FortiGate
Rajneesh
Staff
Article Id 394889
Description This article describes an issue where users connecting to the IPsec remote VPN are not redirected to the SAML IDP for authentication.
Scope FortiGate.
Solution

When a user attempts to connect to the IPsec remote access VPN, the IDP login page does not load and the user is never redirected to the SAML IDP.


This issue can occur when the ike-saml-server is not configured on the interface on which the IPsec VPN is configured to listen.

 

Configure ike-saml-server on the interface concerned, using the following CLI commands:

 

config system interface
    edit <name>
        set ike-saml-server <saml_server>
    next
end

 

Note: ike-saml-server can only be configured from the CLI; the setting is not available in the GUI.

Once the ike-saml-server is enabled on an interface, the FortiGate will start to listen for SAML authentication requests from FortiClient remote access IPsec VPN clients.
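As an added illustration (not part of this article or of FortiOS), the following Python script parses a FortiOS configuration backup and lists every phase1-interface entry whose listening interface has no ike-saml-server set, which is exactly the misconfiguration described above. The configuration excerpt is constructed; the section names `system interface` and `vpn ipsec phase1-interface` and the `set interface` attribute are the standard FortiOS CLI ones, and the parser only handles the flat config/edit/set/next/end layout.

```python
import shlex

# Constructed FortiOS config excerpt (not from the article): port1 has an ike-saml-server, port2 does not.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ike-saml-server "entra-saml"
    next
    edit "port2"
    next
end
config vpn ipsec phase1-interface
    edit "SAML-Dialup"
        set interface "port1"
    next
    edit "Branch-Dialup"
        set interface "port2"
    next
end
"""

def parse_fortios_config(text):
    """Parse the 'config / edit / set / next / end' layout of a FortiOS CLI dump into
    {section_path: {entry_name: {attribute: value}}}. Nested sub-tables get their own key."""
    sections, path, ctx = {}, [], []   # ctx[i] = the 'edit' entry open at nesting depth i
    for raw in text.splitlines():
        tok = shlex.split(raw)          # handles the quoted names FortiOS emits
        if not tok:
            continue
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
            ctx.append(None)
        elif tok[0] == "edit" and path and len(tok) > 1:
            ctx[-1] = sections.setdefault(" ".join(path), {}).setdefault(tok[1], {})
        elif tok[0] == "set" and ctx and ctx[-1] is not None and len(tok) > 1:
            ctx[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next" and ctx:
            ctx[-1] = None
        elif tok[0] == "end" and path:
            path.pop()
            ctx.pop()
    return sections

def phase1_without_ike_saml(text):
    """Return [(phase1_name, interface)] for phase1 entries whose bound interface lacks ike-saml-server."""
    cfg = parse_fortios_config(text)
    ifaces = cfg.get("system interface", {})
    return [(name, p1["interface"]) for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items()
            if "interface" in p1 and not ifaces.get(p1["interface"], {}).get("ike-saml-server")]
```

Run against a real backup, any phase1 name reported here that is meant to use SAML needs `set ike-saml-server` added on the listed interface.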

 

If the issue persists, collect the following debug output while reproducing the connection attempt:

diagnose debug application ike -1
diagnose debug application samld -1
diagnose debug application fnbamd -1
diagnose debug application eap_proxy -1
diagnose debug console timestamp enable
diagnose debug enable

 

To disable the debug output afterwards:

 

diagnose debug disable


Related documents:

Technical Tip: How to configure Microsoft Entra ID SAML authentication for Dial-up IPsec VPN

Technical Tip: FortiGate IPSec Dial-up IKEv2 SAML-based authentication with FortiAuthenticator as Id...

SAML-based authentication for FortiClient remote access dialup IPsec VPN clients