FortiGate
Dhruvin_patel
Article Id 373980
Description This article lists the options that must be enabled when configuring IPsec VPN SAML-based authentication with a loopback interface.
Scope FortiGate v7.2.4 and later.
Solution

The configuration of IPsec VPN SAML-based authentication follows the document 'IPsec VPN SAML-based authentication'.

A tunnel bound to a loopback interface only works if 'set ike-saml-server' is also enabled on the ingress interface.

The following tunnel has been configured with a loopback interface:

config vpn ipsec phase1-interface
    edit "v4-PSK-IKEv2"
        set type dynamic
        set interface "Loopback"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 172.17.60.6
        set ipv4-dns-server2 8.8.8.8
        set proposal aes128-sha1 aes256-sha256
        set dpd on-idle
        set dhgrp 5
        set eap enable
        set eap-identity send-request
        set assign-ip-from name
        set ipv4-split-include "LAN2-192.168.235.0"
        set ipv4-name "IPSec_Tunnel_Addr1"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret 11111111
        set dpd-retryinterval 60
    next
end

The Loopback interface configuration is as follows; it requires 'set ike-saml-server':

config system interface
    edit "Loopback"
        set ike-saml-server "IPsec-SAML"
    next
end

Additionally, the option also needs to be set on the ingress interface. Otherwise, the connection terminates at the TLS handshake with an 'Encrypted Alert', and no SAML debug output is produced.

In this case, assume the client traffic arrives on interface wan2, so 'set ike-saml-server' must also be set there:

config system interface
    edit "wan2"
        set ike-saml-server "IPsec-SAML"
    next
end
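A small configuration check for the pitfall described above, added here as an example (it is not part of this article or of FortiOS): it parses a `show`-style CLI dump (the excerpt below is constructed) and flags EAP-enabled phase1 tunnels whose bound interface, or, for a loopback-bound tunnel, any ingress interface you name, lacks 'set ike-saml-server'.

```python
# Constructed FortiOS CLI excerpt (not from a live device): loopback-bound
# EAP/SAML tunnel; ike-saml-server set on the loopback but not on wan2.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "v4-PSK-IKEv2"
        set interface "Loopback"
        set eap enable
    next
end
config system interface
    edit "Loopback"
        set type loopback
        set ike-saml-server "IPsec-SAML"
    next
    edit "wan2"
        set ip 203.0.113.10 255.255.255.0
    next
end
"""

def parse_fortios(text):
    """Flatten a FortiOS CLI dump into {table: {entry: {key: value}}} (one level)."""
    tables, table, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            table, entry = tables.setdefault(line[7:], {}), None
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip().strip('"')
    return tables

def check_ike_saml(config_text, ingress_interfaces):
    """Flag EAP (SAML) tunnels missing 'set ike-saml-server' on the bound
    interface or, for a loopback-bound tunnel, on any ingress interface."""
    cfg = parse_fortios(config_text)
    intf = cfg.get("system interface", {})
    findings = []
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if p1.get("eap") != "enable":
            continue
        bound = p1.get("interface", "")
        required = [bound]
        if intf.get(bound, {}).get("type") == "loopback":
            required += list(ingress_interfaces)
        for ifname in required:
            if "ike-saml-server" not in intf.get(ifname, {}):
                findings.append(f"{name}: {ifname} lacks ike-saml-server")
    return findings
```

Run it over the output of `show` for the two tables, passing the names of the interfaces the VPN clients actually reach the FortiGate on; an empty result means every required interface carries the option.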