The "Require HTTP Basic Credentials" is working as designed. When the assertion is processed, it looks for the "Authorization" header in the request, if that header doesn’t exist, then the assertion fails and sets a “401 Unauthorized” response back to the client, which the browser will see, and will then give you a prompt to fill in credentials. Once you populated the credentials, and hit enter, then the browser will send a second request that contains the “Authorization” header this time around.
So, in policy on this case, since the Authorization header doesn’t exist, the Require HTTP Basic Credentials assertion fails. Policy logic results in the branch failing, but since there is “At least one” , it proceeds to the second “Return Template Response” which succeeds, and so the 401 Unauthorized doesn’t get returned to the client.
NOTE: The “Require HTTP Basic Credentials” is not responsible for “prompting” the user for credentials. The application (i.e. browser) will see a 401 Unauthorized as a response, and the application will decide to prompt the user for credentials, and try again.