From cc8cfd4269ded0aad6d7403f6564d6c5c525da37 Mon Sep 17 00:00:00 2001
From: Vlasta Ramik
Date: Tue, 2 Jul 2019 10:53:14 +0200
Subject: [PATCH] KEYCLOAK-10751 Fix SAML undertow adapter not sending challenge
Co-Authored-By: mhajas
Co-Authored-By: Hynek Mlnarik
---
 .../keycloak/adapters/saml/undertow/AbstractSamlAuthMech.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/AbstractSamlAuthMech.java b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/AbstractSamlAuthMech.java
index 090734368eb..34197bc504b 100755
--- a/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/AbstractSamlAuthMech.java
+++ b/adapters/saml/undertow/src/main/java/org/keycloak/adapters/saml/undertow/AbstractSamlAuthMech.java
@@ -136,6 +136,7 @@ public abstract class AbstractSamlAuthMech implements AuthenticationMechanism {
 }
 if (outcome == AuthOutcome.NOT_AUTHENTICATED) {
 // we are in passive mode and user is not authenticated, let app server to try another auth mechanism
+ // See KEYCLOAK-2107, AbstractSamlAuthenticationHandler
 return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
 }
 if (outcome == AuthOutcome.LOGGED_OUT) {
@@ -148,6 +149,9 @@ public abstract class AbstractSamlAuthMech implements AuthenticationMechanism {
 AuthChallenge challenge = authenticator.getChallenge();
 if (challenge != null) {
 exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
+ if (authenticator instanceof UndertowSamlEndpoint) {
+ exchange.getSecurityContext().setAuthenticationRequired();
+ }
 }
 if (outcome == AuthOutcome.FAILED) {
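Review bot: The `instanceof UndertowSamlEndpoint` branch added in the second hunk has no comment explaining why only the endpoint authenticator calls `setAuthenticationRequired()`. A reader cannot tell whether other authenticators that return a non-null challenge are deliberately left to the deployment's security constraints or were overlooked. If the reason is what it appears to be, I would add above the branch `// SAML endpoint requests may not match a security constraint; mark authentication as required so the stored challenge is actually sent (KEYCLOAK-10751)`. The patch changes a single file, so nothing pins this behaviour. A regression test that drives the endpoint to a non-null challenge and asserts the challenge response would guard against the request silently falling through again. The enclosing method starts and ends outside the hunk, so the return path after `AuthOutcome.FAILED` is not visible here.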