There is FortiOS NFR 505485 for implementing the SP role in FortiGate, which would allow SSO for SSL VPN users using Azure AD as the IdP. This would address your scenario without FAC. I am not sure what the status is of that NFR. We've also seen requests for the FortiClient to support SAML SSO for tunnel mode SSL VPN. Please check with the FOS team for latest.