Issue:SAML-based IPsec VPN using FortiClient 7.2.4 and Microsoft Entra ID is not working. When accessing the SAML login URL (https://[redacted]:9443/remote/saml/login), the browser returns:ERR_EMPTY_RESPONSEFortiGate does not respond on the configured auth-ike-saml-port.What We’ve Verified:auth-ike-saml-port is set (tested 9443 and 10443)SAML server is bound to the WAN interfacePublic cert (Let’s Encrypt) is valid and applied (set cert, set auth-cert)FortiClient is correctly configured for SAML IKEv2No output from diag debug application samld -1 — SAML daemon appears inactiveRequest:Please assist in confirming why the SAML listener is not responding on the configured port despite correct configuration. No known issues are mentioned in 7.4.7 release notes.

Explorer III

Question

FortiClient SAML IPsec VPN Not Responding on Port 9443 – FortiOS 7.4.7

Forum|Forum|11 months ago
May 23, 2025
4 replies
2967 views

Issue:

SAML-based IPsec VPN using FortiClient 7.2.4 and Microsoft Entra ID is not working. When accessing the SAML login URL (https://[redacted]:9443/remote/saml/login), the browser returns:

ERR_EMPTY_RESPONSE

FortiGate does not respond on the configured auth-ike-saml-port.

What We’ve Verified:

auth-ike-saml-port is set (tested 9443 and 10443)
SAML server is bound to the WAN interface
Public cert (Let’s Encrypt) is valid and applied (set cert, set auth-cert)
FortiClient is correctly configured for SAML IKEv2
No output from diag debug application samld -1 — SAML daemon appears inactive

Request:

Please assist in confirming why the SAML listener is not responding on the configured port despite correct configuration. No known issues are mentioned in 7.4.7 release notes.

saml

Anthony_E

Staff

Hello,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Best Regards

Anthony_E

Staff

Hello,

To troubleshoot the SAML listener not responding on the configured port, ensure that the SAML configuration is complete and correct, as upgrades might alter configurations. Collect WAD and SAML debug logs for further analysis. Consider using an external browser for SAML authentication as a workaround. If the issue persists, contacting Fortinet support with detailed logs might be necessary/

You can have a look at this post which has a solution: https://community.fortinet.com/t5/Support-Forum/Error-SAML-Auth-FortiOS-7-4-1/td-p/279001

Regards,

Best Regards

nflnetwork29Author

Explorer III

DO you have a sample syntax for these ones?

Collect WAD and SAML debug logs

funkylicious

SuperUser

hi,

what the browser returns appears to be valid/ok response as in my test environment i get the same.

you can test with telnet IP port and see if it's listening and connects and that should be your confirmation that it works (make sure that you dont have overlapping services listening on the same port, e.g. sslvpn and ike-saml ) .

as for debug logs you can use,

diagnose debug application ike -1

diagnose debug application samld -1

diagnose debug enable

L.E. can you post a sanitized config of saml and ipsec config ?

show user saml

show vpn ipsec phase1-interface

"jack of all trades, master of none"

Nbufalo

New Member

Apologies for the bump on this thread... Were you ever able to get this working appropriately? I am running into a similar issue with one of my setups.

Issue:

What We’ve Verified:

Request:

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded