Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
saml
Describe the bug
When several requests trigger SAML-related initialization concurrently, a ConcurrentModificationException is occasionally thrown from the SAML module. The stack traces lead back to calls made during the creation of ThreadLocal DocumentBuilder instances.
Version
latest
Regression
[ ] The issue is a regression
Expected behavior
Keycloak should start consistently without intermittent exceptions, even when many threads initialize their ThreadLocal DocumentBuilder instances at the same time.
Actual behavior
Keycloak startup sometimes fails with a ConcurrentModificationException originating from the XML parsing components used by the SAML module. When this occurs, the client attempting to authenticate receives an HTTP 400 response. The issue is intermittent and typically appears only during multi-threaded startup conditions.
How to Reproduce?
A JUnit test that spawns multiple threads and repeatedly triggers ThreadLocal initialization of the XML DocumentBuilder can expose the issue. The test does not fail on every run—the bug is timing-dependent—but repeatedly running the test will at some point expose the bug where the ConcurrentModificationException is thrown, demonstrating that the problem exists.
Anything else?
I will provide a PR with the failing test and a proposed fix.
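The shape of such a test, as an added example that is not the reporter's or the project's own code: every round creates a fresh ThreadLocal and releases all threads at once so that they run the DocumentBuilder initializer simultaneously. `ThreadLocalBuilderStress`, `newBuilder` and `runRound` are hypothetical names, and `newBuilder` is a plain-JDK stand-in (an assumption) to be replaced with the initializer under test.

```java
import java.util.Queue;
import java.util.concurrent.*;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
// Added example: stress harness for concurrent first use of a ThreadLocal DocumentBuilder.
public class ThreadLocalBuilderStress {
    // Stand-in initializer (assumption); swap in the real factory code being tested.
    static DocumentBuilder newBuilder() {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            return f.newDocumentBuilder();
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }
    // One round: fresh ThreadLocal, all threads call get() at the same instant.
    static Queue<Throwable> runRound(int threads) throws InterruptedException {
        ThreadLocal<DocumentBuilder> local = ThreadLocal.withInitial(ThreadLocalBuilderStress::newBuilder);
        Queue<Throwable> failures = new ConcurrentLinkedQueue<>();
        CountDownLatch ready = new CountDownLatch(threads); // every worker has started
        CountDownLatch go = new CountDownLatch(1);          // single release point
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int i = 0; i < threads; i++) {
            pool.execute(() -> {
                ready.countDown();
                try {
                    go.await();
                    local.get().newDocument(); // first get() runs the initializer on this thread
                } catch (Throwable t) {
                    failures.add(t);           // e.g. ConcurrentModificationException
                }
            });
        }
        ready.await();
        go.countDown();
        pool.shutdown();
        if (!pool.awaitTermination(30, TimeUnit.SECONDS)) failures.add(new TimeoutException("round hung"));
        return failures;
    }

    public static void main(String[] args) throws InterruptedException {
        // The bug is timing-dependent, so repeat the round many times before trusting a pass.
        for (int round = 1; round <= 200; round++) {
            Queue<Throwable> failures = runRound(32);
            if (!failures.isEmpty()) throw new AssertionError("failed in round " + round, failures.peek());
        }
        System.out.println("no exception in 200 rounds");
    }
}
```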