I believe having the SAML authentication restricted to a specific realm (and the AD/cert auth with default realm "/") should be sufficient, but there were a few bugs around FortiGate still prompting certificates with the default realm in use, so you might need to do specific realms for both methods.
I understand this requires updating the FortiClient configurations to point to the new VPN gateway (including realm), but you should not be required to install a new version of FortiClient for that change.
I assume you already have a FortiClient set up to connect for the SAML authentication? I would suggest adding a realm for SAML, then trying to connect to the new realm. If that fails due to the certificate requirement, then you will need two separate realms, and will also need to update the clients still using AD/cert auth to access the new realm.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
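Added example, not part of the reply above and not Fortinet's reference configuration: a FortiOS CLI sketch of the layout the reply suggests, with SAML users on their own realm and AD/certificate users left on the default realm. The realm name `saml`, the groups `grp-saml` and `grp-ad-cert`, and the portal `full-access` are assumptions, and both groups are assumed to exist already.

```fortios
# Added example; realm, group and portal names are assumptions.

# 1. Create the realm that SAML clients will connect to.
config vpn ssl web realm
    edit "saml"
    next
end

config vpn ssl settings
    # The global switch would demand a client certificate from every
    # login, SAML included, so certificates are enforced per rule instead.
    set reqclientcert disable

    config authentication-rule
        # 2. SAML users: matched only on the "saml" realm, no client cert.
        edit 1
            set groups "grp-saml"
            set portal "full-access"
            set realm "saml"
            set client-cert disable
        next
        # 3. AD/cert users: no realm set, so this rule applies to the
        #    default realm "/", and a client certificate is required.
        edit 2
            set groups "grp-ad-cert"
            set portal "full-access"
            set client-cert enable
        next
    end
end
```

With this layout only the SAML clients need their remote gateway changed to include the realm path (`/saml` here). If the default realm still prompts SAML users for a certificate, the fallback described in the reply is a second `edit` under `config vpn ssl web realm` plus a `set realm` on rule 2.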