Although the SAMLRequest issuer is based on the base_url, the ReplyURL can be changed according to the URL reaching to Artifactory with (True for JFrog SaaS, for self-hosted this is depends if using the X-JFrog-Override-Base-Url header). In this scenario, the login will fail on the IDP side.
We can use the same technique shown above to decrypt the SAMLRequest to validate what is the AssertionConsumerServiceURL value and to compare it to the value configured in the IDP side.
Azure example:
Keycloack example:
To resolve the error, we can add additional ReplyURL on the IDP side (if supported) or change the ReplyURL to match the SAMLRequest. Azure:
Keycloack: