You wouldn’t be doing SAML through NPS. Don’t confuse MFA with SAML. SAML is a more modern way of doing the authentication, even if you’re not using MFA…which you should be. If you’re using SSL VPN the set it up with SAML authentication for Entra ID. It alleviates the need for NPS. Both Microsoft and Fortinet have step-by-step guides for setting it up (the Microsoft guide is a little more current).
There is a very recent option to use SAML with IPsec. That should be planned for future implementation after the kinks are worked out.