The configuration of IPsec VPN SAML-based authentication is based on the document IPsec VPN SAML-based authentication.  The configuration with a loopback interface only works if 'set ike-saml-server' is also enabled on the ingress interface.  The following tunnel has been configured with a lookback interface:
config vpn ipsec phase1-interface
  edit "v4-PSK-IKEv2"
       set type dynamic
       set interface "Loopback"
       set ike-version 2
       set peertype any
       set net-device disable
       set mode-cfg enable
       set ipv4-dns-server1 172.17.60.6
       set ipv4-dns-server2 8.8.8.8
       set proposal aes128-sha1 aes256-sha256
       set dpd on-idle
       set dhgrp 5
       set eap enable
       set eap-identity send-request
       set assign-ip-from name
       set ipv4-split-include "LAN2-192.168.235.0"
       set ipv4-name "IPSec_Tunnel_Addr1"Â
       set save-password enable
       set client-auto-negotiate enable
       set client-keep-alive enable
       set psksecret 11111111
       set dpd-retryinterval 60
  next
end
 The Loopback interface configuration is as follows, where it requires a set 'set ike-saml-server'. Important note:
Using virtual IP for loopback interface is not supported in IPsec remote access.
config system interface
  edit "Loopback"
       set ike-saml-server "IPsec-SAML"
  next
end
Additionally, the option also needed to be set on the ingress interface. Otherwise, the connection will terminate at the TLS handshake with an 'Encrypted Alert', and there will be no SAML debug output.Â
In this case, assume the traffic is ingress on the interface wan2, where the option 'set ike-saml-server'Â needs to be set.
config system interfaceÂ
  edit "wan2"
    set ike-saml-server "IPsec-SAML"
  next
end
 Debug logs to be taken if any issue occurs:
diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 <remote_public_IP>
diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug console timestamp enable
diagnose debug enable
 To disable:Â
diagnose debug disable
diagnose vpn ike log filter clear
 IKE Debug commands reference: Troubleshooting Tip: IPsec Tunnel (debugging IKE).  Note: IKE with SAML authentication does not support multiple SAML servers on the same interface, as the SAML server is directly bound to the interface and allows only one instance to be configured.
Dial-up IPsec with SAML using an external browser for authentication is supported starting from v7.4.9 and v7.6.1, FortiClient v7.2.5 and v7.4.1 for Mac and Windows, and FortiClient v7.4.3 for Linux:Â Technical Tip: FortiClient SAML Authentication Configuration Demystified.
Starting from FortiGate v7.2.12, v7.4.9, and v7.6.4, the device verifies the signature of SAML response messages.
This enhancement is detailed in the SAML certificate verification section of the Release Notes:Â SAML certificate verification. This enhancement also applies to FIPS-CC CVE-Patched builds for v7.2 (for example, builds beginning with FIPS-CC-72-5 and later).
 After upgrading, SAML authentication may fail when FortiGate is configured as the Service Provider, such as in IPsec/SSL VPN, administrator SSO login, or SAML captive portal scenarios.  To comply with the updated verification requirement, both the SAML assertion and the SAML response must be signed.  For detailed troubleshooting steps and configuration guidance, refer to the following article: Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4.  Related documents: |