FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ManoelMartins
Article Id 408535
Description This article describes why the SAML authentication port changes after the FortiGate reboot.
Scope FortiClient v7.2.0, FortiGate v7.6.3 and v7.4.8, SAML.
Solution

Since v7.2.0, SAML-based authentication for FortiClient remote access dial-up IPsec VPN clients is supported; the feature requires FortiClient v7.2.4 and supports only IKEv2.

The SAML authentication port can be changed only from the CLI, as follows:

config system global
    set auth-ike-saml-port <integer> (default 1001)
end
On v7.6.3 and v7.4.8, a known issue reverts a customized port of 10443 to the default port 1001 after a FortiGate reboot. This can be confirmed with the following commands once the device has finished booting:

FGT # diagnose debug config-error-log read
>>>  "set" "auth-ike-saml-port" "10443" @ global.system.global:failed command (error -23)
# --------------------------
FGT # conf sys global 
FGT (global) # sh full | grep ike
    set auth-ike-saml-port 1001     <--- Back to default
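A small post-reboot check that detects the symptom described above, as an added example that is not part of the original article or of any Fortinet tooling. It assumes the output of `diagnose debug config-error-log read` and of `show full` under `config system global` has already been captured (for example over SSH) into two strings; the sample output embedded below is constructed to match the format the article shows.

```python
import re

# Constructed sample output modelled on the article's diagnostic lines
# (not captured from a real device).
CONFIG_ERROR_LOG = (
    '>>>  "set" "auth-ike-saml-port" "10443" @ global.system.global:'
    'failed command (error -23)\n'
)

SHOW_FULL_OUTPUT = (
    'config system global\n'
    '    set admintimeout 5\n'
    '    set auth-ike-saml-port 1001\n'
    '    set hostname "FGT"\n'
    'end\n'
)

# Default value of auth-ike-saml-port as stated in the article.
DEFAULT_AUTH_IKE_SAML_PORT = 1001

# Matches one failed "set" record in `diagnose debug config-error-log read`.
_ERROR_RE = re.compile(
    r'"set"\s+"(?P<key>[\w-]+)"\s+"(?P<value>[^"]*)"\s+@\s+(?P<path>\S+)'
    r':failed command \(error (?P<code>-?\d+)\)'
)

# Matches the running value of auth-ike-saml-port in `show full` output.
_SHOW_RE = re.compile(r'^\s*set\s+auth-ike-saml-port\s+(\d+)\s*$', re.M)


def parse_config_errors(log_text):
    """Return one dict per failed 'set' command found in the config-error log."""
    errors = []
    for line in log_text.splitlines():
        m = _ERROR_RE.search(line)
        if m:
            errors.append({
                "key": m.group("key"),
                "value": m.group("value"),
                "path": m.group("path"),
                "code": int(m.group("code")),
            })
    return errors


def running_saml_port(show_text):
    """Return the auth-ike-saml-port value from `show full` output, or None."""
    m = _SHOW_RE.search(show_text)
    return int(m.group(1)) if m else None


def check_saml_port(intended_port, log_text, show_text):
    """Compare the intended port with the running one and report any revert.

    `intended_port` is the value the administrator configured before the
    reboot; the function flags both a mismatch in the running config and any
    failed 'set auth-ike-saml-port' recorded in the config-error log.
    """
    running = running_saml_port(show_text)
    failed = [e for e in parse_config_errors(log_text)
              if e["key"] == "auth-ike-saml-port"]
    reverted = running is not None and running != intended_port
    return {
        "intended": intended_port,
        "running": running,
        "reverted_to_default": reverted and running == DEFAULT_AUTH_IKE_SAML_PORT,
        "failed_set_values": [e["value"] for e in failed],
        "ok": not reverted and not failed,
    }


if __name__ == "__main__":
    # Using the constructed sample, the customized port 10443 was rejected
    # at boot and the running config shows the default 1001.
    print(check_saml_port(10443, CONFIG_ERROR_LOG, SHOW_FULL_OUTPUT))
```

Run the check against output captured after every reboot of an affected unit; an `ok` of `False` with `10443` in `failed_set_values` is exactly the condition the article describes.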
As a workaround, change the port to a value other than 10443, for example 11443, as shown below:

config system global
...
    set auth-ike-saml-port 11443
...
end
If the issue persists after applying the workaround, open a case with Fortinet TAC support.

Related documents: