FortiGate
Dhruvin_patel
Article Id 373980
Description This article describes the options that must be enabled when configuring IPsec VPN SAML-based authentication on a loopback interface.
Scope FortiGate v7.2.4 and later.
Solution

The configuration of IPsec VPN SAML-based authentication is based on the document IPsec VPN SAML-based authentication.

 

The configuration with a loopback interface only works if 'set ike-saml-server' is also enabled on the ingress interface.

The following tunnel has been configured on a loopback interface:

config vpn ipsec phase1-interface
    edit "v4-PSK-IKEv2"
        set type dynamic
        set interface "Loopback"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 172.17.60.6
        set ipv4-dns-server2 8.8.8.8
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set assign-ip-from name
        set ipv4-split-include "LAN2-192.168.235.0"
        set ipv4-name "IPSec_Tunnel_Addr1"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret 11111111
        set dpd-retryinterval 60
    next
end

The Loopback interface configuration is as follows; it requires 'set ike-saml-server':

config system interface
    edit "Loopback"
        set ike-saml-server "IPsec-SAML"
    next
end

Additionally, the same option also needs to be set on the ingress interface. Otherwise, the connection terminates during the TLS handshake with an 'Encrypted Alert', and there is no SAML debug output.

In this case, assume the traffic ingresses on interface wan2, where 'set ike-saml-server' also needs to be set:

config system interface
    edit "wan2"
        set ike-saml-server "IPsec-SAML"
    next
end
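As an added example (not Fortinet code), the following script audits a FortiOS configuration dump for the rule just described: every dynamic EAP (SAML) phase1 must have 'set ike-saml-server' on the interface it is bound to and on each ingress interface you name. The sample configuration embedded in it is constructed and deliberately omits the setting on wan2.

```python
# Added example (not Fortinet code): audit a FortiOS config dump for the rule above.
def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}};
    sub-tables nested inside an entry are flattened into that entry."""
    tree, stack, entry = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:])
            tree.setdefault(stack[0], {})
        elif line.startswith("edit ") and len(stack) == 1:  # top-level entries only
            entry = line[5:].strip('"')
            tree[stack[0]].setdefault(entry, {})
        elif line.startswith("set ") and entry is not None:
            key, *vals = line[4:].split()
            tree[stack[0]][entry][key] = [v.strip('"') for v in vals]
        elif line == "next" and len(stack) == 1:
            entry = None
        elif line == "end" and stack:
            stack.pop()
            entry = entry if stack else None
    return tree

def audit_ike_saml(cfg, ingress_ifaces):
    """For every dynamic phase1 with EAP (SAML) enabled, the interface it is bound to
    and each ingress interface must carry 'set ike-saml-server'. Returns findings."""
    findings, ifaces = [], cfg.get("system interface", {})
    for tunnel, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("type") != ["dynamic"] or p1.get("eap") != ["enable"]:
            continue  # not a SAML dial-up tunnel, nothing to check
        bound = p1.get("interface", [None])[0]
        for iface in dict.fromkeys([bound, *ingress_ifaces]):  # dedupe, keep order
            if iface and "ike-saml-server" not in ifaces.get(iface, {}):
                findings.append(f"{tunnel}: '{iface}' lacks set ike-saml-server")
    return findings

# Constructed sample: the loopback is correct but ingress wan2 has no interface entry.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "v4-PSK-IKEv2"
        set type dynamic
        set interface "Loopback"
        set eap enable
    next
end
config system interface
    edit "Loopback"
        set ike-saml-server "IPsec-SAML"
    next
end
"""
```

Run `audit_ike_saml(parse_fortios(open("backup.conf").read()), ["wan2"])` against a real backup; an empty list means both interfaces carry the setting.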

Debugs to be taken if any issue occurs:

diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 <remote_public_IP>
diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug console timestamp enable
diagnose debug enable

To disable:

diagnose debug disable
diagnose vpn ike log filter clear

 

IKE Debug commands reference: Troubleshooting Tip: IPsec Tunnel (debugging IKE).

 

Note:
IKE with SAML authentication does not support multiple SAML servers on the same interface, as the SAML server is directly bound to the interface and allows only one instance to be configured.

Dial-up IPsec with SAML using an external browser for authentication is supported starting from v7.4.9 and v7.6.1, FortiClient v7.2.5 and v7.4.1 for Mac and Windows, and FortiClient v7.4.3 for Linux: Technical Tip: FortiClient SAML Authentication Configuration Demystified

 

Starting from FortiGate v7.2.12, v7.4.9, and v7.6.4, the device verifies the signature of SAML response messages.

This enhancement is detailed in the SAML certificate verification section of the Release Notes: SAML certificate verification

 

Related document:

SAML certificate verification 


This enhancement also applies to FIPS-CC CVE-Patched builds for v7.2 (for example, builds beginning with FIPS-CC-72-5 and later).

 

After upgrading, SAML authentication may fail when FortiGate is configured as the Service Provider, such as in IPsec/SSL VPN, administrator SSO login, or SAML captive portal scenarios.

 

To comply with the updated verification requirement, both the SAML assertion and the SAML response must be signed.

 

For detailed troubleshooting steps and configuration guidance, refer to the following article: Troubleshooting Tip: SAML Authentication fails after firmware upgrade to v7.2.12, v7.4.9 or v7.6.4

 

Related documents:

SAML-based authentication for FortiClient remote access dial-up IPsec VPN clients

Technical Tip: FortiGate SAML authentication resource list

Troubleshooting Tip: IPsec dial-up connection to a Loopback Interface using Virtual IP does not work