I know enough about FortiAuthenticator to be dangerous, so forgive me if I come across as ignorant on the product. I currently have mine set up with a SAML connection to Azure, from which I can pull user and group information; however, the only login events I have been able to capture from my non-domain-joined devices (which for me is about 90% of my devices, as we are 1:1 Apple) come via syslog from my third-party internal web filter appliance for Apple devices. I have a web filter agent providing login info to my filter, where it is matched against AD users so that they can be put into the correct groups. Domain-joined devices are handled via the web filter agent on the AD server for those login events. So, in a nutshell, I am able to filter all of that down to my FortiGates into FSSO groups for the various policies to match against.
So my first question is: why doesn't Fortinet have a simple multi-OS agent that would provide that info directly to the FortiAuthenticator? In my situation, I am having to rely on someone else's technology that does provide a simple agent like this, and doing this via syslog seems to be very chatty due to the number of events taking place. I also understand that this is one part of FortiClient's many features, but I've had bad results with that product and its support for macOS, and I had to stop using it as it caused more problems in my environment than it solved.
My second question is: if I am performing logins into Azure (and again, this might just be my ignorance), is there not a way to use those logins (since I'm already tied to Azure anyway) for FSSO? Can that info not be reported back to FortiAuthenticator to use for SSO purposes?