maulishshah
Staff
Article Id 343030
Description: This article describes how to troubleshoot the IPsec SAML dial-up tunnel if it fails to connect.
Scope: FortiGate, FortiClient.
Solution

For initial deployment, review Technical Tip: How to configure Microsoft Entra ID SAML authentication for Dial-up IPsec VPN.

If the dial-up tunnel fails to connect, there could be multiple reasons.

  1. Authentication failed against SAML. Collect the output of the following debug commands before authenticating:

diagnose vpn ike log-filter dst-addr4 x.x.x.x
diagnose debug console timestamp enable
diagnose debug app authd 60
diagnose debug app fnbamd -1
diagnose debug app saml -1
diagnose debug app ike -1
diagnose debug application eap_proxy -1
diagnose debug enable

For v7.4.0 and above, the log filter command changes slightly:

diagnose vpn ike log filter rem-addr4 x.x.x.x <----- x.x.x.x is the client's public IP.
diagnose debug console timestamp enable
diagnose debug app authd 60
diagnose debug app fnbamd -1
diagnose debug app saml -1
diagnose debug app ike -1
diagnose debug application eap_proxy -1
diagnose debug enable

Note:
It is a best practice to clear the filter before running the debugs. To clear the filter, enter the following command:

diagnose vpn ike log-filter clear

For v7.4.0 and above:

diagnose vpn ike log filter clear

After the test, press 'ctrl+c' and enter 'diagnose debug disable' to stop the debugging.

Initiate the SAML connection and check whether SAML authentication passed. If the logs stop after the SAML reply shown below and no IKE logs follow, the issue is in most cases the remote authentication timeout value:

Note:
Verify that 'external browser' is disabled on FortiClient. IPsec dial-up does not currently support an external browser; this support is expected to be added in upcoming versions.

samld_send_common_reply [99]: Attr: 11, 1449, https://login.microsoftonline.com/xxxxxx-
send_common_reply [119]: Sent resp:
ike shrank heap by 331776 bytes

Check the current timeout with the following command and analyze the output:

show full sys global | grep remoteauthtimeout

The default value is 5, meaning 5 seconds. SAML authentication takes more than 5 seconds, so increase the value to cover the time the login process needs.

For remoteauthtimeout, refer to Technical Tip: Explaining global 'set remoteauthtimeout', user radius 'set timeout', and how they wo....

  2. Another reason is that no proposal has been chosen. If the IKE logs show 'no proposal chosen', the issue could be a phase 1 or phase 2 configuration error. Confirm the phase 1 and phase 2 configuration against the FortiClient configuration.

Related articles:

Troubleshooting Tip: Understanding message 'no proposal chosen' in IKE debug log
Technical Tip: IPSec VPN diagnostics – Deep analysis

  3. If IKE receives no further traffic from the client after the following log lines, the issue is caused by one of the items listed below:

ike 0:Test-VPN:98620: remote port change 1011 -> 64916
ike 0:Test-VPN:98620: out F293D467FA21A5A3AB2AB79BC3E06FB12E202320000000010000008024000064DEEB75FB51E17E4CC4418F12683D471877F7194BC1E89C8ED4475012F92726A2803E0374FB01058D224652A4D8B227FE7F91347FBC447EA441A1A9B3F83035F90E73C626EF7EBF9DC21CADEB7C008E533E21D10E73DE236BDA565F7AF8D4A9FD
ike 0:Test-VPN:98620: sent IKE msg (AUTH_RESPONSE): 2.94.156.100:4500->4.4.54.100:64916, len=128, vrf=0, id=f293d467fa21a5a3/ab2ab79bc3e06fb1:00000001

  1. Authentication group not configured, or the wrong authentication group configured, on either the IPsec phase 1 or the firewall policy.
  2. IKE version mismatch between FortiGate and FortiClient.
  3. Pre-shared key mismatch.

  4. If the connection fails because of an EAP failure, check whether the SAML user group is configured to match a specific object ID or group ID. If it is, remove that match and test again.

Example of the expected log:

808C9B32XCXXXXXAB03AE7D47D8A5552E202308000000040000XXXXXXXXXX8490FC0382ED1EE1FE0E62AAC3EEB02CF2560637F3DC794A039B2818B0AEC707587FC8B53FF573B453F3A9C8AEC9990
ike 2:IPSecSAML: HA state master(2)
ike 2:IPSecSAML:685142: dec 808C9B3277B865DBAB03AE7D47D8A5552E202308000000040000002AXXXXXXX0000000A02F700061A03
ike 2:IPSecSAML:685142: responder received EAP msg
ike 2:IPSecSAML:685142: send EAP message to FNBAM
ike 2:IPSecSAML: EAP 1882479231 pending
ike 2:IPSecSAML:685142 EAP 1882479231 result FNBAM_DENIED
ike 2:IPSecSAML: EAP failed for user "23423425435C34f3r43FASWQ"
ike 2:IPSecSAML:685142: responder preparing EAP pass through message
ike 2:IPSecSAML:685142: enc 0000000803F700040706050403
ike 2:IPSecSAML:685142: out 808C9B3277B865DBAB03AE7D47D8A5552E202320000000040000005030000034B2A50A9B91C8349B656146899B97FFF06907674FBCD20BA5CA854835E512BD91E34BF2BC100AD01ED409035C0C52DCA7
ike 2:IPSecSAML:685142: sent IKE msg (AUTH_RESPONSE): 206.1.x.x:500->38.1.x.x:500, len=80, vrf=0, id=808c9b3277b865db/ab03ae7d47d8a555:00000004
ike 2:IPSecSAML: connection expiring due to EAP failure
ike 2:IPSecSAML: deleting

To review the authentication user group:

show vpn ipsec phase1-interface <VPN Name>

config vpn ipsec phase1-interface
    edit "TEST-VPN"
        set type dynamic
        set interface "port4"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set eap enable
        set eap-identity send-request
        set authusrgrp SAML_GRP
    next
end
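As an added triage helper (my own code, not part of this article or of FortiOS), the following Python maps saved debug output to the causes covered above: the SAML reply with no IKE follow-up from step 1, 'no proposal chosen' from step 2, silence after AUTH_RESPONSE from step 3 and the EAP denial from step 4. The sample strings are constructed from the article's excerpts, and the ordering of the checks and the treatment of 'shrank heap' as noise are my assumptions.

```python
import re

# Constructed sample debug output modelled on the excerpts in this article
# (placeholder addresses, IDs and hex; not a real capture).
EAP_FAIL_SAMPLE = """\
ike 2:IPSecSAML:685142: responder received EAP msg
ike 2:IPSecSAML:685142: send EAP message to FNBAM
ike 2:IPSecSAML:685142 EAP 1882479231 result FNBAM_DENIED
ike 2:IPSecSAML: EAP failed for user "23423425435C34f3r43FASWQ"
ike 2:IPSecSAML: connection expiring due to EAP failure
"""
SILENT_SAMPLE = """\
ike 0:Test-VPN:98620: remote port change 1011 -> 64916
ike 0:Test-VPN:98620: out F293D467FA21A5A3AB2AB79BC3E06FB1
ike 0:Test-VPN:98620: sent IKE msg (AUTH_RESPONSE): 2.94.156.100:4500->4.4.54.100:64916, len=128
"""
STUCK_SAML_SAMPLE = """\
samld_send_common_reply [99]: Attr: 11, 1449, https://login.microsoftonline.com/xxxxxx-
send_common_reply [119]: Sent resp:
ike shrank heap by 331776 bytes
"""

def ike_lines(debug_text):
    """IKE negotiation lines only; 'shrank heap' is memory housekeeping, not negotiation (assumption)."""
    return [l for l in debug_text.splitlines()
            if l.startswith("ike ") and "shrank heap" not in l]

def diagnose(debug_text):
    """Map captured debug output to the failure causes this article walks through.
    Order matters: explicit errors first, then the 'silence after X' patterns."""
    if re.search(r"no proposal chosen", debug_text, re.I):
        return "no-proposal"             # phase1/phase2 mismatch with FortiClient
    if re.search(r"result FNBAM_DENIED|EAP failed for user", debug_text):
        return "eap-denied"              # SAML group object/group ID match, authusrgrp
    ike = ike_lines(debug_text)
    if ike and "sent IKE msg (AUTH_RESPONSE)" in ike[-1]:
        return "silent-after-auth-response"  # auth group, IKE version or PSK mismatch
    if "send_common_reply" in debug_text and not ike:
        return "saml-reply-no-ike"       # SAML replied but IKE never resumed: remoteauthtimeout
    return "unknown"

def remoteauthtimeout_seconds(config_text):
    """Parse 'set remoteauthtimeout N' from 'show full sys global' output.
    Falls back to the FortiOS default of 5 seconds when the line is absent."""
    m = re.search(r"^\s*set remoteauthtimeout (\d+)", config_text, re.M)
    return int(m.group(1)) if m else 5
```

Feed it the text saved from the debug session (after 'diagnose debug disable') and the grep output from step 1 to get a first classification before reading the full log.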