The user's browser already has valid SAML assertions, so it sends them to the SP's web server (FGT). The web server (FGT) uses them to grant or deny access to the service. SAML authentication stops here.
The user's browser doesn't have valid SAML assertions, so the SP's web server (FGT) redirects the browser to the SAML IdP (FAC).
If you change browsers or log off the user, these assertions are destroyed. As long as you get redirected to FAC, it means that the browser doesn't have valid assertions anymore.
Maybe the admin session timeout of the FGT is treated as a logoff for SAML. In my lab I have this profile applied:
    edit "prof_admin"
        set admintimeout-override disable
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
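The SP-side decision described in this answer (valid assertion in the browser session: grant or deny; no valid assertion, or an idle timeout treated as logoff: redirect to the IdP), as an added toy model that is not FortiGate or FortiAuthenticator code. The entity IDs, URL and timestamps are constructed placeholders.

```python
"""Toy model of the SP (FGT) decision for a browser session carrying a SAML assertion."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed placeholder identifiers; not real FGT/FAC values.
SP_ENTITY_ID = "https://fgt.example.test/saml/metadata"
IDP_SSO_URL = "https://fac.example.test/saml-idp/login"


@dataclass
class Assertion:
    subject: str
    audience: str            # SP entity ID the assertion was issued for
    not_before: datetime
    not_on_or_after: datetime


@dataclass
class BrowserSession:
    assertion: Optional[Assertion] = None
    last_activity: Optional[datetime] = None


def in_validity_window(a: Assertion, now: datetime) -> bool:
    """An assertion outside its time window counts as 'no valid assertion'."""
    return a.not_before <= now < a.not_on_or_after


def sp_decide(session: BrowserSession, now: datetime,
              admin_timeout: timedelta) -> Tuple[str, str]:
    """Return ('allow', subject), ('deny', reason) or ('redirect', IdP URL)."""
    a = session.assertion
    # Model of the post's hypothesis: idle admin timeout behaves like a logoff,
    # so the session's assertion is discarded and the browser goes back to FAC.
    if a is not None and session.last_activity is not None \
            and now - session.last_activity > admin_timeout:
        session.assertion = None
        a = None
    if a is None or not in_validity_window(a, now):
        return ("redirect", IDP_SSO_URL)      # browser has no valid assertion
    if a.audience != SP_ENTITY_ID:
        return ("deny", "assertion not issued for this SP")  # valid but unusable
    session.last_activity = now
    return ("allow", a.subject)
```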