986632 UTC+02:00] [27948:24992] [guimessenger 238 error] failed to open shared memory. GLE=2

In the meantime, I have tested it on my iPhone 18.1.1 with the current FortiClientVPN version 7.4.2.0151.
However, I have a few other problems here.
When opening the SSO session via the browser, I get the error message from EntraID that this device is not compliant. I have a Conditional Access policy in EntraID that only accepts compliant devices. If I exclude myself as a user from this policy, the SSO auth works.


"AADSTS50005: User tried to log in to a device from a platform (Unknown) that's currently not supported through Conditional Access policy.
Supported device platforms are: iOS, Android, Mac, and Windows flavors."


Same device, same app: if I do the SSO auth via SSL VPN, the browser session is not blocked by my Conditional Access policy in EntraID.


The second problem here is that the VPN connection only works if I do NOT set eap enable for the VPN; if EAP is enabled, SSO works but the VPN negotiation does not complete.

fabs
New Contributor III

@sjoshi 
The connect issue with the FortiClientVPN 4.1 is solved now. The SSO auth works now.
I've reinstalled the latest Visual C++ Redist:
Latest supported Visual C++ Redistributable downloads | Microsoft Learn

So far, when I activate EAP on the tunnel, I'm not able to connect:
"Wrong credentials, EAP failing to connection." When I disable EAP I get "Timeout while connection to..."
I have activated EAP on the VPN tunnel and selected the SSO group; the same also applies if I do not select an SSO group but set the group in the policy.
I don't know if it could be related to that.
I use EAP-TLS authentication on our NIC adapters and WiFi adapters, but this is not forced by Windows.


On my iOS device, it works by deactivating EAP on the tunnel.

But when I activate EAP on the tunnel, I have the same issue on my phone. I cannot connect, not even when I enable EAP in the FortiClient on my phone.

Debug when I connect via the phone, with EAP enabled on the tunnel:

ike V=root:0:IPsec:178: responder received AUTH msg
ike V=root:0:IPsec:178: processing notify type INITIAL_CONTACT
ike V=root:0:VuWall IPsec:178: processing notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike V=root:0:IPsec:178: processing notify type NON_FIRST_FRAGMENTS_ALSO
ike V=root:0:IPsec:178: processing notify type MOBIKE_SUPPORTED
ike V=root:0:IPsec:178: peer identifier IPV4_ADDR 100.110.233.206
ike V=root:0:IPsec:178: re-validate gw ID
ike V=root:0:IPsec:178: gw validation failed
ike V=root:0:IPsec:178: schedule delete of IKE SA 62ec77d91e82ba00/661417b3f6535b09
ike V=root:0:IPsec:178: scheduled delete of IKE SA 62ec77d91e82ba00/661417b3f6535b09
ike V=root:0:IPsec: connection expiring due to phase1 down
ike V=root:0:IPsec: going to be deleted

[139] __saml_auth_cache_push-Hash bucket 164
[145] __saml_auth_cache_push-Update 'F8B59250-005F-4E35-9E1D-7DAB2629312C', SAML_server='ipsec-azure-saml', vfid=0
[2916] handle_auth_timeout_without_retry-No more retry
[239] fnbamd_comm_send_result-Sending result 10 (nid 0) for req 30030675304449, len=2600
[258] fnbamd_comm_send_result-Failed send reply (-1, errno 111)
[600] destroy_auth_session-delete session 30030675304449
[1431] fnbamd_rads_destroy-
[1884] fnbamd_ldaps_destroy-
[1045] fnbamd_tacs_destroy-
[901] fnbamd_pop3s_destroy-
[1073] fnbamd_ext_idps_destroy-
[2390] handle_req-Rcvd auth_cert req id=11504, len=3711, opt=0
[1189] __cert_auth_ctx_init-req_id=11504, opt=0
[106] __cert_chg_st- 'Init'
[202] fnbamd_cert_load_certs_from_req-2 cert(s) in req.
[842] __cert_init-req_id=11504
[891] __cert_build_chain-req_id=11504
[320] fnbamd_chain_build-Chain discovery, opt 0x13, cur total 1
[338] fnbamd_chain_build-Following depth 0
[367] fnbamd_chain_build-Extend chain by system trust store. (no luck)
[421] fnbamd_chain_build-Extend chain by peer-provided certs. (good)
[338] fnbamd_chain_build-Following depth 1
[373] fnbamd_chain_build-Extend chain by system trust store. (good: 'ISRG_Root_X1')
[338] fnbamd_chain_build-Following depth 2
[352] fnbamd_chain_build-Self-sign detected.
[102] __cert_chg_st- 'Init' -> 'Validation'
[1013] __cert_verify-req_id=11504
[1014] __cert_verify-Chain is complete.
[537] fnbamd_cert_verify-Chain number:3
[551] fnbamd_cert_verify-Following cert chain depth 0
[551] fnbamd_cert_verify-Following cert chain depth 1
[626] fnbamd_cert_verify-Issuer found: ISRG_Root_X1 (SSL_DPI opt 1)
[551] fnbamd_cert_verify-Following cert chain depth 2
[734] fnbamd_cert_check_group_list-Will match any!
[199] __get_default_ocsp_ctx-def_ocsp_ctx=(nil), no_ocsp_query=0, ocsp_enabled=0
[1079] __cert_verify_do_next-req_id=11504
[102] __cert_chg_st- 'Validation' -> 'Done'
[1126] __cert_done-req_id=11504
[1544] fnbamd_auth_session_done-Session done, id=11504
[1172] __fnbamd_cert_auth_run-Exit, req_id=11504
[1587] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=11504
[1500] auth_cert_success-id=11504
[1284] fnbamd_cert_auth_copy_cert_status-req_id=11504
[950] fnbamd_cert_check_matched_groups-checking group ANY
[961] fnbamd_cert_check_matched_groups-matched
[1323] fnbamd_cert_auth_copy_cert_status-Leaf cert status is unchecked.
[1340] fnbamd_cert_auth_copy_cert_status-Issuer of cert depth 0 is not detected in CMDB.
[1411] fnbamd_cert_auth_copy_cert_status-Cert st 2c0, req_id=11504
[239] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 11504, len=2602
[1375] destroy_auth_cert_session-id=11504
[1256] fnbamd_cert_auth_uninit-req_id=11504
[1884] fnbamd_ldaps_destroy-
[1431] fnbamd_rads_destroy-

This technical tip is not helping since it's already configured:
How to fix 'gw validation failed'... - Fortinet Community


edit "IPsec"
set type dynamic
set interface "wan1"
set ike-version 2
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 8.8.8.8
set proposal aes128-sha1 aes256-sha256
set dpd on-idle
set eap enable
set eap-identity send-request
set authusrgrp "AAD-IPSEC-VPN-USERS"
set transport auto
set assign-ip-from name
set ipv4-name "IPSECVPN_TUNNEL_ADDR1"
set psksecret ENC ******************
set dpd-retryinterval 60
next
end
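As an added illustration (not from this thread or from Fortinet), here is a small Python triage script for debug output like the ike and fnbamd lines quoted above. It groups the ike lines per tunnel and connection id, flags the "re-validate gw ID" / "gw validation failed" / IKE SA deletion sequence, and pulls the non-zero fnbamd result and the failed reply (errno 111, which is ECONNREFUSED on Linux) out of the fnbamd lines. The sample lines are constructed to resemble the quoted ones (addresses and SPIs are not real), and the numeric fnbamd result codes are reported raw because their meaning is not documented on this page.

```python
import errno
import re

# Constructed sample, modelled on the ike debug lines quoted in this thread.
IKE_DEBUG = """\
ike V=root:0:IPsec:178: responder received AUTH msg
ike V=root:0:IPsec:178: processing notify type INITIAL_CONTACT
ike V=root:0:IPsec:178: processing notify type MOBIKE_SUPPORTED
ike V=root:0:IPsec:178: peer identifier IPV4_ADDR 100.110.233.206
ike V=root:0:IPsec:178: re-validate gw ID
ike V=root:0:IPsec:178: gw validation failed
ike V=root:0:IPsec:178: schedule delete of IKE SA 62ec77d91e82ba00/661417b3f6535b09
ike V=root:0:IPsec: connection expiring due to phase1 down
ike V=root:0:Other Tunnel:42: responder received AUTH msg
ike V=root:0:Other Tunnel:42: peer identifier IPV4_ADDR 203.0.113.7
"""

# Constructed sample, modelled on the fnbamd debug lines quoted in this thread.
FNBAMD_DEBUG = """\
[2916] handle_auth_timeout_without_retry-No more retry
[239] fnbamd_comm_send_result-Sending result 10 (nid 0) for req 30030675304449, len=2600
[258] fnbamd_comm_send_result-Failed send reply (-1, errno 111)
[600] destroy_auth_session-delete session 30030675304449
[239] fnbamd_comm_send_result-Sending result 0 (nid 672) for req 11504, len=2602
"""

# "ike V=<vdom>:<idx>:<phase1 name>[:<conn id>]: <message>"
IKE_RE = re.compile(
    r"^ike V=(?P<vdom>\w+):(?P<idx>\d+):(?P<phase1>[^:]+)(?::(?P<conn>\d+))?: (?P<msg>.*)$"
)
SA_RE = re.compile(r"IKE SA ([0-9a-f]+/[0-9a-f]+)")
PEER_RE = re.compile(r"peer identifier (\S+) (\S+)")
RESULT_RE = re.compile(r"Sending result (\d+) \(nid (\d+)\) for req (\d+)")
FAIL_RE = re.compile(r"Failed send reply \((-?\d+), errno (\d+)\)")


def analyze_ike(text):
    """Group ike debug lines per (phase1 name, connection id) and record the
    peer identifier, whether gateway validation failed, and the deleted SA."""
    conns = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if not m:
            continue
        key = (m.group("phase1"), m.group("conn"))
        entry = conns.setdefault(key, {"peer_id": None, "gw_validation_failed": False,
                                       "ike_sa": None, "phase1_down": False})
        msg = m.group("msg")
        pm = PEER_RE.search(msg)
        if pm:
            entry["peer_id"] = f"{pm.group(1)} {pm.group(2)}"
        if msg == "gw validation failed":
            entry["gw_validation_failed"] = True
        sm = SA_RE.search(msg)
        if sm:
            entry["ike_sa"] = sm.group(1)
        if "phase1 down" in msg:
            entry["phase1_down"] = True
    return conns


def analyze_fnbamd(text):
    """Map each fnbamd request id to its result code, whether retries were
    exhausted before the result, and the errno of a failed reply to the caller."""
    reqs = {}
    last_req = None
    timed_out = False
    for line in text.splitlines():
        if "No more retry" in line:
            timed_out = True
            continue
        rm = RESULT_RE.search(line)
        if rm:
            last_req = rm.group(3)
            reqs[last_req] = {"result": int(rm.group(1)), "nid": int(rm.group(2)),
                              "timed_out": timed_out, "send_errno": None, "send_errno_name": None}
            timed_out = False
            continue
        fm = FAIL_RE.search(line)
        if fm and last_req is not None:
            code = int(fm.group(2))
            reqs[last_req]["send_errno"] = code
            # errno.errorcode uses the names of the host running this script;
            # on Linux (which FortiOS is built on) 111 is ECONNREFUSED.
            reqs[last_req]["send_errno_name"] = errno.errorcode.get(code, "unknown")
    return reqs


def report(ike_text, fnbamd_text):
    """Human-readable findings; only failures are listed."""
    lines = []
    for (name, conn), e in analyze_ike(ike_text).items():
        if e["gw_validation_failed"]:
            lines.append(f"{name}#{conn}: peer {e['peer_id']} failed gateway ID validation; "
                         f"IKE SA {e['ike_sa']} scheduled for deletion")
    for req, r in analyze_fnbamd(fnbamd_text).items():
        if r["result"] != 0 or r["send_errno"] is not None:
            extra = ", retries exhausted" if r["timed_out"] else ""
            if r["send_errno"] is not None:
                extra += f", reply to caller failed with errno {r['send_errno']} ({r['send_errno_name']})"
            lines.append(f"fnbamd req {req}: result {r['result']}{extra}")
    return lines


if __name__ == "__main__":
    for finding in report(IKE_DEBUG, FNBAMD_DEBUG):
        print(finding)
```

Pipe the real output of the two debug commands into these functions instead of the constructed strings; a connection id that shows "gw validation failed" without a matching successful fnbamd result for the same user is the place to start comparing the group the tunnel expects (authusrgrp) with what the SAML side actually delivered.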

fabs
New Contributor III

Hello guys,

I have now also been able to solve the problem with the EAP auth.
The connection now works with Windows and iOS.

The reason was that I had forgotten to set the "group" user.groups claim in the SSO settings under Attributes & Claims in the EntraID Enterprise app, and I had also forgotten to set the "username" user.principalname claim.

But the issue with the EntraID CA Policy when I try to connect with my iPhone is still there. 

"AADSTS50005: User tried to log in to a device from a platform (Unknown) that's currently not supported through Conditional Access policy.
Supported device platforms are: iOS, Android, Mac, and Windows flavors."

It looks like the SSO prompt on SSL VPN is done by Safari, and the IPsec SSO prompt by the inbuilt browser of FortiClientVPN?
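To illustrate the fix reported in this post, here is an added Python example (not from the thread or from Fortinet) that inspects a decoded SAML assertion and confirms the two attributes the FortiGate needs are present: the user name and a group value that the tunnel's authusrgrp can match. The attribute names "username" and "group" and the group AAD-IPSEC-VPN-USERS mirror this thread's configuration; the assertion XML and the user are constructed, and the tenant id is a placeholder.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion (not a real Entra ID response). Attribute names follow
# the thread's SSO settings: "username" <- user.principalname, "group" <- user.groups.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-12-06T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="group">
      <saml:AttributeValue>AAD-IPSEC-VPN-USERS</saml:AttributeValue>
      <saml:AttributeValue>All-Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed assertion without the custom claims, i.e. the state the poster
# describes before adding "username" and "group" in Attributes & Claims. Only
# the default name claim is present.
BROKEN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-2" Version="2.0" IssueInstant="2024-12-06T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def saml_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the AttributeStatement.
    ElementTree is fine for assertions you captured yourself; parse assertions
    received from the network with a hardened parser such as defusedxml."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_vpn_claims(assertion_xml, username_attr="username", group_attr="group",
                     required_group="AAD-IPSEC-VPN-USERS"):
    """List what is missing for the FortiGate to map this login to the VPN
    user group; an empty list means the assertion carries everything needed."""
    attrs = saml_attributes(assertion_xml)
    problems = []
    if not attrs.get(username_attr):
        problems.append(f"no '{username_attr}' attribute: the FortiGate cannot derive the user name")
    groups = attrs.get(group_attr, [])
    if not groups:
        problems.append(f"no '{group_attr}' attribute: nothing for authusrgrp to match")
    elif required_group not in groups:
        problems.append(f"'{group_attr}' present but does not contain {required_group!r} (got {groups})")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_ASSERTION), ("broken", BROKEN_ASSERTION)):
        print(label, check_vpn_claims(xml_text) or "ok")
```

The attribute names the FortiGate looks for are the ones set with user-name and group-name under config user saml, so they must match the claim names chosen in the Enterprise app exactly. The value Entra ID emits for the groups claim depends on how that claim is configured (group object id or a name), and the string compared against authusrgrp has to be whatever the IdP actually sends, which is why capturing one real assertion and running a check like this is more reliable than reading the two portals side by side.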

sjoshi
fabs
New Contributor III

Hello @sjoshi 
The Windows FortiClientVPN is working fine.
The CA issue is with the iOS FortiClientVPN, and only with the IPsec connection.

When connecting via SSL VPN
ssl_vpn.png

When connecting with IPsec VPN

ipsec_vpn.png
So the User Agent is not valid, and my CA policy is blocking it because it's not detecting a compliant device.