adimailig
Staff & Editor
Article Id 389947
Description: This article discusses how Authentication Keepalive causes an IPsec VPN with SAML authentication to fail.
Scope: FortiGate.
Solution:

Enabling Authentication KeepAlive causes the IPsec VPN with SAML authentication to fail to connect.
After the end user enters the Single-Sign-On credential for SAML, FortiClient responds with 'IPSec Connection is down' or returns directly to the 'Connect' page.


Debug commands for IPsec troubleshooting (Technical Tip: Troubleshoot IPsec SAML Dial UP tunnel) show that traffic stops after FortiGate sends the Authentication Keepalive portal. No IKE negotiation is initiated between FortiGate and the end user.


Sample Log:

FortiClient initiated SAML authentication:

[authd_local_saml_auth:5778]: SAML login with UID '2D56XXXXXXXXXXX30A4D3DA0E'.
[authd_http_prepare_javascript_redir:3942]: https://54.252.41.X:9443/saml?070c028b958de7bd

End user provided SSO/SAML credentials, which were received by FortiGate.

samld_send_common_reply [95]: Attr: 10, 43, 'username' 'adimailig@fortinet-us.com'
samld_send_common_reply [95]: Attr: 10, 51, 'group' '014XXXXX-XXXX-XXXX-XXXX-XXXXX9a'
<>
[authd_http_on_saml_msg:4612]: user 'adimailig@fortinet-us.com'.
[authd_http_on_saml_msg:4604]: group '014XXXXX-XXXX-XXXX-XXXX-XXXXX9a'.


The KeepAlive portal is sent by FortiGate to FortiClient, and the connection stops there. IKE negotiation is never initiated.

[authd_http_prepare_javascript_redir:3942]: https://54.252.41.X:9443/keepalive?07060802060e090d
<>

[132] __saml_auth_cache_push-Auth cache created, user='2D56XXXXXXXXXXX30A4D3DA0E', SAML_server='IPSEC_SAML', vfid=0
[139] __saml_auth_cache_push-Hash bucket 198
[186] __saml_auth_cache_push-New auth cache entry is created, user='2D56XXXXXXXXXXX30A4D3DA0E', saml_user='adimailig@fortinet-us.com', expires=1746003434, SAML_server='IPSEC_SAML', vfid=0
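The debug excerpt above is the signature of this problem: a SAML login completes, the authd daemon issues a redirect to the /keepalive portal, and no IKE daemon output follows. The script below, added here as an illustration and not part of the article or of FortiOS, scans a combined authd/ike debug capture for that sequence. The sample debug text is constructed (placeholder IP, UID and user), and the assumption that IKE daemon lines are prefixed with "ike " is labelled in the code.

```python
import re
from typing import Dict

# Constructed sample of FortiGate authd/samld debug output, modelled on the
# lines shown in the article. The IP, UID and user name are placeholders.
SAMPLE_DEBUG = """\
[authd_local_saml_auth:5778]: SAML login with UID 'EXAMPLEUID000001'.
[authd_http_prepare_javascript_redir:3942]: https://192.0.2.10:9443/saml?070c028b958de7bd
samld_send_common_reply [95]: Attr: 10, 43, 'username' 'user@example.com'
[authd_http_on_saml_msg:4612]: user 'user@example.com'.
[authd_http_prepare_javascript_redir:3942]: https://192.0.2.10:9443/keepalive?07060802060e090d
[186] __saml_auth_cache_push-New auth cache entry is created, user='EXAMPLEUID000001', saml_user='user@example.com', expires=1746003434, SAML_server='IPSEC_SAML', vfid=0
"""

SAML_LOGIN_RE = re.compile(r"SAML login with UID '(?P<uid>[^']+)'")
SAML_USER_RE = re.compile(r"\[authd_http_on_saml_msg:\d+\]: user '(?P<user>[^']+)'")
REDIR_RE = re.compile(r"\[authd_http_prepare_javascript_redir:\d+\]: (?P<url>\S+)")


def is_ike_line(line: str) -> bool:
    # Assumption: output of 'diagnose debug application ike -1' is prefixed
    # with the daemon name 'ike' when captured together with authd output.
    return line.startswith("ike ")


def triage_saml_ipsec_debug(debug_text: str) -> Dict[str, object]:
    """Walk the debug lines in order and classify what happened after the
    keepalive redirect. Verdicts:
      NO_SAML_LOGIN            - no SAML login line at all
      NO_KEEPALIVE_REDIRECT    - login seen, no /keepalive redirect
      KEEPALIVE_SENT_IKE_STARTED - redirect seen and IKE lines follow it
      KEEPALIVE_BLOCKS_IKE     - redirect seen and nothing from IKE after it
    """
    result: Dict[str, object] = {
        "saml_uid": None,
        "saml_user": None,
        "keepalive_redirect": None,
        "ike_lines_after_keepalive": 0,
        "verdict": "NO_SAML_LOGIN",
    }
    keepalive_seen = False
    for line in debug_text.splitlines():
        m = SAML_LOGIN_RE.search(line)
        if m:
            result["saml_uid"] = m.group("uid")
            continue
        m = SAML_USER_RE.search(line)
        if m:
            result["saml_user"] = m.group("user")
            continue
        m = REDIR_RE.search(line)
        if m and "/keepalive?" in m.group("url"):
            result["keepalive_redirect"] = m.group("url")
            keepalive_seen = True
            continue
        if keepalive_seen and is_ike_line(line):
            result["ike_lines_after_keepalive"] += 1  # type: ignore[operator]

    if result["saml_uid"] is None:
        return result
    if keepalive_seen and result["ike_lines_after_keepalive"] == 0:
        result["verdict"] = "KEEPALIVE_BLOCKS_IKE"
    elif keepalive_seen:
        result["verdict"] = "KEEPALIVE_SENT_IKE_STARTED"
    else:
        result["verdict"] = "NO_KEEPALIVE_REDIRECT"
    return result


if __name__ == "__main__":
    print(triage_saml_ipsec_debug(SAMPLE_DEBUG))
```

A KEEPALIVE_BLOCKS_IKE verdict on a build older than v7.6.4 points at the auth-keepalive setting described in this article; any other verdict means the tunnel failure has a different cause and the IKE debug itself needs reading.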


This issue has been resolved in v7.6.4.

Workaround:
Disable Authentication KeepAlive so that the IPsec VPN with SAML can connect.

config system global
    set auth-keepalive disable
end
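To check a fleet of FortiGate configuration backups for the setting above without logging into each unit, the script below (an added example, not FortiOS code or part of this article) parses the FortiOS text config format, tracking config/end nesting so that only settings directly under config system global are read, and reports the auth-keepalive state. The config excerpt is constructed; when the setting is absent the script reports "unset" rather than assuming the platform default.

```python
import shlex
from typing import Dict, List

# Constructed FortiOS config excerpt, not a real device backup.
SAMPLE_CONFIG = """\
#config-version=PLACEHOLDER
config system global
    set alias "example-fw"
    set auth-keepalive enable
    set hostname "example-fw"
end
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
    next
end
"""


def parse_system_global(config_text: str) -> Dict[str, List[str]]:
    """Collect the 'set' statements that sit directly inside
    'config system global'. Depth counting on config/end keeps sub-blocks
    and other top-level tables out of the result."""
    settings: Dict[str, List[str]] = {}
    depth = 0
    in_global = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            if depth == 0 and line == "config system global":
                in_global = True
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                in_global = False
        elif in_global and depth == 1 and line.startswith("set "):
            tokens = shlex.split(line[4:])  # shlex strips the quotes FortiOS adds
            settings[tokens[0]] = tokens[1:]
    return settings


def auth_keepalive_state(config_text: str) -> str:
    """Return 'enable', 'disable', or 'unset' when the line is absent."""
    value = parse_system_global(config_text).get("auth-keepalive")
    return value[0] if value else "unset"


def keepalive_finding(config_text: str) -> str:
    """One-line audit result for the setting discussed in the article."""
    state = auth_keepalive_state(config_text)
    if state == "enable":
        return ("FINDING: auth-keepalive is enabled; on builds before v7.6.4 this "
                "breaks IPsec SAML dial-up. Set auth-keepalive disable under "
                "config system global, or upgrade.")
    return f"OK: auth-keepalive is {state}"


if __name__ == "__main__":
    print(keepalive_finding(SAMPLE_CONFIG))
```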


Related articles:
Technical Tip: Troubleshoot IPsec SAML Dial UP tunnel
Technical Tip: Authentication keepalive page
Technical Tip: How to read SAML Debug output