ManoelMartins
Staff
September 2, 2025

Technical Tip: auth-ike-saml-port changed after device reboot

Description

This article describes an issue where a customized SAML authentication port (auth-ike-saml-port) reverts to its default after a FortiGate reboot, how to confirm it, and the workaround.

Scope

FortiClient v7.2.0, FortiGate v7.6.3, v7.4.8, v7.4.9, SAML.
Solution

Since FortiOS v7.2.0, SAML-based authentication is supported for FortiClient remote access dial-up IPsec VPN clients. The feature requires FortiClient v7.2.4 and supports IKEv2 only.

 

The port can be changed only from the CLI:

 

config system global
    set auth-ike-saml-port <integer>    (default 1001)
end

 

On v7.6.3, v7.4.8, and v7.4.9, there is an issue where a port customized to 10443 (which is also the default SSL VPN listening port on FortiGate) reverts to the default port (1001) after the FortiGate reboots. Once the device is back up, the failed command is visible in the config error log, and the reverted value can be confirmed under system global:

 

FGT # diagnose debug config-error-log read
>>>  "set" "auth-ike-saml-port" "10443" @ global.system.global:failed command (error -23)
# --------------------------
FGT # conf sys global
FGT (global) # sh full | grep ike
    set auth-ike-saml-port 1001     <--- Back to default

 

As a workaround, set a port other than 10443, for example 11443:

 

config system global
    ...
    set auth-ike-saml-port 11443
    ...
end

After the next reboot, re-run diagnose debug config-error-log read and confirm that sh full | grep ike under config system global still reports 11443.

 

This is a known issue, tracked under bug ID 1180324. It is resolved in FortiOS v7.4.10 and v7.6.5, and in the upcoming v8.0.0 (ETA March 2026).
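To automate the post-reboot check described above, the following is an added Python example; it is not Fortinet's code and not part of the original article. It parses captured output of diagnose debug config-error-log read and of show full-configuration under config system global, text you would collect over SSH or from a console log. The two sample outputs embedded in it are constructed to mirror the output shown in this article, the affected and fixed build lists are the ones given here, and the function and constant names are the example's own. When the intended port is 10443 on an affected build, the check reports the workaround port so it can be applied before the next reboot.

```python
"""Verify that auth-ike-saml-port survived a FortiGate reboot.

Added example (not Fortinet code). Input is captured CLI text; the samples
below are constructed to mirror the article's output.
"""
import re
from dataclasses import dataclass

# Builds listed in the article as affected / fixed for bug ID 1180324.
AFFECTED_BUILDS = {"7.6.3", "7.4.8", "7.4.9"}
FIXED_BUILDS = {"7.4.10", "7.6.5", "8.0.0"}
DEFAULT_PORT = 1001
KNOWN_BAD_PORT = 10443   # the value that fails to load at boot on affected builds
SUGGESTED_PORT = 11443   # the article's workaround value

# Constructed sample of "diagnose debug config-error-log read" after a reboot.
SAMPLE_ERROR_LOG = (
    '>>>  "set" "auth-ike-saml-port" "10443" @ global.system.global:'
    'failed command (error -23)\n'
)
# Constructed sample of "show full-configuration" under "config system global".
SAMPLE_GLOBAL_CONFIG = """config system global
    set admintimeout 5
    set auth-ike-saml-port 1001
    set hostname "FGT"
end
"""

CONFIG_ERROR_RE = re.compile(
    r'>>>\s+"set"\s+"(?P<name>[\w-]+)"\s+"(?P<value>[^"]*)"\s+@\s+(?P<path>\S+?):'
    r'failed command \(error (?P<code>-?\d+)\)'
)
RUNNING_PORT_RE = re.compile(r"^\s*set auth-ike-saml-port (?P<port>\d+)\s*$", re.M)


@dataclass
class ConfigError:
    name: str
    value: str
    path: str
    code: int


def parse_config_error_log(text):
    """Return every failed 'set' that the config-error-log recorded at boot."""
    return [ConfigError(m["name"], m["value"], m["path"], int(m["code"]))
            for m in CONFIG_ERROR_RE.finditer(text)]


def running_saml_port(global_config):
    """Port in effect. 'show full-configuration' prints the line even at default;
    plain 'show' omits defaults, so a missing line means the default value."""
    m = RUNNING_PORT_RE.search(global_config)
    return int(m["port"]) if m else DEFAULT_PORT


def normalize_build(version):
    """'v7.4.9' and 'FortiOS 7.4.9' both become '7.4.9'."""
    m = re.search(r"\d+\.\d+\.\d+", version)
    return m.group(0) if m else version


def is_affected_build(version):
    return normalize_build(version) in AFFECTED_BUILDS


def check_saml_port(intended_port, error_log, global_config, version):
    """Return (ok, findings). ok is True only when the intended port is in
    effect and no boot-time load error was recorded for auth-ike-saml-port."""
    errors = [e for e in parse_config_error_log(error_log)
              if e.name == "auth-ike-saml-port"]
    running = running_saml_port(global_config)
    findings = []
    if errors:
        e = errors[0]
        findings.append(f"boot-time load of 'set {e.name} {e.value}' failed (error {e.code})")
    if running != intended_port:
        findings.append(f"running value is {running}, intended {intended_port}")
    if not findings:
        return True, [f"auth-ike-saml-port is {running} as intended"]
    if intended_port == KNOWN_BAD_PORT and is_affected_build(version):
        findings.append(f"FortiOS {normalize_build(version)} is affected by bug ID 1180324: "
                        f"use a port other than {KNOWN_BAD_PORT} (e.g. {SUGGESTED_PORT}) "
                        f"or upgrade to one of {sorted(FIXED_BUILDS)}")
    elif normalize_build(version) in FIXED_BUILDS:
        findings.append("build is listed as fixed; open a TAC case")
    return False, findings


if __name__ == "__main__":
    ok, findings = check_saml_port(10443, SAMPLE_ERROR_LOG, SAMPLE_GLOBAL_CONFIG, "v7.4.9")
    print("OK" if ok else "REVERTED")
    for f in findings:
        print(" -", f)
```

Feed check_saml_port the port you configured, the two captured outputs, and the build string from get system status; a False result with the 11443 hint means the workaround applies, while a False result on a build listed as fixed is the case the article says to raise with TAC.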

 

If the issue persists on one of the fixed versions, open a case with TAC Support.

 

Related documents: