keycloak-uncached

diff --git a/.travis.yml b/.travis.yml
index 8146d6e..b2b3627 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,17 +3,11 @@ language: java
 jdk:
   - oraclejdk8
 
-cache:
-    directories:
-        - $HOME/.m2
-
-before_cache:
-  - rm -rf $HOME/.m2/repository/org/keycloak
-
-install: mvn install -Pdistribution -DskipTests=true -B -V
+install: 
+  - travis_wait mvn install -Pdistribution -DskipTests=true -B -V -q
 
 script:
   - mvn test -B
-  - mvn -file testsuite/integration-arquillian test -B
+  - mvn -file testsuite/integration-arquillian test -B -Pno-console
 
 sudo: false

diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
index eebf18d..3cf3242 100755
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java
@@ -5,6 +5,7 @@ import org.keycloak.broker.provider.BrokeredIdentityContext;
 import org.keycloak.constants.AdapterConstants;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.representations.AccessTokenResponse;
@@ -51,7 +52,13 @@ public class KeycloakOIDCIdentityProvider extends OIDCIdentityProvider {
         @POST
         @Path(AdapterConstants.K_LOGOUT)
         public Response backchannelLogout(String input) {
-            JWSInput token = new JWSInput(input);
+            JWSInput token = null;
+            try {
+                token = new JWSInput(input);
+            } catch (JWSInputException e) {
+                logger.warn("Failed to verify logout request");
+                return Response.status(400).build();
+            }
             PublicKey key = getExternalIdpKey();
             if (key != null) {
                 if (!verify(token, key)) {

diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
index 4178069..8547a03 100755
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/mappers/AbstractClaimMapper.java
@@ -89,7 +89,7 @@ public abstract class AbstractClaimMapper extends AbstractIdentityProviderMapper
         } else if (value instanceof List) {
             List list = (List)value;
             for (Object val : list) {
-                return valueEquals(desiredValue, val);
+            	if (valueEquals(desiredValue, val)) return true;
             }
         }
         return false;

diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
index 4d5b45e..6938c11 100755
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -29,6 +29,7 @@ import org.keycloak.events.Errors;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.events.EventType;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.jose.jws.crypto.RSAProvider;
 import org.keycloak.models.ClientSessionModel;
 import org.keycloak.models.RealmModel;
@@ -282,40 +283,41 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
             throw new IdentityBrokerException("No token from server.");
         }
 
+        JsonWebToken token;
         try {
             JWSInput jws = new JWSInput(encodedToken);
             if (!verify(jws, key)) {
                 throw new IdentityBrokerException("token signature validation failed");
             }
-            JsonWebToken token = jws.readJsonContent(JsonWebToken.class);
+            token = jws.readJsonContent(JsonWebToken.class);
+        } catch (JWSInputException e) {
+            throw new IdentityBrokerException("Invalid token", e);
+        }
 
-            String iss = token.getIssuer();
+        String iss = token.getIssuer();
 
-            if (!token.hasAudience(getConfig().getClientId())) {
-                throw new IdentityBrokerException("Wrong audience from token.");
-            }
+        if (!token.hasAudience(getConfig().getClientId())) {
+            throw new IdentityBrokerException("Wrong audience from token.");
+        }
 
-            if (!token.isActive()) {
-                throw new IdentityBrokerException("Token is no longer valid");
-            }
+        if (!token.isActive()) {
+            throw new IdentityBrokerException("Token is no longer valid");
+        }
 
-            String trustedIssuers = getConfig().getIssuer();
+        String trustedIssuers = getConfig().getIssuer();
 
-            if (trustedIssuers != null) {
-                String[] issuers = trustedIssuers.split(",");
+        if (trustedIssuers != null) {
+            String[] issuers = trustedIssuers.split(",");
 
-                for (String trustedIssuer : issuers) {
-                    if (iss != null && iss.equals(trustedIssuer.trim())) {
-                        return token;
-                    }
+            for (String trustedIssuer : issuers) {
+                if (iss != null && iss.equals(trustedIssuer.trim())) {
+                    return token;
                 }
-
-                throw new IdentityBrokerException("Wrong issuer from token. Got: " + iss + " expected: " + getConfig().getIssuer());
             }
-            return token;
-        } catch (IOException e) {
-            throw new IdentityBrokerException("Could not decode token.", e);
+
+            throw new IdentityBrokerException("Wrong issuer from token. Got: " + iss + " expected: " + getConfig().getIssuer());
         }
+        return token;
     }
 
     @Override

diff --git a/client-registration/api/src/main/java/org/keycloak/client/registration/ClientRepresentationMixIn.java b/client-registration/api/src/main/java/org/keycloak/client/registration/ClientRepresentationMixIn.java
new file mode 100644
index 0000000..ba382f6
--- /dev/null
+++ b/client-registration/api/src/main/java/org/keycloak/client/registration/ClientRepresentationMixIn.java
@@ -0,0 +1,13 @@
+package org.keycloak.client.registration;
+
+import org.codehaus.jackson.annotate.JsonIgnore;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+abstract class ClientRepresentationMixIn {
+
+    @JsonIgnore
+    String registrationAccessToken;
+
+}

diff --git a/client-registration/api/src/main/java/org/keycloak/client/registration/OIDCClientRepresentationMixIn.java b/client-registration/api/src/main/java/org/keycloak/client/registration/OIDCClientRepresentationMixIn.java
new file mode 100644
index 0000000..b0dfed6
--- /dev/null
+++ b/client-registration/api/src/main/java/org/keycloak/client/registration/OIDCClientRepresentationMixIn.java
@@ -0,0 +1,22 @@
+package org.keycloak.client.registration;
+
+import org.codehaus.jackson.annotate.JsonIgnore;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+abstract class OIDCClientRepresentationMixIn {
+
+    @JsonIgnore
+    private Integer client_id_issued_at;
+
+    @JsonIgnore
+    private Integer client_secret_expires_at;
+
+    @JsonIgnore
+    private String registration_client_uri;
+
+    @JsonIgnore
+    private String registration_access_token;
+
+}

diff --git a/client-registration/cli/pom.xml b/client-registration/cli/pom.xml
new file mode 100755
index 0000000..13b8a8f
--- /dev/null
+++ b/client-registration/cli/pom.xml
@@ -0,0 +1,34 @@
+<?xml version="1.0"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <parent>
+        <artifactId>keycloak-client-registration-parent</artifactId>
+        <groupId>org.keycloak</groupId>
+        <version>1.7.0.Final-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>keycloak-client-registration-cli</artifactId>
+    <name>Keycloak Client Registration CLI</name>
+    <description/>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-client-registration-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.jboss.aesh</groupId>
+            <artifactId>aesh</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>

diff --git a/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/ClientRegistrationCLI.java b/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/ClientRegistrationCLI.java
new file mode 100644
index 0000000..e76648b
--- /dev/null
+++ b/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/ClientRegistrationCLI.java
@@ -0,0 +1,72 @@
+package org.keycloak.client.registration.cli;
+
+import org.jboss.aesh.cl.parser.CommandLineParserException;
+import org.jboss.aesh.console.AeshConsole;
+import org.jboss.aesh.console.AeshConsoleBuilder;
+import org.jboss.aesh.console.Prompt;
+import org.jboss.aesh.console.command.Command;
+import org.jboss.aesh.console.command.CommandNotFoundException;
+import org.jboss.aesh.console.command.registry.AeshCommandRegistryBuilder;
+import org.jboss.aesh.console.settings.Settings;
+import org.jboss.aesh.console.settings.SettingsBuilder;
+import org.jboss.aesh.terminal.Color;
+import org.jboss.aesh.terminal.TerminalColor;
+import org.jboss.aesh.terminal.TerminalString;
+import org.keycloak.client.registration.Auth;
+import org.keycloak.client.registration.ClientRegistration;
+import org.keycloak.client.registration.cli.commands.CreateCommand;
+import org.keycloak.client.registration.cli.commands.ExitCommand;
+import org.keycloak.client.registration.cli.commands.SetupCommand;
+
+import java.util.LinkedList;
+import java.util.List;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class ClientRegistrationCLI {
+
+    private static ClientRegistration reg;
+
+    public static void main(String[] args) throws CommandLineParserException, CommandNotFoundException {
+        reg = ClientRegistration.create().url("http://localhost:8080/auth/realms/master").build();
+        reg.auth(Auth.token("..."));
+
+        Context context = new Context();
+
+        List<Command> commands = new LinkedList<>();
+        commands.add(new SetupCommand(context));
+        commands.add(new CreateCommand(context));
+        commands.add(new ExitCommand(context));
+
+        SettingsBuilder builder = new SettingsBuilder().logging(true);
+        builder.enableMan(true).readInputrc(false);
+
+        Settings settings = builder.create();
+
+        AeshCommandRegistryBuilder commandRegistryBuilder = new AeshCommandRegistryBuilder();
+        for (Command c : commands) {
+            commandRegistryBuilder.command(c);
+        }
+
+        AeshConsole aeshConsole = new AeshConsoleBuilder()
+                .commandRegistry(commandRegistryBuilder.create())
+                .settings(settings)
+                .prompt(new Prompt(new TerminalString("[clientreg]$ ",
+                        new TerminalColor(Color.GREEN, Color.DEFAULT, Color.Intensity.BRIGHT))))
+                .create();
+
+        aeshConsole.start();
+
+
+/*
+        if (args.length > 0) {
+            CommandContainer command = registry.getCommand(args[0], null);
+            ParserGenerator.parseAndPopulate(command, args[0], Arrays.copyOfRange(args, 1, args.length));
+        }*/
+
+        //commandInvocation.getCommandRegistry().getAllCommandNames()
+    }
+
+}
+

diff --git a/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/commands/CreateCommand.java b/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/commands/CreateCommand.java
new file mode 100644
index 0000000..280534b
--- /dev/null
+++ b/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/commands/CreateCommand.java
@@ -0,0 +1,64 @@
+package org.keycloak.client.registration.cli.commands;
+
+import org.jboss.aesh.cl.Arguments;
+import org.jboss.aesh.cl.CommandDefinition;
+import org.jboss.aesh.cl.Option;
+import org.jboss.aesh.console.command.Command;
+import org.jboss.aesh.console.command.CommandResult;
+import org.jboss.aesh.console.command.invocation.CommandInvocation;
+import org.jboss.aesh.io.Resource;
+import org.keycloak.client.registration.ClientRegistrationException;
+import org.keycloak.client.registration.cli.Context;
+import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.util.JsonSerialization;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+@CommandDefinition(name="create", description = "[OPTIONS] FILE")
+public class CreateCommand implements Command {
+
+    @Option(shortName = 'h', hasValue = false, description = "display this help and exit")
+    private boolean help;
+
+    @Arguments(description = "files or directories thats listed")
+    private List<Resource> arguments;
+
+    private Context context;
+
+    public CreateCommand(Context context) {
+        this.context = context;
+    }
+
+    @Override
+    public CommandResult execute(CommandInvocation commandInvocation) throws IOException, InterruptedException {
+        System.out.println(help);
+
+
+        if(help) {
+            commandInvocation.getShell().out().println(commandInvocation.getHelpInfo("create"));
+        }
+        else {
+
+            if(arguments != null) {
+                for(Resource f : arguments) {
+                    System.out.println(f.getAbsolutePath());
+                    ClientRepresentation rep = JsonSerialization.readValue(f.read(), ClientRepresentation.class);
+                    try {
+                        context.getReg().create(rep);
+                    } catch (ClientRegistrationException e) {
+                        e.printStackTrace();
+                    }
+                }
+
+            }
+        }
+//            reg.create();
+
+        return CommandResult.SUCCESS;
+    }
+
+}

diff --git a/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/commands/ExitCommand.java b/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/commands/ExitCommand.java
new file mode 100644
index 0000000..507881b
--- /dev/null
+++ b/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/commands/ExitCommand.java
@@ -0,0 +1,29 @@
+package org.keycloak.client.registration.cli.commands;
+
+import org.jboss.aesh.cl.CommandDefinition;
+import org.jboss.aesh.console.command.Command;
+import org.jboss.aesh.console.command.CommandResult;
+import org.jboss.aesh.console.command.invocation.CommandInvocation;
+import org.keycloak.client.registration.cli.Context;
+
+import java.io.IOException;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+@CommandDefinition(name="exit", description = "Exit the program")
+public class ExitCommand implements Command {
+
+    private Context context;
+
+    public ExitCommand(Context context) {
+        this.context = context;
+    }
+
+    @Override
+    public CommandResult execute(CommandInvocation commandInvocation) throws IOException, InterruptedException {
+        commandInvocation.stop();
+        return CommandResult.SUCCESS;
+    }
+
+}

diff --git a/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/commands/SetupCommand.java b/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/commands/SetupCommand.java
new file mode 100644
index 0000000..26579ab
--- /dev/null
+++ b/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/commands/SetupCommand.java
@@ -0,0 +1,48 @@
+package org.keycloak.client.registration.cli.commands;
+
+import org.jboss.aesh.cl.CommandDefinition;
+import org.jboss.aesh.cl.Option;
+import org.jboss.aesh.console.command.Command;
+import org.jboss.aesh.console.command.CommandResult;
+import org.jboss.aesh.console.command.invocation.CommandInvocation;
+import org.jboss.aesh.io.Resource;
+import org.keycloak.client.registration.ClientRegistrationException;
+import org.keycloak.client.registration.cli.Context;
+import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.util.JsonSerialization;
+
+import java.io.IOException;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+@CommandDefinition(name="setup", description = "")
+public class SetupCommand implements Command {
+
+    @Option(shortName = 'h', hasValue = false, description = "display this help and exit")
+    private boolean help;
+
+    private Context context;
+
+    public SetupCommand(Context context) {
+        this.context = context;
+    }
+
+    @Override
+    public CommandResult execute(CommandInvocation commandInvocation) throws IOException, InterruptedException {
+        System.out.println(help);
+
+        if(help) {
+            commandInvocation.getShell().out().println(commandInvocation.getHelpInfo("create"));
+        }
+
+        return CommandResult.SUCCESS;
+    }
+
+
+    private String promptForUsername(CommandInvocation invocation) throws InterruptedException {
+        invocation.print("username: ");
+        return invocation.getInputLine();
+    }
+
+}

diff --git a/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/Context.java b/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/Context.java
new file mode 100644
index 0000000..49d8fb9
--- /dev/null
+++ b/client-registration/cli/src/main/java/org/keycloak/client/registration/cli/Context.java
@@ -0,0 +1,37 @@
+package org.keycloak.client.registration.cli;
+
+import org.codehaus.jackson.map.ObjectMapper;
+import org.codehaus.jackson.map.SerializationConfig;
+import org.codehaus.jackson.map.annotate.JsonSerialize;
+import org.keycloak.client.registration.ClientRegistration;
+import org.keycloak.util.SystemPropertiesJsonParserFactory;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class Context {
+
+    private static final ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
+    static {
+        mapper.setSerializationInclusion(JsonSerialize.Inclusion.NON_NULL);
+        mapper.enable(SerializationConfig.Feature.INDENT_OUTPUT);
+    }
+
+    private ClientRegistration reg;
+
+    public ClientRegistration getReg() {
+        return reg;
+    }
+
+    public void setReg(ClientRegistration reg) {
+        this.reg = reg;
+    }
+
+    public static <T> T readJson(InputStream bytes, Class<T> type) throws IOException {
+        return mapper.readValue(bytes, type);
+    }
+
+}

diff --git a/client-registration/pom.xml b/client-registration/pom.xml
new file mode 100755
index 0000000..9d1ea9f
--- /dev/null
+++ b/client-registration/pom.xml
@@ -0,0 +1,19 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <parent>
+        <artifactId>keycloak-parent</artifactId>
+        <groupId>org.keycloak</groupId>
+        <version>1.7.0.Final-SNAPSHOT</version>
+    </parent>
+
+    <name>Keycloak Client Registration Parent</name>
+    <description/>
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>keycloak-client-registration-parent</artifactId>
+    <packaging>pom</packaging>
+
+    <modules>
+        <module>api</module>
+        <!--<module>cli</module>-->
+    </modules>
+</project>

diff --git a/common/src/main/java/org/keycloak/common/util/KeycloakUriBuilder.java b/common/src/main/java/org/keycloak/common/util/KeycloakUriBuilder.java
index 328916e..35085c7 100755
--- a/common/src/main/java/org/keycloak/common/util/KeycloakUriBuilder.java
+++ b/common/src/main/java/org/keycloak/common/util/KeycloakUriBuilder.java
@@ -342,6 +342,17 @@ public class KeycloakUriBuilder {
     }
 
     /**
+     * Set fragment, but not encode it. It assumes that given fragment was already properly encoded
+     *
+     * @param fragment
+     * @return
+     */
+    public KeycloakUriBuilder encodedFragment(String fragment) {
+        this.fragment = fragment;
+        return this;
+    }
+
+    /**
      * Only replace path params in path of URI.  This changes state of URIBuilder.
      *
      * @param name

diff --git a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.7.0.xml b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.7.0.xml
index aed99fc..eadbdcf 100755
--- a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.7.0.xml
+++ b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.7.0.xml
@@ -37,12 +37,25 @@
                 <constraints nullable="false"/>
             </column>
         </createTable>
+        <createTable tableName="REALM_DEFAULT_GROUPS">
+            <column name="REALM_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="GROUP_ID" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+        </createTable>
 
         <addColumn tableName="IDENTITY_PROVIDER">
             <column name="FIRST_BROKER_LOGIN_FLOW_ID" type="VARCHAR(36)">
                 <constraints nullable="false"/>
             </column>
         </addColumn>
+
+        <addColumn tableName="REALM">
+            <column name="ACCESS_TOKEN_LIFE_IMPLICIT" type="INT" defaultValueNumeric="0"/>
+        </addColumn>
+
         <dropColumn tableName="IDENTITY_PROVIDER" columnName="UPDATE_PROFILE_FIRST_LGN_MD"/>
 
         <addPrimaryKey columnNames="ID" constraintName="CONSTRAINT_GROUP" tableName="KEYCLOAK_GROUP"/>
@@ -58,9 +71,40 @@
         <addForeignKeyConstraint baseColumnNames="GROUP_ID" baseTableName="GROUP_ROLE_MAPPING" constraintName="FK_GROUP_ROLE_GROUP" referencedColumnNames="ID" referencedTableName="KEYCLOAK_GROUP"/>
         <addForeignKeyConstraint baseColumnNames="ROLE_ID" baseTableName="GROUP_ROLE_MAPPING" constraintName="FK_GROUP_ROLE_ROLE" referencedColumnNames="ID" referencedTableName="KEYCLOAK_ROLE"/>
 
+        <addUniqueConstraint columnNames="GROUP_ID" constraintName="CON_GROUP_ID_DEF_GROUPS" tableName="REALM_DEFAULT_GROUPS"/>
+        <addForeignKeyConstraint baseColumnNames="REALM_ID" baseTableName="REALM_DEFAULT_GROUPS" constraintName="FK_DEF_GROUPS_REALM" referencedColumnNames="ID" referencedTableName="REALM"/>
+        <addForeignKeyConstraint baseColumnNames="GROUP_ID" baseTableName="REALM_DEFAULT_GROUPS" constraintName="FK_DEF_GROUPS_GROUP" referencedColumnNames="ID" referencedTableName="KEYCLOAK_GROUP"/>
+
         <addColumn tableName="CLIENT">
-            <column name="REGISTRATION_SECRET" type="VARCHAR(255)"/>
+            <column name="REGISTRATION_TOKEN" type="VARCHAR(255)"/>
+            <column name="STANDARD_FLOW_ENABLED" type="BOOLEAN" defaultValueBoolean="true">
+                <constraints nullable="false"/>
+            </column>
+            <column name="IMPLICIT_FLOW_ENABLED" type="BOOLEAN" defaultValueBoolean="false">
+                <constraints nullable="false"/>
+            </column>
+            <column name="DIRECT_ACCESS_GRANTS_ENABLED" type="BOOLEAN" defaultValueBoolean="true">
+                <constraints nullable="false"/>
+            </column>
         </addColumn>
 
+        <update tableName="CLIENT">
+            <column name="STANDARD_FLOW_ENABLED" valueBoolean="false"/>
+            <where>DIRECT_GRANTS_ONLY = :value</where>
+            <whereParams>
+                <param valueBoolean="true" />
+            </whereParams>
+        </update>
+
+        <dropDefaultValue tableName="CLIENT" columnName="DIRECT_GRANTS_ONLY" />
+        <dropColumn tableName="CLIENT" columnName="DIRECT_GRANTS_ONLY"/>
+
+        <modifyDataType tableName="REALM" columnName="PASSWORD_POLICY" newDataType="VARCHAR(2550)"/>
+
+        <!-- Sybase specific hacks -->
+        <modifySql dbms="sybase">
+            <regExpReplace replace=".*(SET DEFAULT NULL)" with="SELECT 1" />
+        </modifySql>
+
     </changeSet>
 </databaseChangeLog>
\ No newline at end of file

diff --git a/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java b/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java
index ae9701b..67cb127 100755
--- a/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java
+++ b/connections/mongo/src/main/java/org/keycloak/connections/mongo/DefaultMongoConnectionFactoryProvider.java
@@ -35,6 +35,7 @@ public class DefaultMongoConnectionFactoryProvider implements MongoConnectionPro
             "org.keycloak.models.mongo.keycloak.entities.MongoRealmEntity",
             "org.keycloak.models.mongo.keycloak.entities.MongoUserEntity",
             "org.keycloak.models.mongo.keycloak.entities.MongoRoleEntity",
+            "org.keycloak.models.mongo.keycloak.entities.MongoGroupEntity",
             "org.keycloak.models.mongo.keycloak.entities.MongoClientEntity",
             "org.keycloak.models.mongo.keycloak.entities.MongoUserConsentEntity",
             "org.keycloak.models.mongo.keycloak.entities.MongoMigrationModelEntity",

diff --git a/connections/mongo-update/src/main/java/org/keycloak/connections/mongo/updater/impl/DefaultMongoUpdaterProvider.java b/connections/mongo-update/src/main/java/org/keycloak/connections/mongo/updater/impl/DefaultMongoUpdaterProvider.java
index fa75d6b..e66e16d 100644
--- a/connections/mongo-update/src/main/java/org/keycloak/connections/mongo/updater/impl/DefaultMongoUpdaterProvider.java
+++ b/connections/mongo-update/src/main/java/org/keycloak/connections/mongo/updater/impl/DefaultMongoUpdaterProvider.java
@@ -28,7 +28,8 @@ public class DefaultMongoUpdaterProvider implements MongoUpdaterProvider {
             Update1_2_0_Beta1.class,
             Update1_2_0_CR1.class,
             Update1_3_0.class,
-            Update1_4_0.class
+            Update1_4_0.class,
+            Update1_7_0.class
     };
 
     @Override

diff --git a/connections/mongo-update/src/main/java/org/keycloak/connections/mongo/updater/impl/updates/Update1_7_0.java b/connections/mongo-update/src/main/java/org/keycloak/connections/mongo/updater/impl/updates/Update1_7_0.java
new file mode 100644
index 0000000..666a3af
--- /dev/null
+++ b/connections/mongo-update/src/main/java/org/keycloak/connections/mongo/updater/impl/updates/Update1_7_0.java
@@ -0,0 +1,39 @@
+package org.keycloak.connections.mongo.updater.impl.updates;
+
+import com.mongodb.BasicDBObject;
+import com.mongodb.DBCollection;
+import com.mongodb.DBCursor;
+import org.keycloak.models.KeycloakSession;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class Update1_7_0 extends Update {
+
+    @Override
+    public String getId() {
+        return "1.7.0";
+    }
+
+    @Override
+    public void update(KeycloakSession session) throws ClassNotFoundException {
+        DBCollection clients = db.getCollection("clients");
+        DBCursor clientsCursor = clients.find();
+
+        try {
+            while (clientsCursor.hasNext()) {
+                BasicDBObject client = (BasicDBObject) clientsCursor.next();
+
+                boolean directGrantsOnly = client.getBoolean("directGrantsOnly", false);
+                client.append("standardFlowEnabled", !directGrantsOnly);
+                client.append("implicitFlowEnabled", false);
+                client.append("directAccessGrantsEnabled", true);
+                client.removeField("directGrantsOnly");
+
+                clients.save(client);
+            }
+        } finally {
+            clientsCursor.close();
+        }
+    }
+}

diff --git a/core/src/main/java/org/keycloak/jose/jws/crypto/RSAProvider.java b/core/src/main/java/org/keycloak/jose/jws/crypto/RSAProvider.java
index 59e25ee..dc0e4e3 100755
--- a/core/src/main/java/org/keycloak/jose/jws/crypto/RSAProvider.java
+++ b/core/src/main/java/org/keycloak/jose/jws/crypto/RSAProvider.java
@@ -64,7 +64,7 @@ public class RSAProvider implements SignatureProvider {
             verifier.update(input.getEncodedSignatureInput().getBytes("UTF-8"));
             return verifier.verify(input.getSignature());
         } catch (Exception e) {
-            throw new RuntimeException(e);
+            return false;
         }
 
     }

diff --git a/core/src/main/java/org/keycloak/jose/jws/JWSInput.java b/core/src/main/java/org/keycloak/jose/jws/JWSInput.java
index b01355f..84f303d 100755
--- a/core/src/main/java/org/keycloak/jose/jws/JWSInput.java
+++ b/core/src/main/java/org/keycloak/jose/jws/JWSInput.java
@@ -21,14 +21,14 @@ public class JWSInput {
     byte[] signature;
 
 
-    public JWSInput(String wire) {
-        this.wireString = wire;
-        String[] parts = wire.split("\\.");
-        if (parts.length < 2 || parts.length > 3) throw new IllegalArgumentException("Parsing error");
-        encodedHeader = parts[0];
-        encodedContent = parts[1];
-        encodedSignatureInput = encodedHeader + '.' + encodedContent;
+    public JWSInput(String wire) throws JWSInputException {
         try {
+            this.wireString = wire;
+            String[] parts = wire.split("\\.");
+            if (parts.length < 2 || parts.length > 3) throw new IllegalArgumentException("Parsing error");
+            encodedHeader = parts[0];
+            encodedContent = parts[1];
+            encodedSignatureInput = encodedHeader + '.' + encodedContent;
             content = Base64Url.decode(encodedContent);
             if (parts.length > 2) {
                 encodedSignature = parts[2];
@@ -37,8 +37,8 @@ public class JWSInput {
             }
             byte[] headerBytes = Base64Url.decode(encodedHeader);
             header = JsonSerialization.readValue(headerBytes, JWSHeader.class);
-        } catch (Exception e) {
-            throw new RuntimeException(e);
+        } catch (Throwable t) {
+            throw new JWSInputException(t);
         }
     }
 
@@ -80,8 +80,12 @@ public class JWSInput {
         return header.getAlgorithm().getProvider().verify(this, key);
     }
 
-    public <T> T readJsonContent(Class<T> type) throws IOException {
-        return JsonSerialization.readValue(content, type);
+    public <T> T readJsonContent(Class<T> type) throws JWSInputException {
+        try {
+            return JsonSerialization.readValue(content, type);
+        } catch (IOException e) {
+            throw new JWSInputException(e);
+        }
     }
 
     public String readContentAsString() {

diff --git a/core/src/main/java/org/keycloak/jose/jws/JWSInputException.java b/core/src/main/java/org/keycloak/jose/jws/JWSInputException.java
new file mode 100644
index 0000000..930a0b6
--- /dev/null
+++ b/core/src/main/java/org/keycloak/jose/jws/JWSInputException.java
@@ -0,0 +1,18 @@
+package org.keycloak.jose.jws;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class JWSInputException extends Exception {
+
+    public JWSInputException(String s) {
+        super(s);
+    }
+
+    public JWSInputException() {
+    }
+
+    public JWSInputException(Throwable throwable) {
+        super(throwable);
+    }
+}

diff --git a/core/src/main/java/org/keycloak/representations/idm/ClientInitialAccessCreatePresentation.java b/core/src/main/java/org/keycloak/representations/idm/ClientInitialAccessCreatePresentation.java
new file mode 100644
index 0000000..4c18b3d
--- /dev/null
+++ b/core/src/main/java/org/keycloak/representations/idm/ClientInitialAccessCreatePresentation.java
@@ -0,0 +1,36 @@
+package org.keycloak.representations.idm;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class ClientInitialAccessCreatePresentation {
+
+    private Integer expiration;
+
+    private Integer count;
+
+    public ClientInitialAccessCreatePresentation() {
+    }
+
+    public ClientInitialAccessCreatePresentation(Integer expiration, Integer count) {
+        this.expiration = expiration;
+        this.count = count;
+    }
+
+    public Integer getExpiration() {
+        return expiration;
+    }
+
+    public void setExpiration(Integer expiration) {
+        this.expiration = expiration;
+    }
+
+    public Integer getCount() {
+        return count;
+    }
+
+    public void setCount(Integer count) {
+        this.count = count;
+    }
+
+}

diff --git a/core/src/main/java/org/keycloak/representations/idm/ClientInitialAccessPresentation.java b/core/src/main/java/org/keycloak/representations/idm/ClientInitialAccessPresentation.java
new file mode 100644
index 0000000..d8021ad
--- /dev/null
+++ b/core/src/main/java/org/keycloak/representations/idm/ClientInitialAccessPresentation.java
@@ -0,0 +1,67 @@
+package org.keycloak.representations.idm;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class ClientInitialAccessPresentation {
+
+    private String id;
+
+    private String token;
+
+    private Integer timestamp;
+
+    private Integer expiration;
+
+    private Integer count;
+
+    private Integer remainingCount;
+
+    public String getId() {
+        return id;
+    }
+
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+
+    public Integer getTimestamp() {
+        return timestamp;
+    }
+
+    public void setTimestamp(Integer timestamp) {
+        this.timestamp = timestamp;
+    }
+
+    public Integer getExpiration() {
+        return expiration;
+    }
+
+    public void setExpiration(Integer expiration) {
+        this.expiration = expiration;
+    }
+
+    public Integer getCount() {
+        return count;
+    }
+
+    public void setCount(Integer count) {
+        this.count = count;
+    }
+
+    public Integer getRemainingCount() {
+        return remainingCount;
+    }
+
+    public void setRemainingCount(Integer remainingCount) {
+        this.remainingCount = remainingCount;
+    }
+}

diff --git a/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java
index 514c0fb..aef643c 100755
--- a/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/ClientRepresentation.java
@@ -26,6 +26,9 @@ public class ClientRepresentation {
     protected Integer notBefore;
     protected Boolean bearerOnly;
     protected Boolean consentRequired;
+    protected Boolean standardFlowEnabled;
+    protected Boolean implicitFlowEnabled;
+    protected Boolean directAccessGrantsEnabled;
     protected Boolean serviceAccountsEnabled;
     protected Boolean directGrantsOnly;
     protected Boolean publicClient;
@@ -181,6 +184,30 @@ public class ClientRepresentation {
         this.consentRequired = consentRequired;
     }
 
+    public Boolean isStandardFlowEnabled() {
+        return standardFlowEnabled;
+    }
+
+    public void setStandardFlowEnabled(Boolean standardFlowEnabled) {
+        this.standardFlowEnabled = standardFlowEnabled;
+    }
+
+    public Boolean isImplicitFlowEnabled() {
+        return implicitFlowEnabled;
+    }
+
+    public void setImplicitFlowEnabled(Boolean implicitFlowEnabled) {
+        this.implicitFlowEnabled = implicitFlowEnabled;
+    }
+
+    public Boolean isDirectAccessGrantsEnabled() {
+        return directAccessGrantsEnabled;
+    }
+
+    public void setDirectAccessGrantsEnabled(Boolean directAccessGrantsEnabled) {
+        this.directAccessGrantsEnabled = directAccessGrantsEnabled;
+    }
+
     public Boolean isServiceAccountsEnabled() {
         return serviceAccountsEnabled;
     }

diff --git a/core/src/main/java/org/keycloak/representations/idm/CredentialRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/CredentialRepresentation.java
index 1e57dbc..6ad9715 100755
--- a/core/src/main/java/org/keycloak/representations/idm/CredentialRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/CredentialRepresentation.java
@@ -29,7 +29,7 @@ public class CredentialRepresentation {
     private Integer period;
 
     // only used when updating a credential.  Might set required action
-    protected boolean temporary;
+    protected Boolean temporary;
 
     public String getType() {
         return type;
@@ -79,11 +79,11 @@ public class CredentialRepresentation {
         this.hashIterations = hashIterations;
     }
 
-    public boolean isTemporary() {
+    public Boolean isTemporary() {
         return temporary;
     }
 
-    public void setTemporary(boolean temporary) {
+    public void setTemporary(Boolean temporary) {
         this.temporary = temporary;
     }
 

diff --git a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java
index e1333e9..bc9ebf8 100755
--- a/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/RealmRepresentation.java
@@ -12,6 +12,7 @@ public class RealmRepresentation {
     protected Integer notBefore;
     protected Boolean revokeRefreshToken;
     protected Integer accessTokenLifespan;
+    protected Integer accessTokenLifespanForImplicitFlow;
     protected Integer ssoSessionIdleTimeout;
     protected Integer ssoSessionMaxLifespan;
     protected Integer offlineSessionIdleTimeout;
@@ -49,6 +50,7 @@ public class RealmRepresentation {
     protected RolesRepresentation roles;
     protected List<GroupRepresentation> groups;
     protected List<String> defaultRoles;
+    protected List<String> defaultGroups;
     @Deprecated
     protected Set<String> requiredCredentials;
     protected String passwordPolicy;
@@ -83,6 +85,7 @@ public class RealmRepresentation {
     private List<IdentityProviderRepresentation> identityProviders;
     private List<IdentityProviderMapperRepresentation> identityProviderMappers;
     private List<ProtocolMapperRepresentation> protocolMappers;
+    @Deprecated
     private Boolean identityFederationEnabled;
     protected Boolean internationalizationEnabled;
     protected Set<String> supportedLocales;
@@ -185,6 +188,14 @@ public class RealmRepresentation {
         this.accessTokenLifespan = accessTokenLifespan;
     }
 
+    public Integer getAccessTokenLifespanForImplicitFlow() {
+        return accessTokenLifespanForImplicitFlow;
+    }
+
+    public void setAccessTokenLifespanForImplicitFlow(Integer accessTokenLifespanForImplicitFlow) {
+        this.accessTokenLifespanForImplicitFlow = accessTokenLifespanForImplicitFlow;
+    }
+
     public Integer getSsoSessionIdleTimeout() {
         return ssoSessionIdleTimeout;
     }
@@ -269,6 +280,14 @@ public class RealmRepresentation {
         this.defaultRoles = defaultRoles;
     }
 
+    public List<String> getDefaultGroups() {
+        return defaultGroups;
+    }
+
+    public void setDefaultGroups(List<String> defaultGroups) {
+        this.defaultGroups = defaultGroups;
+    }
+
     public String getPrivateKey() {
         return privateKey;
     }
@@ -604,6 +623,7 @@ public class RealmRepresentation {
         identityProviders.add(identityProviderRepresentation);
     }
 
+    @Deprecated
     public boolean isIdentityFederationEnabled() {
         return identityProviders != null && !identityProviders.isEmpty();
     }

diff --git a/core/src/main/java/org/keycloak/representations/idm/UserRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/UserRepresentation.java
index 07865db..0990a4e 100755
--- a/core/src/main/java/org/keycloak/representations/idm/UserRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/UserRepresentation.java
@@ -17,9 +17,9 @@ public class UserRepresentation {
     protected String id;
     protected Long createdTimestamp;
     protected String username;
-    protected boolean enabled;
-    protected boolean totp;
-    protected boolean emailVerified;
+    protected Boolean enabled;
+    protected Boolean totp;
+    protected Boolean emailVerified;
     protected String firstName;
     protected String lastName;
     protected String email;
@@ -40,6 +40,8 @@ public class UserRepresentation {
     @Deprecated
     protected List<SocialLinkRepresentation> socialLinks;
 
+    protected List<String> groups;
+
     public String getSelf() {
         return self;
     }
@@ -96,27 +98,27 @@ public class UserRepresentation {
         this.username = username;
     }
 
-    public boolean isEnabled() {
+    public Boolean isEnabled() {
         return enabled;
     }
 
-    public void setEnabled(boolean enabled) {
+    public void setEnabled(Boolean enabled) {
         this.enabled = enabled;
     }
 
-    public boolean isTotp() {
+    public Boolean isTotp() {
         return totp;
     }
 
-    public void setTotp(boolean totp) {
+    public void setTotp(Boolean totp) {
         this.totp = totp;
     }
 
-    public boolean isEmailVerified() {
+    public Boolean isEmailVerified() {
         return emailVerified;
     }
 
-    public void setEmailVerified(boolean emailVerified) {
+    public void setEmailVerified(Boolean emailVerified) {
         this.emailVerified = emailVerified;
     }
 
@@ -216,4 +218,12 @@ public class UserRepresentation {
     public void setServiceAccountClientId(String serviceAccountClientId) {
         this.serviceAccountClientId = serviceAccountClientId;
     }
+
+    public List<String> getGroups() {
+        return groups;
+    }
+
+    public void setGroups(List<String> groups) {
+        this.groups = groups;
+    }
 }

diff --git a/core/src/main/java/org/keycloak/representations/RefreshToken.java b/core/src/main/java/org/keycloak/representations/RefreshToken.java
index 39c7c46..0300673 100755
--- a/core/src/main/java/org/keycloak/representations/RefreshToken.java
+++ b/core/src/main/java/org/keycloak/representations/RefreshToken.java
@@ -28,6 +28,7 @@ public class RefreshToken extends AccessToken {
         this.subject = token.subject;
         this.issuedFor = token.issuedFor;
         this.sessionState = token.sessionState;
+        this.nonce = token.nonce;
         if (token.realmAccess != null) {
             realmAccess = token.realmAccess.clone();
         }

diff --git a/core/src/main/java/org/keycloak/RSATokenVerifier.java b/core/src/main/java/org/keycloak/RSATokenVerifier.java
index f177166..19babef 100755
--- a/core/src/main/java/org/keycloak/RSATokenVerifier.java
+++ b/core/src/main/java/org/keycloak/RSATokenVerifier.java
@@ -2,6 +2,7 @@ package org.keycloak;
 
 import org.keycloak.common.VerificationException;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.jose.jws.crypto.RSAProvider;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.util.TokenUtil;
@@ -22,7 +23,7 @@ public class RSATokenVerifier {
         JWSInput input = null;
         try {
             input = new JWSInput(tokenString);
-        } catch (Exception e) {
+        } catch (JWSInputException e) {
             throw new VerificationException("Couldn't parse token", e);
         }
         if (!isPublicKeyValid(input, realmKey)) throw new VerificationException("Invalid token signature.");
@@ -30,7 +31,7 @@ public class RSATokenVerifier {
         AccessToken token;
         try {
             token = input.readJsonContent(AccessToken.class);
-        } catch (IOException e) {
+        } catch (JWSInputException e) {
             throw new VerificationException("Couldn't parse token signature", e);
         }
         String user = token.getSubject();

diff --git a/core/src/main/java/org/keycloak/util/JsonSerialization.java b/core/src/main/java/org/keycloak/util/JsonSerialization.java
index a1a93ba..19df33f 100755
--- a/core/src/main/java/org/keycloak/util/JsonSerialization.java
+++ b/core/src/main/java/org/keycloak/util/JsonSerialization.java
@@ -3,6 +3,7 @@ package org.keycloak.util;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.map.SerializationConfig;
 import org.codehaus.jackson.map.annotate.JsonSerialize;
+import org.codehaus.jackson.type.TypeReference;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -27,7 +28,10 @@ public class JsonSerialization {
 
     public static void writeValueToStream(OutputStream os, Object obj) throws IOException {
         mapper.writeValue(os, obj);
+    }
 
+    public static void writeValuePrettyToStream(OutputStream os, Object obj) throws IOException {
+        prettyMapper.writeValue(os, obj);
     }
 
     public static String writeValueAsPrettyString(Object obj) throws IOException {
@@ -53,6 +57,10 @@ public class JsonSerialization {
         return readValue(bytes, type, false);
     }
 
+    public static <T> T readValue(InputStream bytes, TypeReference<T> type) throws IOException {
+        return mapper.readValue(bytes, type);
+    }
+
     public static <T> T readValue(InputStream bytes, Class<T> type, boolean replaceSystemProperties) throws IOException {
         if (replaceSystemProperties) {
             return sysPropertiesAwareMapper.readValue(bytes, type);

diff --git a/core/src/main/java/org/keycloak/util/TokenUtil.java b/core/src/main/java/org/keycloak/util/TokenUtil.java
index 0d103a6..94f6a73 100644
--- a/core/src/main/java/org/keycloak/util/TokenUtil.java
+++ b/core/src/main/java/org/keycloak/util/TokenUtil.java
@@ -4,6 +4,7 @@ import java.io.IOException;
 
 import org.keycloak.OAuth2Constants;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.representations.RefreshToken;
 
 /**
@@ -19,6 +20,7 @@ public class TokenUtil {
 
     public static final String TOKEN_TYPE_OFFLINE = "Offline";
 
+
     public static boolean isOfflineTokenRequested(String scopeParam) {
         if (scopeParam == null) {
             return false;
@@ -40,11 +42,15 @@ public class TokenUtil {
      * @param decodedToken
      * @return
      */
-    public static RefreshToken getRefreshToken(byte[] decodedToken) throws IOException {
-        return JsonSerialization.readValue(decodedToken, RefreshToken.class);
+    public static RefreshToken getRefreshToken(byte[] decodedToken) throws JWSInputException {
+        try {
+            return JsonSerialization.readValue(decodedToken, RefreshToken.class);
+        } catch (IOException e) {
+            throw new JWSInputException(e);
+        }
     }
 
-    public static RefreshToken getRefreshToken(String refreshToken) throws IOException {
+    public static RefreshToken getRefreshToken(String refreshToken) throws JWSInputException {
         byte[] encodedContent = new JWSInput(refreshToken).getContent();
         return getRefreshToken(encodedContent);
     }
@@ -55,13 +61,9 @@ public class TokenUtil {
      * @param refreshToken
      * @return
      */
-    public static boolean isOfflineToken(String refreshToken) {
-        try {
-            RefreshToken token = getRefreshToken(refreshToken);
-            return token.getType().equals(TOKEN_TYPE_OFFLINE);
-        } catch (IOException ioe) {
-            throw new RuntimeException(ioe);
-        }
+    public static boolean isOfflineToken(String refreshToken) throws JWSInputException {
+        RefreshToken token = getRefreshToken(refreshToken);
+        return token.getType().equals(TOKEN_TYPE_OFFLINE);
     }
 
 }

diff --git a/distribution/adapters/pom.xml b/distribution/adapters/pom.xml
index 10c8e0f..d13d992 100755
--- a/distribution/adapters/pom.xml
+++ b/distribution/adapters/pom.xml
@@ -25,6 +25,6 @@
         <module>tomcat7-adapter-zip</module>
         <module>tomcat8-adapter-zip</module>
         <module>wf8-adapter</module>
-        <module>wf9-adapter</module>
+        <module>wildfly-adapter</module>
     </modules>
 </project>

diff --git a/distribution/demo-dist/assembly.xml b/distribution/demo-dist/assembly.xml
index f1c39c2..bd169bf 100755
--- a/distribution/demo-dist/assembly.xml
+++ b/distribution/demo-dist/assembly.xml
@@ -33,14 +33,14 @@
             </excludes>
         </fileSet>
         <fileSet>
-            <directory>${project.build.directory}/unpacked/keycloak-wf9-adapter-${project.version}</directory>
+            <directory>${project.build.directory}/unpacked/keycloak-wildfly-adapter-${project.version}</directory>
             <outputDirectory>keycloak</outputDirectory>
             <excludes>
                 <exclude>standalone/configuration/standalone-keycloak.xml</exclude>
             </excludes>
         </fileSet>
         <fileSet>
-            <directory>${project.build.directory}/unpacked/keycloak-saml-wf9-adapter-${project.version}</directory>
+            <directory>${project.build.directory}/unpacked/keycloak-saml-wildfly-adapter-${project.version}</directory>
             <outputDirectory>keycloak</outputDirectory>
             <excludes>
                 <exclude>standalone/configuration/standalone-keycloak.xml</exclude>

diff --git a/distribution/demo-dist/pom.xml b/distribution/demo-dist/pom.xml
index 9443478..2caeb2b 100755
--- a/distribution/demo-dist/pom.xml
+++ b/distribution/demo-dist/pom.xml
@@ -21,12 +21,12 @@
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-wf9-adapter-dist</artifactId>
+            <artifactId>keycloak-wildfly-adapter-dist</artifactId>
             <type>zip</type>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-saml-wf9-adapter-dist</artifactId>
+            <artifactId>keycloak-saml-wildfly-adapter-dist</artifactId>
             <type>zip</type>
         </dependency>
         <dependency>
@@ -99,9 +99,9 @@
                             <artifactItems>
                                 <artifactItem>
                                     <groupId>org.keycloak</groupId>
-                                    <artifactId>keycloak-wf9-adapter-dist</artifactId>
+                                    <artifactId>keycloak-wildfly-adapter-dist</artifactId>
                                     <type>zip</type>
-                                    <outputDirectory>${project.build.directory}/unpacked/keycloak-wf9-adapter-${project.version}</outputDirectory>
+                                    <outputDirectory>${project.build.directory}/unpacked/keycloak-wildfly-adapter-${project.version}</outputDirectory>
                                 </artifactItem>
                             </artifactItems>
                         </configuration>
@@ -116,9 +116,9 @@
                             <artifactItems>
                                 <artifactItem>
                                     <groupId>org.keycloak</groupId>
-                                    <artifactId>keycloak-saml-wf9-adapter-dist</artifactId>
+                                    <artifactId>keycloak-saml-wildfly-adapter-dist</artifactId>
                                     <type>zip</type>
-                                    <outputDirectory>${project.build.directory}/unpacked/keycloak-saml-wf9-adapter-${project.version}</outputDirectory>
+                                    <outputDirectory>${project.build.directory}/unpacked/keycloak-saml-wildfly-adapter-${project.version}</outputDirectory>
                                 </artifactItem>
                             </artifactItems>
                         </configuration>

diff --git a/distribution/demo-dist/src/main/xslt/standalone.xsl b/distribution/demo-dist/src/main/xslt/standalone.xsl
index 106c08f..9f52547 100755
--- a/distribution/demo-dist/src/main/xslt/standalone.xsl
+++ b/distribution/demo-dist/src/main/xslt/standalone.xsl
@@ -44,7 +44,7 @@
                 <web-context>auth</web-context>
             </subsystem>
             <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
-            <subsystem xmlns="urn:jboss:domain:keycloak-saml:1.6"/>
+            <subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1"/>
         </xsl:copy>
     </xsl:template>
 

diff --git a/distribution/downloads/pom.xml b/distribution/downloads/pom.xml
index b9daadf..b742897 100755
--- a/distribution/downloads/pom.xml
+++ b/distribution/downloads/pom.xml
@@ -239,12 +239,12 @@
 
                                 <artifactItem>
                                     <groupId>org.keycloak</groupId>
-                                    <artifactId>keycloak-wf9-adapter-dist</artifactId>
+                                    <artifactId>keycloak-wildfly-adapter-dist</artifactId>
                                     <type>zip</type>
                                 </artifactItem>
                                 <artifactItem>
                                     <groupId>org.keycloak</groupId>
-                                    <artifactId>keycloak-wf9-adapter-dist</artifactId>
+                                    <artifactId>keycloak-wildfly-adapter-dist</artifactId>
                                     <type>tar.gz</type>
                                 </artifactItem>
                             </artifactItems>
@@ -338,12 +338,12 @@
 
                                <artifactItem>
                                     <groupId>org.keycloak</groupId>
-                                    <artifactId>keycloak-saml-wf9-adapter-dist</artifactId>
+                                    <artifactId>keycloak-saml-wildfly-adapter-dist</artifactId>
                                     <type>zip</type>
                                 </artifactItem>
                                 <artifactItem>
                                     <groupId>org.keycloak</groupId>
-                                    <artifactId>keycloak-saml-wf9-adapter-dist</artifactId>
+                                    <artifactId>keycloak-saml-wildfly-adapter-dist</artifactId>
                                     <type>tar.gz</type>
                                 </artifactItem>
                             </artifactItems>

diff --git a/distribution/feature-packs/adapter-feature-pack/pom.xml b/distribution/feature-packs/adapter-feature-pack/pom.xml
index 6d1a7a0..8fe0163 100755
--- a/distribution/feature-packs/adapter-feature-pack/pom.xml
+++ b/distribution/feature-packs/adapter-feature-pack/pom.xml
@@ -34,7 +34,7 @@
     <dependencies>
         <dependency>
             <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-wf9-subsystem</artifactId>
+            <artifactId>keycloak-wildfly-subsystem</artifactId>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>

diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-adapter-subsystem/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-adapter-subsystem/main/module.xml
index 66278bd..f759d30 100644
--- a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-adapter-subsystem/main/module.xml
+++ b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-adapter-subsystem/main/module.xml
@@ -28,6 +28,6 @@
     </resources>
 
     <dependencies>
-        <module name="org.keycloak.keycloak-wf9-subsystem" export="true" services="export"/>
+        <module name="org.keycloak.keycloak-wildfly-subsystem" export="true" services="export"/>
     </dependencies>
 </module>

diff --git a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-wf9-subsystem/main/module.xml b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-wf9-subsystem/main/module.xml
index 4b2efe5..732e674 100755
--- a/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-wf9-subsystem/main/module.xml
+++ b/distribution/feature-packs/adapter-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-wf9-subsystem/main/module.xml
@@ -22,10 +22,10 @@
   ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
   -->
 
-<module xmlns="urn:jboss:module:1.3" name="org.keycloak.keycloak-wf9-subsystem">
+<module xmlns="urn:jboss:module:1.3" name="org.keycloak.keycloak-wildfly-subsystem">
 
     <resources>
-        <artifact name="${org.keycloak:keycloak-wf9-subsystem}"/>
+        <artifact name="${org.keycloak:keycloak-wildfly-subsystem}"/>
     </resources>
 
     <dependencies>

diff --git a/distribution/feature-packs/server-feature-pack/pom.xml b/distribution/feature-packs/server-feature-pack/pom.xml
index 0f5dd37..6f05056 100644
--- a/distribution/feature-packs/server-feature-pack/pom.xml
+++ b/distribution/feature-packs/server-feature-pack/pom.xml
@@ -38,17 +38,25 @@
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-wildfly-adduser</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
             <artifactId>keycloak-wildfly-extensions</artifactId>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-wf9-server-subsystem</artifactId>
+            <artifactId>keycloak-wildfly-server-subsystem</artifactId>
         </dependency>
         <dependency>
             <groupId>org.wildfly</groupId>
             <artifactId>wildfly-feature-pack</artifactId>
             <type>zip</type>
         </dependency>
+        <dependency>
+            <groupId>org.jboss.aesh</groupId>
+            <artifactId>aesh</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/add-user.bat b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/add-user.bat
new file mode 100644
index 0000000..dca1136
--- /dev/null
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/add-user.bat
@@ -0,0 +1,73 @@
+@echo off
+rem -------------------------------------------------------------------------
+rem Add User script for Windows
+rem -------------------------------------------------------------------------
+rem
+rem A simple utility for adding new users to the properties file used
+rem for domain management authentication out of the box.
+
+rem $Id$
+
+@if not "%ECHO%" == ""  echo %ECHO%
+@if "%OS%" == "Windows_NT" setlocal
+
+if "%OS%" == "Windows_NT" (
+  set "DIRNAME=%~dp0%"
+) else (
+  set DIRNAME=.\
+)
+
+pushd "%DIRNAME%.."
+set "RESOLVED_JBOSS_HOME=%CD%"
+popd
+
+if "x%JBOSS_HOME%" == "x" (
+  set "JBOSS_HOME=%RESOLVED_JBOSS_HOME%"
+)
+
+pushd "%JBOSS_HOME%"
+set "SANITIZED_JBOSS_HOME=%CD%"
+popd
+
+if /i "%RESOLVED_JBOSS_HOME%" NEQ "%SANITIZED_JBOSS_HOME%" (
+   echo.
+   echo   WARNING: The JBOSS_HOME ^("%SANITIZED_JBOSS_HOME%"^) that this script uses points to a different installation than the one that this script resides in ^("%RESOLVED_JBOSS_HOME%"^). Unpredictable results may occur.
+   echo.
+   echo       JBOSS_HOME: "%JBOSS_HOME%"
+   echo.
+)
+
+rem Setup JBoss specific properties
+if "x%JAVA_HOME%" == "x" (
+  set  JAVA=java
+  echo JAVA_HOME is not set. Unexpected results may occur.
+  echo Set JAVA_HOME to the directory of your local JDK to avoid this message.
+) else (
+  set "JAVA=%JAVA_HOME%\bin\java"
+)
+
+rem Find jboss-modules.jar, or we can't continue
+if exist "%JBOSS_HOME%\jboss-modules.jar" (
+    set "RUNJAR=%JBOSS_HOME%\jboss-modules.jar"
+) else (
+  echo Could not locate "%JBOSS_HOME%\jboss-modules.jar".
+  echo Please check that you are in the bin directory when running this script.
+  goto END
+)
+
+rem Set default module root paths
+if "x%JBOSS_MODULEPATH%" == "x" (
+  set "JBOSS_MODULEPATH=%JBOSS_HOME%\modules"
+)
+
+rem Uncomment to override standalone and domain user location
+rem set "JAVA_OPTS=%JAVA_OPTS% -Djboss.server.config.user.dir=..\standalone\configuration -Djboss.domain.config.user.dir=..\domain\configuration"
+
+"%JAVA%" %JAVA_OPTS% ^
+    -jar "%JBOSS_HOME%\jboss-modules.jar" ^
+    -mp "%JBOSS_MODULEPATH%" ^
+     org.keycloak.keycloak-wildfly-adduser ^
+     %*
+
+:END
+if "x%NOPAUSE%" == "x" pause

diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/add-user.sh b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/add-user.sh
new file mode 100755
index 0000000..1f6dfff
--- /dev/null
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/content/bin/add-user.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+# Add User Utility
+#
+# A simple utility for adding new users to the properties file used
+# for domain management authentication out of the box.
+#
+
+DIRNAME=`dirname "$0"`
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false;
+if  [ `uname|grep -i CYGWIN` ]; then
+    cygwin=true;
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin ; then
+    [ -n "$JBOSS_HOME" ] &&
+        JBOSS_HOME=`cygpath --unix "$JBOSS_HOME"`
+    [ -n "$JAVA_HOME" ] &&
+        JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+    [ -n "$JAVAC_JAR" ] &&
+        JAVAC_JAR=`cygpath --unix "$JAVAC_JAR"`
+fi
+
+# Setup JBOSS_HOME
+RESOLVED_JBOSS_HOME=`cd "$DIRNAME/.."; pwd`
+if [ "x$JBOSS_HOME" = "x" ]; then
+    # get the full path (without any relative bits)
+    JBOSS_HOME=$RESOLVED_JBOSS_HOME
+else
+ SANITIZED_JBOSS_HOME=`cd "$JBOSS_HOME"; pwd`
+ if [ "$RESOLVED_JBOSS_HOME" != "$SANITIZED_JBOSS_HOME" ]; then
+   echo "WARNING: The JBOSS_HOME ($SANITIZED_JBOSS_HOME) that this script uses points to a different installation than the one that this script resides in ($RESOLVED_JBOSS_HOME). Unpredictable results may occur."
+   echo ""
+ fi
+fi
+export JBOSS_HOME
+
+# Setup the JVM
+if [ "x$JAVA" = "x" ]; then
+    if [ "x$JAVA_HOME" != "x" ]; then
+        JAVA="$JAVA_HOME/bin/java"
+    else
+        JAVA="java"
+    fi
+fi
+
+if [ "x$JBOSS_MODULEPATH" = "x" ]; then
+    JBOSS_MODULEPATH="$JBOSS_HOME/modules"
+fi
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+    JBOSS_HOME=`cygpath --path --windows "$JBOSS_HOME"`
+    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+    JBOSS_MODULEPATH=`cygpath --path --windows "$JBOSS_MODULEPATH"`
+fi
+
+# Sample JPDA settings for remote socket debugging
+#JAVA_OPTS="$JAVA_OPTS -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=y"
+# Uncomment to override standalone and domain user location  
+#JAVA_OPTS="$JAVA_OPTS -Djboss.server.config.user.dir=../standalone/configuration -Djboss.domain.config.user.dir=../domain/configuration"
+
+JAVA_OPTS="$JAVA_OPTS"
+
+eval \"$JAVA\" $JAVA_OPTS \
+         -jar \""$JBOSS_HOME"/jboss-modules.jar\" \
+         -mp \""${JBOSS_MODULEPATH}"\" \
+         org.keycloak.keycloak-wildfly-adduser \
+         '"$@"'

diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/base/org/jboss/aesh/0.65/module.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/base/org/jboss/aesh/0.65/module.xml
new file mode 100644
index 0000000..4166dbd
--- /dev/null
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/base/org/jboss/aesh/0.65/module.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  ~ JBoss, Home of Professional Open Source.
+  ~ Copyright 2010, Red Hat, Inc., and individual contributors
+  ~ as indicated by the @author tags. See the copyright.txt file in the
+  ~ distribution for a full listing of individual contributors.
+  ~
+  ~ This is free software; you can redistribute it and/or modify it
+  ~ under the terms of the GNU Lesser General Public License as
+  ~ published by the Free Software Foundation; either version 2.1 of
+  ~ the License, or (at your option) any later version.
+  ~
+  ~ This software is distributed in the hope that it will be useful,
+  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
+  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  ~ Lesser General Public License for more details.
+  ~
+  ~ You should have received a copy of the GNU Lesser General Public
+  ~ License along with this software; if not, write to the Free
+  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  -->
+
+<module xmlns="urn:jboss:module:1.3" name="org.jboss.aesh" slot="0.65">
+    <properties>
+        <property name="jboss.api" value="private"/>
+    </properties>
+
+    <resources>
+        <artifact name="${org.jboss.aesh:aesh}"/>
+    </resources>
+
+    <dependencies>
+        <module name="org.fusesource.jansi" />
+    </dependencies>
+</module>

diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/main/module.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/main/module.xml
index d6e7d81..8002aa2 100644
--- a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/main/module.xml
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-server-subsystem/main/module.xml
@@ -29,6 +29,6 @@
     </resources>
 
     <dependencies>
-        <module name="org.keycloak.keycloak-wf9-server-subsystem" services="export" export="true"/>
+        <module name="org.keycloak.keycloak-wildfly-server-subsystem" services="export" export="true"/>
     </dependencies>
 </module>

diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-wildfly-adduser/main/module.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-wildfly-adduser/main/module.xml
new file mode 100755
index 0000000..d27499b
--- /dev/null
+++ b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/base/org/keycloak/keycloak-wildfly-adduser/main/module.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module xmlns="urn:jboss:module:1.3" name="org.keycloak.keycloak-wildfly-adduser">
+    <main-class name="org.keycloak.wildfly.adduser.AddUser"/>
+    <resources>
+        <artifact name="${org.keycloak:keycloak-wildfly-adduser}"/>
+    </resources>
+    <dependencies>
+        <module name="org.keycloak.keycloak-common"/>
+        <module name="org.keycloak.keycloak-core"/>
+        <module name="org.keycloak.keycloak-model-api"/>
+        <module name="org.jboss.aesh" slot="0.65"/>
+        <module name="org.jboss.as.domain-management"/>
+        <module name="org.codehaus.jackson.jackson-core-asl"/>
+    </dependencies>
+</module>

diff --git a/distribution/saml-adapters/as7-eap6-adapter/as7-adapter-zip/assembly.xml b/distribution/saml-adapters/as7-eap6-adapter/as7-adapter-zip/assembly.xml
index 1acb6aa..78c4823 100755
--- a/distribution/saml-adapters/as7-eap6-adapter/as7-adapter-zip/assembly.xml
+++ b/distribution/saml-adapters/as7-eap6-adapter/as7-adapter-zip/assembly.xml
@@ -29,7 +29,7 @@
     </fileSets>
     <files>
         <file>
-             <source>../../shared-cli/adapter-install.cli</source>
+             <source>../../shared-cli/adapter-install-saml.cli</source>
              <outputDirectory>bin</outputDirectory>
         </file>
     </files>

diff --git a/distribution/saml-adapters/as7-eap6-adapter/eap6-adapter-zip/assembly.xml b/distribution/saml-adapters/as7-eap6-adapter/eap6-adapter-zip/assembly.xml
index f844a41..1ed0089 100755
--- a/distribution/saml-adapters/as7-eap6-adapter/eap6-adapter-zip/assembly.xml
+++ b/distribution/saml-adapters/as7-eap6-adapter/eap6-adapter-zip/assembly.xml
@@ -29,7 +29,7 @@
     </fileSets>
     <files>
         <file>
-             <source>../../shared-cli/adapter-install.cli</source>
+             <source>../../shared-cli/adapter-install-saml.cli</source>
              <outputDirectory>bin</outputDirectory>
         </file>
     </files>

diff --git a/distribution/saml-adapters/pom.xml b/distribution/saml-adapters/pom.xml
index 456f292..ea95663 100755
--- a/distribution/saml-adapters/pom.xml
+++ b/distribution/saml-adapters/pom.xml
@@ -15,7 +15,7 @@
     <packaging>pom</packaging>
 
     <modules>
-        <module>wf9-adapter</module>
+        <module>wildfly-adapter</module>
         <module>tomcat6-adapter-zip</module>
         <module>tomcat7-adapter-zip</module>
         <module>tomcat8-adapter-zip</module>

diff --git a/distribution/server-overlay/eap6/eap6-server-modules/build.xml b/distribution/server-overlay/eap6/eap6-server-modules/build.xml
index 9f60836..e8086dc 100755
--- a/distribution/server-overlay/eap6/eap6-server-modules/build.xml
+++ b/distribution/server-overlay/eap6/eap6-server-modules/build.xml
@@ -274,8 +274,8 @@
 
         <!-- subsystems -->
 
-        <module-def name="org.keycloak.keycloak-as7-server-subsystem">
-            <maven-resource group="org.keycloak" artifact="keycloak-as7-server-subsystem"/>
+        <module-def name="org.keycloak.keycloak-eap6-server-subsystem">
+            <maven-resource group="org.keycloak" artifact="keycloak-eap6-server-subsystem"/>
         </module-def>
 
         <module-def name="org.keycloak.keycloak-server-subsystem"/>

diff --git a/distribution/server-overlay/eap6/eap6-server-modules/pom.xml b/distribution/server-overlay/eap6/eap6-server-modules/pom.xml
index 91b2969..b3225fd 100755
--- a/distribution/server-overlay/eap6/eap6-server-modules/pom.xml
+++ b/distribution/server-overlay/eap6/eap6-server-modules/pom.xml
@@ -32,7 +32,7 @@
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-as7-server-subsystem</artifactId>
+            <artifactId>keycloak-eap6-server-subsystem</artifactId>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>

diff --git a/distribution/server-overlay/eap6/eap6-server-modules/src/main/resources/modules/org/keycloak/keycloak-server-subsystem/main/module.xml b/distribution/server-overlay/eap6/eap6-server-modules/src/main/resources/modules/org/keycloak/keycloak-server-subsystem/main/module.xml
index 90939b0..4829258 100755
--- a/distribution/server-overlay/eap6/eap6-server-modules/src/main/resources/modules/org/keycloak/keycloak-server-subsystem/main/module.xml
+++ b/distribution/server-overlay/eap6/eap6-server-modules/src/main/resources/modules/org/keycloak/keycloak-server-subsystem/main/module.xml
@@ -30,6 +30,6 @@
     </resources>
 
     <dependencies>
-        <module name="org.keycloak.keycloak-as7-server-subsystem" services="export" export="true"/>
+        <module name="org.keycloak.keycloak-eap6-server-subsystem" services="export" export="true"/>
     </dependencies>
 </module>

diff --git a/docbook/auth-server-docs/reference/en/en-US/master.xml b/docbook/auth-server-docs/reference/en/en-US/master.xml
index 2af744f..5078f10 100755
--- a/docbook/auth-server-docs/reference/en/en-US/master.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/master.xml
@@ -20,6 +20,7 @@
                 <!ENTITY SpringSecurityAdapter SYSTEM "modules/spring-security-adapter.xml">
                 <!ENTITY InstalledApplications SYSTEM "modules/installed-applications.xml">
                 <!ENTITY Logout SYSTEM "modules/logout.xml">
+                <!ENTITY ErrorHandling SYSTEM "modules/adapter_error_handling.xml">
                 <!ENTITY SAML SYSTEM "modules/saml.xml">
                 <!ENTITY JAAS SYSTEM "modules/jaas.xml">
                 <!ENTITY IdentityBroker SYSTEM "modules/identity-broker.xml">
@@ -27,6 +28,7 @@
                 <!ENTITY Migration SYSTEM "modules/MigrationFromOlderVersions.xml">
                 <!ENTITY Email SYSTEM "modules/email.xml">
                 <!ENTITY Roles SYSTEM "modules/roles.xml">
+                <!ENTITY Groups SYSTEM "modules/groups.xml">
                 <!ENTITY DirectAccess SYSTEM "modules/direct-access.xml">
                 <!ENTITY ServiceAccounts SYSTEM "modules/service-accounts.xml">
                 <!ENTITY CORS SYSTEM "modules/cors.xml">
@@ -36,7 +38,6 @@
                 <!ENTITY UserFederation SYSTEM "modules/user-federation.xml">
                 <!ENTITY Kerberos SYSTEM "modules/kerberos.xml">
                 <!ENTITY ExportImport SYSTEM "modules/export-import.xml">
-                <!ENTITY AdminRecovery SYSTEM "modules/admin-recovery.xml">
                 <!ENTITY ServerCache SYSTEM "modules/cache.xml">
                 <!ENTITY SecurityVulnerabilities SYSTEM "modules/security-vulnerabilities.xml">
                 <!ENTITY Clustering SYSTEM "modules/clustering.xml">
@@ -48,6 +49,7 @@
                 <!ENTITY Recaptcha SYSTEM "modules/recaptcha.xml">
                 <!ENTITY AuthSPI SYSTEM "modules/auth-spi.xml">
                 <!ENTITY FilterAdapter SYSTEM "modules/servlet-filter-adapter.xml">
+                <!ENTITY ClientRegistration SYSTEM "modules/client-registration.xml">
                 ]>
 
 <book>
@@ -113,9 +115,11 @@ This one is short
         &SpringSecurityAdapter;
         &InstalledApplications;
         &Logout;
+        &ErrorHandling;
         &MultiTenancy;
         &JAAS;
     </chapter>
+    &ClientRegistration;
 
     &IdentityBroker;
     &Themes;
@@ -131,6 +135,7 @@ This one is short
     </chapter>
     &AccessTypes;
     &Roles;
+    &Groups;
     &DirectAccess;
     &ServiceAccounts;
     &CORS;

diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/adapter_error_handling.xml b/docbook/auth-server-docs/reference/en/en-US/modules/adapter_error_handling.xml
new file mode 100755
index 0000000..38c0bb1
--- /dev/null
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/adapter_error_handling.xml
@@ -0,0 +1,58 @@
+<section id="adapter_error_handling">
+    <title>Error Handling</title>
+    <para>
+        Keycloak has some error handling facilities for servlet based client adapters.  When an error is encountered in
+        authentication, keycloak will call <literal>HttpServletResponse.sendError()</literal>.  You can set up an error-page
+        within your <literal>web.xml</literal> file to handle the error however you want.  Keycloak may throw
+        400, 401, 403, and 500 errors.
+    </para>
+    <para>
+<programlisting>
+<![CDATA[
+<error-page>
+    <error-code>404</error-code>
+    <location>/ErrorHandler</location>
+</error-page>]]>
+</programlisting>
+    </para>
+    <para>
+        Keycloak also sets an <literal>HttpServletRequest</literal> attribute that you can retrieve.  The attribute name
+        is <literal>org.keycloak.adapters.spi.AuthenticationError</literal>.  Typecast this object to:
+        <literal>org.keycloak.adapters.OIDCAuthenticationError</literal>.  This class can tell you exactly what happened.
+        If this attribute is not set, then the adapter was not responsible for the error code.
+    </para>
+    <para>
+<programlisting>
+public class OIDCAuthenticationError implements AuthenticationError {
+    public static enum Reason {
+        NO_BEARER_TOKEN,
+        NO_REDIRECT_URI,
+        INVALID_STATE_COOKIE,
+        OAUTH_ERROR,
+        SSL_REQUIRED,
+        CODE_TO_TOKEN_FAILURE,
+        INVALID_TOKEN,
+        STALE_TOKEN,
+        NO_AUTHORIZATION_HEADER
+    }
+
+    private Reason reason;
+    private String description;
+
+    public OIDCAuthenticationError(Reason reason, String description) {
+        this.reason = reason;
+        this.description = description;
+    }
+
+    public Reason getReason() {
+        return reason;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+}
+
+</programlisting>
+    </para>
+</section>
\ No newline at end of file

diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/admin-permissions.xml b/docbook/auth-server-docs/reference/en/en-US/modules/admin-permissions.xml
index 833d390..678c6d1 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/admin-permissions.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/admin-permissions.xml
@@ -64,6 +64,9 @@
                     <literal>manage-applications</literal> - Create, modify and delete applications in the realm
                 </listitem>
                 <listitem>
+                    <literal>create-clients</literal> - Create clients in the realm
+                </listitem>
+                <listitem>
                     <literal>manage-clients</literal> - Create, modify and delete clients in the realm
                 </listitem>
                 <listitem>

diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/client-registration.xml b/docbook/auth-server-docs/reference/en/en-US/modules/client-registration.xml
new file mode 100755
index 0000000..fab7119
--- /dev/null
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/client-registration.xml
@@ -0,0 +1,215 @@
+<chapter id="client-registration">
+    <title>Client Registration</title>
+
+    <para>
+        In order for an application or service to utilize Keycloak it has to register a client in Keycloak. An
+        admin can do this through the admin console (or admin REST endpoints), but clients can also register themselves
+        through Keycloak's client registration service.
+    </para>
+
+    <para>
+        The Client Registration Service provides built-in support for Keycloak Client Representations, OpenID Connect
+        Client Meta Data and SAML Entity Descriptors. It's also possible to plugin custom client registration providers
+        if required. The Client Registration Service endpoint is <literal>&lt;KEYCLOAK URL&gt;/realms/&lt;realm&gt;/clients/&lt;provider&gt;</literal>.
+    </para>
+    <para>
+        The built-in supported <literal>providers</literal> are:
+        <itemizedlist>
+            <listitem><literal>default</literal> Keycloak Representations</listitem>
+            <listitem><literal>install</literal> Keycloak Adapter Configuration</listitem>
+            <listitem><literal>openid-connect</literal> OpenID Connect Dynamic Client Registration</listitem>
+            <listitem><literal>saml2-entity-descriptor</literal> SAML Entity Descriptors</listitem>
+        </itemizedlist>
+        The following sections will describe how to use the different providers.
+    </para>
+
+    <section>
+        <title>Authentication</title>
+        <para>
+            To invoke the Client Registration Services you need a token. The token can be a standard bearer token, a
+            initial access token or a registration access token.
+        </para>
+
+        <section>
+            <title>Bearer Token</title>
+            <para>
+                The bearertoken can be issued on behalf of a user or a Service Account. The following permissions are required
+                to invoke the endpoints (see <link linkend='admin-permissions'>Admin Permissions</link> for more details):
+                <itemizedlist>
+                    <listitem>
+                        <literal>create-client</literal> or <literal>manage-client</literal> - To create clients
+                    </listitem>
+                    <listitem>
+                        <literal>view-client</literal> or <literal>manage-client</literal> - To view clients
+                    </listitem>
+                    <listitem>
+                        <literal>manage-client</literal> - To update or delete clients
+                    </listitem>
+                </itemizedlist>
+                If you are using a regular bearer token to create clients we recommend using a token from on behalf of a
+                Service Account with only the <literal>create-client</literal> role. See the
+                <link linkend="service-accounts">Service Account</link> section for more details.
+            </para>
+        </section>
+
+        <section>
+            <title>Initial Access Token</title>
+            <para>
+                The best approach to create new clients is by using initial access tokens. An initial access token can
+                only be used to create clients and has a configurable expiration as well as a configurable limit on
+                how many clients can be created.
+            </para>
+            <para>
+                An initial access token can be created through the admin console. To create a new initial access token
+                first select the realm in the admin console, then click on <literal>Realm Settings</literal> in the menu
+                on the left, followed by <literal>Initial Access Tokens</literal> in the tabs displayed in the page.
+            </para>
+            <para>
+                You will now be able to see any existing initial access tokens. If you have access you can delete tokens
+                that are no longer required. You can only retrieve the value of the token when you are creating it. To
+                create a new token click on <literal>Create</literal>. You can now optionally add how long the token
+                should be valid, also how many clients can be created using the token. After you click on <literal>Save</literal>
+                the token value is displayed. It is important that you copy/paste this token now as you won't be able
+                to retrieve it later. If you forget to copy/paste it, then delete the token and create another one.
+                The token value is used as a standard bearer token when invoking the Client Registration Services, by
+                adding it to the Authorization header in the request. For example:
+<programlisting><![CDATA[
+Authorization: bearer eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmMjJmNzQyYy04ZjNlLTQ2M....
+]]></programlisting>
+            </para>
+        </section>
+
+        <section>
+            <title>Registration Access Token</title>
+            <para>
+                When you create a client through the Client Registration Service the response will include a registration
+                access token. The registration access token provides access to retrieve the client configuration later, but
+                also to update or delete the client. The registration access token is included with the request in the
+                same way as a bearer token or initial access token. Registration access tokens are only valid once
+                when it's used the response will include a new token.
+            </para>
+            <para>
+                If a client was created outside of the Client Registration Service it won't have a registration access
+                token associated with it. You can create one through the admin console. This can also be useful if
+                you loose the token for a particular client. To create a new token find the client in the admin console
+                and click on <literal>Credentials</literal>. Then click on <literal>Generate registration access token</literal>.
+            </para>
+        </section>
+    </section>
+
+    <section>
+        <title>Keycloak Representations</title>
+        <para>
+            The <literal>default</literal> client registration provider can be used to create, retrieve, update and delete a client. It uses
+            Keycloaks Client Representation format which provides support for configuring clients exactly as they can
+            be configured through the admin console, including for example configuring protocol mappers.
+        </para>
+        <para>
+            To create a client create a Client Representation (JSON) then do a HTTP POST to:
+            <literal>&lt;KEYCLOAK URL&gt;/realms/&lt;realm&gt;/clients/&lt;provider&gt;/default</literal>. It will return a Client Representation
+            that also includes the registration access token. You should save the registration access token somewhere
+            if you want to retrieve the config, update or delete the client later.
+        </para>
+        <para>
+            To retrieve the Client Representation then do a HTTP GET to:
+            <literal>&lt;KEYCLOAK URL&gt;/realms/&lt;realm&gt;clients/&lt;provider&gt;/default/&lt;client id&gt;</literal>. It will also
+            return a new registration access token.
+        </para>
+        <para>
+            To update the Client Representation then do a HTTP PUT to with the updated Client Representation to:
+            <literal>&lt;KEYCLOAK URL&gt;/realms/&lt;realm&gt;/clients/&lt;provider&gt;/default/&lt;client id&gt;</literal>. It will also
+            return a new registration access token.
+        </para>
+        <para>
+            To delete the Client Representation then do a HTTP DELETE to:
+            <literal>&lt;KEYCLOAK URL&gt;/realms/&lt;realm&gt;/clients/&lt;provider&gt;/default/&lt;client id&gt;</literal>
+        </para>
+    </section>
+
+    <section>
+        <title>Keycloak Adapter Configuration</title>
+        <para>
+            The <literal>installation</literal> client registration provider can be used to retrieve the adapter configuration
+            for a client. In addition to token authentication you can also authenticate with client credentials using
+            HTTP basic authentication. To do this include the following header in the request:
+<programlisting><![CDATA[
+Authorization: basic BASE64(client-id + ':' + client-secret)
+]]></programlisting>
+        </para>
+        <para>
+            To retrieve the Adapter Configuration then do a HTTP GET to:
+            <literal>&lt;KEYCLOAK URL&gt;//realms/&lt;realm&gt;clients/&lt;provider&gt;/installation/&lt;client id&gt;</literal>
+        </para>
+        <para>
+            No authentication is required for public clients. This means that for the JavaScript adapter you can
+            load the client configuration directly from Keycloak using the above URL.
+        </para>
+    </section>
+
+    <section>
+        <title>OpenID Connect Dynamic Client Registration</title>
+        <para>
+            Keycloak implements <ulink url="https://openid.net/specs/openid-connect-registration-1_0.html">OpenID Connect Dynamic Client Registration</ulink>,
+            which extends <ulink url="https://tools.ietf.org/html/rfc7591">OAuth 2.0 Dynamic Client Registration Protocol</ulink> and
+            <ulink url="https://tools.ietf.org/html/rfc7592">OAuth 2.0 Dynamic Client Registration Management Protocol</ulink>.
+        </para>
+        <para>
+            The endpoint to use these specifications to register clients in Keycloak is:
+            <literal>&lt;KEYCLOAK URL&gt;/realms/&lt;realm&gt;/clients/&lt;provider&gt;/oidc[/&lt;client id&gt;]</literal>.
+        </para>
+        <para>
+            This endpoints can also be found in the OpenID Connect Discovery endpoint for the realm:
+            <literal>&lt;KEYCLOAK URL&gt;/realms/&lt;realm&gt;/.well-known/openid-configuration</literal>.
+        </para>
+    </section>
+
+    <section>
+        <title>SAML Entity Descriptors</title>
+        <para>
+            The SAML Entity Descriptor endpoint only supports using SAML v2 Entity Descriptors to create clients. It
+            doesn't support retrieving, updating or deleting clients. For those operations the Keycloak representation
+            endpoints should be used. When creating a client a Keycloak Client Representation is returned with details
+            about the created client, including a registration access token.
+        </para>
+        <para>
+            To create a client do a HTTP POST with the SAML Entity Descriptor to:
+            <literal>&lt;KEYCLOAK URL&gt;/realms/&lt;realm&gt;/clients/&lt;provider&gt;/saml2-entity-descriptor</literal>.
+        </para>
+    </section>
+
+    <section>
+        <title>Client Registration Java API</title>
+        <para>
+            The Client Registration Java API makes it easy to use the Client Registration Service using Java. To use
+            include the dependency <literal>org.keycloak:keycloak-client-registration-api:&gt;VERSION&lt;</literal> from
+            Maven.
+        </para>
+        <para>
+            For full instructions on using the Client Registration refer to the JavaDocs. Below is an example of creating
+            a client:
+<programlisting><![CDATA[
+String initialAccessToken = "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmMjJmNzQyYy04ZjNlLTQ2M....";
+
+ClientRepresentation client = new ClientRepresentation();
+client.setClientId(CLIENT_ID);
+
+ClientRegistration reg = ClientRegistration.create().url("http://keycloak/auth/realms/myrealm").build();
+reg.auth(initialAccessToken);
+
+client = reg.create(client);
+
+String registrationAccessToken = client.getRegistrationAccessToken();
+]]></programlisting>
+        </para>
+    </section>
+
+    <!--
+    <section>
+        <title>Client Registration CLI</title>
+        <para>
+            TODO
+        </para>
+    </section>
+    -->
+
+</chapter>

diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/groups.xml b/docbook/auth-server-docs/reference/en/en-US/modules/groups.xml
new file mode 100755
index 0000000..eb54e0e
--- /dev/null
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/groups.xml
@@ -0,0 +1,31 @@
+<chapter id="groups">
+    <title>Groups</title>
+    <para>
+        Groups in Keycloak allow you to manage a common set of attributes and role mappings for a large set of users.
+        Users can be members of zero or more groups.  Users inherit the attributes and role mappings assign to each group.
+        As an admin this makes it easy for you to manage permissions for a user in one place.
+    </para>
+    <para>
+        Groups are hierarchical.  A group can have many subgroups, but a group can only have one parent.  Subgroups inherit
+        the attributes and role mappings from the parent.  This applies to user as well.  So, if you have a parent group and a child group
+        and a user that only belongs to the child group, the user inherits the attributes and role mappings of both the
+        parent and child.
+    </para>
+    <section>
+        <title>Groups vs. Roles</title>
+        <para>
+            In the IT world the concepts of Group and Role are often blurred and interchangeable.  In Keycloak, Groups are just
+            a collection of users that you can apply roles and attributes to in one place.  Roles are used to assign permissions
+            and access control.
+        </para>
+        <para>
+            Keycloak Roles have the concept of a Composite Role.  A role can be associated with one or more additional roles.
+            This is called a Composite Role.  If a user has a role mapping to the Composite Role, they inherit all the roles associated
+            with the composite.  So what's the difference from a Keycloak Group and a Composite Role?  Logically they could be
+            used for the same exact thing.  The difference is conceptual.  Composite roles should be used to compose the
+            permission model of your set of services and applications.  So, roles become a set of permissions.  Groups on the
+            other hand, would be a set of users that have a set of permissions.  Use Groups to manage users, composite roles to
+            manage applications and services.
+        </para>
+    </section>
+</chapter>
\ No newline at end of file

diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/jboss-adapter.xml b/docbook/auth-server-docs/reference/en/en-US/modules/jboss-adapter.xml
index 71e599d..7524f1d 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/jboss-adapter.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/jboss-adapter.xml
@@ -14,10 +14,10 @@
         the Keycloak download site.  They are also available as a maven artifact.
     </para>
     <para>
-        Install on Wildfly 9:
+        Install on Wildfly 9 or 10:
 <programlisting>
 $ cd $WILDFLY_HOME
-$ unzip keycloak-wf9-adapter-dist.zip
+$ unzip keycloak-wildfly-adapter-dist.zip
 </programlisting>
     </para>
     <para>

diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
index b0a443d..571cd6c 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/MigrationFromOlderVersions.xml
@@ -84,6 +84,10 @@
             <simplesect>
                 <title>Option 'Update Profile On First Login' moved from Identity provider to Review Profile authenticator</title>
                 <para>
+                    form-error-page in web.xml will no longer work for client adapter authentication errors.  You must define an error-page for
+                    the the various HTTP error codes.  See documentation for more details if you want to catch and handle adapter error conditions.
+                </para>
+                <para>
                     In this version, we added <literal>First Broker Login</literal>, which allows you to specify what exactly should be done
                     when new user is logged through Identity provider (or Social provider), but there is no existing Keycloak user
                     yet linked to the social account. As part of this work, we added option <literal>First Login Flow</literal> to identity providers where

diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/roles.xml b/docbook/auth-server-docs/reference/en/en-US/modules/roles.xml
index 9cd6176..b7c034c 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/roles.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/roles.xml
@@ -1,7 +1,7 @@
 <chapter id="roles">
     <title>Roles</title>
     <para>
-        In Keycloak, roles (or permissions) can be defined globally at the realm level, or individually per application.
+        In Keycloak, roles can be defined globally at the realm level, or individually per application.
         Each role has a name which must be unique at the level it is defined in, i.e. you can have only one "admin" role at
         the realm level.  You may have that a role named "admin" within an Application too, but "admin" must be unique
         for that application.

diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/saml.xml b/docbook/auth-server-docs/reference/en/en-US/modules/saml.xml
index de289b8..49416a0 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/saml.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/saml.xml
@@ -15,6 +15,15 @@
     <para>
         <variablelist>
             <varlistentry>
+                <term>Client ID</term>
+                <listitem>
+                    <para>
+                        This value must match the issuer value sent with AuthNRequests.  Keycloak will pull the issuer
+                        from the Authn SAML request and match it to a client by this value.
+                    </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
                 <term>Include AuthnStatement</term>
                 <listitem>
                     <para>

diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/server-installation.xml b/docbook/auth-server-docs/reference/en/en-US/modules/server-installation.xml
index 78d9a4b..01ad7e6 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/server-installation.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/server-installation.xml
@@ -128,6 +128,25 @@ cd <WILDFLY_HOME>/bin
             </itemizedlist>
         </para>
         <section>
+            <title>Admin User</title>
+            <para>
+                To access the admin console you need an account to login. Currently, there's a default account added
+                with the username <literal>admin</literal> and password <literal>admin</literal>. You will be required
+                to change the password on first login. We are planning on removing the built-in account soon and will
+                instead have an initial step to create the user.
+            </para>
+            <para>
+                You can also create a user with the <literal>add-user</literal> script found in <literal>bin</literal>.
+                This script will create a temporary file with the details of the user, which are imported at startup.
+                To add a user with this script run:
+<programlisting><![CDATA[
+bin/add-user.[sh|bat] -r master -u <username> -p <password>
+]]></programlisting>
+                Then restart the server.
+            </para>
+        </section>
+
+        <section>
             <title>Relational Database Configuration</title>
             <para>
                 You might want to use a better relational database for Keycloak like PostgreSQL or MySQL.  You might also

diff --git a/docbook/auth-server-docs/reference/en/en-US/modules/timeouts.xml b/docbook/auth-server-docs/reference/en/en-US/modules/timeouts.xml
index 7f8800e..229ee8d 100755
--- a/docbook/auth-server-docs/reference/en/en-US/modules/timeouts.xml
+++ b/docbook/auth-server-docs/reference/en/en-US/modules/timeouts.xml
@@ -43,6 +43,12 @@
             application not knowing if the user's permissions have changed.  This value is usually in minutes.
         </para>
         <para>
+            The <code class="literal">Access Token Lifespan For Implicit Flow</code> is how long an access token is valid for when using OpenID Connect implicit flow.
+            With implicit flow, there is no refresh token available, so that's why the lifespan is usually bigger than default Access Token Lifespan mentioned above.
+            See <ulink url="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth">OpenID Connect specification</ulink> for details about implicit flow and
+            <link linkend="javascript-adapter">Javascript Adapter</link> for some additional details.
+        </para>
+        <para>
             The <literal>Client login timeout</literal> is how long an access code is valid for.  An access code is obtained
             on the 1st leg of the OAuth 2.0 redirection protocol.  This should be a short time limit.  Usually seconds.
         </para>

diff --git a/docbook/saml-adapter-docs/reference/en/en-US/master.xml b/docbook/saml-adapter-docs/reference/en/en-US/master.xml
index 5b798a1..7f14165 100755
--- a/docbook/saml-adapter-docs/reference/en/en-US/master.xml
+++ b/docbook/saml-adapter-docs/reference/en/en-US/master.xml
@@ -8,7 +8,9 @@
                 <!ENTITY Jetty9Adapter SYSTEM "modules/jetty9-adapter.xml">
                 <!ENTITY Jetty8Adapter SYSTEM "modules/jetty8-adapter.xml">
                 <!ENTITY FilterAdapter SYSTEM "modules/servlet-filter-adapter.xml">
+                <!ENTITY Assertions SYSTEM "modules/assertion-api.xml">
                 <!ENTITY Logout SYSTEM "modules/logout.xml">
+                <!ENTITY ErrorHandling SYSTEM "modules/adapter_error_handling.xml">
                 ]>
 
 <book>
@@ -49,6 +51,8 @@ This one is short
     &Jetty8Adapter;
     &FilterAdapter;
     &Logout;
+    &Assertions;
+    &ErrorHandling;
 
 
 

diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter_error_handling.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter_error_handling.xml
new file mode 100755
index 0000000..1d6d11f
--- /dev/null
+++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter_error_handling.xml
@@ -0,0 +1,42 @@
+<chapter id="adapter_error_handling">
+    <title>Error Handling</title>
+    <para>
+        Keycloak has some error handling facilities for servlet based client adapters.  When an error is encountered in
+        authentication, keycloak will call <literal>HttpServletResponse.sendError()</literal>.  You can set up an error-page
+        within your <literal>web.xml</literal> file to handle the error however you want.  Keycloak may throw
+        400, 401, 403, and 500 errors.
+    </para>
+    <para>
+<programlisting>
+<![CDATA[
+<error-page>
+    <error-code>404</error-code>
+    <location>/ErrorHandler</location>
+</error-page>]]>
+</programlisting>
+    </para>
+    <para>
+        Keycloak also sets an <literal>HttpServletRequest</literal> attribute that you can retrieve.  The attribute name
+        is <literal>org.keycloak.adapters.spi.AuthenticationError</literal>.  Typecast this object to:
+        <literal>org.keycloak.adapters.saml.SamlAuthenticationError</literal>.  This class can tell you exactly what happened.
+        If this attribute is not set, then the adapter was not responsible for the error code.
+    </para>
+    <para>
+<programlisting>
+public class SamlAuthenticationError implements AuthenticationError {
+    public static enum Reason {
+        EXTRACTION_FAILURE,
+        INVALID_SIGNATURE,
+        ERROR_STATUS
+    }
+
+    public Reason getReason() {
+        return reason;
+    }
+    public StatusResponseType getStatus() {
+        return status;
+    }
+}
+</programlisting>
+    </para>
+</chapter>
\ No newline at end of file

diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter-config.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter-config.xml
index cce3faf..5335362 100755
--- a/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter-config.xml
+++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/adapter-config.xml
@@ -11,7 +11,8 @@
         sslPolicy="EXTERNAL"
         nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
         logoutPage="/logout.jsp"
-        forceAuthentication="false">
+        forceAuthentication="false"
+        isPassive="false">
         <Keys>
             <Key signing="true" >
                 <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
@@ -63,7 +64,8 @@
 <SP entityID="sp"
     sslPolicy="ssl"
     nameIDPolicyFormat="format"
-    forceAuthentication="true">
+    forceAuthentication="true"
+    isPassive="false">
 ...
 </SP>]]></programlisting>
         <para>
@@ -106,12 +108,23 @@
                     <listitem>
                         <para>
                             SAML clients can request that a user is re-authenticated even if
-                            they are already logged in at the IDP.  Set this to true if you
+                            they are already logged in at the IDP. Set this to <literal>true</literal> if you
                             want this.
                             <emphasis>OPTIONAL.</emphasis>.  Set to <literal>false</literal> by default.
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>isPassive</term>
+                    <listitem>
+                        <para>
+                            SAML clients can request that a user is never asked to authenticate even if
+                            they are not logged in at the IDP. Set this to <literal>true</literal> if you want this.
+                            Do not use together with <literal>forceAuthentication</literal> as they are opposite.
+                            <emphasis>OPTIONAL.</emphasis>. Set to <literal>false</literal> by default.
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </para>
     </section>

diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/assertion-api.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/assertion-api.xml
new file mode 100755
index 0000000..6106c07
--- /dev/null
+++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/assertion-api.xml
@@ -0,0 +1,109 @@
+<chapter id="assertions">
+    <title>Obtaining Assertion Attributes</title>
+    <para>
+        After a successful SAML login, your application code may want to obtain attribute values passed with the SAML assertion.
+        <literal>HttpServletRequest.getUserPrincipal</literal> returns a Principal object that you can typecast into a
+        Keycloak specific class called <literal>org.keycloak.adapters.saml.SamlPrincipal</literal>.  This object allows
+        you to look at the raw assertion and also has convenience functions to look up attribute values.
+    </para>
+    <para>
+<programlisting><![CDATA[
+package org.keycloak.adapters.saml;
+
+public class SamlPrincipal implements Serializable, Principal {
+    /**
+     * Get full saml assertion
+     *
+     * @return
+     */
+    public AssertionType getAssertion() {
+       ...
+    }
+
+    /**
+     * Get SAML subject sent in assertion
+     *
+     * @return
+     */
+    public String getSamlSubject() {
+        ...
+    }
+
+    /**
+     * Subject nameID format
+     *
+     * @return
+     */
+    public String getNameIDFormat() {
+        ...
+    }
+
+    @Override
+    public String getName() {
+        ...
+    }
+
+    /**
+     * Convenience function that gets Attribute value by attribute name
+     *
+     * @param name
+     * @return
+     */
+    public List<String> getAttributes(String name) {
+        ...
+
+    }
+
+    /**
+     * Convenience function that gets Attribute value by attribute friendly name
+     *
+     * @param friendlyName
+     * @return
+     */
+    public List<String> getFriendlyAttributes(String friendlyName) {
+        ...
+    }
+
+    /**
+     * Convenience function that gets first  value of an attribute by attribute name
+     *
+     * @param name
+     * @return
+     */
+    public String getAttribute(String name) {
+        ...
+    }
+
+    /**
+     * Convenience function that gets first  value of an attribute by attribute name
+     *
+     *
+     * @param friendlyName
+     * @return
+     */
+    public String getFriendlyAttribute(String friendlyName) {
+        ...
+    }
+
+    /**
+     * Get set of all assertion attribute names
+     *
+     * @return
+     */
+    public Set<String> getAttributeNames() {
+        ...
+    }
+
+    /**
+     * Get set of all assertion friendly attribute names
+     *
+     * @return
+     */
+    public Set<String> getFriendlyNames() {
+        ...
+    }
+}
+]]>
+</programlisting>
+    </para>
+</chapter>
\ No newline at end of file

diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/jboss-adapter.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/jboss-adapter.xml
index fc29402..675cc0b 100755
--- a/docbook/saml-adapter-docs/reference/en/en-US/modules/jboss-adapter.xml
+++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/jboss-adapter.xml
@@ -3,7 +3,7 @@
     <para>
         To be able to secure WAR apps deployed on JBoss EAP 6.x or Wildfly, you must install and
         configure the Keycloak SAML Adapter Subsystem.  You then provide a keycloak
-        config, <literal>/WEB-INF/keycloak-saml</literal> file in your WAR and change the auth-method to KEYCLOAK-SAML within web.xml.
+        config, <literal>/WEB-INF/keycloak-saml.xml</literal> file in your WAR and change the auth-method to KEYCLOAK-SAML within web.xml.
         Both methods are described in this section.
     </para>
     <section id="jboss-adapter-installation">
@@ -13,10 +13,10 @@
         the Keycloak download site.  They are also available as a maven artifact.
     </para>
     <para>
-        Install on Wildfly 9:
+        Install on Wildfly 9 or 10:
 <programlisting>
 $ cd $WILDFLY_HOME
-$ unzip keycloak-saml-wf9-adapter-dist.zip
+$ unzip keycloak-saml-wildfly-adapter-dist.zip
 </programlisting>
     </para>
     <para>
@@ -38,7 +38,7 @@ $ unzip keycloak-saml-eap6-adapter-dist.zip
         from the server's bin directory:
 <programlisting>
 $ cd $JBOSS_HOME/bin
-$ jboss-cli.sh -c --file=adapter-install.cli
+$ jboss-cli.sh -c --file=adapter-install-saml.cli
 </programlisting>
         The script will add the extension, subsystem, and optional security-domain as described below.
     </para>
@@ -52,7 +52,7 @@ $ jboss-cli.sh -c --file=adapter-install.cli
     </extensions>
 
     <profile>
-        <subsystem xmlns="urn:jboss:domain:keycloak-saml:1.6"/>
+        <subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1"/>
          ...
     </profile>
 ]]>
@@ -185,4 +185,92 @@ public class CustomerService {
 </programlisting>
         </para>
     </section>
+    <section>
+        <title>Securing WARs via Keycloak SAML Subsystem</title>
+        <para>
+            You do not have to crack open a WAR to secure it with Keycloak.  Alternatively, you can externally secure
+            it via the Keycloak SAML Adapter Subsystem.  While you don't have to specify KEYCLOAK-SAML as an <literal>auth-method</literal>,
+            you still have to define the <literal>security-constraints</literal> in <literal>web.xml</literal>.  You do
+            not, however, have to create a <literal>WEB-INF/keycloak-saml.xml</literal> file.  This metadata is instead defined
+            within XML in your server's <literal>domain.xml</literal> or <literal>standalone.xml</literal> subsystem
+            configuration section.
+        </para>
+        <para>
+            <programlisting><![CDATA[
+<extensions>
+  <extension module="org.keycloak.keycloak-saml-adapter-subsystem"/>
+</extensions>
+
+<profile>
+  <subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">
+    <secure-deployment name="WAR MODULE NAME.war">
+      <SP entityID="APPLICATION URL">
+        ...
+      </SP>
+    </secure-deployment>
+  </subsystem>
+</profile>
+]]>
+            </programlisting>
+        </para>
+        <para>
+            The <literal>secure-deployment</literal> <literal>name</literal> attribute identifies the WAR you want
+            to secure.  Its value is the <literal>module-name</literal> defined in <literal>web.xml</literal> with
+            <literal>.war</literal> appended.  The rest of the configuration uses the same XML syntax as
+            <literal>keycloak-saml.xml</literal> configuration defined in <link linkend='adapter-config'>general adapter configuration</link>.
+        </para>
+        <para>
+            An example configuration:
+        </para>
+        <para>
+            <programlisting><![CDATA[
+<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">
+  <secure-deployment name="saml-post-encryption.war">
+    <SP entityID="http://localhost:8080/sales-post-enc/"
+        sslPolicy="EXTERNAL"
+        nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+        logoutPage="/logout.jsp"
+        forceAuthentication="false">
+      <Keys>
+        <Key signing="true" encryption="true">
+          <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+            <PrivateKey alias="http://localhost:8080/sales-post-enc/" password="test123"/>
+            <Certificate alias="http://localhost:8080/sales-post-enc/"/>
+          </KeyStore>
+        </Key>
+      </Keys>
+      <PrincipalNameMapping policy="FROM_NAME_ID"/>
+      <RoleIdentifiers>
+        <Attribute name="Role"/>
+      </RoleIdentifiers>
+      <IDP entityID="idp">
+        <SingleSignOnService signRequest="true"
+            validateResponseSignature="true"
+            requestBinding="POST"
+            bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>
+
+        <SingleLogoutService
+            validateRequestSignature="true"
+            validateResponseSignature="true"
+            signRequest="true"
+            signResponse="true"
+            requestBinding="POST"
+            responseBinding="POST"
+            postBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
+            redirectBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>
+        <Keys>
+          <Key signing="true" >
+            <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+              <Certificate alias="saml-demo"/>
+            </KeyStore>
+          </Key>
+        </Keys>
+      </IDP>
+    </SP>
+   </secure-deployment>
+</subsystem>
+]]>
+            </programlisting>
+        </para>
+    </section>
 </chapter>
\ No newline at end of file

diff --git a/docbook/saml-adapter-docs/reference/en/en-US/modules/tomcat-adapter.xml b/docbook/saml-adapter-docs/reference/en/en-US/modules/tomcat-adapter.xml
index f6db1b0..37ffbe1 100755
--- a/docbook/saml-adapter-docs/reference/en/en-US/modules/tomcat-adapter.xml
+++ b/docbook/saml-adapter-docs/reference/en/en-US/modules/tomcat-adapter.xml
@@ -1,5 +1,5 @@
 <chapter id="tomcat-adapter">
-    <title>Tomcat 6, 7 and 8 SAML dapters</title>
+    <title>Tomcat 6, 7 and 8 SAML adapters</title>
     <para>
         To be able to secure WAR apps deployed on Tomcat 6, 7 and 8 you must install the Keycloak Tomcat 6, 7 or 8 SAML adapter
         into your Tomcat installation.  You then have to provide some extra configuration in each WAR you deploy to

diff --git a/events/api/src/main/java/org/keycloak/events/Details.java b/events/api/src/main/java/org/keycloak/events/Details.java
index b9c5338..a995d7b 100755
--- a/events/api/src/main/java/org/keycloak/events/Details.java
+++ b/events/api/src/main/java/org/keycloak/events/Details.java
@@ -11,6 +11,7 @@ public interface Details {
     String CODE_ID = "code_id";
     String REDIRECT_URI = "redirect_uri";
     String RESPONSE_TYPE = "response_type";
+    String RESPONSE_MODE = "response_mode";
     String AUTH_TYPE = "auth_type";
     String AUTH_METHOD = "auth_method";
     String IDENTITY_PROVIDER = "identity_provider";

diff --git a/events/api/src/main/java/org/keycloak/events/Event.java b/events/api/src/main/java/org/keycloak/events/Event.java
index d4fd536..6382421 100644
--- a/events/api/src/main/java/org/keycloak/events/Event.java
+++ b/events/api/src/main/java/org/keycloak/events/Event.java
@@ -47,7 +47,7 @@ public class Event {
     }
 
     public void setRealmId(String realmId) {
-        this.realmId = realmId;
+        this.realmId = maxLength(realmId, 255);
     }
 
     public String getClientId() {
@@ -55,7 +55,7 @@ public class Event {
     }
 
     public void setClientId(String clientId) {
-        this.clientId = clientId;
+        this.clientId = maxLength(clientId, 255);
     }
 
     public String getUserId() {
@@ -63,7 +63,7 @@ public class Event {
     }
 
     public void setUserId(String userId) {
-        this.userId = userId;
+        this.userId = maxLength(userId, 255);
     }
 
     public String getSessionId() {
@@ -112,4 +112,11 @@ public class Event {
         return clone;
     }
 
+    static String maxLength(String string, int length){
+        if (string != null && string.length() > length) {
+            return string.substring(0, length - 1);
+        }
+        return string;
+    }
+
 }

diff --git a/events/email/src/main/java/org/keycloak/events/email/EmailEventListenerProvider.java b/events/email/src/main/java/org/keycloak/events/email/EmailEventListenerProvider.java
index 400ef04..9e1e127 100755
--- a/events/email/src/main/java/org/keycloak/events/email/EmailEventListenerProvider.java
+++ b/events/email/src/main/java/org/keycloak/events/email/EmailEventListenerProvider.java
@@ -2,7 +2,7 @@ package org.keycloak.events.email;
 
 import org.jboss.logging.Logger;
 import org.keycloak.email.EmailException;
-import org.keycloak.email.EmailProvider;
+import org.keycloak.email.EmailTemplateProvider;
 import org.keycloak.events.admin.AdminEvent;
 import org.keycloak.events.Event;
 import org.keycloak.events.EventListenerProvider;
@@ -23,13 +23,13 @@ public class EmailEventListenerProvider implements EventListenerProvider {
 
     private KeycloakSession session;
     private RealmProvider model;
-    private EmailProvider emailProvider;
+    private EmailTemplateProvider emailTemplateProvider;
     private Set<EventType> includedEvents;
 
-    public EmailEventListenerProvider(KeycloakSession session, EmailProvider emailProvider, Set<EventType> includedEvents) {
+    public EmailEventListenerProvider(KeycloakSession session, EmailTemplateProvider emailTemplateProvider, Set<EventType> includedEvents) {
         this.session = session;
         this.model = session.realms();
-        this.emailProvider = emailProvider;
+        this.emailTemplateProvider = emailTemplateProvider;
         this.includedEvents = includedEvents;
     }
 
@@ -41,7 +41,7 @@ public class EmailEventListenerProvider implements EventListenerProvider {
                 UserModel user = session.users().getUserById(event.getUserId(), realm);
                 if (user != null && user.getEmail() != null && user.isEmailVerified()) {
                     try {
-                        emailProvider.setRealm(realm).setUser(user).sendEvent(event);
+                        emailTemplateProvider.setRealm(realm).setUser(user).sendEvent(event);
                     } catch (EmailException e) {
                         log.error("Failed to send type mail", e);
                     }

diff --git a/events/email/src/main/java/org/keycloak/events/email/EmailEventListenerProviderFactory.java b/events/email/src/main/java/org/keycloak/events/email/EmailEventListenerProviderFactory.java
index 9f662dc..ae2c4d0 100755
--- a/events/email/src/main/java/org/keycloak/events/email/EmailEventListenerProviderFactory.java
+++ b/events/email/src/main/java/org/keycloak/events/email/EmailEventListenerProviderFactory.java
@@ -1,7 +1,7 @@
 package org.keycloak.events.email;
 
 import org.keycloak.Config;
-import org.keycloak.email.EmailProvider;
+import org.keycloak.email.EmailTemplateProvider;
 import org.keycloak.events.EventListenerProvider;
 import org.keycloak.events.EventListenerProviderFactory;
 import org.keycloak.events.EventType;
@@ -26,8 +26,8 @@ public class EmailEventListenerProviderFactory implements EventListenerProviderF
 
     @Override
     public EventListenerProvider create(KeycloakSession session) {
-        EmailProvider emailProvider = session.getProvider(EmailProvider.class);
-        return new EmailEventListenerProvider(session, emailProvider, includedEvents);
+        EmailTemplateProvider emailTemplateProvider = session.getProvider(EmailTemplateProvider.class);
+        return new EmailEventListenerProvider(session, emailTemplateProvider, includedEvents);
     }
 
     @Override

diff --git a/examples/demo-template/offline-access-app/src/main/java/org/keycloak/example/OfflineAccessPortalServlet.java b/examples/demo-template/offline-access-app/src/main/java/org/keycloak/example/OfflineAccessPortalServlet.java
old mode 100644
new mode 100755
index 8290b3b..2583ec4
--- a/examples/demo-template/offline-access-app/src/main/java/org/keycloak/example/OfflineAccessPortalServlet.java
+++ b/examples/demo-template/offline-access-app/src/main/java/org/keycloak/example/OfflineAccessPortalServlet.java
@@ -17,10 +17,13 @@ import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.adapters.AdapterDeploymentContext;
+import org.keycloak.adapters.spi.AuthenticationError;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
 import org.keycloak.adapters.ServerRequest;
+import org.keycloak.adapters.spi.LogoutError;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.representations.RefreshToken;
 import org.keycloak.util.JsonSerialization;
@@ -47,40 +50,44 @@ public class OfflineAccessPortalServlet extends HttpServlet {
 
     @Override
     protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        try {
+            if (req.getRequestURI().endsWith("/login")) {
+                storeToken(req);
+                req.getRequestDispatcher("/WEB-INF/pages/loginCallback.jsp").forward(req, resp);
+                return;
+            }
 
-        if (req.getRequestURI().endsWith("/login")) {
-            storeToken(req);
-            req.getRequestDispatcher("/WEB-INF/pages/loginCallback.jsp").forward(req, resp);
-            return;
-        }
+            String refreshToken = RefreshTokenDAO.loadToken();
+            String refreshTokenInfo;
+            boolean savedTokenAvailable;
+            if (refreshToken == null) {
+                refreshTokenInfo = "No token saved in database. Please login first";
+                savedTokenAvailable = false;
+            } else {
+                RefreshToken refreshTokenDecoded = null;
+                    refreshTokenDecoded = TokenUtil.getRefreshToken(refreshToken);
+                String exp = (refreshTokenDecoded.getExpiration() == 0) ? "NEVER" : Time.toDate(refreshTokenDecoded.getExpiration()).toString();
+                refreshTokenInfo = String.format("<p>Type: %s</p><p>ID: %s</p><p>Expires: %s</p>", refreshTokenDecoded.getType(), refreshTokenDecoded.getId(), exp);
+                savedTokenAvailable = true;
+            }
+            req.setAttribute("tokenInfo", refreshTokenInfo);
+            req.setAttribute("savedTokenAvailable", savedTokenAvailable);
 
-        String refreshToken = RefreshTokenDAO.loadToken();
-        String refreshTokenInfo;
-        boolean savedTokenAvailable;
-        if (refreshToken == null) {
-            refreshTokenInfo = "No token saved in database. Please login first";
-            savedTokenAvailable = false;
-        } else {
-            RefreshToken refreshTokenDecoded = TokenUtil.getRefreshToken(refreshToken);
-            String exp = (refreshTokenDecoded.getExpiration() == 0) ? "NEVER" : Time.toDate(refreshTokenDecoded.getExpiration()).toString();
-            refreshTokenInfo = String.format("<p>Type: %s</p><p>ID: %s</p><p>Expires: %s</p>", refreshTokenDecoded.getType(), refreshTokenDecoded.getId(), exp);
-            savedTokenAvailable = true;
-        }
-        req.setAttribute("tokenInfo", refreshTokenInfo);
-        req.setAttribute("savedTokenAvailable", savedTokenAvailable);
-
-        String customers;
-        if (req.getRequestURI().endsWith("/loadCustomers")) {
-            customers = loadCustomers(req, refreshToken);
-        } else {
-            customers = "";
-        }
-        req.setAttribute("customers", customers);
+            String customers;
+            if (req.getRequestURI().endsWith("/loadCustomers")) {
+                customers = loadCustomers(req, refreshToken);
+            } else {
+                customers = "";
+            }
+            req.setAttribute("customers", customers);
 
-        req.getRequestDispatcher("/WEB-INF/pages/view.jsp").forward(req, resp);
+            req.getRequestDispatcher("/WEB-INF/pages/view.jsp").forward(req, resp);
+        } catch (JWSInputException e) {
+            throw new ServletException(e);
+        }
     }
 
-    private void storeToken(HttpServletRequest req) throws IOException {
+    private void storeToken(HttpServletRequest req) throws IOException, JWSInputException {
         RefreshableKeycloakSecurityContext ctx = (RefreshableKeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
         String refreshToken = ctx.getRefreshToken();
 
@@ -203,6 +210,18 @@ public class OfflineAccessPortalServlet extends HttpServlet {
                     public String getRemoteAddr() {
                         return servletRequest.getRemoteAddr();
                     }
+
+                    @Override
+                    public void setError(AuthenticationError error) {
+                        servletRequest.setAttribute(AuthenticationError.class.getName(), error);
+
+                    }
+
+                    @Override
+                    public void setError(LogoutError error) {
+                        servletRequest.setAttribute(LogoutError.class.getName(), error);
+                    }
+
                 };
             }
 

diff --git a/examples/js-console/src/main/webapp/index.html b/examples/js-console/src/main/webapp/index.html
index 2cca0f8..3789a9f 100644
--- a/examples/js-console/src/main/webapp/index.html
+++ b/examples/js-console/src/main/webapp/index.html
@@ -67,8 +67,11 @@
         var o = 'Token Expires:\t\t' + new Date((keycloak.tokenParsed.exp + keycloak.timeSkew) * 1000).toLocaleString() + '\n';
         o += 'Token Expires in:\t' + Math.round(keycloak.tokenParsed.exp + keycloak.timeSkew - new Date().getTime() / 1000) + ' seconds\n';
 
-        o += 'Refresh Token Expires:\t' + new Date((keycloak.refreshTokenParsed.exp + keycloak.timeSkew) * 1000).toLocaleString() + '\n';
-        o += 'Refresh Expires in:\t' + Math.round(keycloak.refreshTokenParsed.exp + keycloak.timeSkew - new Date().getTime() / 1000) + ' seconds';
+        if (keycloak.refreshTokenParsed) {
+            o += 'Refresh Token Expires:\t' + new Date((keycloak.refreshTokenParsed.exp + keycloak.timeSkew) * 1000).toLocaleString() + '\n';
+            o += 'Refresh Expires in:\t' + Math.round(keycloak.refreshTokenParsed.exp + keycloak.timeSkew - new Date().getTime() / 1000) + ' seconds';
+        }
+
         output(o);
     }
 
@@ -106,7 +109,17 @@
         event('Auth Logout');
     };
 
-    keycloak.init().success(function(authenticated) {
+    keycloak.onTokenExpired = function () {
+        event('Access token expired.');
+    };
+
+    // Flow can be changed to 'implicit' or 'hybrid', but then client must enable implicit flow in admin console too 
+    var initOptions = {
+        responseMode: 'fragment',
+        flow: 'standard'
+    };
+
+    keycloak.init(initOptions).success(function(authenticated) {
         output('Init Success (' + (authenticated ? 'Authenticated' : 'Not Authenticated') + ')');
     }).error(function() {
         output('Init Error');

diff --git a/export-import/export-import-api/src/main/java/org/keycloak/exportimport/util/ExportUtils.java b/export-import/export-import-api/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
index 30eb055..12b358e 100755
--- a/export-import/export-import-api/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
+++ b/export-import/export-import-api/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
@@ -7,6 +7,7 @@ import org.codehaus.jackson.JsonGenerator;
 import org.codehaus.jackson.map.ObjectMapper;
 import org.codehaus.jackson.map.SerializationConfig;
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.GroupModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleContainerModel;
@@ -15,6 +16,7 @@ import org.keycloak.models.FederatedIdentityModel;
 import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.UserCredentialValueModel;
 import org.keycloak.models.UserModel;
+import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.models.utils.ModelToRepresentation;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.CredentialRepresentation;
@@ -294,6 +296,12 @@ public class ExportUtils {
             }
         }
 
+        List<String> groups = new LinkedList<>();
+        for (GroupModel group : user.getGroups()) {
+            groups.add(ModelToRepresentation.buildGroupPath(group));
+        }
+        userRep.setGroups(groups);
+
         return userRep;
     }
 

diff --git a/forms/common-freemarker/src/main/java/org/keycloak/freemarker/ExtendingThemeManager.java b/forms/common-freemarker/src/main/java/org/keycloak/freemarker/ExtendingThemeManager.java
index 020d349..0a253d1 100644
--- a/forms/common-freemarker/src/main/java/org/keycloak/freemarker/ExtendingThemeManager.java
+++ b/forms/common-freemarker/src/main/java/org/keycloak/freemarker/ExtendingThemeManager.java
@@ -153,6 +153,10 @@ public class ExtendingThemeManager implements ThemeProvider {
 
         private List<Theme> themes;
 
+        private Properties properties;
+
+        private ConcurrentHashMap<String, ConcurrentHashMap<Locale, Properties>> messages = new ConcurrentHashMap<>();
+
         public ExtendingTheme(List<Theme> themes) {
             this.themes = themes;
         }
@@ -229,28 +233,41 @@ public class ExtendingThemeManager implements ThemeProvider {
 
         @Override
         public Properties getMessages(String baseBundlename, Locale locale) throws IOException {
-            Properties messages = new Properties();
-            ListIterator<Theme> itr = themes.listIterator(themes.size());
-            while (itr.hasPrevious()) {
-                Properties m = itr.previous().getMessages(baseBundlename, locale);
-                if (m != null) {
-                    messages.putAll(m);
+            if (messages.get(baseBundlename) == null || messages.get(baseBundlename).get(locale) == null) {
+                Properties messages = new Properties();
+                ListIterator<Theme> itr = themes.listIterator(themes.size());
+                while (itr.hasPrevious()) {
+                    Properties m = itr.previous().getMessages(baseBundlename, locale);
+                    if (m != null) {
+                        messages.putAll(m);
+                    }
                 }
+
+                this.messages.putIfAbsent(baseBundlename, new ConcurrentHashMap<Locale, Properties>());
+                this.messages.get(baseBundlename).putIfAbsent(locale, messages);
+
+                return messages;
+            } else {
+                return messages.get(baseBundlename).get(locale);
             }
-            return messages;
         }
 
         @Override
         public Properties getProperties() throws IOException {
-            Properties properties = new Properties();
-            ListIterator<Theme> itr = themes.listIterator(themes.size());
-            while (itr.hasPrevious()) {
-                Properties p = itr.previous().getProperties();
-                if (p != null) {
-                    properties.putAll(p);
+            if (properties == null) {
+                Properties properties = new Properties();
+                ListIterator<Theme> itr = themes.listIterator(themes.size());
+                while (itr.hasPrevious()) {
+                    Properties p = itr.previous().getProperties();
+                    if (p != null) {
+                        properties.putAll(p);
+                    }
                 }
+                this.properties = properties;
+                return properties;
+            } else {
+                return properties;
             }
-            return properties;
         }
 
     }

diff --git a/forms/common-themes/src/main/resources/theme/base/account/account.ftl b/forms/common-themes/src/main/resources/theme/base/account/account.ftl
index 60a21b5..34c3e84 100755
--- a/forms/common-themes/src/main/resources/theme/base/account/account.ftl
+++ b/forms/common-themes/src/main/resources/theme/base/account/account.ftl
@@ -12,7 +12,7 @@
 
     <form action="${url.accountUrl}" class="form-horizontal" method="post">
 
-        <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}">
+        <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker?html}">
 
         <div class="form-group ${messagesPerField.printIfExists('username','has-error')}">
             <div class="col-sm-2 col-md-2">

diff --git a/forms/common-themes/src/main/resources/theme/base/account/applications.ftl b/forms/common-themes/src/main/resources/theme/base/account/applications.ftl
index b2bbdf2..bca5102 100755
--- a/forms/common-themes/src/main/resources/theme/base/account/applications.ftl
+++ b/forms/common-themes/src/main/resources/theme/base/account/applications.ftl
@@ -8,8 +8,8 @@
     </div>
 
     <form action="${url.revokeClientUrl}" method="post">
-        <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}">
-        <input type="hidden" id="referrer" name="referrer" value="${stateChecker}">
+        <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker?html}">
+        <input type="hidden" id="referrer" name="referrer" value="${stateChecker?html}">
 
         <table class="table table-striped table-bordered">
             <thead>

diff --git a/forms/common-themes/src/main/resources/theme/base/account/messages/messages_ca.properties b/forms/common-themes/src/main/resources/theme/base/account/messages/messages_ca.properties
new file mode 100644
index 0000000..2bb68b1
--- /dev/null
+++ b/forms/common-themes/src/main/resources/theme/base/account/messages/messages_ca.properties
@@ -0,0 +1,155 @@
+doSave=Desa
+doCancel=Cancel\u00B7la
+doLogOutAllSessions=Desconnecta de totes les sessions
+doRemove=Elimina
+doAdd=Afegeix
+doSignOut=Desconnectar
+
+editAccountHtmlTtile=Edita compte
+federatedIdentitiesHtmlTitle=Identitats federades
+accountLogHtmlTitle=Registre del compte
+changePasswordHtmlTitle=Canvia contrasenya
+sessionsHtmlTitle=Sessions
+accountManagementTitle=Gesti\u00F3 de Compte Keycloak
+authenticatorTitle=Autenticador
+applicationsHtmlTitle=Aplicacions
+
+authenticatorCode=Codi d''un sol \u00FAs
+email=Email
+firstName=Nom
+givenName=Nom de pila
+fullName=Nom complet
+lastName=Cognoms
+familyName=Cognom
+password=Contrasenya
+passwordConfirm=Confirma la contrasenya
+passwordNew=Nova contrasenya
+username=Usuari
+address=Adre\u00E7a
+street=Carrer
+locality=Ciutat o Municipi
+region=Estat, Prov\u00EDncia, o Regi\u00F3
+postal_code=Postal code
+country=Pa\u00EDs
+emailVerified=Email verificat
+gssDelegationCredential=GSS Delegation Credential
+
+role_admin=Administrador
+role_realm-admin=Administrador del domini
+role_create-realm=Crear domini
+role_view-realm=Veure domini
+role_view-users=Veure usuaris
+role_view-applications=Veure aplicacions
+role_view-clients=Veure clients
+role_view-events=Veure events
+role_view-identity-providers=Veure prove\u00EFdors d''identitat
+role_manage-realm=Gestionar domini
+role_manage-users=Gestinar usuaris
+role_manage-applications=Gestionar aplicacions
+role_manage-identity-providers=Gestionar prove\u00EFdors d''identitat
+role_manage-clients=Gestionar clients
+role_manage-events=Gestionar events
+role_view-profile=Veure perfil
+role_manage-account=Gestionar compte
+role_read-token=Llegir token
+role_offline-access=Acc\u00E9s sense connexi\u00F3
+client_account=Compte
+client_security-admin-console=Consola d''Administraci\u00F3 de Seguretat
+client_realm-management=Gesti\u00F3 de domini
+client_broker=Broker
+
+
+requiredFields=Camps obligatoris
+allFieldsRequired=Tots els camps obligatoris
+
+backToApplication=« Torna a l''aplicaci\u00F3
+backTo=Torna a {0}
+
+date=Data
+event=Event
+ip=IP
+client=Client
+clients=Clients
+details=Detalls
+started=Iniciat
+lastAccess=\u00DAltim acc\u00E9s
+expires=Expira
+applications=Aplicacions
+
+account=Compte
+federatedIdentity=Identitat federada
+authenticator=Autenticador
+sessions=Sessions
+log=Registre
+
+application=Aplicaci\u00F3
+availablePermissions=Permisos disponibles
+grantedPermissions=Permisos concedits
+grantedPersonalInfo=Informaci\u00F3 personal concedida
+additionalGrants=Permisos addicionals
+action=Acci\u00F3
+inResource=a
+fullAccess=Acc\u00E9s total
+offlineToken=Codi d''autoritzaci\u00F3 offline
+revoke=Revocar perm\u00EDs
+
+configureAuthenticators=Autenticadors configurats
+mobile=M\u00F2bil
+totpStep1=Instal\u00B7la <a href=\"https://fedorahosted.org/freeotp/\" target=\"_blank\">FreeOTP</a> o Google Authenticator al teu tel\u00E8fon m\u00F2bil. Les dues aplicacions estan disponibles a <a href=\"https://play.google.com\">Google Play</a> i en l''App Store d''Apple.
+totpStep2=Obre l''aplicaci\u00F3 i escaneja el codi o introdueix la clau.
+totpStep3=Introdueix el codi \u00FAnic que et mostra l''aplicaci\u00F3 d''autenticaci\u00F3 i fes clic a Envia per finalitzar la configuraci\u00F3
+
+missingUsernameMessage=Si us plau indica el teu usuari.
+missingFirstNameMessage=Si us plau indica el nom.
+invalidEmailMessage=Email no v\u00E0lid
+missingLastNameMessage=Si us plau indica els teus cognoms.
+missingEmailMessage=Si us plau indica l''email.
+missingPasswordMessage=Si us plau indica la contrasenya.
+notMatchPasswordMessage=Les contrasenyes no coincideixen.
+
+missingTotpMessage=Si us plau indica el teu codi d''autenticaci\u00F3
+invalidPasswordExistingMessage=La contrasenya actual no \u00E9s correcta.
+invalidPasswordConfirmMessage=La confirmaci\u00F3 de contrasenya no coincideix.
+invalidTotpMessage=El c\u00F3digo de autenticaci\u00F3n no es v\u00E1lido.
+
+usernameExistsMessage=L''usuari ja existeix
+emailExistsMessage=L''email ja existeix
+
+readOnlyUserMessage=No pots actualitzar el teu usuari perqu\u00E8 el teu compte \u00E9s de nom\u00E9s lectura.
+readOnlyPasswordMessage=No pots actualitzar la contrasenya perqu\u00E8 el teu compte \u00E9s de nom\u00E9s lectura.
+
+successTotpMessage=Aplicaci\u00F3 d''autenticaci\u00F3 m\u00F2bil configurada.
+successTotpRemovedMessage=Aplicaci\u00F3 d''autenticaci\u00F3 m\u00F2bil eliminada.
+
+successGrantRevokedMessage=Perm\u00EDs revocat correctament
+
+accountUpdatedMessage=El teu compte s''ha actualitzat.
+accountPasswordUpdatedMessage=La contrasenya s''ha actualitzat.
+
+missingIdentityProviderMessage=Prove\u00EFdor d''identitat no indicat.
+invalidFederatedIdentityActionMessage=Acci\u00F3 no v\u00E0lida o no indicada.
+identityProviderNotFoundMessage=No s''ha trobat un prove\u00EFdor d''identitat.
+federatedIdentityLinkNotActiveMessage=Aquesta identitat ja no est\u00E0 activa
+federatedIdentityRemovingLastProviderMessage=No pots eliminar l''\u00FAltima identitat federada perqu\u00E8 no tens fixada una contrasenya.
+identityProviderRedirectErrorMessage=Error en la redirecci\u00F3 al prove\u00EFdor d''identitat
+identityProviderRemovedMessage=Prove\u00EFdor d''identitat esborrat correctament.
+
+accountDisabledMessage=El compte est\u00E0 desactivada, contacteu amb l''administrador.
+
+accountTemporarilyDisabledMessage=El compte est\u00E0 temporalment desactivat, contacta amb l''administrador o intenta-ho de nou m\u00E9s tard.
+invalidPasswordMinLengthMessage=Contrasenya incorrecta: longitud m\u00EDnima {0}.
+invalidPasswordMinLowerCaseCharsMessage=Contrasenya incorrecta: ha de contenir almenys {0} lletres min\u00FAscules.
+invalidPasswordMinDigitsMessage=Contrase\u00F1a incorrecta: debe contener al menos {0} caracteres num\u00E9ricos.
+invalidPasswordMinUpperCaseCharsMessage=Contrasenya incorrecta: ha de contenir almenys {0} lletres maj\u00FAscules.
+invalidPasswordMinSpecialCharsMessage=Contrasenya incorrecta: ha de contenir almenys {0} car\u00E0cters especials.
+invalidPasswordNotUsernameMessage=Contrasenya incorrecta: no pot ser igual al nom d''usuari.
+invalidPasswordRegexPatternMessage=Contrasenya incorrecta: no compleix l''expressi\u00F3 regular.
+invalidPasswordHistoryMessage=Contrasenya incorrecta: no pot ser igual a cap de les \u00FAltimes {0} contrasenyes.
+
+locale_de=Deutsch
+locale_en=English
+locale_it=Italian
+locale_pt-BR=Portugu\u00EAs (Brasil)
+locale_fr=Fran\u00E7ais
+locale_es=Espa\u00F1ol
+locale_ca=Catal\u00E0

diff --git a/forms/common-themes/src/main/resources/theme/base/account/messages/messages_es.properties b/forms/common-themes/src/main/resources/theme/base/account/messages/messages_es.properties
index 40743f8..ac59648 100644
--- a/forms/common-themes/src/main/resources/theme/base/account/messages/messages_es.properties
+++ b/forms/common-themes/src/main/resources/theme/base/account/messages/messages_es.properties
@@ -96,7 +96,7 @@ revoke=Revocar permiso
 configureAuthenticators=Autenticadores configurados
 mobile=M\u00F3vil
 totpStep1=Instala <a href=\"https://fedorahosted.org/freeotp/\" target=\"_blank\">FreeOTP</a> o Google Authenticator en tu tel\u00E9fono m\u00F3vil. Ambas aplicaciones est\u00E1n disponibles en <a href=\"https://play.google.com\">Google Play</a> y en la App Store de Apple.
-totpStep2=Abre la aplicacvi\u00F3n y escanea el c\u00F3digo o introduce la clave.
+totpStep2=Abre la aplicaci\u00F3n y escanea el c\u00F3digo o introduce la clave.
 totpStep3=Introduce el c\u00F3digo \u00FAnico que te muestra la aplicaci\u00F3n de autenticaci\u00F3n y haz clic en Enviar para finalizar la configuraci\u00F3n
 
 missingUsernameMessage=Por favor indica tu usuario.
@@ -152,3 +152,4 @@ locale_it=Italian
 locale_pt-BR=Portugu\u00EAs (Brasil)
 locale_fr=Fran\u00E7ais
 locale_es=Espa\u00F1ol
+locale_ca=Catal\u00E0

diff --git a/forms/common-themes/src/main/resources/theme/base/account/password.ftl b/forms/common-themes/src/main/resources/theme/base/account/password.ftl
index abea25d..053fdbd 100755
--- a/forms/common-themes/src/main/resources/theme/base/account/password.ftl
+++ b/forms/common-themes/src/main/resources/theme/base/account/password.ftl
@@ -23,7 +23,7 @@
             </div>
         </#if>
 
-        <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}">
+        <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker?html}">
 
         <div class="form-group">
             <div class="col-sm-2 col-md-2">
@@ -49,7 +49,6 @@
             <div id="kc-form-buttons" class="col-md-offset-2 col-md-10 submit">
                 <div class="">
                     <button type="submit" class="${properties.kcButtonClass!} ${properties.kcButtonPrimaryClass!} ${properties.kcButtonLargeClass!}" name="submitAction" value="Save">${msg("doSave")}</button>
-                    <button type="submit" class="${properties.kcButtonClass!} ${properties.kcButtonDefaultClass!} ${properties.kcButtonLargeClass!}" name="submitAction" value="Cancel">${msg("doCancel")}</button>
                 </div>
             </div>
         </div>

diff --git a/forms/common-themes/src/main/resources/theme/base/account/totp.ftl b/forms/common-themes/src/main/resources/theme/base/account/totp.ftl
index 1cf9e67..1f261e7 100755
--- a/forms/common-themes/src/main/resources/theme/base/account/totp.ftl
+++ b/forms/common-themes/src/main/resources/theme/base/account/totp.ftl
@@ -41,7 +41,7 @@
         <hr/>
 
         <form action="${url.totpUrl}" class="form-horizontal" method="post">
-            <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker}">
+            <input type="hidden" id="stateChecker" name="stateChecker" value="${stateChecker?html}">
             <div class="form-group">
                 <div class="col-sm-2 col-md-2">
                     <label for="totp" class="control-label">${msg("authenticatorCode")}</label>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/index.ftl b/forms/common-themes/src/main/resources/theme/base/admin/index.ftl
index 0cdadfb..f6bbfa5 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/index.ftl
+++ b/forms/common-themes/src/main/resources/theme/base/admin/index.ftl
@@ -53,10 +53,10 @@
 </div>
 </div>
 
-<div class="feedback-aligner" data-ng-show="notification">
+<div class="feedback-aligner" data-ng-show="notification.display">
     <div class="alert alert-{{notification.type}} alert-dismissable">
-        <button type="button" class="close">
-            <span class="pficon pficon-close" data-ng-click="notification = null"/>
+        <button type="button" class="close" data-ng-click="notification.remove()" id="notification-close">
+            <span class="pficon pficon-close"/>
         </button>
 
         <span class="pficon pficon-ok" ng-show="notification.type == 'success'"></span>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_ca.properties b/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_ca.properties
new file mode 100644
index 0000000..31b9fe2
--- /dev/null
+++ b/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_ca.properties
@@ -0,0 +1,466 @@
+# Common messages
+enabled=Habilitat
+name=Nom
+save=Desar
+cancel=Cancel\u00B7la
+onText=SI
+offText=NO
+client=Client
+clients=Clients
+clear=Neteja
+selectOne=Selecciona un...
+
+true=S\u00ED
+false=No
+
+
+# Realm settings
+realm-detail.enabled.tooltip=Els usuaris i clients nom\u00E9s poden accedir a un domini si est\u00E0 habilitat
+registrationAllowed=Registre d''usuari
+registrationAllowed.tooltip=Habilitar/deshabilitar la p\u00E0gina de registre. Un enlla\u00E7 per al registre es mostrar\u00E0 tamb\u00E9 a la p\u00E0gina d''inici de sessi\u00F3.
+registrationEmailAsUsername=Email com a nom d''usuari
+registrationEmailAsUsername.tooltip=Si est\u00E0 habilitat el nom d''usuari queda ocult del formulari de registre i l''email es fa servir com a nom d''usuari per als nous usuaris.
+editUsernameAllowed=Edita el nom d''usuari
+editUsernameAllowed.tooltip=Si est\u00E0 habilitat, el nom d''usuari \u00E9s editable, altrament \u00E9s de nom\u00E9s lectura.
+resetPasswordAllowed=Oblit contrasenya
+resetPasswordAllowed.tooltip=Mostra un enlla\u00E7 a la p\u00E0gina d''inici de sessi\u00F3 perqu\u00E8 l''usuari faci clic quan ha oblidat les seves credencials.
+rememberMe=Mantenir connectat
+rememberMe.tooltip=Mostra la casella de selecci\u00F3 en la p\u00E0gina d''inici de sessi\u00F3 per a permetre a l''usuari estar connectat entre reinicis del navegador fins que la sessi\u00F3 expiri.
+verifyEmail=Verificar email
+verifyEmail.tooltip=For\u00E7ar l''usuari a verificar la seva adre\u00E7a de correu electr\u00F2nic la primera vegada que inici\u00EF sessi\u00F3.
+sslRequired=Sol\u00B7licitar SSL
+sslRequired.option.all=totes les peticions
+sslRequired.option.external=peticions externes
+sslRequired.option.none=cap
+sslRequired.tooltip=\u00C9s HTTP obligatori? ''cap'' significa que HTTPS no \u00E9s obligatori per cap direcic\u00F3n IP de client, ''peticions externes'' indica que localhost i les adreces IP privades poden accedir sense HTTPS, ''totes les peticions'' vol dir que HTTPS \u00E9s obligatori per a totes les adreces IP.
+publicKey=Clau p\u00FAblica
+gen-new-keys=Generar noves claus
+certificate=Certificat
+host=Host
+smtp-host=Host SMTP
+port=Port
+smtp-port=Port SMTP (per defecte 25)
+from=Des de
+sender-email-addr=Email del emissor
+enable-ssl=Habilitar SSL
+enable-start-tls=Habilitar StartTLS
+enable-auth=Habilitar autenticaci\u00F3
+username=Usuari
+login-username=Usuari
+password=Contrasenya
+login-password=Contrasenya
+login-theme=Tema d''inici de sessi\u00F3
+select-one=Selecciona un...
+login-theme.tooltip=Selecciona el tema per a les p\u00E0gines d''inici de sessi\u00F3, TOTP, permisos, registre i recordatori de contrasenya.
+account-theme=Tema de compte
+account-theme.tooltip=Selecciona el tema per a les p\u00E0gines de gesti\u00F3 del compte d''usuari.
+admin-console-theme=Tema de consola d''administraci\u00F3
+select-theme-admin-console=Selecciona el tema per a la consola d''administraci\u00F3.
+email-theme=Tema d''email
+select-theme-email=Selecciona el tema per als correus electr\u00F2nics que s\u00F3n enviats pel servidor.
+i18n-enabled=Internacionalitzaci\u00F3 activa
+supported-locales=Idiomes suportats
+supported-locales.placeholder=Indica l''idioma i prem Intro
+default-locale=Idioma per defecte
+realm-cache-enabled=Cach\u00E9 de domini habilitada
+realm-cache-enabled.tooltip=Activar/desactivar la cach\u00E9 per al domini, client i dades de rols.
+user-cache-enabled=Cach\u00E9 d''usuari habilitada
+user-cache-enabled.tooltip=Habilitar/deshabilitar la cach\u00E9 d''usuaris i d''assignacions d''usuaris a rols.
+revoke-refresh-token=Revocar el token d''actualitzaci\u00F3
+revoke-refresh-token.tooltip=Si est\u00E0 activat els tokens d''actualitzaci\u00F3 nom\u00E9s poden usar-se una vegada. En un altre cas els tokens d''actualitzaci\u00F3 no es revoquen quan s''utilitzen i poden ser usat m\u00FAltiples vegades.
+sso-session-idle=Sessions SSO inactives
+seconds=Segons
+minutes=Minuts
+hours=Hores
+days=Dies
+sso-session-max=Temps m\u00E0xim sessi\u00F3 SSO
+sso-session-idle.tooltip=Temps m\u00E0xim que una sessi\u00F3 pot estar inactiva abans que expiri. Els tokens i sessions de navegador s\u00F3n invalidades quan la sessi\u00F3 expira.
+sso-session-max.tooltip=Temps m\u00E0xim abans que una sessi\u00F3 expiri. Els tokens i sessions de navegador s\u00F3n invalidats quan una sessi\u00F3 expira.
+offline-session-idle=Inactivitat de sessi\u00F3 sense connexi\u00F3
+offline-session-idle.tooltip=Temps m\u00E0xim inactiu d''una sessi\u00F3 sense connexi\u00F3 abans que expiri. Necessites fer servi un token sense connexi\u00F3 per refrescar almenys una vegada dins d'aquest per\u00EDode, en un altre cas la sessi\u00F3 sense connexi\u00F3 expirar\u00E0.
+access-token-lifespan=Durada del token d''acc\u00E9s
+access-token-lifespan.tooltip=Temps m\u00E0xim abans que un token d''acc\u00E9s expiri. Es recomana que aquest valor sigui curt en relaci\u00F3 al temps m\u00E0xim de SSO
+client-login-timeout=Temps m\u00E0xim d''autenticaci\u00F3
+client-login-timeout.tooltip=Temps m\u00E0xim que un client t\u00E9 per finalitzar el protocol d''obtenci\u00F3 del token d''acc\u00E9s. Hauria de ser normalment de l''ordre d''1 minut.
+login-timeout=Temps m\u00E0xim de desconnexi\u00F3
+login-timeout.tooltip=Temps m\u00E0xim que un usuari t\u00E9 per completar l''inici de sessi\u00F3. Es recomana que sigui relativament alt. 30 minuts o m\u00E9s.
+login-action-timeout=Temps m\u00E0xim d''acci\u00F3 en l''inici de sessi\u00F3
+login-action-timeout.tooltip=Temps m\u00E0xim que un usuari t\u00E9 per completar accions relacionades amb l''inici de sessi\u00F3, com l''actualitzaci\u00F3 de contrasenya o configuraci\u00F3 de TOTP. \u00C9s recomanat que sigui relativament alt. 5 minuts o m\u00E9s.
+headers=Cap\u00E7aleres
+brute-force-detection=Detecci\u00F3 d''atacs per for\u00E7a bruta
+x-frame-options=X-Frame-Options
+click-label-for-info=Fes clic a l''enlla\u00E7 de l''etiqueta per obtenir m\u00E9s informaci\u00F3. El valor per defecte evita que les p\u00E0gines siguin incloses des d'iframes externs.
+content-sec-policy=Content-Security-Policy
+max-login-failures=Nombre m\u00E0xim d''errors d''inici de sessi\u00F3
+max-login-failures.tooltip=Indica quants errors es permeten abans que es dispari una espera.
+wait-increment=Increment d''espera
+wait-increment.tooltip=Quan s''ha arribat al llindar d''error, quant de temps ha d''estar un usuari bloquejat?
+quick-login-check-millis=Temps en mil\u00B7lisegons entre inicis de sessi\u00F3 r\u00E0pids
+quick-login-check-millis.tooltip=Si ocorren errors de forma concurrent i molt r\u00E0pida, bloquejar a l''usuari.
+min-quick-login-wait=Temps m\u00EDnim entre errors de connexi\u00F3 r\u00E0pids
+min-quick-login-wait.tooltip=Quant de temps s''ha d''esperar despr\u00E9s d''un error en un intent r\u00E0pid d''identificaci\u00F3
+max-wait=Espera m\u00E0xima
+max-wait.tooltip=Temps m\u00E0xim que un usuari queda bloquejat.
+failure-reset-time=Reinici del comptador d''errors
+failure-reset-time.tooltip=Quan s''ha de reiniciar el comptador d''errors?
+realm-tab-login=Inici de sessi\u00F3
+realm-tab-keys=Claus
+realm-tab-email=Email
+realm-tab-themes=Temes
+realm-tab-cache=Cach\u00E9
+realm-tab-tokens=Tokens
+realm-tab-security-defenses=Defenses de seguretat
+realm-tab-general=General
+add-realm=Afegir domini
+
+#Session settings
+realm-sessions=Sessions de domini
+revocation=Revocaci\u00F3
+logout-all=Desconnectar tot
+active-sessions=Sessions actives
+sessions=Sessions
+not-before=No abans de
+not-before.tooltip=Revocar qualsevol token em\u00E8s abans d''aquesta data.
+set-to-now=Fixar a ara
+push=Push
+push.tooltip=Per a cada client que t\u00E9 un URL d''administraci\u00F3, notificar les noves pol\u00EDtiques de revocaci\u00F3.
+
+#Protocol Mapper
+usermodel.prop.label=Propietat
+usermodel.prop.tooltip=Nom del m\u00E8tode de propietat en la interf\u00EDcie UserModel. Per exemple, un valor de ''email'' faria refer\u00E8ncia al m\u00E8tode UserModel.getEmail().
+usermodel.attr.label=Atribut d''usuari
+usermodel.attr.tooltip=Nom de l''atribut d''usuari emmagatzemat que \u00E9s el nom de l''atribut dins el map UserModel.attribute.
+userSession.modelNote.label=Nota sessi\u00F3 usuari
+userSession.modelNote.tooltip=Nom de la nota emmagatzemada en la sessi\u00F3 d''usuari dins del mapa UserSessionModel.note
+multivalued.label=Valors m\u00FAltiples
+multivalued.tooltip=Indica si l''atribut suporta m\u00FAltiples valors. Si est\u00E0 habilitat, la llista de tots els valors d''aquest atribut es fixar\u00E0 com a reclamaci\u00F3. Si est\u00E0 deshabilitat, nom\u00E9s el primer valor ser\u00E0 fixat com a reclamaci\u00F3.
+selectRole.label=Selecciona rol
+selectRole.tooltip=Introdueix el rol a la caixa de text de l''esquerra, o fes clic a aquest bot\u00F3 per navegar i buscar el rol que vols.
+tokenClaimName.label=Nom de reclam del token
+tokenClaimName.tooltip=Nom del reclam a inserir en el testimoni. Pot ser un nom complet com ''address.street''. En aquest cas, es crear\u00E0 un objecte JSON niat.
+jsonType.label=Tipus JSON de reclamaci\u00F3
+jsonType.tooltip=El tipus de JSON que hauria de fer-se servir per omplir la petici\u00F3 de JSON en el token. long, int, boolean i String s\u00F3n valors v\u00E0lids
+includeInIdToken.label=Afegir al token d''ID
+includeInAccessToken.label=Afegir al token d''acc\u00E9s
+includeInAccessToken.tooltip=S''hauria d'afegir la identitat reclamada al token d''acc\u00E9s?
+
+
+# client details
+clients.tooltip=Els clients s\u00F3n aplicacions de navegador de confian\u00E7a i serveis web d''un domini. Aquests clients poden sol\u00B7licitar un inici de sessi\u00F3. Tamb\u00E9 pots definir rols espec\u00EDfics de client.
+search.placeholder=Cercar...
+create=Crea
+import=Importar
+client-id=ID Client
+base-url=URL Base
+actions=Accions
+not-defined=No definit
+edit=Edita
+delete=Esborra
+no-results=Sense resultats
+no-clients-available=No hi ha clients disponibles
+add-client=Afegir Client
+select-file=Selecciona arxiu
+view-details=Veure detalls
+clear-import=Neteja importaci\u00F3
+client-id.tooltip=Indica l''identificador (ID) referenciat en URIs i tokens. Per exemple ''my-client''
+client.name.tooltip=Indica el nom visible del client. Per exemple ''My Client''. Tamb\u00E9 suporta claus per valors localitzats. Per exemple: ${my_client}
+client.enabled.tooltip=Els clients deshabilitats no poden iniciar una identificaci\u00F3 o obtenir codis d''acc\u00E9s.
+consent-required=Consentiment necessari
+consent-required.tooltip=Si est\u00E0 habilitat, els usuaris han de consentir l''acc\u00E9s del client.
+direct-grants-only=Nom\u00E9s permisos directes
+direct-grants-only.tooltip=Quan est\u00E0 habilitat, el client nom\u00E9s pot obtenir permisos de l''API REST.
+client-protocol=Protocol del Client
+client-protocol.tooltip=''OpenID connect'' permet als clients verificar la identitat de l''usuari final basat en l''autenticaci\u00F3 realitzada per un servidor d''autoritzaci\u00F3. ''SAML'' habilita l''autenticaci\u00F3 i autoritzaci\u00F3 d''escenaris basats en web incloent cross-domain i single sign-on (SSO) i utilitza tokens de seguretat que contenen afirmacions per passar informaci\u00F3.
+access-type=Tipus d''acc\u00E9s
+access-type.tooltip=Els clients ''Confidential'' necessiten un secret per iniciar el protocol d''identificaci\u00F3. Els clients ''Public'' no requereixen un secret. Els clients 'Bearer-only' s\u00F3n serveis web que mai inicien un login.
+service-accounts-enabled=Comptes de servei habilitades
+service-accounts-enabled.tooltip=Permetre autenticar aquest client contra Keycloak i rebre un token d''acc\u00E9s dedicat per a aquest client.
+include-authnstatement=Incloure AuthnStatement
+include-authnstatement.tooltip=Hauria d''incloure''s una declaraci\u00F3 especificant el m\u00E8tode i la marca de temps en la resposta d''inici de sessi\u00F3?
+sign-documents=Signar documents
+sign-documents.tooltip=Hauria el domini de signar els documents SAML?
+sign-assertions=Signar assercions
+sign-assertions.tooltip=Haurien de signar-se les assercions en documents SAML? Aquest ajust no \u00E9s necessari si el document ja s''est\u00E0 signant.
+signature-algorithm=Algorisme de signatura
+signature-algorithm.tooltip=L''algorisme de signatura usat per signar els documents.
+canonicalization-method=M\u00E8tode de canonicalitzaci\u00F3
+canonicalization-method.tooltip=M\u00E8tode de canonicalitzaci\u00F3 per a les signatures XML
+encrypt-assertions=Xifrar afirmacions
+encrypt-assertions.tooltip=Haurien de xifrar-se les afirmacions SAML amb la clau p\u00FAblica del client fent servir AES?
+client-signature-required=Signatura de Client requerida
+client-signature-required.tooltip=Signar\u00E0 el client les seves peticions i respostes SAML? I haurien de ser validades?
+force-post-binding=For\u00E7ar enlla\u00E7os POST
+force-post-binding.tooltip=Fer servir sempre POST per a les respostes
+front-channel-logout=Desconnexi\u00F3 en primer pla (Front Channel)
+front-channel-logout.tooltip=Quan est\u00E0 activat, la desconnexi\u00F3 requereix una redirecci\u00F3 del navegador cap al client. Quan no est\u00E0 activat, el servidor realitza una invovaci\u00F3n de desconnexi\u00F3 en segon pla.
+force-name-id-format=For\u00E7ar format NameID
+force-name-id-format.tooltip=Ignorar la petici\u00F3 de subjecte NameID i fer servir la configurada a la consola d''administraci\u00F3.
+name-id-format=Format de NameID
+name-id-format.tooltip=El format de NameID que es far\u00E0 servir per al t\u00EDtol
+root-url=URL arrel
+root-url.tooltip=URL arrel afegida a les URL relatives
+valid-redirect-uris=URIs de redirecci\u00F3 v\u00E0lides
+valid-redirect-uris.tooltip=Patr\u00F3 d''URI v\u00E0lida per a la qual un navegador pot sol\u00B7licitar la redirecci\u00F3 despr\u00E9s d''un inici o tancament de sessi\u00F3 completat. Es permeten comodins simples p.ex. ''http://example.com/*''. Tamb\u00E9 es poden indicar rutes relatives p.ex. ''/my/relative/path/*''. Les rutes relatives generaran un URI de redirecci\u00F3 fent servir el host i port de la petici\u00F3. Per SAML, s''han de fixar patrons d''URI v\u00E0lids si vols confiar en l''URL del servei del consumidor indicada en la petici\u00F3 d''inici de sessi\u00F3.
+base-url.tooltip=URL per defecte per utilitzar quan el servidor d''autoritzaci\u00F3 necessita redirigir o enviar de tornada al client.
+admin-url=URL d''administraci\u00F3
+admin-url.tooltip=URL a la interf\u00EDcie d''administraci\u00F3 del client. Fixa aquest valor si el client suporta l''adaptador de REST. Aquesta API REST permet al servidor d''autenticaci\u00F3 enviar al client pol\u00EDtiques de revocaci\u00F3 i altres tasques administratives. Normalment es fixa a l''URL base del client.
+master-saml-processing-url=URL principal de processament SAML
+master-saml-processing-url.tooltip=Si est\u00E0 configurada, aquesta URL es fara servir per a cada enlla\u00E7 al prove\u00EFdor del servei del consumidor d''assercions i serveis de desconnexi\u00F3 \u00FAnics. Pot ser sobreescrit de forma individual per a cada enlla\u00E7 i servei en el punt final de configuraci\u00F3 fina de SAML.
+idp-sso-url-ref=Nom de la URL d''un SSO iniciat per l''IDP
+idp-sso-url-ref.tooltip=Nom del fragment de l''URL per referenciar al client quan vols un SSO iniciat per l''IDP. Deixant aix\u00F2 buit desactiva els SSO iniciats per l''IDP. L''URL referenciada des del navegador ser\u00E0: {server-root}/realms/{realm}/protocol/saml/clients/{client-url-name}
+idp-sso-relay-state=Estat de retransmissi\u00F3 d''un SSO iniciat per l''IDP
+idp-sso-relay-state.tooltip=Estat de retransmissi\u00F3 que vols enviar amb una petici\u00F3 SAML quan s''inicia un SSO iniciat per l''IDP
+web-origins=Or\u00EDgens web
+web-origins.tooltip=Or\u00EDgens CORS permesos. Per permetre tots els or\u00EDgens d''URIs de redirecci\u00F3 v\u00E0lides afegeix ''+''. Per permetre tots els or\u00EDgens afegeix ''*''.
+fine-saml-endpoint-conf=Fine Grain SAML Endpoint Configuration
+fine-saml-endpoint-conf.tooltip=Expandeix aquesta secci\u00F3 per configurar les URL exactes per Assertion Consumer i Single Logout Service.
+assertion-consumer-post-binding-url=Assertion Consumer Service POST Binding URL
+assertion-consumer-post-binding-url.tooltip=SAML POST Binding URL for the client''s assertion consumer service (login responses).  You can leave this blank if you do not have a URL for this binding.
+assertion-consumer-redirect-binding-url=Assertion Consumer Service Redirect Binding URL
+assertion-consumer-redirect-binding-url.tooltip=Assertion Consumer Service Redirect Binding URL
+logout-service-binding-post-url=URL d''enlla\u00E7 SAML POST per a la desconnexi\u00F3
+logout-service-binding-post-url.tooltip=URL d''enlla\u00E7 SAML POST per a la desconnexi\u00F3 \u00FAnica del client. Pots deixar-ho en blanc si est\u00E0s fent servir un enlla\u00E7 diferent.
+logout-service-redir-binding-url=URL d''enlla\u00E7 SAML de redirecci\u00F3 per a la desconnexi\u00F3
+logout-service-redir-binding-url.tooltip=URL d''enlla\u00E7 SAML de redirecci\u00F3 per a la desconnexi\u00F3 \u00FAnica del client. Pots deixar-ho en blanc si est\u00E0s fent servir un enlla\u00E7 diferent.
+
+# client import
+import-client=Importar Client
+format-option=Format
+select-format=Selecciona un format
+import-file=Arxiu d''Importaci\u00F3
+
+# client tabs
+settings=Ajustos
+credentials=Credencials
+saml-keys=Claus SAML
+roles=Rols
+mappers=Assignadors
+mappers.tootip=Els assignadors de protocols realitzen transformacions en tokens i documents. Poden fer coses com assignar dades d''usuari en peticions de protocol, o simplement transformar qualsevol petici\u00F3 entre el client i el servidor d''autenticaci\u00F3.
+scope=\u00C0mbit
+scope.tooltip=Les assignacions d''\u00E0mbit et permeten restringir que assignacions de rols d''usuari s''inclouen en el testimoni d''acc\u00E9s sol\u00B7licitat pel client.
+sessions.tooltip=Veure sessions actives per a aquest client. Permet veure quins usuaris estan actius i quan es van identificar.
+offline-access=Acc\u00E9s sense connexi\u00F3
+offline-access.tooltip=Veure sessions sense connexi\u00F3 per aquest client. Et permet veure que usuaris han sol\u00B7licitat tokens sense connexi\u00F3 i quan els van sol\u00B7licitar. Per revocar tots els tokens del client, accedeix a la pestanya de Revocaci\u00F3 i fixa el valor \"No abans de\" a \"now\".
+clustering=Clustering
+installation=Instal\u00B7laci\u00F3
+installation.tooltip=Eina d''ajuda per generar la configuraci\u00F3 de diversos formats d''adaptadors de client que pots descarregar o copiar i enganxar per configurar teus clients.
+service-account-roles=Rols de compte de servei
+service-account-roles.tooltip=Permetre autenticar assignacions de rol per el compte de servei dedicat a aquest client.
+
+# client credentials
+client-authenticator=Client autenticador
+client-authenticator.tooltip=Client autenticador usat per autenticar aquest client contra el servidor Keycloak
+certificate.tooltip=Certificat de client per validar els JWT emesos per aquest client i signats amb la clau privada del client del teu magatzem de claus.
+no-client-certificate-configured=No s''ha configurat el certificat de client
+gen-new-keys-and-cert=Generar noves claus i certificat
+import-certificate=Importar Certificat
+gen-client-private-key=Generar clau privada de client
+generate-private-key=Generar clau privada
+archive-format=Format d''Arxiu
+archive-format.tooltip=Format d''arxiu Java keystore o PKCS12
+key-alias=\u00C0lies de clau
+key-alias.tooltip=\u00C0lies de l''arxiu de la teva clau privada i certificat.
+key-password=Contrasenya de la clau
+key-password.tooltip=Contrasenya per accedir a la clau privada continguda en l''arxiu
+store-password=Contrasenya del magatzem
+store-password.tooltip=Contrasenya per accedir a l''arxiu
+generate-and-download=Generar i descarregar
+client-certificate-import=Importaci\u00F3 de certificat de client
+import-client-certificate=Importar Certificat de Client
+jwt-import.key-alias.tooltip=\u00C0lies de l''arxiu del teu certificat.
+secret=Secret
+regenerate-secret=Regenerar secret
+add-role=Afegir rol
+role-name=Nom de rol
+composite=Compost
+description=Descripci\u00F3
+no-client-roles-available=No hi ha rols de client disponibles
+scope-param-required=Par\u00E0metre d''\u00E0mbit obligatori
+scope-param-required.tooltip=Aquest rol nom\u00E9s ser\u00E0 concedit si el par\u00E0metre d''\u00E0mbit amb el nom del rol \u00E9s usat durant la petici\u00F3 d''autoritzaci\u00F3/obtenci\u00F3 de token.
+composite-roles=Rols compostos
+composite-roles.tooltip=Quan aquest paper \u00E9s assignat/desassignat a un usuari qualsevol rol associat amb ell ser\u00E0 assignat/desassignat de forma impl\u00EDcita.
+realm-roles=Rols de domini
+available-roles=Rols Disponibles
+add-selected=Afegeix seleccionat
+associated-roles=Rols Associats
+composite.associated-realm-roles.tooltip=Rols a nivell de domini associats amb aquest rol compost.
+composite.available-realm-roles.tooltip=Rols a nivell de domini disponibles en aquest paper compost.
+remove-selected=Esborrar seleccionats
+client-roles=Rols de Client
+select-client-to-view-roles=Selecciona el client per veure els seus rols
+available-roles.tooltip=Rols d''aquest client que pots associar a aquest rol compost.
+client.associated-roles.tooltip=Rols de client associats amb aquest rol compost.
+add-builtin=Afegeix Builtin
+category=Categoria
+type=Tipus
+no-mappers-available=No hi ha assignadors disponibles
+add-builtin-protocol-mappers=Afegeix Builtin Protocol Mappers
+add-builtin-protocol-mapper=Afegeix Builtin Protocol Mapper
+scope-mappings=Assignacions d''\u00E0mbit
+full-scope-allowed=Permet tots els \u00E0mbits
+full-scope-allowed.tooltip=Permet deshabilitar totes les restriccions.
+scope.available-roles.tooltip=Rols de domini que poden ser assignats a l''\u00E0mbit
+assigned-roles=Rols Assignats
+assigned-roles.tooltip=Rols a nivell de domini assignats a aquest \u00E0mbit.
+effective-roles=Rols efectius
+realm.effective-roles.tooltip=Rols de domini assignats que poden haver estat heretats d''un rol compost.
+select-client-roles.tooltip=Selecciona el client per veure els seus rols
+assign.available-roles.tooltip=Rols de clients disponibles per ser assignats.
+client.assigned-roles.tooltip=Rols de client assignats
+client.effective-roles.tooltip=Rols de client assignats que poden haver estat heretats des d''un rol compost.
+basic-configuration=Configuraci\u00F3 b\u00E0sica
+node-reregistration-timeout=Temps d''espera de re-registre de node
+node-reregistration-timeout.tooltip=Indica el m\u00E0xim interval de temps perqu\u00E8 els nodes del cl\u00FAster registrats es tornin a registrar. Si el node del cl\u00FAster no envia una petici\u00F3 de re-registre a Keycloak dins d''aquest interval, ser\u00E0 desregistrat de Keycloak
+registered-cluster-nodes=Registrar nodes de cl\u00FAster
+register-node-manually=Registrar node manualment
+test-cluster-availability=Provar disponibilitat del cl\u00FAster
+last-registration=\u00DAltim registre
+node-host=Host del node
+no-registered-cluster-nodes=No hi ha nodes de cl\u00FAster registrats disponibles
+cluster-nodes=Nodes de cl\u00FAster
+add-node=Afegir Node
+active-sessions.tooltip=Nombre total de sessions actives per a aquest client.
+show-sessions=Mostrar sessions
+show-sessions.tooltip=Advert\u00E8ncia, aquesta \u00E9s una operaci\u00F3 potencialment costosa depenent del nombre de sessions actives.
+user=Usuari
+from-ip=Des de IP
+session-start=Inici de sessi\u00F3
+first-page=Primera p\u00E0gina
+previous-page=P\u00E0gina Anterior
+next-page=P\u00E0gina seg\u00FCent
+client-revoke.not-before.tooltip=Revocar tots els tokens emesos abans d''aquesta data per a aquest client.
+client-revoke.push.tooltip=Si l''URL d''administraci\u00F3 est\u00E0 configurada per a aquest client, envia aquesta pol\u00EDtica a aquest client.
+select-a-format=Selecciona un format
+download=Descarrega
+offline-tokens=Tokens sense connexi\u00F3
+offline-tokens.tooltip=Nombre total de tokens sense connexi\u00F3 d''aquest client.
+show-offline-tokens=Mostrar tokens sense connexi\u00F3
+show-offline-tokens.tooltip=Advert\u00E8ncia, aquesta \u00E9s una operaci\u00F3 potencialment costosa depenent del nombre de tokens sense connexi\u00F3.
+token-issued=Token expedit
+last-access=\u00DAltim Acc\u00E9s
+last-refresh=\u00DAltima actualitzaci\u00F3
+key-export=Exportar clau
+key-import=Importar clau
+export-saml-key=Exporta clau SAML
+import-saml-key=Importar clau SAML
+realm-certificate-alias=\u00C0lies del certificat del domini
+realm-certificate-alias.tooltip=El certificat del domini \u00E9s emmagatzemat en arxiu. Aquest \u00E9s l''\u00E0lies a aquest.
+signing-key=Clau de firma
+saml-signing-key=Clau de firma SAML.
+private-key=Clau Privada
+generate-new-keys=Generar noves claus
+export=Exporta
+encryption-key=Clau de xifrat
+saml-encryption-key.tooltip=Clau de xifrat de SAML
+service-accounts=Comptes de servei
+service-account.available-roles.tooltip=Rols de domini que poden ser assignats al compte del servei.
+service-account.assigned-roles.tooltip=Rols de domini assignats al compte del servei.
+service-account-is-not-enabled-for=El compte del servei no est\u00E0 habilitada per {{client}}
+create-protocol-mappers=Crea assignadors de protocol
+create-protocol-mapper=Crea assignador de protocol
+protocol=Protocol
+protocol.tooltip=Protocol.
+id=ID
+mapper.name.tooltip=Nom de l''assignador.
+mapper.consent-required.tooltip=Quan es concedeix acc\u00E9s temporal, \u00E9s necessari el consentiment de l''usuari per a proporcinar aquestes dades al client?
+consent-text=Text del consentiment
+consent-text.tooltip=Text per mostrar a la p\u00E0gina de consentiment.
+mapper-type=Tipus d''assignador
+
+# realm identity providers
+identity-providers=Prove\u00EFdors d''identitat
+table-of-identity-providers=Taula de prove\u00EFdors d''identitat
+add-provider.placeholder=Afegir prove\u00EFdor...
+provider=Prove\u00EFdor
+gui-order=Ordre en la interf\u00EDcie gr\u00E0fica (GUI)
+redirect-uri=URI de redirecci\u00F3
+redirect-uri.tooltip=L''URI de redirecci\u00F3 usada per configurar el prove\u00EFdor d''identitat.
+alias=\u00C0lies
+identity-provider.alias.tooltip=L''\u00E0lies que identifica de forma \u00FAnica un prove\u00EFdor d''identitat, es far servir tamb\u00E9 per construir la URI de redirecci\u00F3.
+identity-provider.enabled.tooltip=Habilita/deshabilita aquest prove\u00EFdor d''identitat.
+authenticate-by-default=Autenticar per defecte
+identity-provider.authenticate-by-default.tooltip=Indica si aquest prove\u00EFdor hauria de ser provat per defecte per autenticacaci\u00F3n fins i tot abans de mostrar la p\u00E0gina d''inici de sessi\u00F3.
+store-tokens=Emmagatzemar tokens
+identity-provider.store-tokens.tooltip=Habilitar/deshabilitar si els tokens han de ser emmagatzemats despr\u00E9s d''autenticar als usuaris.
+stored-tokens-readable=Tokens emmagatzemats llegibles
+identity-provider.stored-tokens-readable.tooltip=Habilitar/deshabilitar si els nous usuaris poden llegir els tokens emmagatzemats. Aix\u00F2 assigna el rol ''broker.read-token''.
+update-profile-on-first-login=Actualitzar perfil al primer inici de sessi\u00F3
+on=Activat
+on-missing-info=Si falta informaci\u00F3
+off=Desactivat
+update-profile-on-first-login.tooltip=Defineix condicions sota les quals un usuari ha de actualitzar el seu perfil durant el primer inici de sessi\u00F3.
+trust-email=Confiar en l''email
+trust-email.tooltip=Si est\u00E0 habilitat, l''email rebut d''aquest prove\u00EFdor no es verificar\u00E0 encara que la verificaci\u00F3 estigui habilitada per al domini.
+gui-order.tooltip=N\u00FAmero que defineix l''ordre del prove\u00EFdor en la interf\u00EDcie gr\u00E0fica (GUI) (ex. a la p\u00E0gina d''inici de sessi\u00F3)
+openid-connect-config=Configuraci\u00F3 d''OpenID Connect
+openid-connect-config.tooltip=Configuraci\u00F3 d''OIDC SP i IDP externs
+authorization-url=URL d''autoritzaci\u00F3
+authorization-url.tooltip=La URL d''autoritzaci\u00F3.
+token-url=Token URL
+token-url.tooltip=L''URL del token.
+logout-url=URL de desconnexi\u00F3
+identity-provider.logout-url.tooltip=Punt de tancament de sessi\u00F3 per utilitzar en la desconnexi\u00F3 d''usuaris des d''un prove\u00EFdor d''identitat (IDP) extern.
+backchannel-logout=Backchannel Logout
+backchannel-logout.tooltip=Does the external IDP support backchannel logout?
+user-info-url=URL d''informaci\u00F3 d''usuari
+user-info-url.tooltip=L''URL d''informaci\u00F3 d''usuari. Opcional.
+identity-provider.client-id.tooltip=El client o identificador de client registrat en el prove\u00EFdor d''identitat.
+client-secret=Secret de Client
+show-secret=Mostrar secret
+hide-secret=Amaga secret
+client-secret.tooltip=El client o el secret de client registrat en el prove\u00EFdor d''identitat.
+issuer=Emissor
+issuer.tooltip=L''identificador de l''emissor per a l''emissor de la resposta. Si no s''indica, no es realitzar\u00E0 cap validaci\u00F3.
+default-scopes=\u00C0mbits per defecte
+identity-provider.default-scopes.tooltip=Els \u00E0mbits que s''enviaran quan es sol\u00B7liciti autoritzaci\u00F3. Pot ser una llista d''\u00E0mbits separats per espais. El valor per defecte \u00E9s ''openid''.
+prompt=Prompt
+unspecified.option=no especificat
+none.option=cap
+consent.option=consentiment
+login.option=login
+select-account.option=select_account
+prompt.tooltip=Indica si el servidor d''autoritzaci\u00F3 sol\u00B7licita a l''usuari final per reautenticaci\u00F3n i consentiment.
+validate-signatures=Validar signatures
+identity-provider.validate-signatures.tooltip=Habilitar/deshabilitar la validaci\u00F3 de signatures de prove\u00EFdors d''identitat (IDP) externs
+validating-public-key=Validant clau p\u00FAblica
+identity-provider.validating-public-key.tooltip=La clau p\u00FAblica en format PEM que ha de fer-se servir per verificar les signatures de prove\u00EFdors d''identitat (IDP) externs.
+import-external-idp-config=Importar configuraci\u00F3 externa d''IDP
+import-external-idp-config.tooltip=Et permet carregar metadades d''un prove\u00EFdor d''identitat (IDP) extern d''un arxiu de coniguraci\u00F3n o descarregar des d''una URL.
+import-from-url=Importar des d''URL
+identity-provider.import-from-url.tooltip=Importa metadades des d''un descriptor d''un prove\u00EFdor d''identitat (IDP) remot.
+import-from-file=Importa des d''arxiu
+identity-provider.import-from-file.tooltip=Importa metadades des d''un descriptor d''un prove\u00EFdor d''identitat (IDP) descarregat.
+saml-config=Configuraci\u00F3 SAML
+identity-provider.saml-config.tooltip=Configuraci\u00F3 de prove\u00EFdor SAML i IDP extern
+single-signon-service-url=URL de servei de connexi\u00F3 \u00FAnic (SSO)
+saml.single-signon-service-url.tooltip=L''URL que s''ha de fer servir per enviar peticions d''autenticaci\u00F3 (SAML AuthnRequest).
+single-logout-service-url=URL de servei de desconnexi\u00F3 \u00FAnic
+saml.single-logout-service-url.tooltip=L''URL que ha de fer-se servir per enviar peticions de desconnexi\u00F3.
+nameid-policy-format=Format de pol\u00EDtica NameID
+nameid-policy-format.tooltip=Indica la refer\u00E8ncia a la URI corresponent a un format de NameID. El valor per defecte \u00E9s urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
+http-post-binding-response=HTTP-POST enlla\u00E7 de resposta
+http-post-binding-response.tooltip=Indica si es respon a les peticions fent servir HTTP-POST. Si no est\u00E0 activat, es far servir HTTP-REDIRECT.
+http-post-binding-for-authn-request=HTTP-POST per AuthnRequest
+http-post-binding-for-authn-request.tooltip=Indica si AuthnRequest ha de ser enviat usant HTTP-POST. Si no est\u00E0 activat es fa HTTP-REDIRECT.
+want-authn-requests-signed=Signar AuthnRequests
+want-authn-requests-signed.tooltip=Indica si el prove\u00EFdor d''identitat espera rebre signades les AuthnRequest.
+force-authentication=For\u00E7ar autenticaci\u00F3
+identity-provider.force-authentication.tooltip=Indica si el prove\u00EFdor d''identitat ha d'autenticar en presentar directament les credencials en lloc de dependre d''un context de seguretat previ.
+validate-signature=Validar signatura
+saml.validate-signature.tooltip=Habilitar/deshabilitar la validaci\u00F3 de signatura en respostes SAML.
+validating-x509-certificate=Validant certificat X509
+validating-x509-certificate.tooltip=El certificat en format PEM que ha de fer-se servir per comprovar les signatures.
+saml.import-from-url.tooltip=Importar metadades des d''un descriptor d'entitat remot d''un IDP de SAML
+social.client-id.tooltip=L''identificador del client registrat amb el prove\u00EFdor d''identitat.
+social.client-secret.tooltip=El secret del client registrat amb el prove\u00EFdor d''identitat.
+social.default-scopes.tooltip=\u00C0mbits que s''enviaran quan es sol\u00B7liciti autoritzaci\u00F3. Veure la documentaci\u00F3 per als possibles valors, separador i valor per defecte.
+key=Clau
+stackoverflow.key.tooltip=La clau obtinguda en el registre del client de Stack Overflow.
+
+realms=Dominis
+realm=Domini
+
+identity-provider-mappers=Assignadors de prove\u00EFdors d''identitat (IDP)
+create-identity-provider-mapper=Crea assignador de prove\u00EFdor d''identitat (IDP)
+add-identity-provider-mapper=Afegeix assignador de prove\u00EFdor d''identitat
+client.description.tooltip=Indica la descripci\u00F3 del client. Per exemple ''My Client for TimeSheets''. Tamb\u00E9 suporta claus per a valors localitzats. Per exemple: ${my_client_description}

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
old mode 100644
new mode 100755
index a9e74f7..b92f65b
--- a/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -80,6 +80,8 @@ offline-session-idle=Offline Session Idle
 offline-session-idle.tooltip=Time an offline session is allowed to be idle before it expires. You need to use offline token to refresh at least once within this period, otherwise offline session will expire.
 access-token-lifespan=Access Token Lifespan
 access-token-lifespan.tooltip=Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.
+access-token-lifespan-for-implicit-flow=Access Token Lifespan For Implicit Flow
+access-token-lifespan-for-implicit-flow.tooltip=Max time before an access token issued during OpenID Connect Implicit Flow is expired. This value is recommended to be shorter than SSO timeout. There is no possibility to refresh token during implicit flow, that's why there is separate timeout different to 'Access Token Lifespan'.
 client-login-timeout=Client login timeout
 client-login-timeout.tooltip=Max time an client has to finish the access token protocol. This should normally be 1 minute.
 login-timeout=Login timeout
@@ -109,6 +111,7 @@ realm-tab-email=Email
 realm-tab-themes=Themes
 realm-tab-cache=Cache
 realm-tab-tokens=Tokens
+realm-tab-client-initial-access=Initial Access Tokens
 realm-tab-security-defenses=Security Defenses
 realm-tab-general=General
 add-realm=Add Realm
@@ -163,19 +166,23 @@ add-client=Add Client
 select-file=Select file
 view-details=View details
 clear-import=Clear import
-client-id.tooltip=Specifies ID referenced in URI and tokens. For example 'my-client'
+client-id.tooltip=Specifies ID referenced in URI and tokens. For example 'my-client'.  For SAML this is also the expected issuer value from authn requests
 client.name.tooltip=Specifies display name of the client. For example 'My Client'. Supports keys for localized values as well. For example\: ${my_client}
 client.enabled.tooltip=Disabled clients cannot initiate a login or have obtain access tokens.
 consent-required=Consent Required
 consent-required.tooltip=If enabled users have to consent to client access.
-direct-grants-only=Direct Grants Only
-direct-grants-only.tooltip=When enabled, client can only obtain grants from grant REST API.
 client-protocol=Client Protocol
 client-protocol.tooltip='OpenID connect' allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.'SAML' enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO) and uses security tokens containing assertions to pass information.
 access-type=Access Type
 access-type.tooltip='Confidential' clients require a secret to initiate login protocol.  'Public' clients do not require a secret.  'Bearer-only' clients are web services that never initiate a login.
+standard-flow-enabled=Standard Flow Enabled
+standard-flow-enabled.tooltip=This enables standard OpenID Connect redirect based authentication with authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Authorization Code Flow' for this client.
+implicit-flow-enabled=Implicit Flow Enabled
+implicit-flow-enabled.tooltip=This enables support for OpenID Connect redirect based authentication without authorization code. In terms of OpenID Connect or OAuth2 specifications, this enables support of 'Implicit Flow' for this client.
+direct-access-grants-enabled=Direct Access Grants Enabled
+direct-access-grants-enabled.tooltip=This enables support for Direct Access Grants, which means that client has access to username/password of user and exchange it directly with Keycloak server for access token. In terms of OAuth2 specification, this enables support of 'Resource Owner Password Credentials Grant' for this client.
 service-accounts-enabled=Service Accounts Enabled
-service-accounts-enabled.tooltip=Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client.
+service-accounts-enabled.tooltip=Allows you to authenticate this client to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of 'Client Credentials Grant' for this client.
 include-authnstatement=Include AuthnStatement
 include-authnstatement.tooltip=Should a statement specifying the method and timestamp be included in login responses?
 sign-documents=Sign Documents
@@ -270,7 +277,7 @@ client-certificate-import=Client Certificate Import
 import-client-certificate=Import Client Certificate
 jwt-import.key-alias.tooltip=Archive alias for your certificate.
 secret=Secret
-regenerate-secret=Regenerate Secretsecret=Secret
+regenerate-secret=Regenerate Secret
 registrationAccessToken=Registration access token
 registrationAccessToken.regenerate=Regenerate registration access token
 registrationAccessToken.tooltip=The registration access token provides access for clients to the client registration service.
@@ -470,3 +477,17 @@ identity-provider-mappers=Identity Provider Mappers
 create-identity-provider-mapper=Create Identity Provider Mapper
 add-identity-provider-mapper=Add Identity Provider Mapper
 client.description.tooltip=Specifies description of the client. For example 'My Client for TimeSheets'. Supports keys for localized values as well. For example\: ${my_client_description}
+
+expires=Expires
+expiration=Expiration
+count=Count
+remainingCount=Remaining count
+created=Created
+back=Back
+initial-access-tokens=Initial Access Tokens
+add-initial-access-tokens=Add Initial Access Token
+initial-access-token=Initial Access Token
+initial-access.copyPaste.tooltip=Copy/paste the initial access token before navigating away from this page as it's not posible to retrieve later
+continue=Continue
+initial-access-token.confirm.title=Copy Initial Access Token
+initial-access-token.confirm.text=Please copy and paste the initial access token before confirming as it can't be retrieved later

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_es.properties b/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_es.properties
index 170720a..5a353ab 100644
--- a/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_es.properties
+++ b/forms/common-themes/src/main/resources/theme/base/admin/messages/admin-messages_es.properties
@@ -17,7 +17,7 @@ false=No
 # Realm settings
 realm-detail.enabled.tooltip=Los usuarios y clientes solo pueden acceder a un dominio si est\u00E1 habilitado
 registrationAllowed=Registro de usuario
-registrationAllowed.tooltip=Habilitar/deshabilitar la p\u00E1gina de registro. Un enlace para el registro se motrar\u00E1 tambi\u00E9n en la p\u00E1gina de inicio de sesi\u00F3n.
+registrationAllowed.tooltip=Habilitar/deshabilitar la p\u00E1gina de registro. Un enlace para el registro se mostrar\u00E1 tambi\u00E9n en la p\u00E1gina de inicio de sesi\u00F3n.
 registrationEmailAsUsername=Email como nombre de usuario
 registrationEmailAsUsername.tooltip=Si est\u00E1 habilitado el nombre de usuario queda oculto del formulario de registro y el email se usa como nombre de usuario para los nuevos usuarios.
 editUsernameAllowed=Editar nombre de usuario
@@ -32,7 +32,7 @@ sslRequired=Solicitar SSL
 sslRequired.option.all=todas las peticiones
 sslRequired.option.external=peticiones externas
 sslRequired.option.none=ninguna
-sslRequired.tooltip=\u00BFEs HTTP obligatorio? 'ninguna' significa que HTTPS no es obligatorio para ninguna direcic\u00F3n IP de cliente, 'peticiones externas' indica que localhost y las direcciones IP privadas pueden acceder sin HTTPS, 'todas las peticiones' significa que HTTPS es obligatorio para todas las direcciones IP.
+sslRequired.tooltip=\u00BFEs HTTP obligatorio? ''ninguna'' significa que HTTPS no es obligatorio para ninguna direcic\u00F3n IP de cliente, ''peticiones externas'' indica que localhost y las direcciones IP privadas pueden acceder sin HTTPS, ''todas las peticiones'' significa que HTTPS es obligatorio para todas las direcciones IP.
 publicKey=Clave p\u00FAblica
 gen-new-keys=Generar nuevas claves
 certificate=Certificado
@@ -51,7 +51,7 @@ password=Contrase\u00F1a
 login-password=Contrase\u00F1a
 login-theme=Tema de inicio de sesi\u00F3n
 select-one=Selecciona uno...
-login-theme.tooltip=Selecciona el tema para las p\u00E1gina de inicio de sesi\u00F3n, TOTP, permisos, registro y recordatorio de contrase\u00F1a.
+login-theme.tooltip=Selecciona el tema para las p\u00E1ginas de inicio de sesi\u00F3n, TOTP, permisos, registro y recordatorio de contrase\u00F1a.
 account-theme=Tema de cuenta
 account-theme.tooltip=Selecciona el tema para las p\u00E1ginas de gesti\u00F3n de la cuenta de usuario.
 admin-console-theme=Tema de consola de administraci\u00F3n
@@ -75,23 +75,23 @@ hours=Horas
 days=D\u00EDas
 sso-session-max=Tiempo m\u00E1ximo sesi\u00F3n SSO
 sso-session-idle.tooltip=Tiempo m\u00E1ximo que una sesi\u00F3n puede estar inactiva antes de que expire. Los tokens y sesiones de navegador son invalidadas cuando la sesi\u00F3n expira.
-sso-session-max.tooltip=Tiempo m\u00E1ximo antes de que una sesi\u00F3n expire. Los tokesn y sesiones de navegador son invalidados cuando una sesi\u00F3n expira.
+sso-session-max.tooltip=Tiempo m\u00E1ximo antes de que una sesi\u00F3n expire. Los tokens y sesiones de navegador son invalidados cuando una sesi\u00F3n expira.
 offline-session-idle=Inactividad de sesi\u00F3n sin conexi\u00F3n
 offline-session-idle.tooltip=Tiempo m\u00E1ximo inactivo de una sesi\u00F3n sin conexi\u00F3n antes de que expire. Necesitas usar un token sin conexi\u00F3n para refrescar al menos una vez dentro de este periodo, en otro caso la sesi\u00F3n sin conexi\u00F3n expirar\u00E1.
 access-token-lifespan=Duraci\u00F3n del token de acceso
-access-token-lifespan.tooltip=Tiempo m\u00E1ximo antes de que un token de acceso expire. Se recomiena que esta valor sea corto en relaci\u00F3n al tiempo m\u00E1ximo de SSO
+access-token-lifespan.tooltip=Tiempo m\u00E1ximo antes de que un token de acceso expire. Se recomienda que este valor sea corto en relaci\u00F3n al tiempo m\u00E1ximo de SSO
 client-login-timeout=Tiempo m\u00E1ximo de autenticaci\u00F3n
-client-login-timeout.tooltip=Tiempo m\u00E1ximo que un cliente tien para finalizar el protocolo de obtenci\u00F3n del token de acceso. Deber\u00EDa ser normalmente del orden de 1 minuto.
+client-login-timeout.tooltip=Tiempo m\u00E1ximo que un cliente tiene para finalizar el protocolo de obtenci\u00F3n del token de acceso. Deber\u00EDa ser normalmente del orden de 1 minuto.
 login-timeout=Tiempo m\u00E1ximo de desconexi\u00F3n
-login-timeout.tooltip=Tiempo m\u00E1xmo que un usuario tiene para completar el inicio de sesi\u00F3n. Se recomienda que sea relativamente alto. 30 minutos o m\u00E1s.
+login-timeout.tooltip=Tiempo m\u00E1ximo que un usuario tiene para completar el inicio de sesi\u00F3n. Se recomienda que sea relativamente alto. 30 minutos o m\u00E1s.
 login-action-timeout=Tiempo m\u00E1ximo de acci\u00F3n en el inicio de sesi\u00F3n
 login-action-timeout.tooltip=Tiempo m\u00E1ximo que un usuario tiene para completar acciones relacionadas con el inicio de sesi\u00F3n, como la actualizaci\u00F3n de contrase\u00F1a o configuraci\u00F3n de TOTP. Es recomendado que sea relativamente alto. 5 minutos o m\u00E1s.
 headers=Cabeceras
 brute-force-detection=Detecci\u00F3n de ataques por fuerza bruta
 x-frame-options=X-Frame-Options
-click-label-for-info=Haz clic en el enlace de la etiqueta para obtener m\u00E1s informaci\u00F3n. El valor por defecto evita que las p\u00E1ginas sean incluidaos desde iframes externos.
+click-label-for-info=Haz clic en el enlace de la etiqueta para obtener m\u00E1s informaci\u00F3n. El valor por defecto evita que las p\u00E1ginas sean incluidas desde iframes externos.
 content-sec-policy=Content-Security-Policy
-max-login-failures=N\u00FAmero m\u00E1ximo de fallos de inicios de sesi\u00F3n
+max-login-failures=N\u00FAmero m\u00E1ximo de fallos de inicio de sesi\u00F3n
 max-login-failures.tooltip=Indica cuantos fallos se permiten antes de que se dispare una espera.
 wait-increment=Incremento de espera
 wait-increment.tooltip=Cuando se ha alcanzado el umbral de fallo, \u00BFcuanto tiempo debe estar un usuario bloqueado?
@@ -107,7 +107,7 @@ realm-tab-login=Inicio de sesi\u00F3n
 realm-tab-keys=Claves
 realm-tab-email=Email
 realm-tab-themes=Temas
-realm-tab-cache=Cache
+realm-tab-cache=Cach\u00E9
 realm-tab-tokens=Tokens
 realm-tab-security-defenses=Defensas de seguridad
 realm-tab-general=General
@@ -123,11 +123,11 @@ not-before=No antes de
 not-before.tooltip=Revocar cualquier token emitido antes de esta fecha.
 set-to-now=Fijar a ahora
 push=Push
-push.tooltip=Para cada cliente que tiene una URL de administraci\u00F3n, notificarlos the las nuevas pol\u00EDticas de revocaci\u00F3n.
+push.tooltip=Para cada cliente que tiene una URL de administraci\u00F3n, notificarlos las nuevas pol\u00EDticas de revocaci\u00F3n.
 
 #Protocol Mapper
 usermodel.prop.label=Propiedad
-usermodel.prop.tooltip=Nombre del m\u00E9todo de propiedad in la interfaz UserModel. Por ejemplo, un valor de 'email' referenciar\u00EDa al m\u00E9todo UserModel.getEmail().
+usermodel.prop.tooltip=Nombre del m\u00E9todo de propiedad en la interfaz UserModel. Por ejemplo, un valor de ''email'' referenciar\u00EDa al m\u00E9todo UserModel.getEmail().
 usermodel.attr.label=Atributo de usuario
 usermodel.attr.tooltip=Nombre del atributo de usuario almacenado que es el nombre del atributo dentro del map UserModel.attribute.
 userSession.modelNote.label=Nota sesi\u00F3n usuario
@@ -137,7 +137,7 @@ multivalued.tooltip=Indica si el atributo soporta m\u00FAltiples valores. Si est
 selectRole.label=Selecciona rol
 selectRole.tooltip=Introduce el rol en la caja de texto de la izquierda, o haz clic en este bot\u00F3n para navegar y buscar el rol que quieres.
 tokenClaimName.label=Nombre de reclamo del token
-tokenClaimName.tooltip=Nombre del reclamo a insertar en el token. Puede ser un nombre completo como 'address.street'. En este caso, se crear\u00E1 un objeto JSON anidado.
+tokenClaimName.tooltip=Nombre del reclamo a insertar en el token. Puede ser un nombre completo como ''address.street''. En este caso, se crear\u00E1 un objeto JSON anidado.
 jsonType.label=Tipo JSON de reclamaci\u00F3n
 jsonType.tooltip=El tipo de JSON que deber\u00EDa ser usado para rellenar la petici\u00F3n de JSON en el token. long, int, boolean y String son valores v\u00E1lidos
 includeInIdToken.label=A\u00F1adir al token de ID
@@ -162,21 +162,21 @@ add-client=A\u00F1adir Cliente
 select-file=Selecciona archivo
 view-details=Ver detalles
 clear-import=Limpiar importaci\u00F3n
-client-id.tooltip=Indica el identificador (ID) referenciado en URIs y tokens. Por ejemplo 'my-client'
-client.name.tooltip=Indica el nombre visible del cliente. Por ejemplo 'My Client'. Tambi\u00E9n soporta claves para vallores localizados. Por ejemplo: ${my_client}
+client-id.tooltip=Indica el identificador (ID) referenciado en URIs y tokens. Por ejemplo ''my-client''
+client.name.tooltip=Indica el nombre visible del cliente. Por ejemplo ''My Client''. Tambi\u00E9n soporta claves para valores localizados. Por ejemplo: ${my_client}
 client.enabled.tooltip=Los clientes deshabilitados no pueden iniciar una identificaci\u00F3n u obtener c\u00F3digos de acceso.
 consent-required=Consentimiento necesario
 consent-required.tooltip=Si est\u00E1 habilitado, los usuarios tienen que consentir el acceso del cliente.
 direct-grants-only=Solo permisos directos
 direct-grants-only.tooltip=Cuando est\u00E1 habilitado, el cliente solo puede obtener permisos de la API REST.
 client-protocol=Protocolo del Cliente
-client-protocol.tooltip='OpenID connect' permite a los clientes verificar la identidad del usuario final basado en la autenticaci\u00F3n realizada por un servidor de autorizaci\u00F3n. 'SAML' habilita la autenticaci\u00F3n y autorizaci\u00F3n de escenarios basados en web incluyendo cross-domain y single sign-on (SSO) y utiliza tokdne de seguridad que contienen afirmaciones para pasar informaci\u00F3n.
+client-protocol.tooltip=''OpenID connect'' permite a los clientes verificar la identidad del usuario final basado en la autenticaci\u00F3n realizada por un servidor de autorizaci\u00F3n. ''SAML'' habilita la autenticaci\u00F3n y autorizaci\u00F3n de escenarios basados en web incluyendo cross-domain y single sign-on (SSO) y utiliza tokens de seguridad que contienen afirmaciones para pasar informaci\u00F3n.
 access-type=Tipo de acceso
-access-type.tooltip=Los clientes 'Confidential' necesitan un secreto para iniciar el protocolo de identificaci\u00F3n. Los clientes 'Public' no requieren un secreto. Los clientes 'Bearer-only' son servicios web que nunca inician un login.
+access-type.tooltip=Los clientes ''Confidential'' necesitan un secreto para iniciar el protocolo de identificaci\u00F3n. Los clientes ''Public'' no requieren un secreto. Los clientes ''Bearer-only'' son servicios web que nunca inician un login.
 service-accounts-enabled=Cuentas de servicio habilitadas
-service-accounts-enabled.tooltip=Permitir autenticar este cliente contra Keycloak y recivir un token de acceso dedicado para este cliente.
+service-accounts-enabled.tooltip=Permitir autenticar este cliente contra Keycloak y recibir un token de acceso dedicado para este cliente.
 include-authnstatement=Incluir AuthnStatement
-include-authnstatement.tooltip=null
+include-authnstatement.tooltip=\u00BFDeber\u00EDa incluirse una declaraci\u00F3n especificando el m\u00E9todo y la marca de tiempo en la respuesta de inicio de sesi\u00F3n?
 sign-documents=Firmar documentos
 sign-documents.tooltip=\u00BFDeber\u00EDa el dominio firmar los documentos SAML?
 sign-assertions=Firmar aserciones
@@ -200,22 +200,22 @@ name-id-format.tooltip=El formato de NameID que se usar\u00E1 para el t\u00EDtul
 root-url=URL ra\u00EDz
 root-url.tooltip=URL ra\u00EDz a\u00F1adida a las URLs relativas
 valid-redirect-uris=URIs de redirecci\u00F3n v\u00E1lidas
-valid-redirect-uris.tooltip=Patr\u00F3n de URI v\u00E1lida para la cual un navegador puede solicitar la redirecci\u00F3n tras un inicio o cierre de sesi\u00F3n completado. Se permiten comodines simples p.ej. 'http://example.com/*'. Tambi\u00E9n se pueden indicar rutas relativas p.ej. '/my/relative/path/*'. Las rutas relativas generar\u00E1n una URI de redirecci\u00F3n usando el host y puerto de la petici\u00F3n. Para SAML, se deben fijar patrones de URI v\u00E1lidos si quieres confiar en la URL del servicio del consumidor indicada en la petici\u00F3n de inicio de sesi\u00F3n.
+valid-redirect-uris.tooltip=Patr\u00F3n de URI v\u00E1lida para la cual un navegador puede solicitar la redirecci\u00F3n tras un inicio o cierre de sesi\u00F3n completado. Se permiten comodines simples p.ej. ''http://example.com/*''. Tambi\u00E9n se pueden indicar rutas relativas p.ej. ''/my/relative/path/*''. Las rutas relativas generar\u00E1n una URI de redirecci\u00F3n usando el host y puerto de la petici\u00F3n. Para SAML, se deben fijar patrones de URI v\u00E1lidos si quieres confiar en la URL del servicio del consumidor indicada en la petici\u00F3n de inicio de sesi\u00F3n.
 base-url.tooltip=URL por defecto para usar cuando el servidor de autorizaci\u00F3n necesita redirigir o enviar de vuelta al cliente.
 admin-url=URL de administraci\u00F3n
 admin-url.tooltip=URL a la interfaz de administraci\u00F3n del cliente. Fija este valor si el cliente soporta el adaptador de REST. Esta API REST permite al servidor de autenticaci\u00F3n enviar al cliente pol\u00EDticas de revocaci\u00F3n y otras tareas administrativas. Normalment se fija a la URL base del cliente.
 master-saml-processing-url=URL principal de procesamiento SAML
 master-saml-processing-url.tooltip=Si est\u00E1 configurada, esta URL se usar\u00E1 para cada enlace al proveedor del servicio del consumidor de aserciones y servicios de desconexi\u00F3n \u00FAnicos. Puede ser sobreescrito de forma individual para cada enlace y servicio en el punto final de configuraci\u00F3n fina de SAML.
 idp-sso-url-ref=Nombre de la URL de un SSO iniciado por el IDP
-idp-sso-url-ref.tooltip=Nombre del fragmento de la URL para referenciar al cliente cuando quieres un SSO iniciado por el IDP. Dejanto esto vac\u00EDo deshabilita los SSO iniciados por el IDP. La URL referenciada desde el navegador ser\u00E1: {server-root}/realms/{realm}/protocol/saml/clients/{client-url-name}
+idp-sso-url-ref.tooltip=Nombre del fragmento de la URL para referenciar al cliente cuando quieres un SSO iniciado por el IDP. Dejando esto vac\u00EDo deshabilita los SSO iniciados por el IDP. La URL referenciada desde el navegador ser\u00E1: {server-root}/realms/{realm}/protocol/saml/clients/{client-url-name}
 idp-sso-relay-state=Estado de retransmisi\u00F3n de un SSO iniciado por el IDP
-idp-sso-relay-state.tooltip=Estado de retransmisi\u00F3n que quiees enviar con una petici\u00F3n SAML cuando se inicia un SSO inidicado por el IDP
-web-origins=Origenes web
-web-origins.tooltip=Origenes CORS permitidos. Para permitir todos los or\u00EDgenes de URIs de redirecci\u00F3n v\u00E1lidas a\u00F1ade '+'. Para permitir todos los or\u00EDgenes a\u00F1ade '*'.
+idp-sso-relay-state.tooltip=Estado de retransmisi\u00F3n que quieres enviar con una petici\u00F3n SAML cuando se inicia un SSO iniciado por el IDP
+web-origins=Or\u00EDgenes web
+web-origins.tooltip=Or\u00EDgenes CORS permitidos. Para permitir todos los or\u00EDgenes de URIs de redirecci\u00F3n v\u00E1lidas a\u00F1ade ''+''. Para permitir todos los or\u00EDgenes a\u00F1ade ''*''.
 fine-saml-endpoint-conf=Fine Grain SAML Endpoint Configuration
 fine-saml-endpoint-conf.tooltip=Expande esta secci\u00F3n para configurar las URL exactas para Assertion Consumer y Single Logout Service.
 assertion-consumer-post-binding-url=Assertion Consumer Service POST Binding URL
-assertion-consumer-post-binding-url.tooltip=SAML POST Binding URL for the client's assertion consumer service (login responses).  You can leave this blank if you do not have a URL for this binding.
+assertion-consumer-post-binding-url.tooltip=SAML POST Binding URL for the client''s assertion consumer service (login responses).  You can leave this blank if you do not have a URL for this binding.
 assertion-consumer-redirect-binding-url=Assertion Consumer Service Redirect Binding URL
 assertion-consumer-redirect-binding-url.tooltip=Assertion Consumer Service Redirect Binding URL
 logout-service-binding-post-url=URL de enlace SAML POST para la desconexi\u00F3n
@@ -252,7 +252,7 @@ client-authenticator=Cliente autenticador
 client-authenticator.tooltip=Cliente autenticador usado para autenticar este cliente contra el servidor Keycloak
 certificate.tooltip=Certificado de clinete para validar los JWT emitidos por este cliente y firmados con la clave privada del cliente de tu almac\u00E9n de claves.
 no-client-certificate-configured=No se ha configurado el certificado de cliente
-gen-new-keys-and-cert=Genearr nuevas claves y certificado
+gen-new-keys-and-cert=Generar nuevas claves y certificado
 import-certificate=Importar Certificado
 gen-client-private-key=Generar clave privada de cliente
 generate-private-key=Generar clave privada
@@ -278,7 +278,7 @@ no-client-roles-available=No hay roles de cliente disponibles
 scope-param-required=Par\u00E1metro de \u00E1mbito obligatorio
 scope-param-required.tooltip=Este rol solo ser\u00E1 concedido si el par\u00E1metro de \u00E1mbito con el nombre del rol es usado durante la petici\u00F3n de autorizaci\u00F3n/obtenci\u00F3n de token.
 composite-roles=Roles compuestos
-composite-roles.tooltip=Cuanto este rol es asignado/desasignado a un usuario cualquier rol asociado con \u00E9l ser\u00E1 asignado/desasignado de forma impl\u00EDcita.
+composite-roles.tooltip=Cuando este rol es asignado/desasignado a un usuario cualquier rol asociado con \u00E9l ser\u00E1 asignado/desasignado de forma impl\u00EDcita.
 realm-roles=Roles de dominio
 available-roles=Roles Disponibles
 add-selected=A\u00F1adir seleccionado
@@ -317,7 +317,7 @@ test-cluster-availability=Probar disponibilidad del cluster
 last-registration=\u00DAltimo registro
 node-host=Host del nodo
 no-registered-cluster-nodes=No hay nodos de cluster registrados disponibles
-cluster-nodes=Nodos de cluster
+cluster-nodes=Nodos de cl\u00FAster
 add-node=A\u00F1adir Nodo
 active-sessions.tooltip=N\u00FAmero total de sesiones activas para este cliente.
 show-sessions=Mostrar sesiones
@@ -362,7 +362,7 @@ protocol=Protocolo
 protocol.tooltip=Protocolo.
 id=ID
 mapper.name.tooltip=Nombre del asignador.
-mapper.consent-required.tooltip=Cuando se concede acceso temporal, \u00BFes necesario el consentimiento del usuario para proporcinar estos datos al cliente cliente?
+mapper.consent-required.tooltip=Cuando se concede acceso temporal, \u00BFes necesario el consentimiento del usuario para proporcinar estos datos al cliente?
 consent-text=Texto del consentimiento
 consent-text.tooltip=Texto para mostrar en la p\u00E1gina de consentimiento.
 mapper-type=Tipo de asignador
@@ -381,14 +381,14 @@ identity-provider.enabled.tooltip=Habilita/deshabilita este proveedor de identid
 authenticate-by-default=Autenticar por defecto
 identity-provider.authenticate-by-default.tooltip=Indica si este proveedor deber\u00EDa ser probado por defecto para autenticacaci\u00F3n incluso antes de mostrar la p\u00E1gina de inicio de sesi\u00F3n.
 store-tokens=Almacenar tokens
-identity-provider.store-tokens.tooltip=Hablitar/deshabilitar si los tokens deben ser almacenados despu\u00E9s de autenticar a los usuarios.
+identity-provider.store-tokens.tooltip=Habiltar/deshabilitar si los tokens deben ser almacenados despu\u00E9s de autenticar a los usuarios.
 stored-tokens-readable=Tokens almacenados legibles
-identity-provider.stored-tokens-readable.tooltip=Habilitar/deshabilitar is los nuevos usuarios pueden leear los tokens almacenados. Esto asigna el rol 'broker.read-token'.
+identity-provider.stored-tokens-readable.tooltip=Habilitar/deshabilitar si los nuevos usuarios pueden leer los tokens almacenados. Esto asigna el rol ''broker.read-token''.
 update-profile-on-first-login=Actualizar perfil en el primer inicio de sesi\u00F3n
 on=Activado
 on-missing-info=Si falta informaci\u00F3n
 off=Desactivado
-update-profile-on-first-login.tooltip=Define condiciones bajos las cuales un usuario tiene que actualizar su perfil durante el primer inicio de sesi\u00F3n.
+update-profile-on-first-login.tooltip=Define condiciones bajo las cuales un usuario tiene que actualizar su perfil durante el primer inicio de sesi\u00F3n.
 trust-email=Confiar en el email
 trust-email.tooltip=Si est\u00E1 habilitado, el email recibido de este proveedor no se verificar\u00E1 aunque la verificaci\u00F3n est\u00E9 habilitada para el dominio.
 gui-order.tooltip=N\u00FAmero que define el orden del proveedor en la interfaz gr\u00E1fica (GUI) (ej. en la p\u00E1gina de inicio de sesi\u00F3n)
@@ -403,7 +403,7 @@ identity-provider.logout-url.tooltip=Punto de cierre de sesi\u00F3n para usar en
 backchannel-logout=Backchannel Logout
 backchannel-logout.tooltip=Does the external IDP support backchannel logout?
 user-info-url=URL de informaci\u00F3n de usuario
-user-info-url.tooltip=.La URL de informaci\u00F3n de usuario. Opcional
+user-info-url.tooltip=La URL de informaci\u00F3n de usuario. Opcional.
 identity-provider.client-id.tooltip=El cliente o identificador de cliente registrado en el proveedor de identidad.
 client-secret=Secreto de Cliente
 show-secret=Mostrar secreto
@@ -412,7 +412,7 @@ client-secret.tooltip=El cliente o el secreto de cliente registrado en el provee
 issuer=Emisor
 issuer.tooltip=El identificador del emisor para el emisor de la respuesta. Si no se indica, no se realizar\u00E1 ninguna validaci\u00F3n.
 default-scopes=\u00C1mbitos por defecto
-identity-provider.default-scopes.tooltip=Los \u00E1mbitos que se enviar\u00E1n cuando se solicite autorizaci\u00F3n. Puede ser una lista de \u00E1mbitos separados por espacios. El valor por defecto es 'openid'.
+identity-provider.default-scopes.tooltip=Los \u00E1mbitos que se enviar\u00E1n cuando se solicite autorizaci\u00F3n. Puede ser una lista de \u00E1mbitos separados por espacios. El valor por defecto es ''openid''.
 prompt=Prompt
 unspecified.option=no especificado
 none.option=ninguno
@@ -431,7 +431,7 @@ identity-provider.import-from-url.tooltip=Importar metadatos desde un descriptor
 import-from-file=Importar desde archivo
 identity-provider.import-from-file.tooltip=Importar metadatos desde un descriptor de un proveedor de identidad (IDP) descargado.
 saml-config=Configuraci\u00F3n SAML
-identity-provider.saml-config.tooltip=Configurci\u00F3n de proveedor SAML e IDP externo
+identity-provider.saml-config.tooltip=Configuraci\u00F3n de proveedor SAML e IDP externo
 single-signon-service-url=URL de servicio de conexi\u00F3n \u00FAnico (SSO)
 saml.single-signon-service-url.tooltip=La URL que debe ser usada para enviar peticiones de autenticaci\u00F3n (SAML AuthnRequest).
 single-logout-service-url=URL de servicio de desconexi\u00F3n \u00FAnico
@@ -441,7 +441,7 @@ nameid-policy-format.tooltip=Indica la referencia a la URI correspondiente a un 
 http-post-binding-response=HTTP-POST enlace de respuesta
 http-post-binding-response.tooltip=Indica si se reponde a las peticiones usando HTTP-POST. Si no est\u00E1 activado, se usa HTTP-REDIRECT. 
 http-post-binding-for-authn-request=HTTP-POST para AuthnRequest
-http-post-binding-for-authn-request.tooltip=Indica si AuthnRequest debe ser envianda usando HTTP-POST. Si no est\u00E1 activado se hace HTTP-REDIRECT.
+http-post-binding-for-authn-request.tooltip=Indica si AuthnRequest debe ser enviada usando HTTP-POST. Si no est\u00E1 activado se hace HTTP-REDIRECT.
 want-authn-requests-signed=Firmar AuthnRequests
 want-authn-requests-signed.tooltip=Indica si el proveedor de identidad espera recibir firmadas las AuthnRequest.
 force-authentication=Forzar autenticaci\u00F3n
@@ -463,4 +463,4 @@ realm=Dominio
 identity-provider-mappers=Asignadores de proveedores de identidad (IDP)
 create-identity-provider-mapper=Crear asignador de proveedor de identidad (IDP)
 add-identity-provider-mapper=A\u00F1adir asignador de proveedor de identidad
-client.description.tooltip=Indica la descripci\u00F3n del cliente. Por ejemplo 'My Client for TimeSheets'. Tambi\u00E9n soporta claves para valores localizzados. Por ejemplo: ${my_client_description}
+client.description.tooltip=Indica la descripci\u00F3n del cliente. Por ejemplo ''My Client for TimeSheets''. Tambi\u00E9n soporta claves para valores localizados. Por ejemplo: ${my_client_description}

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/messages/messages_ca.properties b/forms/common-themes/src/main/resources/theme/base/admin/messages/messages_ca.properties
new file mode 100644
index 0000000..50aa0a0
--- /dev/null
+++ b/forms/common-themes/src/main/resources/theme/base/admin/messages/messages_ca.properties
@@ -0,0 +1,8 @@
+invalidPasswordHistoryMessage=Contrasenya incorrecta: no pot ser igual a cap de les \u00FAltimes {0} contrasenyes.
+invalidPasswordMinDigitsMessage=Contrase\u00F1a incorrecta: debe contener al menos {0} caracteres num\u00E9ricos.
+invalidPasswordMinLengthMessage=Contrasenya incorrecta: longitud m\u00EDnima {0}.
+invalidPasswordMinLowerCaseCharsMessage=Contrasenya incorrecta: ha de contenir almenys {0} lletres min\u00FAscules.
+invalidPasswordMinSpecialCharsMessage=Contrasenya incorrecta: ha de contenir almenys {0} car\u00E0cters especials.
+invalidPasswordMinUpperCaseCharsMessage=Contrasenya incorrecta: ha de contenir almenys {0} lletres maj\u00FAscules.
+invalidPasswordNotUsernameMessage=Contrasenya incorrecta: no pot ser igual al nom d''usuari.
+invalidPasswordRegexPatternMessage=Contrasenya incorrecta: no compleix l''expressi\u00F3 regular.

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/messages/messages_es.properties b/forms/common-themes/src/main/resources/theme/base/admin/messages/messages_es.properties
index b5b7ca8..70e3d73 100644
--- a/forms/common-themes/src/main/resources/theme/base/admin/messages/messages_es.properties
+++ b/forms/common-themes/src/main/resources/theme/base/admin/messages/messages_es.properties
@@ -1,6 +1,6 @@
 invalidPasswordMinLengthMessage=Contrase\u00F1a incorrecta: longitud m\u00EDnima {0}.
 invalidPasswordMinLowerCaseCharsMessage=Contrase\u00F1a incorrecta: debe contener al menos {0} letras min\u00FAsculas.
-invalidPasswordMinDigitsMessage=Contrase\u00F1a incorrecta: debe contaner al menos {0} caracteres num\u00E9ricos.
+invalidPasswordMinDigitsMessage=Contrase\u00F1a incorrecta: debe contener al menos {0} caracteres num\u00E9ricos.
 invalidPasswordMinUpperCaseCharsMessage=Contrase\u00F1a incorrecta: debe contener al menos {0} letras may\u00FAsculas.
 invalidPasswordMinSpecialCharsMessage=Contrase\u00F1a incorrecta: debe contener al menos {0} caracteres especiales.
 invalidPasswordNotUsernameMessage=Contrase\u00F1a incorrecta: no puede ser igual al nombre de usuario.

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/app.js b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/app.js
index fe74ff2..bfbcee9 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/app.js
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/app.js
@@ -176,6 +176,27 @@ module.config([ '$routeProvider', function($routeProvider) {
             },
             controller : 'RealmTokenDetailCtrl'
         })
+        .when('/realms/:realm/client-initial-access', {
+            templateUrl : resourceUrl + '/partials/client-initial-access.html',
+            resolve : {
+                realm : function(RealmLoader) {
+                    return RealmLoader();
+                },
+                clientInitialAccess : function(ClientInitialAccessLoader) {
+                    return ClientInitialAccessLoader();
+                }
+            },
+            controller : 'ClientInitialAccessCtrl'
+        })
+        .when('/realms/:realm/client-initial-access/create', {
+            templateUrl : resourceUrl + '/partials/client-initial-access-create.html',
+            resolve : {
+                realm : function(RealmLoader) {
+                    return RealmLoader();
+                }
+            },
+            controller : 'ClientInitialAccessCreateCtrl'
+        })
         .when('/realms/:realm/keys-settings', {
             templateUrl : resourceUrl + '/partials/realm-keys.html',
             resolve : {
@@ -676,6 +697,18 @@ module.config([ '$routeProvider', function($routeProvider) {
             },
             controller : 'GroupRoleMappingCtrl'
         })
+        .when('/realms/:realm/default-groups', {
+            templateUrl : resourceUrl + '/partials/default-groups.html',
+            resolve : {
+                realm : function(RealmLoader) {
+                    return RealmLoader();
+                },
+                groups : function(GroupListLoader) {
+                    return GroupListLoader();
+                }
+            },
+            controller : 'DefaultGroupsCtrl'
+        })
 
 
         .when('/create/role/:realm/clients/:client', {
@@ -1974,6 +2007,15 @@ module.directive('kcTabsGroup', function () {
     }
 });
 
+module.directive('kcTabsGroupList', function () {
+    return {
+        scope: true,
+        restrict: 'E',
+        replace: true,
+        templateUrl: resourceUrl + '/templates/kc-tabs-group-list.html'
+    }
+});
+
 module.directive('kcTabsClient', function () {
     return {
         scope: true,

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js
index 971b0c4..11bb11b 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js
@@ -799,13 +799,75 @@ module.controller('ClientDetailCtrl', function($scope, realm, client, $route, se
         } else if ($scope.client.attributes['saml_name_id_format'] == 'persistent') {
             $scope.nameIdFormat = $scope.nameIdFormats[3];
         }
+        if ($scope.client.attributes["saml.server.signature"]) {
+            if ($scope.client.attributes["saml.server.signature"] == "true") {
+                $scope.samlServerSignature = true;
+            } else {
+                $scope.samlServerSignature = false;
+
+            }
+        }
+        if ($scope.client.attributes["saml.assertion.signature"]) {
+            if ($scope.client.attributes["saml.assertion.signature"] == "true") {
+                $scope.samlAssertionSignature = true;
+            } else {
+                $scope.samlAssertionSignature = false;
+            }
+        }
+        if ($scope.client.attributes["saml.client.signature"]) {
+            if ($scope.client.attributes["saml.client.signature"] == "true") {
+                $scope.samlClientSignature = true;
+            } else {
+                $scope.samlClientSignature = false;
+            }
+        }
+        if ($scope.client.attributes["saml.encrypt"]) {
+            if ($scope.client.attributes["saml.encrypt"] == "true") {
+                $scope.samlEncrypt = true;
+            } else {
+                $scope.samlEncrypt = false;
+            }
+        }
+        if ($scope.client.attributes["saml.authnstatement"]) {
+            if ($scope.client.attributes["saml.authnstatement"] == "true") {
+                $scope.samlAuthnStatement = true;
+            } else {
+                $scope.samlAuthnStatement = false;
+            }
+        }
+        if ($scope.client.attributes["saml_force_name_id_format"]) {
+            if ($scope.client.attributes["saml_force_name_id_format"] == "true") {
+                $scope.samlForceNameIdFormat = true;
+            } else {
+                $scope.samlForceNameIdFormat = false;
+            }
+        }
+        if ($scope.client.attributes["saml.multivalued.roles"]) {
+            if ($scope.client.attributes["saml.multivalued.roles"] == "true") {
+                $scope.samlMultiValuedRoles = true;
+            } else {
+                $scope.samlMultiValuedRoles = false;
+            }
+        }
+        if ($scope.client.attributes["saml.force.post.binding"]) {
+            if ($scope.client.attributes["saml.force.post.binding"] == "true") {
+                $scope.samlForcePostBinding = true;
+            } else {
+                $scope.samlForcePostBinding = false;
+            }
+        }
     }
 
     if (!$scope.create) {
         $scope.client = angular.copy(client);
         updateProperties();
     } else {
-        $scope.client = { enabled: true, attributes: {}};
+        $scope.client = {
+            enabled: true,
+            standardFlowEnabled: true,
+            directAccessGrantsEnabled: true,
+            attributes: {}
+        };
         $scope.client.attributes['saml_signature_canonicalization_method'] = $scope.canonicalization[0].value;
         $scope.client.redirectUris = [];
         $scope.accessType = $scope.accessTypes[0];
@@ -816,63 +878,6 @@ module.controller('ClientDetailCtrl', function($scope, realm, client, $route, se
         $scope.samlForceNameIdFormat = false;
     }
 
-    if ($scope.client.attributes["saml.server.signature"]) {
-        if ($scope.client.attributes["saml.server.signature"] == "true") {
-            $scope.samlServerSignature = true;
-        } else {
-            $scope.samlServerSignature = false;
-
-        }
-    }
-    if ($scope.client.attributes["saml.assertion.signature"]) {
-        if ($scope.client.attributes["saml.assertion.signature"] == "true") {
-            $scope.samlAssertionSignature = true;
-        } else {
-            $scope.samlAssertionSignature = false;
-        }
-    }
-    if ($scope.client.attributes["saml.client.signature"]) {
-        if ($scope.client.attributes["saml.client.signature"] == "true") {
-            $scope.samlClientSignature = true;
-        } else {
-            $scope.samlClientSignature = false;
-        }
-    }
-    if ($scope.client.attributes["saml.encrypt"]) {
-        if ($scope.client.attributes["saml.encrypt"] == "true") {
-            $scope.samlEncrypt = true;
-        } else {
-            $scope.samlEncrypt = false;
-        }
-    }
-    if ($scope.client.attributes["saml.authnstatement"]) {
-        if ($scope.client.attributes["saml.authnstatement"] == "true") {
-            $scope.samlAuthnStatement = true;
-        } else {
-            $scope.samlAuthnStatement = false;
-        }
-    }
-    if ($scope.client.attributes["saml_force_name_id_format"]) {
-        if ($scope.client.attributes["saml_force_name_id_format"] == "true") {
-            $scope.samlForceNameIdFormat = true;
-        } else {
-            $scope.samlForceNameIdFormat = false;
-        }
-    }
-    if ($scope.client.attributes["saml.multivalued.roles"]) {
-        if ($scope.client.attributes["saml.multivalued.roles"] == "true") {
-            $scope.samlMultiValuedRoles = true;
-        } else {
-            $scope.samlMultiValuedRoles = false;
-        }
-    }
-    if ($scope.client.attributes["saml.force.post.binding"]) {
-        if ($scope.client.attributes["saml.force.post.binding"] == "true") {
-            $scope.samlForcePostBinding = true;
-        } else {
-            $scope.samlForcePostBinding = false;
-        }
-    }
 
     $scope.importFile = function(fileContent){
         console.debug(fileContent);
@@ -1039,7 +1044,7 @@ module.controller('ClientDetailCtrl', function($scope, realm, client, $route, se
         $scope.client.attributes['saml.signature.algorithm'] = $scope.signatureAlgorithm;
         $scope.client.attributes['saml_name_id_format'] = $scope.nameIdFormat;
 
-        if ($scope.client.protocol != 'saml' && !$scope.client.bearerOnly && !$scope.client.directGrantsOnly && (!$scope.client.redirectUris || $scope.client.redirectUris.length == 0)) {
+        if ($scope.client.protocol != 'saml' && !$scope.client.bearerOnly && ($scope.client.standardFlowEnabled || $scope.client.implicitFlowEnabled) && (!$scope.client.redirectUris || $scope.client.redirectUris.length == 0)) {
             Notifications.error("You must specify at least one redirect uri");
         } else {
             if ($scope.create) {

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/groups.js b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/groups.js
index 4e3b986..00c8e93 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/groups.js
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/groups.js
@@ -8,6 +8,7 @@ module.controller('GroupListCtrl', function($scope, $route, realm, groups, Group
     $scope.tree = [];
 
     $scope.edit = function(selected) {
+        if (selected.id == 'realm') return;
         $location.url("/realms/" + realm.realm + "/groups/" + selected.id);
     }
 
@@ -23,6 +24,7 @@ module.controller('GroupListCtrl', function($scope, $route, realm, groups, Group
     $scope.paste = function(selected) {
         if (selected == null) return;
         if ($scope.cutNode == null) return;
+        if (selected.id == $scope.cutNode.id) return;
         if (selected.id == 'realm') {
             Groups.save({realm: realm.realm}, {id:$scope.cutNode.id}, function() {
                 $route.reload();
@@ -95,7 +97,7 @@ module.controller('GroupCreateCtrl', function($scope, $route, realm, parentId, G
         console.log('save!!!');
         if (parentId == 'realm') {
             console.log('realm')
-            Groups.save({realm: realm.realm, groupId: parentId}, $scope.group, function(data, headers) {
+            Groups.save({realm: realm.realm}, $scope.group, function(data, headers) {
                 var l = headers().location;
 
 
@@ -323,7 +325,7 @@ module.controller('GroupRoleMappingCtrl', function($scope, $http, realm, group, 
 module.controller('GroupMembersCtrl', function($scope, realm, group, GroupMembership) {
     $scope.realm = realm;
     $scope.page = 0;
-
+    $scope.group = group;
 
     $scope.query = {
         realm: realm.realm,
@@ -366,3 +368,63 @@ module.controller('GroupMembersCtrl', function($scope, realm, group, GroupMember
 
 });
 
+module.controller('DefaultGroupsCtrl', function($scope, $route, realm, groups, DefaultGroups, Notifications, $location, Dialog) {
+    $scope.realm = realm;
+    $scope.groupList = groups;
+    $scope.selectedGroup = null;
+    $scope.tree = [];
+
+    DefaultGroups.query({realm: realm.realm}, function(data) {
+        $scope.defaultGroups = data;
+
+    });
+
+    $scope.addDefaultGroup = function() {
+        if (!$scope.tree.currentNode) {
+            Notifications.error('Please select a group to add');
+            return;
+        };
+
+        DefaultGroups.update({realm: realm.realm, groupId: $scope.tree.currentNode.id}, function() {
+            Notifications.success('Added default group');
+            $route.reload();
+        });
+
+    };
+
+    $scope.removeDefaultGroup = function() {
+        DefaultGroups.remove({realm: realm.realm, groupId: $scope.selectedGroup.id}, function() {
+            Notifications.success('Removed default group');
+            $route.reload();
+        });
+
+    };
+
+    var isLeaf = function(node) {
+        return node.id != "realm" && (!node.subGroups || node.subGroups.length == 0);
+    };
+
+    $scope.getGroupClass = function(node) {
+        if (node.id == "realm") {
+            return 'pficon pficon-users';
+        }
+        if (isLeaf(node)) {
+            return 'normal';
+        }
+        if (node.subGroups.length && node.collapsed) return 'collapsed';
+        if (node.subGroups.length && !node.collapsed) return 'expanded';
+        return 'collapsed';
+
+    }
+
+    $scope.getSelectedClass = function(node) {
+        if (node.selected) {
+            return 'selected';
+        } else if ($scope.cutNode && $scope.cutNode.id == node.id) {
+            return 'cut';
+        }
+        return undefined;
+    }
+
+});
+

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
index 6cd5bea..a66e205 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
@@ -327,6 +327,8 @@ module.controller('RealmLoginSettingsCtrl', function($scope, Current, Realm, rea
 });
 
 module.controller('RealmOtpPolicyCtrl', function($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications) {
+    $scope.optionsDigits = [ 6, 8 ];
+
     genericRealmUpdate($scope, Current, Realm, realm, serverInfo, $http, $location, Dialog, Notifications, "/realms/" + realm.realm + "/authentication/otp-policy");
 });
 
@@ -337,7 +339,7 @@ module.controller('RealmThemeCtrl', function($scope, Current, Realm, realm, serv
     $scope.supportedLocalesOptions = {
         'multiple' : true,
         'simple_tags' : true,
-        'tags' : ['en', 'de', 'pt-BR', 'it', 'es']
+        'tags' : ['en', 'de', 'pt-BR', 'it', 'es', 'ca']
     };
 
     $scope.$watch('realm.supportedLocales', function(oldVal, newVal) {
@@ -897,6 +899,12 @@ module.controller('RealmTokenDetailCtrl', function($scope, Realm, realm, $http, 
         $scope.realm.accessTokenLifespan = TimeUnit.convert($scope.realm.accessTokenLifespan, from, to);
     });
 
+    $scope.realm.accessTokenLifespanForImplicitFlowUnit = TimeUnit.autoUnit(realm.accessTokenLifespanForImplicitFlow);
+    $scope.realm.accessTokenLifespanForImplicitFlow = TimeUnit.toUnit(realm.accessTokenLifespanForImplicitFlow, $scope.realm.accessTokenLifespanForImplicitFlowUnit);
+    $scope.$watch('realm.accessTokenLifespanForImplicitFlowUnit', function(to, from) {
+        $scope.realm.accessTokenLifespanForImplicitFlow = TimeUnit.convert($scope.realm.accessTokenLifespanForImplicitFlow, from, to);
+    });
+
     $scope.realm.ssoSessionIdleTimeoutUnit = TimeUnit.autoUnit(realm.ssoSessionIdleTimeout);
     $scope.realm.ssoSessionIdleTimeout = TimeUnit.toUnit(realm.ssoSessionIdleTimeout, $scope.realm.ssoSessionIdleTimeoutUnit);
     $scope.$watch('realm.ssoSessionIdleTimeoutUnit', function(to, from) {
@@ -945,6 +953,7 @@ module.controller('RealmTokenDetailCtrl', function($scope, Realm, realm, $http, 
     $scope.save = function() {
         var realmCopy = angular.copy($scope.realm);
         delete realmCopy["accessTokenLifespanUnit"];
+        delete realmCopy["accessTokenLifespanForImplicitFlowUnit"];
         delete realmCopy["ssoSessionMaxLifespanUnit"];
         delete realmCopy["offlineSessionIdleTimeoutUnit"];
         delete realmCopy["accessCodeLifespanUnit"];
@@ -953,6 +962,7 @@ module.controller('RealmTokenDetailCtrl', function($scope, Realm, realm, $http, 
         delete realmCopy["accessCodeLifespanLoginUnit"];
 
         realmCopy.accessTokenLifespan = TimeUnit.toSeconds($scope.realm.accessTokenLifespan, $scope.realm.accessTokenLifespanUnit)
+        realmCopy.accessTokenLifespanForImplicitFlow = TimeUnit.toSeconds($scope.realm.accessTokenLifespanForImplicitFlow, $scope.realm.accessTokenLifespanForImplicitFlowUnit)
         realmCopy.ssoSessionIdleTimeout = TimeUnit.toSeconds($scope.realm.ssoSessionIdleTimeout, $scope.realm.ssoSessionIdleTimeoutUnit)
         realmCopy.ssoSessionMaxLifespan = TimeUnit.toSeconds($scope.realm.ssoSessionMaxLifespan, $scope.realm.ssoSessionMaxLifespanUnit)
         realmCopy.offlineSessionIdleTimeout = TimeUnit.toSeconds($scope.realm.offlineSessionIdleTimeout, $scope.realm.offlineSessionIdleTimeoutUnit)
@@ -1193,7 +1203,7 @@ module.controller('RealmSMTPSettingsCtrl', function($scope, Current, Realm, real
             }
         }
 
-        obj['port'] = obj['port'].toString();
+        obj['port'] = obj['port'] && obj['port'].toString();
 
         return obj;
     }
@@ -1986,6 +1996,65 @@ module.controller('AuthenticationConfigCreateCtrl', function($scope, realm, flow
 
 });
 
+module.controller('ClientInitialAccessCtrl', function($scope, realm, clientInitialAccess, ClientInitialAccess, Dialog, Notifications, $route) {
+    $scope.realm = realm;
+    $scope.clientInitialAccess = clientInitialAccess;
+
+    $scope.remove = function(id) {
+        Dialog.confirmDelete(id, 'initial access token', function() {
+            ClientInitialAccess.remove({ realm: realm.realm, id: id }, function() {
+                Notifications.success("The initial access token was deleted.");
+                $route.reload();
+            });
+        });
+    }
+});
+
+module.controller('ClientInitialAccessCreateCtrl', function($scope, realm, ClientInitialAccess, TimeUnit, Dialog, $location, $translate) {
+    $scope.expirationUnit = 'Days';
+    $scope.expiration = TimeUnit.toUnit(0, $scope.expirationUnit);
+    $scope.count = 1;
+    $scope.realm = realm;
+
+    $scope.$watch('expirationUnit', function(to, from) {
+        $scope.expiration = TimeUnit.convert($scope.expiration, from, to);
+    });
+
+    $scope.save = function() {
+        var expiration = TimeUnit.toSeconds($scope.expiration, $scope.expirationUnit);
+        ClientInitialAccess.save({
+            realm: realm.realm
+        }, { expiration: expiration, count: $scope.count}, function (data) {
+            console.debug(data);
+            $scope.id = data.id;
+            $scope.token = data.token;
+        });
+    };
+
+    $scope.cancel = function() {
+        $location.url('/realms/' + realm.realm + '/client-initial-access');
+    };
+
+    $scope.done = function() {
+        var btns = {
+            ok: {
+                label: $translate.instant('continue'),
+                cssClass: 'btn btn-primary'
+            },
+            cancel: {
+                label: $translate.instant('cancel'),
+                cssClass: 'btn btn-default'
+            }
+        }
+
+        var title = $translate.instant('initial-access-token.confirm.title');
+        var message = $translate.instant('initial-access-token.confirm.text');
+        Dialog.open(title, message, btns, function() {
+            $location.url('/realms/' + realm.realm + '/client-initial-access');
+        });
+    };
+});
+
 
 
 

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/loaders.js b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/loaders.js
index bcd98b1..61b608f 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/loaders.js
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/loaders.js
@@ -475,6 +475,13 @@ module.factory('GroupLoader', function(Loader, Group, $route, $q) {
     });
 });
 
+module.factory('ClientInitialAccessLoader', function(Loader, ClientInitialAccess, $route) {
+    return Loader.query(ClientInitialAccess, function() {
+        return {
+            realm: $route.current.params.realm
+        }
+    });
+});
 
 
 

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/services.js b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/services.js
index 34fdc9d..4365291 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/js/services.js
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/js/services.js
@@ -102,6 +102,10 @@ module.service('Dialog', function($modal) {
         openDialog(title, message, btns, '/templates/kc-modal-message.html').then(success, cancel);
     }
 
+    dialog.open = function(title, message, btns, success, cancel) {
+        openDialog(title, message, btns, '/templates/kc-modal.html').then(success, cancel);
+    }
+
     return dialog
 });
 
@@ -138,31 +142,32 @@ module.factory('Notifications', function($rootScope, $timeout) {
 	var delay = 5000;
 
 	var notifications = {};
+    notifications.current = { display: false };
+    notifications.current.remove = function() {
+        if (notifications.scheduled) {
+            $timeout.cancel(notifications.scheduled);
+            delete notifications.scheduled;
+        }
+        delete notifications.current.type;
+        delete notifications.current.header;
+        delete notifications.current.message;
+        notifications.current.display = false;
+        console.debug("Remove message");
+    }
 
-	var scheduled = null;
-	var schedulePop = function() {
-		if (scheduled) {
-			$timeout.cancel(scheduled);
-		}
-
-		scheduled = $timeout(function() {
-			$rootScope.notification = null;
-			scheduled = null;
-		}, delay);
-	};
-
-	if (!$rootScope.notifications) {
-		$rootScope.notifications = [];
-	}
+    $rootScope.notification = notifications.current;
 
 	notifications.message = function(type, header, message) {
-		$rootScope.notification = {
-			type : type,
-			header: header,
-			message : message
-		};
+        notifications.current.type = type;
+        notifications.current.header = header;
+        notifications.current.message = message;
+        notifications.current.display = true;
 
-		schedulePop();
+        notifications.scheduled = $timeout(function() {
+            notifications.current.remove();
+        }, delay);
+
+        console.debug("Added message");
 	}
 
 	notifications.info = function(message) {
@@ -284,6 +289,13 @@ module.service('ServerInfo', function($resource, $q, $http) {
     }
 });
 
+module.factory('ClientInitialAccess', function($resource) {
+    return $resource(authUrl + '/admin/realms/:realm/clients-initial-access/:id', {
+        realm : '@realm',
+        id : '@id'
+    });
+});
+
 
 module.factory('ClientProtocolMapper', function($resource) {
     return $resource(authUrl + '/admin/realms/:realm/clients/:client/protocol-mappers/models/:id', {
@@ -1550,9 +1562,13 @@ module.factory('UserGroupMapping', function($resource) {
     });
 });
 
-
-
-
-
-
-
+module.factory('DefaultGroups', function($resource) {
+    return $resource(authUrl + '/admin/realms/:realm/default-groups/:groupId', {
+        realm : '@realm',
+        groupId : '@groupId'
+    }, {
+        update : {
+            method : 'PUT'
+        }
+    });
+});

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html
index 443cbe9..eb54741 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html
@@ -59,13 +59,6 @@
                 </div>
                 <kc-tooltip>{{:: 'consent-required.tooltip' | translate}}</kc-tooltip>
             </div>
-            <div class="form-group clearfix block">
-                <label class="col-md-2 control-label" for="directGrantsOnly">{{:: 'direct-grants-only' | translate}}</label>
-                <div class="col-sm-6">
-                    <input ng-model="client.directGrantsOnly" name="directGrantsOnly" id="directGrantsOnly" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
-                </div>
-                <kc-tooltip>{{:: 'direct-grants-only.tooltip' | translate}}</kc-tooltip>
-            </div>
             <div class="form-group">
                 <label class="col-md-2 control-label" for="protocol">{{:: 'client-protocol' | translate}}</label>
                 <div class="col-sm-6">
@@ -92,6 +85,27 @@
                 </div>
                 <kc-tooltip>{{:: 'access-type.tooltip' | translate}}</kc-tooltip>
             </div>
+            <div class="form-group" data-ng-show="protocol == 'openid-connect' && !client.bearerOnly">
+                <label class="col-md-2 control-label" for="standardFlowEnabled">{{:: 'standard-flow-enabled' | translate}}</label>
+                <kc-tooltip>{{:: 'standard-flow-enabled.tooltip' | translate}}</kc-tooltip>
+                <div class="col-md-6">
+                    <input ng-model="client.standardFlowEnabled" name="standardFlowEnabled" id="standardFlowEnabled" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+                </div>
+            </div>
+            <div class="form-group" data-ng-show="protocol == 'openid-connect' && client.publicClient && !client.bearerOnly">
+                <label class="col-md-2 control-label" for="implicitFlowEnabled">{{:: 'implicit-flow-enabled' | translate}}</label>
+                <kc-tooltip>{{:: 'implicit-flow-enabled.tooltip' | translate}}</kc-tooltip>
+                <div class="col-md-6">
+                    <input ng-model="client.implicitFlowEnabled" name="implicitFlowEnabled" id="implicitFlowEnabled" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+                </div>
+            </div>
+            <div class="form-group" data-ng-show="protocol == 'openid-connect' && !client.bearerOnly">
+                <label class="col-md-2 control-label" for="directAccessGrantsEnabled">{{:: 'direct-access-grants-enabled' | translate}}</label>
+                <kc-tooltip>{{:: 'direct-access-grants-enabled.tooltip' | translate}}</kc-tooltip>
+                <div class="col-md-6">
+                    <input ng-model="client.directAccessGrantsEnabled" name="directAccessGrantsEnabled" id="directAccessGrantsEnabled" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+                </div>
+            </div>
             <div class="form-group" data-ng-show="protocol == 'openid-connect' && !client.publicClient && !client.bearerOnly">
                 <label class="col-md-2 control-label" for="serviceAccountsEnabled">{{:: 'service-accounts-enabled' | translate}}</label>
                 <kc-tooltip>{{:: 'service-accounts-enabled.tooltip' | translate}}</kc-tooltip>
@@ -202,7 +216,7 @@
                 <kc-tooltip>{{:: 'root-url.tooltip' | translate}}</kc-tooltip>
             </div>
 
-            <div class="form-group clearfix block" data-ng-hide="client.bearerOnly || client.directGrantsOnly">
+            <div class="form-group clearfix block" data-ng-hide="client.bearerOnly || (!client.standardFlowEnabled && !client.implicitFlowEnabled)">
                 <label class="col-md-2 control-label" for="newRedirectUri"><span class="required" data-ng-show="protocol != 'saml'">*</span> {{:: 'valid-redirect-uris' | translate}}</label>
 
                 <div class="col-sm-6">

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-initial-access.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-initial-access.html
new file mode 100755
index 0000000..7b7c90e
--- /dev/null
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-initial-access.html
@@ -0,0 +1,52 @@
+<div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2">
+    <kc-tabs-realm></kc-tabs-realm>
+
+    <table class="table table-striped table-bordered">
+        <thead>
+        <tr>
+            <th class="kc-table-actions" colspan="6">
+                <div class="form-inline">
+                    <div class="form-group">
+                        <div class="input-group">
+                            <input type="text" placeholder="{{:: 'search.placeholder' | translate}}" data-ng-model="search.id" class="form-control search" onkeyup="if(event.keyCode == 13){$(this).next('I').click();}">
+                            <div class="input-group-addon">
+                                <i class="fa fa-search" type="submit"></i>
+                            </div>
+                        </div>
+                    </div>
+
+                    <div class="pull-right" data-ng-show="access.manageRealm">
+                        <a id="createClient" class="btn btn-default" href="#/realms/{{realm.realm}}/client-initial-access/create">{{:: 'create' | translate}}</a>
+                    </div>
+                </div>
+            </th>
+        </tr>
+        <tr data-ng-hide="clients.length == 0">
+            <th>{{:: 'id' | translate}}</th>
+            <th>{{:: 'created' | translate}}</th>
+            <th>{{:: 'expires' | translate}}</th>
+            <th>{{:: 'count' | translate}}</th>
+            <th>{{:: 'remainingCount' | translate}}</th>
+            <th>{{:: 'actions' | translate}}</th>
+        </tr>
+        </thead>
+        <tbody>
+        <tr ng-repeat="ia in clientInitialAccess | filter:search | orderBy:'timestamp'">
+            <td>{{ia.id}}</td>
+            <td>{{(ia.timestamp * 1000)|date:'shortDate'}}&nbsp;{{(ia.timestamp * 1000)|date:'mediumTime'}}</td>
+            <td><span data-ng-show="ia.expiration > 0">{{((ia.timestamp + ia.expiration) * 1000)|date:'shortDate'}}&nbsp;{{((ia.timestamp + ia.expiration) * 1000)|date:'mediumTime'}}</span></td>
+            <td>{{ia.count}}</td>
+            <td>{{ia.remainingCount}}</td>
+            <td class="kc-action-cell">
+                <button class="btn btn-default btn-block btn-sm" data-ng-click="remove(ia.id)">{{:: 'delete' | translate}}</button>
+            </td>
+        </tr>
+        <tr data-ng-show="(clients | filter:search).length == 0">
+            <td class="text-muted" colspan="3" data-ng-show="search.clientId">{{:: 'no-results' | translate}}</td>
+            <td class="text-muted" colspan="3" data-ng-hide="search.clientId">{{:: 'no-clients-available' | translate}}</td>
+        </tr>
+        </tbody>
+    </table>
+</div>
+
+<kc-menu></kc-menu>
\ No newline at end of file

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-initial-access-create.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-initial-access-create.html
new file mode 100755
index 0000000..ef54939
--- /dev/null
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-initial-access-create.html
@@ -0,0 +1,63 @@
+<div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2">
+
+    <ol class="breadcrumb">
+        <li><a href="#/realms/{{realm.realm}}/client-initial-access">{{:: 'initial-access-tokens' | translate}}</a></li>
+        <li>{{:: 'add-initial-access-tokens' | translate}}</li>
+    </ol>
+
+    <h1 data-ng-show="create">{{:: 'add-client' | translate}}</h1>
+
+    <form class="form-horizontal" name="createForm" novalidate kc-read-only="!access.manageRealm" data-ng-hide="token">
+
+        <div class="form-group">
+            <label class="col-md-2 control-label" for="expiration">{{:: 'expiration' | translate}}</label>
+
+            <div class="col-md-6 time-selector">
+                <input class="form-control" type="number" required min="0" max="31536000" data-ng-model="expiration" id="expiration"
+                       name="expiration"/>
+                <select class="form-control" name="expirationUnit" data-ng-model="expirationUnit">
+                    <option data-ng-selected="!expirationUnit" value="Seconds">{{:: 'seconds' | translate}}</option>
+                    <option value="Minutes">{{:: 'minutes' | translate}}</option>
+                    <option value="Hours">{{:: 'hours' | translate}}</option>
+                    <option value="Days">{{:: 'days' | translate}}</option>
+                </select>
+            </div>
+            <kc-tooltip>{{:: 'expiration.tooltip' | translate}}</kc-tooltip>
+        </div>
+
+        <div class="form-group">
+            <label class="col-md-2 control-label" for="count">{{:: 'count' | translate}} </label>
+            <div class="col-sm-6">
+                <input class="form-control" type="text" id="count" name="count" required min="1" max="100" data-ng-model="count">
+            </div>
+            <kc-tooltip>{{:: 'count.tooltip' | translate}}</kc-tooltip>
+        </div>
+
+        <div class="form-group">
+            <div class="col-md-10 col-md-offset-2" data-ng-show="access.manageRealm">
+                <button kc-save>{{:: 'save' | translate}}</button>
+                <button kc-cancel data-ng-click="cancel()">{{:: 'cancel' | translate}}</button>
+            </div>
+        </div>
+    </form>
+
+    <form name="displayForm" data-ng-show="token">
+        <div class="form-group">
+            <label for="initialAccessToken">{{:: 'initial-access-token' | translate}}</label>
+
+            <div>
+                <textarea type="text" id="initialAccessToken" name="initialAccessToken" class="form-control" rows="6" kc-select-action="click">{{token}}</textarea>
+            </div>
+
+            <kc-tooltip>{{:: 'initial-access.copyPaste.tooltip' | translate}}</kc-tooltip>
+        </div>
+
+        <div class="form-group">
+            <div>
+                <button class="btn btn-default" data-ng-click="done()">{{:: 'Back' | translate}}</button>
+            </div>
+        </div>
+    </form>
+</div>
+
+<kc-menu></kc-menu>
\ No newline at end of file

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/default-groups.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/default-groups.html
new file mode 100755
index 0000000..bcfd547
--- /dev/null
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/default-groups.html
@@ -0,0 +1,80 @@
+ <div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2">
+     <kc-tabs-group-list></kc-tabs-group-list>
+
+     <form class="form-horizontal" name="realmForm" novalidate>
+         <div class="form-group" kc-read-only="!access.manageRealm">
+             <label class="col-md-1 control-label" class="control-label"></label>
+
+             <div class="col-md-8" >
+                  <div class="row">
+                     <div class="col-md-5">
+                         <table class="table table-striped table-bordered">
+                             <thead>
+                             <tr>
+                                 <th class="kc-table-actions" colspan="5">
+                                     <div class="form-inline">
+                                         <label class="control-label">Default Groups</label>
+                                         <kc-tooltip>Newly created or registered users will automatically be added to these groups</kc-tooltip>
+
+                                         <div class="pull-right" data-ng-show="access.manageRealm">
+                                             <button id="removeDefaultGroup" class="btn btn-default" ng-click="removeDefaultGroup()">Remove</button>
+                                         </div>
+                                     </div>
+                                 </th>
+                             </tr>
+                             </thead>
+                             <tbody>
+                             <tr>
+                                 <td>
+                                     <select id="defaultGroups" class="form-control" size=5
+                                                            ng-model="selectedGroup"
+                                                            ng-options="r.path for r in defaultGroups">
+                                         <option style="display:none" value="">select a type</option>
+                                 </select>
+
+
+                                 </td>
+                             </tr>
+                             </tbody>
+                         </table>
+                     </div>
+                     <div class="col-md-5">
+                         <table class="table table-striped table-bordered">
+                             <thead>
+                             <tr>
+                                 <th class="kc-table-actions" colspan="5">
+
+                                     <div class="form-inline">
+                                         <label class="control-label">Available Groups</label>
+                                         <kc-tooltip>Select a group you want to add as a default.</kc-tooltip>
+
+                                         <div class="pull-right" data-ng-show="access.manageRealm">
+                                             <button id="addDefaultGroup" class="btn btn-default" ng-click="addDefaultGroup()">Add</button>
+                                         </div>
+                                     </div>
+                                 </th>
+                             </tr>
+                             </thead>
+                         <tbody>
+                             <tr>
+                                 <td>                             <div
+                                         tree-id="tree"
+                                         angular-treeview="true"
+                                         tree-model="groupList"
+                                         node-id="id"
+                                         node-label="name"
+                                         node-children="subGroups" >
+                                 </div>
+
+                                 </td>
+                             </tr>
+                             </tbody>
+                         </table>
+                     </div>
+                 </div>
+             </div>
+         </div>
+     </form>
+ </div>
+
+<kc-menu></kc-menu>
\ No newline at end of file

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-attributes.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-attributes.html
index 9fcfc8b..3885f8c 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-attributes.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-attributes.html
@@ -20,14 +20,14 @@
                 <td>{{key}}</td>
                 <td><input ng-model="group.attributes[key]" class="form-control" type="text" name="{{key}}" id="attribute-{{key}}" /></td>
                 <td class="kc-action-cell">
-                    <button class="btn btn-default btn-block btn-sm" data-ng-click="removeAttribute(key)">Delete</button>
+                    <button type="button" class="btn btn-default btn-block btn-sm" data-ng-click="removeAttribute(key)">Delete</button>
                 </td>
             </tr>
             <tr>
                 <td><input ng-model="newAttribute.key" class="form-control" type="text" id="newAttributeKey" /></td>
                 <td><input ng-model="newAttribute.value" class="form-control" type="text" id="newAttributeValue" /></td>
                 <td class="kc-action-cell">
-                    <button class="btn btn-default btn-block btn-sm" data-ng-click="addAttribute()">Add</button>
+                    <button class="btn btn-default btn-block btn-sm" data-ng-click="addAttribute()" data-ng-disabled="!newAttribute.key.length || !newAttribute.value.length">Add</button>
                 </td>
             </tr>
             </tbody>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-list.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-list.html
index 14acbae..ac8267c 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-list.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-list.html
@@ -1,8 +1,5 @@
  <div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2">
-    <h1>
-        <span>User Groups</span>
-        <kc-tooltip>User groups</kc-tooltip>
-    </h1>
+     <kc-tabs-group-list></kc-tabs-group-list>
 
     <table class="table table-striped table-bordered">
          <thead>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-members.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-members.html
index 6c20930..50bc11b 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-members.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/group-members.html
@@ -14,7 +14,7 @@
             <th>Last Name</th>
             <th>First Name</th>
             <th>Email</th>
-            <th>Actions</th>
+            <th></th>
         </tr>
         </tr>
         </thead>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/modal/role-selector.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/modal/role-selector.html
index 43b165b..531c3b2 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/modal/role-selector.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/modal/role-selector.html
@@ -15,7 +15,7 @@
                     ng-options="r.name for r in realmRoles | orderBy:'toString()'">
                 <option style="display:none" value="">Select a role</option>
             </select>
-            <button class="btn btn-default" type="submit" ng-click="selectRealmRole()" tooltip-trigger="mouseover mouseout" tooltip="Select realm role" tooltip-placement="right">
+            <button class="btn btn-default" type="submit" data-ng-disabled="!selectedRealmRole.role" ng-click="selectRealmRole()" tooltip-trigger="mouseover mouseout" tooltip="Select realm role" tooltip-placement="right">
                 Select Realm Role</i>
             </button>
         </div>
@@ -32,7 +32,7 @@
                     ng-options="r.name for r in clientRoles | orderBy:'toString()'">
                 <option style="display:none" value="">Select a role</option>
             </select>
-            <button class="btn btn-default" type="submit" ng-click="selectClientRole()" tooltip-trigger="mouseover mouseout" tooltip="Select client role" tooltip-placement="right">
+            <button class="btn btn-default" type="submit" data-ng-disabled="!selectedClientRole.role" ng-click="selectClientRole()" tooltip-trigger="mouseover mouseout" tooltip="Select client role" tooltip-placement="right">
                 Select Client Role
             </button>
         </div>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/otp-policy.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/otp-policy.html
index 1f8890e..4abe5a2 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/otp-policy.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/otp-policy.html
@@ -34,9 +34,7 @@
             <label class="col-md-2 control-label" for="digits">Number of Digits</label>
             <div class="col-md-2">
                 <div>
-                    <select id="digits" ng-model="realm.otpPolicyDigits" class="form-control">
-                        <option value="6">6</option>
-                        <option value="8">8</option>
+                    <select id="digits" ng-model="realm.otpPolicyDigits" class="form-control" ng-options="item as item for item in optionsDigits">
                     </select>
                 </div>
             </div>
@@ -51,18 +49,18 @@
             <kc-tooltip>How far ahead should the server look just in case the token generator and server are out of time sync or counter sync?</kc-tooltip>
         </div>
 
-        <div class="form-group" data-ng-show="realm.otpPolicyType == 'hotp'">
+        <div class="form-group" data-ng-if="realm.otpPolicyType == 'hotp'">
             <label class="col-md-2 control-label" for="counter">Initial Counter</label>
             <div class="col-md-6">
-                <input class="form-control" type="number" required min="1" max="120" id="counter" name="counter" data-ng-model="realm.otpPolicyInitialCounter" autofocus>
+                <input class="form-control" type="number" data-ng-required="realm.otpPolicyType == 'hotp'" min="1" max="120" id="counter" name="counter" data-ng-model="realm.otpPolicyInitialCounter" autofocus>
             </div>
             <kc-tooltip>What should the initial counter value be?</kc-tooltip>
         </div>
 
-        <div class="form-group" data-ng-show="realm.otpPolicyType == 'totp'">
+        <div class="form-group" data-ng-if="realm.otpPolicyType == 'totp'">
             <label class="col-md-2 control-label" for="counter">OTP Token Period</label>
             <div class="col-md-6">
-                <input class="form-control" type="number" required min="1" max="120" id="period" name="period" data-ng-model="realm.otpPolicyPeriod">
+                <input class="form-control" type="number" data-ng-required="realm.otpPolicyType == 'totp'" min="1" max="120" id="period" name="period" data-ng-model="realm.otpPolicyPeriod">
             </div>
             <kc-tooltip>How many seconds should an OTP token be valid? Defaults to 30 seconds.</kc-tooltip>
         </div>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/protocol-mapper-detail.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/protocol-mapper-detail.html
index 4e4224a..afc9a5f 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/protocol-mapper-detail.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/protocol-mapper-detail.html
@@ -31,7 +31,7 @@
             <div class="form-group clearfix">
                 <label class="col-md-2 control-label" for="name">{{:: 'name' | translate}}</label>
                 <div class="col-md-6">
-                    <input class="form-control" id="name" type="text" ng-model="mapper.name" data-ng-readonly="!create">
+                    <input class="form-control" id="name" type="text" ng-model="mapper.name" data-ng-readonly="!create" required>
                 </div>
                 <kc-tooltip>{{:: 'mapper.name.tooltip' | translate}}</kc-tooltip>
             </div>
@@ -56,7 +56,8 @@
                     <div>
                         <select class="form-control" id="mapperTypeCreate"
                                 ng-model="mapperType"
-                                ng-options="mapperType.name for mapperType in mapperTypes">
+                                ng-options="mapperType.name for mapperType in mapperTypes"
+                                required>
                         </select>
                     </div>
                 </div>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html
index dee13f6..bdfd390 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/realm-tokens.html
@@ -83,6 +83,23 @@
         </div>
 
         <div class="form-group">
+            <label class="col-md-2 control-label" for="accessTokenLifespanForImplicitFlow">{{:: 'access-token-lifespan-for-implicit-flow' | translate}}</label>
+
+            <div class="col-md-6 time-selector">
+                <input class="form-control" type="number" required min="1"
+                       max="31536000" data-ng-model="realm.accessTokenLifespanForImplicitFlow"
+                       id="accessTokenLifespanForImplicitFlow" name="accessTokenLifespanForImplicitFlow"/>
+                <select class="form-control" name="accessTokenLifespanForImplicitFlowUnit" data-ng-model="realm.accessTokenLifespanForImplicitFlowUnit">
+                    <option data-ng-selected="!realm.accessTokenLifespanForImplicitFlowUnit" value="Seconds">{{:: 'seconds' | translate}}</option>
+                    <option value="Minutes">{{:: 'minutes' | translate}}</option>
+                    <option value="Hours">{{:: 'hours' | translate}}</option>
+                    <option value="Days">{{:: 'days' | translate}}</option>
+                </select>
+            </div>
+            <kc-tooltip>{{:: 'access-token-lifespan-for-implicit-flow.tooltip' | translate}}</kc-tooltip>
+        </div>
+
+        <div class="form-group">
             <label class="col-md-2 control-label" for="accessCodeLifespan">{{:: 'client-login-timeout' | translate}}</label>
 
             <div class="col-md-6 time-selector">

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/user-attributes.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/user-attributes.html
index 9713a80..df969fb 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/user-attributes.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/partials/user-attributes.html
@@ -20,14 +20,14 @@
                 <td>{{key}}</td>
                 <td><input ng-model="user.attributes[key]" class="form-control" type="text" name="{{key}}" id="attribute-{{key}}" /></td>
                 <td class="kc-action-cell">
-                    <button class="btn btn-default btn-block btn-sm" data-ng-click="removeAttribute(key)">Delete</button>
+                    <button type="button" class="btn btn-default btn-block btn-sm" data-ng-click="removeAttribute(key)">Delete</button>
                 </td>
             </tr>
             <tr>
                 <td><input ng-model="newAttribute.key" class="form-control" type="text" id="newAttributeKey" /></td>
                 <td><input ng-model="newAttribute.value" class="form-control" type="text" id="newAttributeValue" /></td>
                 <td class="kc-action-cell">
-                    <button class="btn btn-default btn-block btn-sm" data-ng-click="addAttribute()">Add</button>
+                    <button class="btn btn-default btn-block btn-sm" data-ng-click="addAttribute()" data-ng-disabled="!newAttribute.key.length || !newAttribute.value.length">Add</button>
                 </td>
             </tr>
             </tbody>

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-group-list.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-group-list.html
new file mode 100755
index 0000000..390dce3
--- /dev/null
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-group-list.html
@@ -0,0 +1,11 @@
+<div data-ng-controller="GroupTabCtrl">
+    <h1>
+        <span>User Groups</span>
+    </h1>
+
+    <ul class="nav nav-tabs">
+        <li ng-class="{active: path[2] == 'groups'}"><a href="#/realms/{{realm.realm}}/groups">Groups</a></li>
+        <li ng-class="{active: path[2] == 'default-groups'}"><a href="#/realms/{{realm.realm}}/default-groups">Default Groups</a><kc-tooltip>Set of groups that new users will automatically join.</kc-tooltip>
+        </li>
+    </ul>
+</div>
\ No newline at end of file

diff --git a/forms/common-themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-realm.html b/forms/common-themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-realm.html
index 76f01ea..5d14503 100755
--- a/forms/common-themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-realm.html
+++ b/forms/common-themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-realm.html
@@ -13,6 +13,7 @@
         <li ng-class="{active: path[2] == 'theme-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/theme-settings">{{:: 'realm-tab-themes' | translate}}</a></li>
         <li ng-class="{active: path[2] == 'cache-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/cache-settings">{{:: 'realm-tab-cache' | translate}}</a></li>
         <li ng-class="{active: path[2] == 'token-settings'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/token-settings">{{:: 'realm-tab-tokens' | translate}}</a></li>
+        <li ng-class="{active: path[2] == 'client-initial-access'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/client-initial-access">{{:: 'realm-tab-client-initial-access' | translate}}</a></li>
         <li ng-class="{active: path[2] == 'defense'}" data-ng-show="access.viewRealm"><a href="#/realms/{{realm.realm}}/defense/headers">{{:: 'realm-tab-security-defenses' | translate}}</a></li>
     </ul>
 </div>
\ No newline at end of file

diff --git a/forms/common-themes/src/main/resources/theme/base/login/messages/messages_ca.properties b/forms/common-themes/src/main/resources/theme/base/login/messages/messages_ca.properties
new file mode 100644
index 0000000..55ccb7b
--- /dev/null
+++ b/forms/common-themes/src/main/resources/theme/base/login/messages/messages_ca.properties
@@ -0,0 +1,206 @@
+doLogIn=Inicia sessi\u00F3
+doRegister=Registra''t
+doCancel=Cancel\u00B7lar
+doSubmit=Envia
+doYes=S\u00ED
+doNo=No
+doContinue=Continua
+doAccept=Accepta
+doDecline=Rebutja
+doForgotPassword=Has oblidat la teva contrasenya?
+doClickHere=Fes clic aqu\u00ED
+doImpersonate=Personifica
+kerberosNotConfigured=Kerberos no configurat
+kerberosNotConfiguredTitle=Kerberos no configurat
+bypassKerberosDetail=O b\u00E9 no est\u00E0s identificat mitjan\u00E7ant Kerberos o el teu navegador no est\u00E0 configurat per identificar-se mitjan\u00E7ant Kerberos. Si us plau fes clic per identificar-te per un altre mitj\u00E0.
+kerberosNotSetUp=Kerberos no est\u00E0 configurat. No pots identificar-te.
+registerWithTitle=Registra''t amb {0}
+registerWithTitleHtml=Registra''t amb <strong>{0}</strong>
+loginTitle=Inicia sessi\u00F3 a {0}
+loginTitleHtml=Inicia sessi\u00F3 a <strong>{0}</strong>
+impersonateTitle={0}\u00A0Personifica Usuari
+impersonateTitleHtml=<strong>{0}</strong> Personifica Usuari</strong>
+realmChoice=Domini
+unknownUser=Usuari desconegut
+loginTotpTitle=Configura la teva aplicaci\u00F3 d''identificaci\u00F3 m\u00F2bil
+loginProfileTitle=Actualitza la informaci\u00F3 del teu compte
+loginTimeout=Has trigat massa a identificar-te. Inicia de nou la identificaci\u00F3.
+oauthGrantTitle=Concessi\u00F3 OAuth
+oauthGrantTitleHtml=Acc\u00E9s temporal per <strong>{0}</strong> sol\u00B7licitat per
+errorTitle=Ho sentim...
+errorTitleHtml=Ho <strong>sentim</strong>...
+emailVerifyTitle=Verificaci\u00F3 de l''email
+emailForgotTitle=Has oblidat la teva contrasenya?
+updatePasswordTitle=Modificaci\u00F3 de contrasenya
+codeSuccessTitle=Codi d''\u00E8xit
+codeErrorTitle=Codi d''error: {0}
+
+termsTitle=Termes i Condicions
+termsTitleHtml=Termes i Condicions
+termsText=<p>Termes i condicions a definir</p>
+
+recaptchaFailed=Reconeixement de text inv\u00E0lid
+recaptchaNotConfigured=El reconeixement de text \u00E9s obligatori per\u00F2 no est\u00E0 configurat
+consentDenied=Consentiment rebutjat.
+
+noAccount=Usuari nou?
+username=Usuari
+usernameOrEmail=Usuari o email
+firstName=Nom
+givenName=Nom de pila
+fullName=Nom complet
+lastName=Cognoms
+familyName=Cognoms
+email=Email
+password=Contrasenya
+passwordConfirm=Confirma la contrasenya
+passwordNew=Nova contrasenya
+passwordNewConfirm=Confirma la nova contrasenya
+rememberMe=Seguir connectat
+authenticatorCode=Codi d''identificaci\u00F3
+address=Adre\u00E7a
+street=Carrer
+locality=Ciutat o Municipi
+region=Estat, Prov\u00EDncia, o Regi\u00F3
+postal_code=Codi Postal
+country=Pa\u00EDs
+emailVerified=Email verificat
+gssDelegationCredential=GSS Delegation Credential
+
+loginTotpStep1=Instal\u00B7la <a href=\"https://fedorahosted.org/freeotp/\" target=\"_blank\">FreeOTP</a> o Google Authenticator al teu tel\u00E8fon m\u00F2bil. Les dues aplicacions estan disponibles a <a href=\"https://play.google.com\">Google Play</a> i en l''App Store d''Apple.
+loginTotpStep2=Obre l''aplicaci\u00F3 i escaneja el codi o introdueix la clau.
+loginTotpStep3=Introdueix el codi \u00FAnic que et mostra l''aplicaci\u00F3 d''autenticaci\u00F3 i fes clic a Envia per finalitzar la configuraci\u00F3
+loginTotpOneTime=Codi d''un sol \u00FAs
+
+oauthGrantRequest=Vols permetre aquests privilegis d''acc\u00E9s?
+inResource=a
+
+emailVerifyInstruction1=T''hem enviat un email amb instruccions per verificar el teu email.
+emailVerifyInstruction2=No has rebut un codi de verificaci\u00F3 al teu email?
+emailVerifyInstruction3=per reenviar l''email.
+
+backToLogin=&laquo; Torna a la identificaci\u00F3
+
+emailInstruction=Indica el teu usuari o email i t''enviarem instruccions indicant com generar una nova contrasenya.
+
+copyCodeInstruction=Si us plau, copia i enganxa aquest codi a la teva aplicaci\u00F3:
+
+personalInfo=Informaci\u00F3 personal:
+role_admin=Admin
+role_realm-admin=Administrador del domini
+role_create-realm=Crear domini
+role_create-client=Crear client
+role_view-realm=Veure domini
+role_view-users=Veure usuaris
+role_view-applications=Veure aplicacions
+role_view-clients=Veure clients
+role_view-events=Veure events
+role_view-identity-providers=Veure prove\u00EFdors d''identitat
+role_manage-realm=Gestionar domini
+role_manage-users=Gestionar usuaris
+role_manage-applications=Gestionar aplicacions
+role_manage-identity-providers=Gestionar prove\u00EFdors d''identitat
+role_manage-clients=Gestionar clients
+role_manage-events=Gestionar events
+role_view-profile=Veure perfil
+role_manage-account=Gestionar compte
+role_read-token=Llegir token
+role_offline-access=Acc\u00E9s sense connexi\u00F3
+client_account=Compte
+client_security-admin-console=Consola d''Administraci\u00F3 de Seguretat
+client_realm-management=Gesti\u00F3 del domini
+client_broker=Broker
+
+invalidUserMessage=Usuari o contrasenya incorrectes.
+invalidEmailMessage=Email no v\u00E0lid
+accountDisabledMessage=El compte est\u00E0 desactivat, contacta amb l''administrador.
+accountTemporarilyDisabledMessage=El compte est\u00E0 temporalment desactivat, contacta amb l''administrador o intenta-ho de nou m\u00E9s tard.
+expiredCodeMessage=S''ha esgotat el temps m\u00E0xim per a la identificaci\u00F3. Si us plau identifica''t de nou.
+
+missingFirstNameMessage=Si us plau indica el teu nom.
+missingLastNameMessage=Si us plau indica els teus cognoms.
+missingEmailMessage=Si us plau indica el teu email.
+missingUsernameMessage=Si us plau indica el teu usuari.
+missingPasswordMessage=Si us plau indica la teva contrasenya.
+missingTotpMessage=Si us plau indica el teu codi d''autenticaci\u00F3
+notMatchPasswordMessage=Les contrasenyes no coincideixen.
+
+invalidPasswordExistingMessage=La contrasenya actual no \u00E9s correcta.
+invalidPasswordConfirmMessage=La confirmaci\u00F3 de contrasenya no coincideix.
+invalidTotpMessage=El codi d''autenticaci\u00F3 no \u00E9s v\u00E0lid.
+
+usernameExistsMessage=El nom d''usuari ja existeix
+emailExistsMessage=L''email ja existeix
+
+federatedIdentityEmailExistsMessage=Ja existeix un usuari amb aquest email. Si us plau accedeix a la gesti\u00F3 del teu compte per enlla\u00E7ar-lo.
+federatedIdentityUsernameExistsMessage=Ja existeix un usuari amb aquest nom d''usuari. Si us plau accedeix a la gesti\u00F3 del teu compte per enlla\u00E7ar-lo.
+
+configureTotpMessage=Has de configurar l''aplicaci\u00F3 m\u00F2bil 'd'identificaci\u00F3 per activar el teu compte.
+updateProfileMessage=Has d''actualitzar el teu perfil d''usuari per activar el teu compte.
+updatePasswordMessage=Has de canviar la contrasenya per activar el teu compte.
+verifyEmailMessage=Has de verificar el teu email per activar el teu compte.
+
+emailSentMessage=En breu hauries de rebre un missatge amb m\u00E9s instruccions
+emailSendErrorMessage=Ha fallat l''enviament de l''email, si us plau intenta-ho de nou m\u00E9s tard.
+
+accountUpdatedMessage=El teu compte s''ha actualitzat.
+accountPasswordUpdatedMessage=La contrasenya s''ha actualitzat.
+
+noAccessMessage=Sense acc\u00E9s
+
+invalidPasswordMinLengthMessage=Contrasenya incorrecta: longitud m\u00EDnima {0}.
+invalidPasswordMinDigitsMessage=Contrasenya incorrecta: ha de contenir almenys {0} car\u00E0cters num\u00E8rics.
+invalidPasswordMinLowerCaseCharsMessage=Contrasenya incorrecta: ha de contenir almenys {0} lletres min\u00FAscules.
+invalidPasswordMinUpperCaseCharsMessage=Contrasenya incorrecta: ha de contenir almenys {0} lletres maj\u00FAscules.
+invalidPasswordMinSpecialCharsMessage=Contrasenya incorrecta: ha de contenir almenys {0} car\u00E0cters especials.
+invalidPasswordNotUsernameMessage=Contrasenya incorrecta: no pot ser igual al nom d''usuari.
+invalidPasswordRegexPatternMessage=Contrasenya incorrecta: no compleix l''expressi\u00F3 regular.
+invalidPasswordHistoryMessage=Contrasenya incorrecta: no pot ser igual a cap de les \u00FAltimes {0} contrasenyes.
+
+failedToProcessResponseMessage=Fallada en processar la resposta
+httpsRequiredMessage=HTTPS obligatori
+realmNotEnabledMessage=El domini no est\u00E0 activat
+invalidRequestMessage=Petici\u00F3 incorrecta
+failedLogout=Ha fallat la desconnexi\u00F3.
+unknownLoginRequesterMessage=Sol\u00B7licitant d''identificaci\u00F3 desconegut
+loginRequesterNotEnabledMessage=El sol\u00B7licitant d''inici de sessi\u00F3 est\u00E0 desactivat
+bearerOnlyMessage=Les aplicacions Bearer-only no poden iniciar sessi\u00F3 des del navegador.
+directGrantsOnlyMessage=Els clients de tipus Direct-grants-only no poden iniciar sessi\u00F3 des del navegador.
+invalidRedirectUriMessage=L''URI de redirecci\u00F3 no \u00E9s correcta
+unsupportedNameIdFormatMessage=NameIDFormat no suportat
+invlidRequesterMessage=Sol\u00B7licitant no v\u00E0lid
+registrationNotAllowedMessage=El registre no est\u00E0 perm\u00E8s
+resetCredentialNotAllowedMessage=El reinici de les credencials no est\u00E0 perm\u00E8s
+
+permissionNotApprovedMessage=Perm\u00EDs no aprovat.
+noRelayStateInResponseMessage=Sense estat de retransmissi\u00F3 en la resposta del prove\u00EFdor d''identitat.
+identityProviderAlreadyLinkedMessage=La identitat retornada pel prove\u00EFdor d''identitat ja est\u00E0 associada a un altre usuari.
+insufficientPermissionMessage=Permisos insuficients per enlla\u00E7ar identitats.
+couldNotProceedWithAuthenticationRequestMessage=No s''ha pogut continuar amb la petici\u00F3 d''autenticaci\u00F3 al prove\u00EFdor d''identitat.
+couldNotObtainTokenMessage=No s''ha pogut obtenir el codi del prove\u00EFdor d''identitat.
+unexpectedErrorRetrievingTokenMessage=Error inesperat obtenint el token del prove\u00EFdor d''identitat
+unexpectedErrorHandlingResponseMessage=Error inesperat processant la resposta del prove\u00EFdor d''identitat.
+identityProviderAuthenticationFailedMessage=Ha fallat l''autenticaci\u00F3. No ha estat possible autenticar-se en el prove\u00EFdor d''identitat.
+couldNotSendAuthenticationRequestMessage=No s''ha pogut enviar la petici\u00F3 d''identificaci\u00F3 al prove\u00EFdor d''identitat.
+unexpectedErrorHandlingRequestMessage=Error inesperat durant la petici\u00F3 d''identificaci\u00F3 al prove\u00EFdor d''identitat.
+invalidAccessCodeMessage=Codi d''acc\u00E9s no v\u00E0lid.
+sessionNotActiveMessage=La sessi\u00F3 no est\u00E0 activa
+invalidCodeMessage=Hi ha hagut un error, si us plau identifica''t de nou des de la teva aplicaci\u00F3.
+identityProviderUnexpectedErrorMessage=Error no esperat intentant autenticar en el prove\u00EFdor d''identitat.
+identityProviderNotFoundMessage=No s''ha trobat cap prove\u00EFdor d''identitat.
+realmSupportsNoCredentialsMessage=El domini no suporta cap tipus de credencials.
+identityProviderNotUniqueMessage=El domini suporta m\u00FAltiples prove\u00EFdors d''identitat. No s''ha pogut determinar el prove\u00EFdor d''identitat que hauria de ser utilitzat per identificar-se.
+emailVerifiedMessage=El teu email ha estat verificat.
+
+locale_de=German
+locale_en=English
+locale_it=Italian
+locale_pt-BR=Portugu\u00EAs (Brasil)
+locale_fr=Français
+locale_es=Espa\u00F1ol
+locale_ca=Catal\u00E0
+
+backToApplication=&laquo; Torna a l''aplicaci\u00F3
+missingParameterMessage=Par\u00E0metres que falten: {0}
+clientNotFoundMessage=Client no trobat
+invalidParameterMessage=Par\u00E0metre no v\u00E0lid: {0}

diff --git a/forms/common-themes/src/main/resources/theme/base/login/messages/messages_en.properties b/forms/common-themes/src/main/resources/theme/base/login/messages/messages_en.properties
index 6885308..ffe8328 100644
--- a/forms/common-themes/src/main/resources/theme/base/login/messages/messages_en.properties
+++ b/forms/common-themes/src/main/resources/theme/base/login/messages/messages_en.properties
@@ -176,7 +176,8 @@ failedLogout=Logout failed
 unknownLoginRequesterMessage=Unknown login requester
 loginRequesterNotEnabledMessage=Login requester not enabled
 bearerOnlyMessage=Bearer-only applications are not allowed to initiate browser login
-directGrantsOnlyMessage=Direct-grants-only clients are not allowed to initiate browser login
+standardFlowDisabledMessage=Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client.
+implicitFlowDisabledMessage=Client is not allowed to initiate browser login with given response_type. Implicit flow is disabled for the client.
 invalidRedirectUriMessage=Invalid redirect uri
 unsupportedNameIdFormatMessage=Unsupported NameIDFormat
 invlidRequesterMessage=Invalid requester

diff --git a/forms/common-themes/src/main/resources/theme/base/login/messages/messages_es.properties b/forms/common-themes/src/main/resources/theme/base/login/messages/messages_es.properties
index ff43eed..f497d07 100644
--- a/forms/common-themes/src/main/resources/theme/base/login/messages/messages_es.properties
+++ b/forms/common-themes/src/main/resources/theme/base/login/messages/messages_es.properties
@@ -198,6 +198,7 @@ locale_it=Italian
 locale_pt-BR=Portugu\u00EAs (Brasil)
 locale_fr=Fran\u00C3\u00A7ais
 locale_es=Espa\u00F1ol
+locale_ca=Catal\u00E0
 
 backToApplication=« Volver a la aplicaci\u00F3n
 missingParameterMessage=Par\u00E1metros que faltan: {0}

diff --git a/forms/common-themes/src/main/resources/theme/keycloak/email/messages/messages_ca.properties b/forms/common-themes/src/main/resources/theme/keycloak/email/messages/messages_ca.properties
new file mode 100644
index 0000000..7f8504a
--- /dev/null
+++ b/forms/common-themes/src/main/resources/theme/keycloak/email/messages/messages_ca.properties
@@ -0,0 +1,21 @@
+emailVerificationSubject=Verificaci\u00F3 d''email
+emailVerificationBody=Alg\u00FA ha creat un compte de {2} amb aquesta adre\u00E7a de correu electr\u00F2nic. Si has estat tu, fes clic a l''enlla\u00E7 seg\u00FCent per verificar la teva adre\u00E7a de correu electr\u00F2nic.\n\n{0}\n\nAquest enlla\u00E7 expirar\u00E0 en {1} minuts.\n\nSi tu no has creat aquest compte, simplement ignora aquest missatge.
+emailVerificationBodyHtml=<p>Alg\u00FA ha creat un compte de {2} amb aquesta adre\u00E7a de correu electr\u00F2nic. Si has estat tu, fes clic a l''enlla\u00E7 seg\u00FCent per verificar la teva adre\u00E7a de correu electr\u00F2nic.</p><p><a href=\"{0}\">{0}</a></p><p> Aquest enlla\u00E7 expirar\u00E0 en {1} minuts.</p><p> Si tu no has creat aquest compte, simplement ignora aquest missatge.</p>
+passwordResetSubject=Reinicia contrasenya
+passwordResetBody=Alg\u00FA ha demanat de canviar les credencials del teu compte de {2}. Si has estat tu, fes clic a l''enlla\u00E7 seg\u00FCent per a reiniciar-les.\n\n{0}\n\nAquest enlla\u00E7 expirar\u00E0 en {1} minuts.\n\nSi no vols reiniciar les teves credencials, simplement ignora aquest missatge i no es realitzar\u00E0 cap canvi.
+passwordResetBodyHtml=<p>Alg\u00FA ha demanat de canviar les credencials del teu compte de {2}. Si has estat tu, fes clic a l''enlla\u00E7 seg\u00FCent per a reiniciar-les.</p><p><a href=\"{0}\">{0}</a></p><p>Aquest enlla\u00E7 expirar\u00E0 en {1} minuts.</p><p>Si no vols reiniciar les teves credencials, simplement ignora aquest missatge i no es realitzar\u00E0 cap canvi.</p>
+executeActionsSubject=Actualitza el teu compte
+executeActionsBody=L''administrador ha sol\u00B7licitat que actualitzis el teu compte de {2}. Fes clic a l''enlla\u00E7 inferior per iniciar aquest proc\u00E9s.\n\n{0}\n\nAquest enlla\u00E7 expirar\u00E0 en {1} minutes.\n\nSi no est\u00E0s al tant que l''administrador hagi sol\u00B7licitat aix\u00F2, simplement ignora aquest missatge i no es realitzar\u00E0 cap canvi.
+executeActionsBodyHtml=<p>L''administrador ha sol\u00B7licitat que actualitzis el teu compte de {2}. Fes clic a l''enlla\u00E7 inferior per iniciar aquest proc\u00E9s.</p><p><a href=\"{0}\">{0}</a></p><p>Aquest enlla\u00E7 expirar\u00E0 en {1} minutes.</p><p>Si no est\u00E0s al tant que l''administrador hagi sol\u00B7licitat aix\u00F2, simplement ignora aquest missatge i no es realitzar\u00E0 cap canvi.</p>
+eventLoginErrorSubject=Fallada en l''inici de sessi\u00F3
+eventLoginErrorBody=S''ha detectat un intent d''acc\u00E9s fallit al teu compte el {0} des de {1}. Si no has estat tu, si us plau contacta amb l''administrador.
+eventLoginErrorBodyHtml=<p>S''ha detectat un intent d''acc\u00E9s fallit al teu compte el {0} des de {1}. Si no has estat tu, si us plau contacta amb l''administrador.</p>
+eventRemoveTotpSubject=Esborrat TOTP
+eventRemoveTotpBody=TOTP s''ha eliminat del teu compte el {0} des de {1}. Si no has estat tu, per favor contacta amb l''administrador.
+eventRemoveTotpBodyHtml=<p>TOTP s''ha eliminat del teu compte el {0} des de {1}. Si no has estat tu, si us plau contacta amb l''administrador. </ P>
+eventUpdatePasswordSubject=Actualitzaci\u00F3 de contrasenya
+eventUpdatePasswordBody=La teva contrasenya s''ha actualitzat el {0} des de {1}. Si no has estat tu, si us plau contacta amb l''administrador.
+eventUpdatePasswordBodyHtml=<p>La teva contrasenya s''ha actualitzat el {0} des de {1}. Si no has estat tu, si us plau contacta amb l''administrador.</p>
+eventUpdateTotpSubject=Actualitzaci\u00F3 de TOTP
+eventUpdateTotpBody=TOTP s''ha actualitzat al teu compte el {0} des de {1}. Si no has estat tu, si us plau contacta amb l''administrador.
+eventUpdateTotpBodyHtml=<p>TOTP s''ha actualitzat al teu compte el {0} des de {1}. Si no has estat tu, si us plau contacta amb l''administrador.</p>

diff --git a/forms/common-themes/src/main/resources/theme/keycloak/login/resources/css/login.css b/forms/common-themes/src/main/resources/theme/keycloak/login/resources/css/login.css
index 55939b6..8f09a97 100644
--- a/forms/common-themes/src/main/resources/theme/keycloak/login/resources/css/login.css
+++ b/forms/common-themes/src/main/resources/theme/keycloak/login/resources/css/login.css
@@ -5,6 +5,7 @@
 
 .kc-dropdown{
     position: relative;
+    z-index: 9999;
 }
 .kc-dropdown > a{
     position: absolute;

diff --git a/forms/email-api/src/main/java/org/keycloak/email/EmailSenderProvider.java b/forms/email-api/src/main/java/org/keycloak/email/EmailSenderProvider.java
new file mode 100755
index 0000000..95ccabe
--- /dev/null
+++ b/forms/email-api/src/main/java/org/keycloak/email/EmailSenderProvider.java
@@ -0,0 +1,14 @@
+package org.keycloak.email;
+
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.provider.Provider;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public interface EmailSenderProvider extends Provider {
+
+    void send(RealmModel realm, UserModel user, String subject, String textBody, String htmlBody) throws EmailException;
+
+}

diff --git a/forms/email-api/src/main/java/org/keycloak/email/EmailTemplateProviderFactory.java b/forms/email-api/src/main/java/org/keycloak/email/EmailTemplateProviderFactory.java
new file mode 100644
index 0000000..bc934cb
--- /dev/null
+++ b/forms/email-api/src/main/java/org/keycloak/email/EmailTemplateProviderFactory.java
@@ -0,0 +1,9 @@
+package org.keycloak.email;
+
+import org.keycloak.provider.ProviderFactory;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public interface EmailTemplateProviderFactory extends ProviderFactory<EmailTemplateProvider> {
+}

diff --git a/forms/email-api/src/main/java/org/keycloak/email/EmailTemplateSpi.java b/forms/email-api/src/main/java/org/keycloak/email/EmailTemplateSpi.java
new file mode 100644
index 0000000..c84c87c
--- /dev/null
+++ b/forms/email-api/src/main/java/org/keycloak/email/EmailTemplateSpi.java
@@ -0,0 +1,31 @@
+package org.keycloak.email;
+
+import org.keycloak.provider.Provider;
+import org.keycloak.provider.ProviderFactory;
+import org.keycloak.provider.Spi;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class EmailTemplateSpi implements Spi {
+
+    @Override
+    public boolean isInternal() {
+        return true;
+    }
+
+    @Override
+    public String getName() {
+        return "emailTemplate";
+    }
+
+    @Override
+    public Class<? extends Provider> getProviderClass() {
+        return EmailTemplateProvider.class;
+    }
+
+    @Override
+    public Class<? extends ProviderFactory> getProviderFactoryClass() {
+        return org.keycloak.email.EmailTemplateProviderFactory.class;
+    }
+}

diff --git a/forms/email-api/src/main/resources/META-INF/services/org.keycloak.provider.Spi b/forms/email-api/src/main/resources/META-INF/services/org.keycloak.provider.Spi
index 4110dba..80967a2 100644
--- a/forms/email-api/src/main/resources/META-INF/services/org.keycloak.provider.Spi
+++ b/forms/email-api/src/main/resources/META-INF/services/org.keycloak.provider.Spi
@@ -1 +1,2 @@
-org.keycloak.email.EmailSpi
\ No newline at end of file
+org.keycloak.email.EmailSenderSpi
+org.keycloak.email.EmailTemplateSpi
\ No newline at end of file

diff --git a/forms/email-freemarker/src/main/resources/META-INF/services/org.keycloak.email.EmailTemplateProviderFactory b/forms/email-freemarker/src/main/resources/META-INF/services/org.keycloak.email.EmailTemplateProviderFactory
new file mode 100644
index 0000000..aa87e53
--- /dev/null
+++ b/forms/email-freemarker/src/main/resources/META-INF/services/org.keycloak.email.EmailTemplateProviderFactory
@@ -0,0 +1 @@
+org.keycloak.email.freemarker.FreeMarkerEmailTemplateProviderFactory
\ No newline at end of file

diff --git a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginFormsProvider.java b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginFormsProvider.java
index d1b4df9..1cbd328 100755
--- a/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginFormsProvider.java
+++ b/forms/login-freemarker/src/main/java/org/keycloak/login/freemarker/FreeMarkerLoginFormsProvider.java
@@ -24,7 +24,7 @@ import org.keycloak.authentication.requiredactions.util.UserUpdateProfileContext
 import org.keycloak.broker.provider.BrokeredIdentityContext;
 import org.keycloak.common.util.ObjectUtil;
 import org.keycloak.email.EmailException;
-import org.keycloak.email.EmailProvider;
+import org.keycloak.email.EmailTemplateProvider;
 import org.keycloak.freemarker.BrowserSecurityHeaderSetup;
 import org.keycloak.freemarker.FreeMarkerException;
 import org.keycloak.freemarker.FreeMarkerUtil;
@@ -153,7 +153,7 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
                     String link = builder.build(realm.getName()).toString();
                     long expiration = TimeUnit.SECONDS.toMinutes(realm.getAccessCodeLifespanUserAction());
 
-                    session.getProvider(EmailProvider.class).setRealm(realm).setUser(user).sendVerifyEmail(link, expiration);
+                    session.getProvider(EmailTemplateProvider.class).setRealm(realm).setUser(user).sendVerifyEmail(link, expiration);
                 } catch (EmailException e) {
                     logger.error("Failed to send verification email", e);
                     return setError(Messages.EMAIL_SENT_ERROR).createErrorPage();

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
index 5e243de..8083654 100755
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/AuthenticatedActionsHandler.java
@@ -57,7 +57,7 @@ public class AuthenticatedActionsHandler {
     protected boolean abortTokenResponse() {
         if (facade.getSecurityContext() == null) {
             log.debugv("Not logged in, sending back 401: {0}",facade.getRequest().getURI());
-            facade.getResponse().setStatus(401);
+            facade.getResponse().sendError(401);
             facade.getResponse().end();
             return true;
         }
@@ -94,7 +94,7 @@ public class AuthenticatedActionsHandler {
                     log.debugv("allowedOrigins did not contain origin");
 
                 }
-                facade.getResponse().setStatus(403);
+                facade.getResponse().sendError(403);
                 facade.getResponse().end();
                 return true;
             }

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/BasicAuthRequestAuthenticator.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/BasicAuthRequestAuthenticator.java
old mode 100644
new mode 100755
index 6b90105..7f260ab
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/BasicAuthRequestAuthenticator.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/BasicAuthRequestAuthenticator.java
@@ -33,7 +33,7 @@ public class BasicAuthRequestAuthenticator extends BearerTokenRequestAuthenticat
     public AuthOutcome authenticate(HttpFacade exchange)  {
         List<String> authHeaders = exchange.getRequest().getHeaders("Authorization");
         if (authHeaders == null || authHeaders.size() == 0) {
-            challenge = challengeResponse(exchange, null, null);
+            challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.NO_AUTHORIZATION_HEADER, null, null);
             return AuthOutcome.NOT_ATTEMPTED;
         }
 
@@ -46,7 +46,7 @@ public class BasicAuthRequestAuthenticator extends BearerTokenRequestAuthenticat
         }
 
         if (tokenString == null) {
-            challenge = challengeResponse(exchange, null, null);
+            challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, null, null);
             return AuthOutcome.NOT_ATTEMPTED;
         }
 
@@ -59,7 +59,7 @@ public class BasicAuthRequestAuthenticator extends BearerTokenRequestAuthenticat
             tokenString = atr.getToken();
         } catch (Exception e) {
             log.debug("Failed to obtain token", e);
-            challenge = challengeResponse(exchange, "no_token", e.getMessage());
+            challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "no_token", e.getMessage());
             return AuthOutcome.FAILED;
         }
 

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
index 92b03da..686b802 100755
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
@@ -45,7 +45,7 @@ public class BearerTokenRequestAuthenticator {
     public AuthOutcome authenticate(HttpFacade exchange)  {
         List<String> authHeaders = exchange.getRequest().getHeaders("Authorization");
         if (authHeaders == null || authHeaders.size() == 0) {
-            challenge = challengeResponse(exchange, null, null);
+            challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.NO_BEARER_TOKEN, null, null);
             return AuthOutcome.NOT_ATTEMPTED;
         }
 
@@ -58,7 +58,7 @@ public class BearerTokenRequestAuthenticator {
         }
 
         if (tokenString == null) {
-            challenge = challengeResponse(exchange, null, null);
+            challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.NO_BEARER_TOKEN, null, null);
             return AuthOutcome.NOT_ATTEMPTED;
         }
 
@@ -70,12 +70,12 @@ public class BearerTokenRequestAuthenticator {
             token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl());
         } catch (VerificationException e) {
             log.error("Failed to verify token", e);
-            challenge = challengeResponse(exchange, "invalid_token", e.getMessage());
+            challenge = challengeResponse(exchange, OIDCAuthenticationError.Reason.INVALID_TOKEN, "invalid_token", e.getMessage());
             return AuthOutcome.FAILED;
         }
         if (token.getIssuedAt() < deployment.getNotBefore()) {
             log.error("Stale token");
-            challenge = challengeResponse(exchange, "invalid_token", "Stale token");
+            challenge = challengeResponse(exchange,  OIDCAuthenticationError.Reason.STALE_TOKEN, "invalid_token", "Stale token");
             return AuthOutcome.FAILED;
         }
         boolean verifyCaller = false;
@@ -113,11 +113,6 @@ public class BearerTokenRequestAuthenticator {
     protected AuthChallenge clientCertChallenge() {
         return new AuthChallenge() {
             @Override
-            public boolean errorPage() {
-                return false;
-            }
-
-            @Override
             public int getResponseCode() {
                 return 0;
             }
@@ -131,7 +126,7 @@ public class BearerTokenRequestAuthenticator {
     }
 
 
-    protected AuthChallenge challengeResponse(HttpFacade facade, String error, String description) {
+    protected AuthChallenge challengeResponse(HttpFacade facade, final OIDCAuthenticationError.Reason reason, final String error, final String description) {
         StringBuilder header = new StringBuilder("Bearer realm=\"");
         header.append(deployment.getRealm()).append("\"");
         if (error != null) {
@@ -143,19 +138,16 @@ public class BearerTokenRequestAuthenticator {
         final String challenge = header.toString();
         return new AuthChallenge() {
             @Override
-            public boolean errorPage() {
-                return true;
-            }
-
-            @Override
             public int getResponseCode() {
                 return 401;
             }
 
             @Override
             public boolean challenge(HttpFacade facade) {
-                facade.getResponse().setStatus(401);
+                OIDCAuthenticationError error = new OIDCAuthenticationError(reason, description);
+                facade.getRequest().setError(error);
                 facade.getResponse().addHeader("WWW-Authenticate", challenge);
+                facade.getResponse().sendError(401);
                 return true;
             }
         };

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java
index b1bd124..b385592 100755
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/CookieTokenStore.java
@@ -9,6 +9,7 @@ import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.common.VerificationException;
 import org.keycloak.constants.AdapterConstants;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.IDToken;
 import org.keycloak.common.util.KeycloakUriBuilder;
@@ -58,10 +59,10 @@ public class CookieTokenStore {
             AccessToken accessToken = RSATokenVerifier.verifyToken(accessTokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl(), false, true);
             IDToken idToken;
             if (idTokenString != null && idTokenString.length() > 0) {
-                JWSInput input = new JWSInput(idTokenString);
                 try {
+                    JWSInput input = new JWSInput(idTokenString);
                     idToken = input.readJsonContent(IDToken.class);
-                } catch (IOException e) {
+                } catch (JWSInputException e) {
                     throw new VerificationException(e);
                 }
             } else {

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
index 908d239..cc6b188 100755
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
@@ -11,6 +11,7 @@ import org.keycloak.common.VerificationException;
 import org.keycloak.constants.AdapterConstants;
 import org.keycloak.enums.TokenStore;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.representations.IDToken;
@@ -174,32 +175,11 @@ public class OAuthRequestAuthenticator {
         final String state = getStateCode();
         final String redirect = getRedirectUri(state);
         if (redirect == null) {
-            return new AuthChallenge() {
-                @Override
-                public boolean challenge(HttpFacade exchange) {
-                    exchange.getResponse().setStatus(403);
-                    return true;
-                }
-
-                @Override
-                public boolean errorPage() {
-                    return true;
-                }
-
-                @Override
-                public int getResponseCode() {
-                    return 403;
-                }
-            };
+            return challenge(403, OIDCAuthenticationError.Reason.NO_REDIRECT_URI, null);
         }
         return new AuthChallenge() {
 
             @Override
-            public boolean errorPage() {
-                return false;
-            }
-
-            @Override
             public int getResponseCode() {
                 return 0;
             }
@@ -221,7 +201,7 @@ public class OAuthRequestAuthenticator {
 
         if (stateCookie == null) {
             log.warn("No state cookie");
-            return challenge(400);
+            return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
         }
         // reset the cookie
         log.debug("** reseting application state cookie");
@@ -231,13 +211,13 @@ public class OAuthRequestAuthenticator {
         String state = getQueryParamValue(OAuth2Constants.STATE);
         if (state == null) {
             log.warn("state parameter was null");
-            return challenge(400);
+            return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
         }
         if (!state.equals(stateCookieValue)) {
             log.warn("state parameter invalid");
             log.warn("cookie: " + stateCookieValue);
             log.warn("queryParam: " + state);
-            return challenge(400);
+            return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
         }
         return null;
 
@@ -251,7 +231,7 @@ public class OAuthRequestAuthenticator {
             if (error != null) {
                 // todo how do we send a response?
                 log.warn("There was an error: " + error);
-                challenge = challenge(400);
+                challenge = challenge(400, OIDCAuthenticationError.Reason.OAUTH_ERROR, error);
                 return AuthOutcome.FAILED;
             } else {
                 log.debug("redirecting to auth server");
@@ -269,21 +249,18 @@ public class OAuthRequestAuthenticator {
 
     }
 
-    protected AuthChallenge challenge(final int code) {
+    protected AuthChallenge challenge(final int code, final OIDCAuthenticationError.Reason reason, final String description) {
         return new AuthChallenge() {
             @Override
-            public boolean errorPage() {
-                return true;
-            }
-
-            @Override
             public int getResponseCode() {
                 return code;
             }
 
             @Override
             public boolean challenge(HttpFacade exchange) {
-                exchange.getResponse().setStatus(code);
+                OIDCAuthenticationError error = new OIDCAuthenticationError(reason, description);
+                exchange.getRequest().setError(error);
+                exchange.getResponse().sendError(code);
                 return true;
             }
         };
@@ -305,7 +282,7 @@ public class OAuthRequestAuthenticator {
         // abort if not HTTPS
         if (!isRequestSecure() && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
             log.error("Adapter requires SSL. Request: " + facade.getRequest().getURI());
-            return challenge(403);
+            return challenge(403, OIDCAuthenticationError.Reason.SSL_REQUIRED, null);
         }
 
         log.debug("checking state cookie for after code");
@@ -324,11 +301,11 @@ public class OAuthRequestAuthenticator {
             if (failure.getStatus() == 400 && failure.getError() != null) {
                 log.error("   " + failure.getError());
             }
-            return challenge(403);
+            return challenge(403, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
 
         } catch (IOException e) {
             log.error("failed to turn code into token", e);
-            return challenge(403);
+            return challenge(403, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
         }
 
         tokenString = tokenResponse.getToken();
@@ -337,24 +314,24 @@ public class OAuthRequestAuthenticator {
         try {
             token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl());
             if (idTokenString != null) {
-                JWSInput input = new JWSInput(idTokenString);
                 try {
+                    JWSInput input = new JWSInput(idTokenString);
                     idToken = input.readJsonContent(IDToken.class);
-                } catch (IOException e) {
+                } catch (JWSInputException e) {
                     throw new VerificationException();
                 }
             }
             log.debug("Token Verification succeeded!");
         } catch (VerificationException e) {
             log.error("failed verification of token: " + e.getMessage());
-            return challenge(403);
+            return challenge(403, OIDCAuthenticationError.Reason.INVALID_TOKEN, null);
         }
         if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {
             deployment.setNotBefore(tokenResponse.getNotBeforePolicy());
         }
         if (token.getIssuedAt() < deployment.getNotBefore()) {
             log.error("Stale token");
-            return challenge(403);
+            return challenge(403, OIDCAuthenticationError.Reason.STALE_TOKEN, null);
         }
         log.debug("successful authenticated");
         return null;

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/OIDCAuthenticationError.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/OIDCAuthenticationError.java
new file mode 100755
index 0000000..089b689
--- /dev/null
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/OIDCAuthenticationError.java
@@ -0,0 +1,46 @@
+package org.keycloak.adapters;
+
+import org.keycloak.adapters.spi.AuthenticationError;
+
+/**
+ * Object that describes the OIDC error that happened.
+ *
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class OIDCAuthenticationError implements AuthenticationError {
+    public static enum Reason {
+        NO_BEARER_TOKEN,
+        NO_REDIRECT_URI,
+        INVALID_STATE_COOKIE,
+        OAUTH_ERROR,
+        SSL_REQUIRED,
+        CODE_TO_TOKEN_FAILURE,
+        INVALID_TOKEN,
+        STALE_TOKEN,
+        NO_AUTHORIZATION_HEADER
+    }
+
+    private Reason reason;
+    private String description;
+
+    public OIDCAuthenticationError(Reason reason, String description) {
+        this.reason = reason;
+        this.description = description;
+    }
+
+    public Reason getReason() {
+        return reason;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    @Override
+    public String toString() {
+        return "OIDCAuthenticationError [reason=" + reason + ", description=" + description + "]";
+    }
+    
+    
+}

diff --git a/integration/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java b/integration/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java
index 2588c40..a332f83 100755
--- a/integration/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java
+++ b/integration/adapter-core/src/main/java/org/keycloak/adapters/PreAuthActionsHandler.java
@@ -3,6 +3,7 @@ package org.keycloak.adapters;
 import org.jboss.logging.Logger;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.adapters.spi.UserSessionManagement;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.representations.VersionRepresentation;
 import org.keycloak.constants.AdapterConstants;
 import org.keycloak.jose.jws.JWSInput;
@@ -178,18 +179,17 @@ public class PreAuthActionsHandler {
             return null;
         }
 
-        JWSInput input = new JWSInput(token);
-        boolean verified = false;
         try {
-            verified = RSAProvider.verify(input, deployment.getRealmKey());
-        } catch (Exception ignore) {
-        }
-        if (!verified) {
-            log.warn("admin request failed, unable to verify token");
-            facade.getResponse().sendError(403, "no token");
-            return null;
+            JWSInput input = new JWSInput(token);
+            if (RSAProvider.verify(input, deployment.getRealmKey())) {
+                return input;
+            }
+        } catch (JWSInputException ignore) {
         }
-        return input;
+
+        log.warn("admin request failed, unable to verify token");
+        facade.getResponse().sendError(403, "no token");
+        return null;
     }
 
 

diff --git a/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthChallenge.java b/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthChallenge.java
index ff0960f..8bb2f71 100755
--- a/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthChallenge.java
+++ b/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthChallenge.java
@@ -13,15 +13,7 @@ public interface AuthChallenge {
     boolean challenge(HttpFacade exchange);
 
     /**
-     * Whether or not an error page should be displayed if possible along with the challenge
-     *
-     * @return
-     */
-    boolean errorPage();
-
-    /**
-     * If errorPage is true, this is the response code the challenge will send.  This is used by platforms
-     * that call HttpServletResponse.sendError() to forward to error page.
+     * Some platforms need the error code that will be sent (i.e. Undertow)
      *
      * @return
      */

diff --git a/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthenticationError.java b/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthenticationError.java
new file mode 100755
index 0000000..238a7d8
--- /dev/null
+++ b/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthenticationError.java
@@ -0,0 +1,13 @@
+package org.keycloak.adapters.spi;
+
+/**
+ * Common marker interface used by keycloak client adapters when there is an error.  For servlets, you'll be able
+ * to extract this error from the HttpServletRequest.getAttribute(AuthenticationError.class.getName()).  Each protocol
+ * will have their own subclass of this interface.
+ *
+ *
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public interface AuthenticationError {
+}

diff --git a/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthOutcome.java b/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthOutcome.java
index 60a34b2..2479884 100755
--- a/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthOutcome.java
+++ b/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/AuthOutcome.java
@@ -5,8 +5,5 @@ package org.keycloak.adapters.spi;
  * @version $Revision: 1 $
  */
 public enum AuthOutcome {
-    NOT_ATTEMPTED,
-    FAILED,
-    AUTHENTICATED,
-    LOGGED_OUT
+    NOT_ATTEMPTED, FAILED, AUTHENTICATED, NOT_AUTHENTICATED, LOGGED_OUT
 }

diff --git a/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/HttpFacade.java b/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/HttpFacade.java
index fb3804e..ead316a 100755
--- a/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/HttpFacade.java
+++ b/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/HttpFacade.java
@@ -47,6 +47,8 @@ public interface HttpFacade {
         InputStream getInputStream();
 
         String getRemoteAddr();
+        void setError(AuthenticationError error);
+        void setError(LogoutError error);
     }
 
     interface Response {
@@ -56,6 +58,7 @@ public interface HttpFacade {
         void resetCookie(String name, String path);
         void setCookie(String name, String value, String path, String domain, int maxAge, boolean secure, boolean httpOnly);
         OutputStream getOutputStream();
+        void sendError(int code);
         void sendError(int code, String message);
 
         /**

diff --git a/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/LogoutError.java b/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/LogoutError.java
new file mode 100755
index 0000000..2d846ec
--- /dev/null
+++ b/integration/adapter-spi/src/main/java/org/keycloak/adapters/spi/LogoutError.java
@@ -0,0 +1,12 @@
+package org.keycloak.adapters.spi;
+
+/**
+ * Common marker interface used by keycloak client adapters when there is an error.  For servlets, you'll be able
+ * to extract this error from the HttpServletRequest.getAttribute(LogoutError.class.getName()).  Each protocol
+ * will have their own subclass of this interface.
+ *
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public interface LogoutError {
+}

diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientInitialAccessResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientInitialAccessResource.java
new file mode 100644
index 0000000..8875a4c
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientInitialAccessResource.java
@@ -0,0 +1,31 @@
+package org.keycloak.admin.client.resource;
+
+import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
+import org.keycloak.representations.idm.ClientInitialAccessPresentation;
+
+import javax.ws.rs.*;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriInfo;
+import java.util.List;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public interface ClientInitialAccessResource {
+
+    @POST
+    @Consumes(MediaType.APPLICATION_JSON)
+    @Produces(MediaType.APPLICATION_JSON)
+    ClientInitialAccessPresentation create(ClientInitialAccessCreatePresentation rep);
+    
+    @GET
+    @Produces(MediaType.APPLICATION_JSON)
+    List<ClientInitialAccessPresentation> list();
+
+    @DELETE
+    @Path("{id}")
+    void delete(final @PathParam("id") String id);
+
+}

diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/GroupResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/GroupResource.java
new file mode 100755
index 0000000..84af76e
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/GroupResource.java
@@ -0,0 +1,80 @@
+package org.keycloak.admin.client.resource;
+
+import org.jboss.resteasy.annotations.cache.NoCache;
+import org.keycloak.representations.idm.GroupRepresentation;
+import org.keycloak.representations.idm.UserRepresentation;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import java.util.List;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public interface GroupResource {
+
+    /**
+     * Does not expand hierarchy.  Subgroups will not be set.
+     *
+     * @return
+     */
+    @GET
+    @NoCache
+    @Produces(MediaType.APPLICATION_JSON)
+    public GroupRepresentation toRepresentation();
+
+    /**
+     * Update group
+     *
+     * @param rep
+     */
+    @PUT
+    @Consumes(MediaType.APPLICATION_JSON)
+    public void update(GroupRepresentation rep);
+
+    @DELETE
+    public void remove();
+
+
+    /**
+     * Set or create child.  This will just set the parent if it exists.  Create it and set the parent
+     * if the group doesn't exist.
+     *
+     * @param rep
+     */
+    @POST
+    @Path("children")
+    @NoCache
+    @Produces(MediaType.APPLICATION_JSON)
+    @Consumes(MediaType.APPLICATION_JSON)
+    public Response subGroup(GroupRepresentation rep);
+
+
+    @Path("role-mappings")
+    public RoleMappingResource roles();
+
+    /**
+     * Get users
+     * <p/>
+     * Returns a list of users, filtered according to query parameters
+     *
+     * @param firstResult Pagination offset
+     * @param maxResults  Pagination size
+     * @return
+     */
+    @GET
+    @NoCache
+    @Path("/members")
+    @Produces(MediaType.APPLICATION_JSON)
+    public List<UserRepresentation> members(@QueryParam("first") Integer firstResult,
+                                            @QueryParam("max") Integer maxResults);
+}

diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/GroupsResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/GroupsResource.java
new file mode 100755
index 0000000..f917d49
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/GroupsResource.java
@@ -0,0 +1,39 @@
+package org.keycloak.admin.client.resource;
+
+import org.jboss.resteasy.annotations.cache.NoCache;
+import org.keycloak.representations.idm.GroupRepresentation;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import java.util.List;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public interface GroupsResource {
+    @GET
+    @NoCache
+    @Produces(MediaType.APPLICATION_JSON)
+    public List<GroupRepresentation> groups();
+
+    /**
+     * create or add a top level realm groupSet or create child.  This will update the group and set the parent if it exists.  Create it and set the parent
+     * if the group doesn't exist.
+     *
+     * @param rep
+     */
+    @POST
+    @Consumes(MediaType.APPLICATION_JSON)
+    public Response add(GroupRepresentation rep);
+
+    @Path("{id}")
+    public GroupResource group(@PathParam("id") String id);
+
+}

diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RealmResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RealmResource.java
old mode 100644
new mode 100755
index 87513ec..6dee1cb
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RealmResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RealmResource.java
@@ -1,6 +1,8 @@
 package org.keycloak.admin.client.resource;
 
+import org.jboss.resteasy.annotations.cache.NoCache;
 import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.GroupRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 
 import javax.ws.rs.*;
@@ -36,6 +38,28 @@ public interface RealmResource {
     @Path("roles")
     RolesResource roles();
 
+    @Path("groups")
+    GroupsResource groups();
+
+    @GET
+    @Path("group-by-path/{path: .*}")
+    @NoCache
+    @Produces(MediaType.APPLICATION_JSON)
+    public GroupRepresentation getGroupByPath(@PathParam("path") String path);
+
+    @GET
+    @Produces(MediaType.APPLICATION_JSON)
+    @Path("default-groups")
+    public List<GroupRepresentation> getDefaultGroups();
+
+    @PUT
+    @Path("default-groups/{groupId}")
+    public void addDefaultGroup(@PathParam("groupId") String groupId);
+
+    @DELETE
+    @Path("default-groups/{groupId}")
+    public void removeDefaultGroup(@PathParam("groupId") String groupId);
+
     @Path("identity-provider")
     IdentityProvidersResource identityProviders();
 
@@ -45,5 +69,8 @@ public interface RealmResource {
     @Path("client-session-stats")
     @GET
     List<Map<String, String>> getClientSessionStats();
-    
+
+    @Path("clients-initial-access")
+    ClientInitialAccessResource clientInitialAccess();
+
 }

diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserResource.java
index a2490b6..cc70e24 100755
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserResource.java
@@ -2,6 +2,7 @@ package org.keycloak.admin.client.resource;
 
 import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.representations.idm.FederatedIdentityRepresentation;
+import org.keycloak.representations.idm.GroupRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.representations.idm.UserSessionRepresentation;
 
@@ -34,6 +35,21 @@ public interface UserResource {
     @DELETE
     public void remove();
 
+    @Path("groups")
+    @GET
+    List<GroupRepresentation> groups();
+
+    @Path("groups/{groupId}")
+    @PUT
+    void joinGroup(@PathParam("groupId") String groupId);
+
+    @Path("groups/{groupId}")
+    @DELETE
+    void leaveGroup(@PathParam("groupId") String groupId);
+
+
+
+
     @POST
     @Path("logout")
     public void logout();

diff --git a/integration/as7-eap6/pom.xml b/integration/as7-eap6/pom.xml
index e1bca6a..52a1053 100755
--- a/integration/as7-eap6/pom.xml
+++ b/integration/as7-eap6/pom.xml
@@ -17,6 +17,5 @@
         <module>as7-adapter-spi</module>
         <module>as7-adapter</module>
         <module>as7-subsystem</module>
-        <module>as7-server-subsystem</module>
     </modules>
 </project>
\ No newline at end of file

diff --git a/integration/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java b/integration/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java
index c468f8d..652860b 100644
--- a/integration/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java
+++ b/integration/installed/src/main/java/org/keycloak/adapters/installed/KeycloakInstalled.java
@@ -8,6 +8,7 @@ import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.KeycloakDeploymentBuilder;
 import org.keycloak.adapters.ServerRequest;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.representations.IDToken;
@@ -195,10 +196,10 @@ public class KeycloakInstalled {
 
         token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealmInfoUrl());
         if (idTokenString != null) {
-            JWSInput input = new JWSInput(idTokenString);
             try {
+                JWSInput input = new JWSInput(idTokenString);
                 idToken = input.readJsonContent(IDToken.class);
-            } catch (IOException e) {
+            } catch (JWSInputException e) {
                 throw new VerificationException();
             }
         }

diff --git a/integration/jaxrs-oauth-client/src/main/java/org/keycloak/jaxrs/JaxrsHttpFacade.java b/integration/jaxrs-oauth-client/src/main/java/org/keycloak/jaxrs/JaxrsHttpFacade.java
index cce85d5..4af3b90 100755
--- a/integration/jaxrs-oauth-client/src/main/java/org/keycloak/jaxrs/JaxrsHttpFacade.java
+++ b/integration/jaxrs-oauth-client/src/main/java/org/keycloak/jaxrs/JaxrsHttpFacade.java
@@ -12,6 +12,8 @@ import javax.ws.rs.core.SecurityContext;
 
 import org.keycloak.KeycloakSecurityContext;
 import org.keycloak.adapters.OIDCHttpFacade;
+import org.keycloak.adapters.spi.AuthenticationError;
+import org.keycloak.adapters.spi.LogoutError;
 import org.keycloak.common.util.HostUtils;
 
 /**
@@ -93,6 +95,17 @@ public class JaxrsHttpFacade implements OIDCHttpFacade {
             // TODO: implement properly
             return HostUtils.getIpAddress();
         }
+
+        @Override
+        public void setError(AuthenticationError error) {
+            requestContext.setProperty(AuthenticationError.class.getName(), error);
+        }
+
+        @Override
+        public void setError(LogoutError error) {
+            requestContext.setProperty(LogoutError.class.getName(), error);
+
+        }
     }
 
     protected class ResponseFacade implements OIDCHttpFacade.Response {
@@ -133,6 +146,13 @@ public class JaxrsHttpFacade implements OIDCHttpFacade {
         }
 
         @Override
+        public void sendError(int code) {
+            javax.ws.rs.core.Response response = responseBuilder.status(code).build();
+            requestContext.abortWith(response);
+            responseFinished = true;
+        }
+
+        @Override
         public void sendError(int code, String message) {
             javax.ws.rs.core.Response response = responseBuilder.status(code).entity(message).build();
             requestContext.abortWith(response);

diff --git a/integration/jetty/jetty-adapter-spi/src/main/java/org/keycloak/adapters/jetty/spi/JettyHttpFacade.java b/integration/jetty/jetty-adapter-spi/src/main/java/org/keycloak/adapters/jetty/spi/JettyHttpFacade.java
index ea2b3af..42ff201 100755
--- a/integration/jetty/jetty-adapter-spi/src/main/java/org/keycloak/adapters/jetty/spi/JettyHttpFacade.java
+++ b/integration/jetty/jetty-adapter-spi/src/main/java/org/keycloak/adapters/jetty/spi/JettyHttpFacade.java
@@ -1,6 +1,8 @@
 package org.keycloak.adapters.jetty.spi;
 
+import org.keycloak.adapters.spi.AuthenticationError;
 import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.adapters.spi.LogoutError;
 import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.common.util.UriUtils;
 
@@ -125,6 +127,18 @@ public class JettyHttpFacade implements HttpFacade {
         public String getRemoteAddr() {
             return request.getRemoteAddr();
         }
+
+        @Override
+        public void setError(AuthenticationError error) {
+            request.setAttribute(AuthenticationError.class.getName(), error);
+
+        }
+
+        @Override
+        public void setError(LogoutError error) {
+            request.setAttribute(LogoutError.class.getName(), error);
+        }
+
     }
 
     protected class ResponseFacade implements Response {
@@ -171,6 +185,15 @@ public class JettyHttpFacade implements HttpFacade {
         }
 
         @Override
+        public void sendError(int code) {
+            try {
+                response.sendError(code);
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        @Override
         public void sendError(int code, String message) {
             try {
                 response.sendError(code, message);

diff --git a/integration/jetty/jetty-core/src/main/java/org/keycloak/adapters/jetty/core/AbstractKeycloakJettyAuthenticator.java b/integration/jetty/jetty-core/src/main/java/org/keycloak/adapters/jetty/core/AbstractKeycloakJettyAuthenticator.java
index d3790af..dad7570 100755
--- a/integration/jetty/jetty-core/src/main/java/org/keycloak/adapters/jetty/core/AbstractKeycloakJettyAuthenticator.java
+++ b/integration/jetty/jetty-core/src/main/java/org/keycloak/adapters/jetty/core/AbstractKeycloakJettyAuthenticator.java
@@ -265,15 +265,6 @@ public abstract class AbstractKeycloakJettyAuthenticator extends LoginAuthentica
         AuthChallenge challenge = authenticator.getChallenge();
         if (challenge != null) {
             challenge.challenge(facade);
-            if (challenge.errorPage() && errorPage != null) {
-                Response response = (Response)res;
-                try {
-                   response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(), errorPage)));
-                } catch (IOException e) {
-                    throw new RuntimeException(e);
-                }
-
-            }
         }
         return Authentication.SEND_CONTINUE;
     }

diff --git a/integration/js/src/main/resources/keycloak.js b/integration/js/src/main/resources/keycloak.js
index 09e0d86..a74e1cc 100755
--- a/integration/js/src/main/resources/keycloak.js
+++ b/integration/js/src/main/resources/keycloak.js
@@ -36,6 +36,39 @@
                 if (initOptions.onLoad === 'login-required') {
                     kc.loginRequired = true;
                 }
+
+                if (initOptions.responseMode) {
+                    if (initOptions.responseMode === 'query' || initOptions.responseMode === 'fragment') {
+                        kc.responseMode = initOptions.responseMode;
+                    } else {
+                        throw 'Invalid value for responseMode';
+                    }
+                }
+
+                if (initOptions.flow) {
+                    switch (initOptions.flow) {
+                        case 'standard':
+                            kc.responseType = 'code';
+                            break;
+                        case 'implicit':
+                            kc.responseType = 'id_token token';
+                            break;
+                        case 'hybrid':
+                            kc.responseType = 'code id_token token';
+                            break;
+                        default:
+                            throw 'Invalid value for flow';
+                    }
+                    kc.flow = initOptions.flow;
+                }
+            }
+
+            if (!kc.responseMode) {
+                kc.responseMode = 'fragment';
+            }
+            if (!kc.responseType) {
+                kc.responseType = 'code';
+                kc.flow = 'standard';
             }
 
             var promise = createPromise();
@@ -95,7 +128,7 @@
                     return;
                 } else if (initOptions) {
                     if (initOptions.token || initOptions.refreshToken) {
-                        setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken);
+                        setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken, false);
 
                         if (loginIframe.enable) {
                             setupCheckLoginIframe().success(function() {
@@ -132,13 +165,14 @@
 
         kc.createLoginUrl = function(options) {
             var state = createUUID();
+            var nonce = createUUID();
 
             var redirectUri = adapter.redirectUri(options);
             if (options && options.prompt) {
                 redirectUri += (redirectUri.indexOf('?') == -1 ? '?' : '&') + 'prompt=' + options.prompt;
             }
 
-            sessionStorage.oauthState = JSON.stringify({ state: state, redirectUri: encodeURIComponent(redirectUri) });
+            sessionStorage.oauthState = JSON.stringify({ state: state, nonce: nonce, redirectUri: encodeURIComponent(redirectUri) });
 
             var action = 'auth';
             if (options && options.action == 'register') {
@@ -150,7 +184,9 @@
                 + '?client_id=' + encodeURIComponent(kc.clientId)
                 + '&redirect_uri=' + encodeURIComponent(redirectUri)
                 + '&state=' + encodeURIComponent(state)
-                + '&response_type=code';
+                + '&nonce=' + encodeURIComponent(nonce)
+                + '&response_mode=' + encodeURIComponent(kc.responseMode)
+                + '&response_type=' + encodeURIComponent(kc.responseType);
 
             if (options && options.prompt) {
                 url += '&prompt=' + encodeURIComponent(options.prompt);
@@ -277,7 +313,7 @@
         }
 
         kc.isTokenExpired = function(minValidity) {
-            if (!kc.tokenParsed || !kc.refreshToken) {
+            if (!kc.tokenParsed || (!kc.refreshToken && kc.flow != 'implicit' )) {
                 throw 'Not authenticated';
             }
 
@@ -327,7 +363,7 @@
                                     timeLocal = (timeLocal + new Date().getTime()) / 2;
 
                                     var tokenResponse = JSON.parse(req.responseText);
-                                    setToken(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token']);
+                                    setToken(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token'], true);
 
                                     kc.timeSkew = Math.floor(timeLocal / 1000) - kc.tokenParsed.iat;
 
@@ -365,7 +401,7 @@
 
         kc.clearToken = function() {
             if (kc.token) {
-                setToken(null, null, null);
+                setToken(null, null, null, true);
                 kc.onAuthLogout && kc.onAuthLogout();
                 if (kc.loginRequired) {
                     kc.login();
@@ -394,7 +430,21 @@
             var error = oauth.error;
             var prompt = oauth.prompt;
 
-            if (code) {
+            var timeLocal = new Date().getTime();
+
+            if (error) {
+                if (prompt != 'none') {
+                    kc.onAuthError && kc.onAuthError();
+                    promise && promise.setError();
+                } else {
+                    promise && promise.setSuccess();
+                }
+                return;
+            } else if ((kc.flow != 'standard') && (oauth.access_token || oauth.id_token)) {
+                authSuccess(oauth.access_token, null, oauth.id_token, true);
+            }
+
+            if ((kc.flow != 'implicit') && code) {
                 var params = 'code=' + code + '&grant_type=authorization_code';
                 var url = getRealmUrl() + '/protocol/openid-connect/token';
 
@@ -412,20 +462,12 @@
 
                 req.withCredentials = true;
 
-                var timeLocal = new Date().getTime();
-
                 req.onreadystatechange = function() {
                     if (req.readyState == 4) {
                         if (req.status == 200) {
-                            timeLocal = (timeLocal + new Date().getTime()) / 2;
 
                             var tokenResponse = JSON.parse(req.responseText);
-                            setToken(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token']);
-
-                            kc.timeSkew = Math.floor(timeLocal / 1000) - kc.tokenParsed.iat;
-
-                            kc.onAuthSuccess && kc.onAuthSuccess();
-                            promise && promise.setSuccess();
+                            authSuccess(tokenResponse['access_token'], tokenResponse['refresh_token'], tokenResponse['id_token'], kc.flow === 'standard');
                         } else {
                             kc.onAuthError && kc.onAuthError();
                             promise && promise.setError();
@@ -434,14 +476,30 @@
                 };
 
                 req.send(params);
-            } else if (error) {
-                if (prompt != 'none') {
-                    kc.onAuthError && kc.onAuthError();
+            }
+
+            function authSuccess(accessToken, refreshToken, idToken, fulfillPromise) {
+                timeLocal = (timeLocal + new Date().getTime()) / 2;
+
+                setToken(accessToken, refreshToken, idToken, true);
+
+                if ((kc.tokenParsed && kc.tokenParsed.nonce != oauth.storedNonce) ||
+                    (kc.refreshTokenParsed && kc.refreshTokenParsed.nonce != oauth.storedNonce) ||
+                    (kc.idTokenParsed && kc.idTokenParsed.nonce != oauth.storedNonce)) {
+
+                    console.log('invalid nonce!');
+                    kc.clearToken();
                     promise && promise.setError();
                 } else {
-                    promise && promise.setSuccess();
+                    kc.timeSkew = Math.floor(timeLocal / 1000) - kc.tokenParsed.iat;
+
+                    if (fulfillPromise) {
+                        kc.onAuthSuccess && kc.onAuthSuccess();
+                        promise && promise.setSuccess();
+                    }
                 }
             }
+
         }
 
         function loadConfig(url) {
@@ -507,7 +565,12 @@
             return promise.promise;
         }
 
-        function setToken(token, refreshToken, idToken) {
+        function setToken(token, refreshToken, idToken, useTokenTime) {
+            if (kc.tokenTimeoutHandle) {
+                clearTimeout(kc.tokenTimeoutHandle);
+                kc.tokenTimeoutHandle = null;
+            }
+
             if (token) {
                 kc.token = token;
                 kc.tokenParsed = decodeToken(token);
@@ -520,6 +583,13 @@
                 kc.subject = kc.tokenParsed.sub;
                 kc.realmAccess = kc.tokenParsed.realm_access;
                 kc.resourceAccess = kc.tokenParsed.resource_access;
+
+                if (kc.onTokenExpired) {
+                    var start = useTokenTime ? kc.tokenParsed.iat : (new Date().getTime() / 1000);
+                    var expiresIn = kc.tokenParsed.exp - start;
+                    kc.tokenTimeoutHandle = setTimeout(kc.onTokenExpired, expiresIn * 1000);
+                }
+
             } else {
                 delete kc.token;
                 delete kc.tokenParsed;
@@ -597,53 +667,21 @@
         }
 
         function parseCallback(url) {
-            if (url.indexOf('?') != -1) {
-                var oauth = {};
+            var oauth = new CallbackParser(url, kc.responseMode).parseUri();
 
-                oauth.newUrl = url.split('?')[0];
-                var paramString = url.split('?')[1];
-                var fragIndex = paramString.indexOf('#');
-                if (fragIndex != -1) {
-                    paramString = paramString.substring(0, fragIndex);
-                }
-                var params = paramString.split('&');
-                for (var i = 0; i < params.length; i++) {
-                    var p = params[i].split('=');
-                    switch (decodeURIComponent(p[0])) {
-                        case 'code':
-                            oauth.code = p[1];
-                            break;
-                        case 'error':
-                            oauth.error = p[1];
-                            break;
-                        case 'state':
-                            oauth.state = decodeURIComponent(p[1]);
-                            break;
-                        case 'redirect_fragment':
-                            oauth.fragment = decodeURIComponent(p[1]);
-                            break;
-                        case 'prompt':
-                            oauth.prompt = p[1];
-                            break;
-                        default:
-                            oauth.newUrl += (oauth.newUrl.indexOf('?') == -1 ? '?' : '&') + p[0] + '=' + p[1];
-                            break;
-                    }
-                }
-
-                var sessionState = sessionStorage.oauthState && JSON.parse(sessionStorage.oauthState);
+            var sessionState = sessionStorage.oauthState && JSON.parse(sessionStorage.oauthState);
 
-                if (sessionState && (oauth.code || oauth.error) && oauth.state && oauth.state == sessionState.state) {
-                    delete sessionStorage.oauthState;
+            if (sessionState && (oauth.code || oauth.error || oauth.access_token || oauth.id_token) && oauth.state && oauth.state == sessionState.state) {
+                delete sessionStorage.oauthState;
 
-                    oauth.redirectUri = sessionState.redirectUri;
+                oauth.redirectUri = sessionState.redirectUri;
+                oauth.storedNonce = sessionState.nonce;
 
-                    if (oauth.fragment) {
-                        oauth.newUrl += '#' + oauth.fragment;
-                    }
-
-                    return oauth;
+                if (oauth.fragment) {
+                    oauth.newUrl += '#' + oauth.fragment;
                 }
+
+                return oauth;
             }
         }
 
@@ -907,6 +945,103 @@
 
             throw 'invalid adapter type: ' + type;
         }
+
+
+        var CallbackParser = function(uriToParse, responseMode) {
+            if (!(this instanceof CallbackParser)) {
+                return new CallbackParser(uriToParse, responseMode);
+            }
+            var parser = this;
+
+            var initialParse = function() {
+                var baseUri = null;
+                var queryString = null;
+                var fragmentString = null;
+
+                var questionMarkIndex = uriToParse.indexOf("?");
+                var fragmentIndex = uriToParse.indexOf("#", questionMarkIndex + 1);
+                if (questionMarkIndex == -1 && fragmentIndex == -1) {
+                    baseUri = uriToParse;
+                } else if (questionMarkIndex != -1) {
+                    baseUri = uriToParse.substring(0, questionMarkIndex);
+                    queryString = uriToParse.substring(questionMarkIndex + 1);
+                    if (fragmentIndex != -1) {
+                        fragmentIndex = queryString.indexOf("#");
+                        fragmentString = queryString.substring(fragmentIndex + 1);
+                        queryString = queryString.substring(0, fragmentIndex);
+                    }
+                } else {
+                    baseUri = uriToParse.substring(0, fragmentIndex);
+                    fragmentString = uriToParse.substring(fragmentIndex + 1);
+                }
+
+                return { baseUri: baseUri, queryString: queryString, fragmentString: fragmentString };
+            }
+
+            var parseParams = function(paramString) {
+                var result = {};
+                var params = paramString.split('&');
+                for (var i = 0; i < params.length; i++) {
+                    var p = params[i].split('=');
+                    var paramName = decodeURIComponent(p[0]);
+                    var paramValue = decodeURIComponent(p[1]);
+                    result[paramName] = paramValue;
+                }
+                return result;
+            }
+
+            var handleQueryParam = function(paramName, paramValue, oauth) {
+                var supportedOAuthParams = [ 'code', 'error', 'state' ];
+
+                for (var i = 0 ; i< supportedOAuthParams.length ; i++) {
+                    if (paramName === supportedOAuthParams[i]) {
+                        oauth[paramName] = paramValue;
+                        return true;
+                    }
+                }
+                return false;
+            }
+
+
+            parser.parseUri = function() {
+                var parsedUri = initialParse();
+
+                var queryParams = {};
+                if (parsedUri.queryString) {
+                    queryParams = parseParams(parsedUri.queryString);
+                }
+
+                var oauth = { newUrl: parsedUri.baseUri };
+                for (var param in queryParams) {
+                    switch (param) {
+                        case 'redirect_fragment':
+                            oauth.fragment = queryParams[param];
+                            break;
+                        case 'prompt':
+                            oauth.prompt = queryParams[param];
+                            break;
+                        default:
+                            if (responseMode != 'query' || !handleQueryParam(param, queryParams[param], oauth)) {
+                                oauth.newUrl += (oauth.newUrl.indexOf('?') == -1 ? '?' : '&') + param + '=' + queryParams[param];
+                            }
+                            break;
+                    }
+                }
+
+                if (responseMode === 'fragment') {
+                    var fragmentParams = {};
+                    if (parsedUri.fragmentString) {
+                        fragmentParams = parseParams(parsedUri.fragmentString);
+                    }
+                    for (var param in fragmentParams) {
+                        oauth[param] = fragmentParams[param];
+                    }
+                }
+
+                return oauth;
+            }
+        }
+
     }
 
     if ( typeof module === "object" && module && typeof module.exports === "object" ) {

diff --git a/integration/servlet-adapter-spi/src/main/java/org/keycloak/adapters/servlet/ServletHttpFacade.java b/integration/servlet-adapter-spi/src/main/java/org/keycloak/adapters/servlet/ServletHttpFacade.java
index 1550eaa..6d32bda 100755
--- a/integration/servlet-adapter-spi/src/main/java/org/keycloak/adapters/servlet/ServletHttpFacade.java
+++ b/integration/servlet-adapter-spi/src/main/java/org/keycloak/adapters/servlet/ServletHttpFacade.java
@@ -1,6 +1,8 @@
 package org.keycloak.adapters.servlet;
 
+import org.keycloak.adapters.spi.AuthenticationError;
 import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.adapters.spi.LogoutError;
 import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.common.util.ServerCookie;
 import org.keycloak.common.util.UriUtils;
@@ -111,6 +113,18 @@ public class ServletHttpFacade implements HttpFacade {
         public String getRemoteAddr() {
             return request.getRemoteAddr();
         }
+
+
+        @Override
+        public void setError(AuthenticationError error) {
+            request.setAttribute(AuthenticationError.class.getName(), error);
+
+        }
+
+        @Override
+        public void setError(LogoutError error) {
+            request.setAttribute(LogoutError.class.getName(), error);
+        }
     }
     public boolean isEnded() {
         return responseFacade.isEnded();
@@ -157,6 +171,15 @@ public class ServletHttpFacade implements HttpFacade {
         }
 
         @Override
+        public void sendError(int code) {
+            try {
+                response.sendError(code);
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        @Override
         public void sendError(int code, String message) {
             try {
                 response.sendError(code, message);

diff --git a/integration/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java b/integration/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
index 57bd93d..3cfc871 100755
--- a/integration/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
+++ b/integration/servlet-filter/src/main/java/org/keycloak/adapters/servlet/KeycloakOIDCFilter.java
@@ -142,11 +142,6 @@ public class KeycloakOIDCFilter implements Filter {
         if (challenge != null) {
             log.fine("challenge");
             challenge.challenge(facade);
-            if (challenge.errorPage()) {
-                response.sendError(challenge.getResponseCode());
-                return;
-            }
-            log.fine("sending challenge");
             return;
         }
         response.sendError(403);

diff --git a/integration/servlet-oauth-client/src/main/java/org/keycloak/servlet/ServletOAuthClient.java b/integration/servlet-oauth-client/src/main/java/org/keycloak/servlet/ServletOAuthClient.java
index c3f1dfd..be92dea 100755
--- a/integration/servlet-oauth-client/src/main/java/org/keycloak/servlet/ServletOAuthClient.java
+++ b/integration/servlet-oauth-client/src/main/java/org/keycloak/servlet/ServletOAuthClient.java
@@ -6,7 +6,10 @@ import org.keycloak.adapters.AdapterDeploymentContext;
 import org.keycloak.adapters.KeycloakDeployment;
 import org.keycloak.adapters.OIDCHttpFacade;
 import org.keycloak.adapters.ServerRequest;
+import org.keycloak.adapters.spi.AuthenticationError;
+import org.keycloak.adapters.spi.LogoutError;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.representations.IDToken;
 import org.keycloak.common.util.KeycloakUriBuilder;
@@ -151,10 +154,10 @@ public class ServletOAuthClient extends KeycloakDeploymentDelegateOAuthClient {
 
     public static IDToken extractIdToken(String idToken) {
         if (idToken == null) return null;
-        JWSInput input = new JWSInput(idToken);
         try {
+            JWSInput input = new JWSInput(idToken);
             return input.readJsonContent(IDToken.class);
-        } catch (IOException e) {
+        } catch (JWSInputException e) {
             throw new RuntimeException(e);
         }
     }
@@ -237,6 +240,18 @@ public class ServletOAuthClient extends KeycloakDeploymentDelegateOAuthClient {
                 public String getRemoteAddr() {
                     return servletRequest.getRemoteAddr();
                 }
+
+                @Override
+                public void setError(AuthenticationError error) {
+                    servletRequest.setAttribute(AuthenticationError.class.getName(), error);
+
+                }
+
+                @Override
+                public void setError(LogoutError error) {
+                    servletRequest.setAttribute(LogoutError.class.getName(), error);
+                }
+
             };
         }
 

diff --git a/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/HttpHeaderInspectingApiRequestMatcher.java b/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/HttpHeaderInspectingApiRequestMatcher.java
new file mode 100644
index 0000000..fd2b927
--- /dev/null
+++ b/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/HttpHeaderInspectingApiRequestMatcher.java
@@ -0,0 +1,38 @@
+package org.keycloak.adapters.springsecurity.authentication;
+
+import org.apache.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * {@link RequestMatcher} that determines if a given request is an API request or an
+ * interactive login request.
+ *
+ * @author <a href="mailto:srossillo@smartling.com">Scott Rossillo</a>
+ * @see RequestMatcher
+ */
+public class HttpHeaderInspectingApiRequestMatcher implements RequestMatcher {
+
+    protected static final String X_REQUESTED_WITH_HEADER = "X-Requested-With";
+    protected static final String X_REQUESTED_WITH_HEADER_AJAX_VALUE = "XMLHttpRequest";
+
+    /**
+     * Returns true if the given request is an API request or false if it's an interactive
+     * login request.
+     *
+     * @param request the <code>HttpServletRequest</code>
+     * @return <code>true</code> if the given <code>request</code> is an API request;
+     * <code>false</code> otherwise
+     */
+    @Override
+    public boolean matches(HttpServletRequest request) {
+        boolean ajax = X_REQUESTED_WITH_HEADER_AJAX_VALUE.equals(request.getHeader(X_REQUESTED_WITH_HEADER));
+        boolean html = request.getHeader(HttpHeaders.ACCEPT) != null && request.getHeader(HttpHeaders.ACCEPT).contains(
+                MediaType.TEXT_HTML_VALUE);
+
+        return ajax || !html;
+    }
+
+}

diff --git a/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPoint.java b/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPoint.java
index 3357806..f498fe6 100644
--- a/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPoint.java
+++ b/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPoint.java
@@ -1,9 +1,12 @@
 package org.keycloak.adapters.springsecurity.authentication;
 
+import org.apache.http.HttpHeaders;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
 import javax.servlet.ServletException;
@@ -12,10 +15,15 @@ import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 /**
- * Provides a Keycloak {@link AuthenticationEntryPoint authentication entry point}.
+ * Provides a Keycloak {@link AuthenticationEntryPoint authentication entry point}. Uses a
+ * {@link RequestMatcher} to determine if the request is an interactive login request or a
+ * API request, which should not be redirected to an interactive login page. By default,
+ * this entry point uses a {@link HttpHeaderInspectingApiRequestMatcher} but can be overridden using in the
+ * constructor.
  *
  * @author <a href="mailto:srossillo@smartling.com">Scott Rossillo</a>
- * @version $Revision: 1 $
+ *
+ * @see HttpHeaderInspectingApiRequestMatcher
  */
 public class KeycloakAuthenticationEntryPoint implements AuthenticationEntryPoint {
 
@@ -23,23 +31,62 @@ public class KeycloakAuthenticationEntryPoint implements AuthenticationEntryPoin
      * Default Keycloak authentication login URI
      */
     public static final String DEFAULT_LOGIN_URI = "/sso/login";
+    private static final String DEFAULT_REALM = "Unknown";
+    private static final RequestMatcher DEFAULT_API_REQUEST_MATCHER = new HttpHeaderInspectingApiRequestMatcher();
 
     private final static Logger log = LoggerFactory.getLogger(KeycloakAuthenticationEntryPoint.class);
 
+    private final RequestMatcher apiRequestMatcher;
     private String loginUri = DEFAULT_LOGIN_URI;
+    private String realm = DEFAULT_REALM;
+
+    /**
+     * Creates a new Keycloak authentication entry point.
+     */
+    public KeycloakAuthenticationEntryPoint() {
+        this(DEFAULT_API_REQUEST_MATCHER);
+    }
+
+    /**
+     * Creates a new Keycloak authentication entry point using the given request
+     * matcher to determine if the current request is an API request or a browser request.
+     *
+     * @param apiRequestMatcher the <code>RequestMatcher</code> to use to determine
+     * if the current request is an API request or a browser request (required)
+     */
+    public KeycloakAuthenticationEntryPoint(RequestMatcher apiRequestMatcher) {
+        Assert.notNull(apiRequestMatcher, "apiRequestMatcher required");
+        this.apiRequestMatcher = apiRequestMatcher;
+    }
 
     @Override
-    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
-            throws IOException, ServletException {
+    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException
+    {
+        if (apiRequestMatcher.matches(request)) {
+            commenceUnauthorizedResponse(request, response);
+        } else {
+            commenceLoginRedirect(request, response);
+        }
+    }
 
+    protected void commenceLoginRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
         String contextAwareLoginUri = request.getContextPath() + loginUri;
-
         log.debug("Redirecting to login URI {}", contextAwareLoginUri);
         response.sendRedirect(contextAwareLoginUri);
     }
 
+    protected void commenceUnauthorizedResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
+        response.addHeader(HttpHeaders.WWW_AUTHENTICATE, String.format("Bearer realm=\"%s\"", realm));
+        response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
+    }
+
     public void setLoginUri(String loginUri) {
         Assert.notNull(loginUri, "loginUri cannot be null");
         this.loginUri = loginUri;
     }
+
+    public void setRealm(String realm) {
+        Assert.notNull(realm, "realm cannot be null");
+        this.realm = realm;
+    }
 }

diff --git a/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/WrappedHttpServletRequest.java b/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/WrappedHttpServletRequest.java
index 79074da..ba9fa1a 100755
--- a/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/WrappedHttpServletRequest.java
+++ b/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/WrappedHttpServletRequest.java
@@ -1,7 +1,9 @@
 package org.keycloak.adapters.springsecurity.facade;
 
+import org.keycloak.adapters.spi.AuthenticationError;
 import org.keycloak.adapters.spi.HttpFacade.Cookie;
 import org.keycloak.adapters.spi.HttpFacade.Request;
+import org.keycloak.adapters.spi.LogoutError;
 import org.springframework.util.Assert;
 
 import javax.servlet.http.HttpServletRequest;
@@ -109,4 +111,17 @@ class WrappedHttpServletRequest implements Request {
     public String getRemoteAddr() {
         return request.getRemoteAddr();
     }
+
+    @Override
+    public void setError(AuthenticationError error) {
+        request.setAttribute(AuthenticationError.class.getName(), error);
+
+    }
+
+    @Override
+    public void setError(LogoutError error) {
+        request.setAttribute(LogoutError.class.getName(), error);
+    }
+
+
 }

diff --git a/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/WrappedHttpServletResponse.java b/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/WrappedHttpServletResponse.java
index c6b352f..c356ebd 100644
--- a/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/WrappedHttpServletResponse.java
+++ b/integration/spring-security/src/main/java/org/keycloak/adapters/springsecurity/facade/WrappedHttpServletResponse.java
@@ -96,6 +96,15 @@ class WrappedHttpServletResponse implements Response {
     }
 
     @Override
+    public void sendError(int code) {
+        try {
+            response.sendError(code);
+        } catch (IOException e) {
+            throw new RuntimeException("Unable to set HTTP status", e);
+        }
+    }
+
+    @Override
     public void sendError(int code, String message) {
         try {
             response.sendError(code, message);

diff --git a/integration/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/HttpHeaderInspectingApiRequestMatcherTest.java b/integration/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/HttpHeaderInspectingApiRequestMatcherTest.java
new file mode 100644
index 0000000..faa800d
--- /dev/null
+++ b/integration/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/HttpHeaderInspectingApiRequestMatcherTest.java
@@ -0,0 +1,43 @@
+package org.keycloak.adapters.springsecurity.authentication;
+
+import org.apache.http.HttpHeaders;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import static org.junit.Assert.*;
+
+/**
+ * HTTP header inspecting API request matcher tests.
+ */
+public class HttpHeaderInspectingApiRequestMatcherTest {
+
+    private RequestMatcher apiRequestMatcher = new HttpHeaderInspectingApiRequestMatcher();
+    private MockHttpServletRequest request;
+
+    @Before
+    public void setUp() throws Exception {
+        request = new MockHttpServletRequest();
+    }
+
+    @Test
+    public void testMatches() throws Exception {
+        assertTrue(apiRequestMatcher.matches(request));
+    }
+
+    @Test
+    public void testMatchesBrowserRequest() throws Exception {
+        request.addHeader(HttpHeaders.ACCEPT, "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        assertFalse(apiRequestMatcher.matches(request));
+    }
+
+    @Test
+    public void testMatchesRequestedWith() throws Exception {
+        request.addHeader(
+                HttpHeaderInspectingApiRequestMatcher.X_REQUESTED_WITH_HEADER,
+                HttpHeaderInspectingApiRequestMatcher.X_REQUESTED_WITH_HEADER_AJAX_VALUE);
+        assertTrue(apiRequestMatcher.matches(request));
+    }
+
+}

diff --git a/integration/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPointTest.java b/integration/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPointTest.java
index b7204c3..f026015 100644
--- a/integration/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPointTest.java
+++ b/integration/spring-security/src/test/java/org/keycloak/adapters/springsecurity/authentication/KeycloakAuthenticationEntryPointTest.java
@@ -1,5 +1,6 @@
 package org.keycloak.adapters.springsecurity.authentication;
 
+import org.apache.http.HttpHeaders;
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.http.HttpStatus;
@@ -25,14 +26,16 @@ public class KeycloakAuthenticationEntryPointTest {
     }
 
     @Test
-    public void testCommence() throws Exception {
+    public void testCommenceWithRedirect() throws Exception {
+        configureBrowserRequest();
         authenticationEntryPoint.commence(request, response, null);
         assertEquals(HttpStatus.FOUND.value(), response.getStatus());
         assertEquals(KeycloakAuthenticationEntryPoint.DEFAULT_LOGIN_URI, response.getHeader("Location"));
     }
 
     @Test
-    public void testCommenceNotRootContext() throws Exception {
+    public void testCommenceWithRedirectNotRootContext() throws Exception {
+        configureBrowserRequest();
         String contextPath = "/foo";
         request.setContextPath(contextPath);
         authenticationEntryPoint.commence(request, response, null);
@@ -41,11 +44,24 @@ public class KeycloakAuthenticationEntryPointTest {
     }
 
     @Test
+    public void testCommenceWithUnauthorizedWithAccept() throws Exception {
+        request.addHeader(HttpHeaders.ACCEPT, "application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        authenticationEntryPoint.commence(request, response, null);
+        assertEquals(HttpStatus.UNAUTHORIZED.value(), response.getStatus());
+        assertNotNull(response.getHeader(HttpHeaders.WWW_AUTHENTICATE));
+    }
+
+    @Test
     public void testSetLoginUri() throws Exception {
+        configureBrowserRequest();
         final String logoutUri = "/foo";
         authenticationEntryPoint.setLoginUri(logoutUri);
         authenticationEntryPoint.commence(request, response, null);
         assertEquals(HttpStatus.FOUND.value(), response.getStatus());
         assertEquals(logoutUri, response.getHeader("Location"));
     }
+
+    private void configureBrowserRequest() {
+        request.addHeader(HttpHeaders.ACCEPT, "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+    }
 }

diff --git a/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/CatalinaHttpFacade.java b/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/CatalinaHttpFacade.java
index cdac621..3638759 100755
--- a/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/CatalinaHttpFacade.java
+++ b/integration/tomcat/tomcat-adapter-spi/src/main/java/org/keycloak/adapters/tomcat/CatalinaHttpFacade.java
@@ -1,6 +1,8 @@
 package org.keycloak.adapters.tomcat;
 
+import org.keycloak.adapters.spi.AuthenticationError;
 import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.adapters.spi.LogoutError;
 import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.common.util.ServerCookie;
 import org.keycloak.common.util.UriUtils;
@@ -125,6 +127,18 @@ public class CatalinaHttpFacade implements HttpFacade {
         public String getRemoteAddr() {
             return request.getRemoteAddr();
         }
+
+        @Override
+        public void setError(AuthenticationError error) {
+            request.setAttribute(AuthenticationError.class.getName(), error);
+
+        }
+
+        @Override
+        public void setError(LogoutError error) {
+            request.setAttribute(LogoutError.class.getName(), error);
+        }
+
     }
 
     protected class ResponseFacade implements Response {
@@ -168,6 +182,15 @@ public class CatalinaHttpFacade implements HttpFacade {
         }
 
         @Override
+        public void sendError(int code) {
+            try {
+                response.sendError(code);
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        @Override
         public void sendError(int code, String message) {
             try {
                 response.sendError(code, message);
@@ -176,6 +199,7 @@ public class CatalinaHttpFacade implements HttpFacade {
             }
         }
 
+
         @Override
         public void end() {
             ended = true;

diff --git a/integration/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/tomcat/AbstractKeycloakAuthenticatorValve.java b/integration/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/tomcat/AbstractKeycloakAuthenticatorValve.java
index 89bee43..20c87bd 100755
--- a/integration/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/tomcat/AbstractKeycloakAuthenticatorValve.java
+++ b/integration/tomcat/tomcat-core/src/main/java/org/keycloak/adapters/tomcat/AbstractKeycloakAuthenticatorValve.java
@@ -195,12 +195,6 @@ public abstract class AbstractKeycloakAuthenticatorValve extends FormAuthenticat
         }
         AuthChallenge challenge = authenticator.getChallenge();
         if (challenge != null) {
-            if (loginConfig == null) {
-                loginConfig = request.getContext().getLoginConfig();
-            }
-            if (challenge.errorPage()) {
-                if (forwardToErrorPageInternal(request, response, loginConfig))return false;
-            }
             challenge.challenge(facade);
         }
         return false;

diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/AbstractUndertowKeycloakAuthMech.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/AbstractUndertowKeycloakAuthMech.java
index aded0ef..36e8aa4 100755
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/AbstractUndertowKeycloakAuthMech.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/AbstractUndertowKeycloakAuthMech.java
@@ -56,11 +56,7 @@ public abstract class AbstractUndertowKeycloakAuthMech implements Authentication
     public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
         AuthChallenge challenge = exchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
         if (challenge != null) {
-            if (challenge.errorPage() && errorPage != null) {
-                Integer code = servePage(exchange, errorPage);
-                return new ChallengeResult(true, code);
-            }
-            UndertowHttpFacade facade = new UndertowHttpFacade(exchange);
+            UndertowHttpFacade facade = createFacade(exchange);
             if (challenge.challenge(facade)) {
                 return new ChallengeResult(true, exchange.getResponseCode());
             }
@@ -68,6 +64,10 @@ public abstract class AbstractUndertowKeycloakAuthMech implements Authentication
         return new ChallengeResult(false);
     }
 
+    public UndertowHttpFacade createFacade(HttpServerExchange exchange) {
+        return new OIDCUndertowHttpFacade(exchange);
+    }
+
     protected Integer servePage(final HttpServerExchange exchange, final String location) {
         sendRedirect(exchange, location);
         return StatusCodes.TEMPORARY_REDIRECT;
@@ -89,7 +89,7 @@ public abstract class AbstractUndertowKeycloakAuthMech implements Authentication
                 if (notification.getEventType() != SecurityNotification.EventType.LOGGED_OUT) return;
 
                 HttpServerExchange exchange = notification.getExchange();
-                UndertowHttpFacade facade = new OIDCUndertowHttpFacade(exchange);
+                UndertowHttpFacade facade = createFacade(exchange);
                 KeycloakDeployment deployment = deploymentContext.resolveDeployment(facade);
                 KeycloakSecurityContext ksc = exchange.getAttachment(OIDCUndertowHttpFacade.KEYCLOAK_SECURITY_CONTEXT_KEY);
                 if (ksc != null && ksc instanceof RefreshableKeycloakSecurityContext) {

diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/OIDCServletUndertowHttpFacade.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/OIDCServletUndertowHttpFacade.java
new file mode 100755
index 0000000..ddf0f41
--- /dev/null
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/OIDCServletUndertowHttpFacade.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.adapters.undertow;
+
+import io.undertow.server.HttpServerExchange;
+import io.undertow.util.AttachmentKey;
+import org.keycloak.KeycloakSecurityContext;
+import org.keycloak.adapters.OIDCHttpFacade;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class OIDCServletUndertowHttpFacade extends ServletHttpFacade implements OIDCHttpFacade {
+    public static final AttachmentKey<KeycloakSecurityContext> KEYCLOAK_SECURITY_CONTEXT_KEY = AttachmentKey.create(KeycloakSecurityContext.class);
+
+    public OIDCServletUndertowHttpFacade(HttpServerExchange exchange) {
+        super(exchange);
+    }
+
+    @Override
+    public KeycloakSecurityContext getSecurityContext() {
+        return exchange.getAttachment(KEYCLOAK_SECURITY_CONTEXT_KEY);
+    }
+
+}

diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java
index b5984a4..b546e76 100755
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletKeycloakAuthMech.java
@@ -79,7 +79,7 @@ public class ServletKeycloakAuthMech extends AbstractUndertowKeycloakAuthMech {
 
     @Override
     public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
-        UndertowHttpFacade facade = new OIDCUndertowHttpFacade(exchange);
+        UndertowHttpFacade facade = createFacade(exchange);
         KeycloakDeployment deployment = deploymentContext.resolveDeployment(facade);
         if (!deployment.isConfigured()) {
             return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
@@ -119,4 +119,8 @@ public class ServletKeycloakAuthMech extends AbstractUndertowKeycloakAuthMech {
         }
     }
 
+    @Override
+    public UndertowHttpFacade createFacade(HttpServerExchange exchange) {
+        return new OIDCServletUndertowHttpFacade(exchange);
+    }
 }

diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletPreAuthActionsHandler.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletPreAuthActionsHandler.java
index 362cdb0..05672db 100755
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletPreAuthActionsHandler.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/ServletPreAuthActionsHandler.java
@@ -61,11 +61,13 @@ public class ServletPreAuthActionsHandler implements HttpHandler {
 
     @Override
     public void handleRequest(HttpServerExchange exchange) throws Exception {
-        UndertowHttpFacade facade = new OIDCUndertowHttpFacade(exchange);
+        UndertowHttpFacade facade = new OIDCServletUndertowHttpFacade(exchange);
         final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
         SessionManagementBridge bridge = new SessionManagementBridge(userSessionManagement, servletRequestContext.getDeployment().getSessionManager());
         PreAuthActionsHandler handler = new PreAuthActionsHandler(bridge, deploymentContext, facade);
         if (handler.handleRequest()) return;
         next.handleRequest(exchange);
     }
+
+
 }

diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowAuthenticationMechanism.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowAuthenticationMechanism.java
index 85b7581..88ba705 100755
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowAuthenticationMechanism.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowAuthenticationMechanism.java
@@ -25,7 +25,7 @@ public class UndertowAuthenticationMechanism extends AbstractUndertowKeycloakAut
 
     @Override
     public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
-        UndertowHttpFacade facade = new OIDCUndertowHttpFacade(exchange);
+        UndertowHttpFacade facade = createFacade(exchange);
         KeycloakDeployment deployment = deploymentContext.resolveDeployment(facade);
         if (!deployment.isConfigured()) {
             return AuthenticationMechanismOutcome.NOT_ATTEMPTED;

diff --git a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowPreAuthActionsHandler.java b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowPreAuthActionsHandler.java
index 77194e1..8ad97ef 100755
--- a/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowPreAuthActionsHandler.java
+++ b/integration/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowPreAuthActionsHandler.java
@@ -47,10 +47,14 @@ public class UndertowPreAuthActionsHandler implements HttpHandler {
 
     @Override
     public void handleRequest(HttpServerExchange exchange) throws Exception {
-        UndertowHttpFacade facade = new OIDCUndertowHttpFacade(exchange);
+        UndertowHttpFacade facade = createFacade(exchange);
         SessionManagementBridge bridge = new SessionManagementBridge(userSessionManagement, sessionManager);
         PreAuthActionsHandler handler = new PreAuthActionsHandler(bridge, deploymentContext, facade);
         if (handler.handleRequest()) return;
         next.handleRequest(exchange);
     }
+
+    public UndertowHttpFacade createFacade(HttpServerExchange exchange) {
+        return new OIDCUndertowHttpFacade(exchange);
+    }
 }

diff --git a/integration/undertow-adapter-spi/src/main/java/org/keycloak/adapters/undertow/ServletHttpFacade.java b/integration/undertow-adapter-spi/src/main/java/org/keycloak/adapters/undertow/ServletHttpFacade.java
index 0b10188..815b1ce 100755
--- a/integration/undertow-adapter-spi/src/main/java/org/keycloak/adapters/undertow/ServletHttpFacade.java
+++ b/integration/undertow-adapter-spi/src/main/java/org/keycloak/adapters/undertow/ServletHttpFacade.java
@@ -2,9 +2,13 @@ package org.keycloak.adapters.undertow;
 
 import io.undertow.server.HttpServerExchange;
 import io.undertow.servlet.handlers.ServletRequestContext;
+import org.keycloak.adapters.spi.AuthenticationError;
+import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.adapters.spi.LogoutError;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -18,6 +22,7 @@ public class ServletHttpFacade extends UndertowHttpFacade {
         super(exchange);
         final ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
         request = (HttpServletRequest)servletRequestContext.getServletRequest();
+        response = (HttpServletResponse)servletRequestContext.getServletResponse();
     }
 
     protected class RequestFacade extends UndertowHttpFacade.RequestFacade {
@@ -26,6 +31,47 @@ public class ServletHttpFacade extends UndertowHttpFacade {
             return request.getParameter(param);
         }
 
+        @Override
+        public void setError(AuthenticationError error) {
+            request.setAttribute(AuthenticationError.class.getName(), error);
+
+        }
+
+        @Override
+        public void setError(LogoutError error) {
+            request.setAttribute(LogoutError.class.getName(), error);
+        }
+
+
+    }
+
+    protected class ResponseFacade extends UndertowHttpFacade.ResponseFacade {
+        // can't call sendError from a challenge.  Undertow ends up calling send error.
+        /*
+        @Override
+        public void sendError(int code) {
+            try {
+                response.sendError(code);
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        @Override
+        public void sendError(int code, String message) {
+            try {
+                response.sendError(code, message);
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+        }
+        */
+
+    }
+
+    @Override
+    public Response getResponse() {
+        return new ResponseFacade();
     }
 
     @Override

diff --git a/integration/undertow-adapter-spi/src/main/java/org/keycloak/adapters/undertow/UndertowHttpFacade.java b/integration/undertow-adapter-spi/src/main/java/org/keycloak/adapters/undertow/UndertowHttpFacade.java
index 3d37877..d38fe55 100755
--- a/integration/undertow-adapter-spi/src/main/java/org/keycloak/adapters/undertow/UndertowHttpFacade.java
+++ b/integration/undertow-adapter-spi/src/main/java/org/keycloak/adapters/undertow/UndertowHttpFacade.java
@@ -2,9 +2,12 @@ package org.keycloak.adapters.undertow;
 
 import io.undertow.server.HttpServerExchange;
 import io.undertow.server.handlers.CookieImpl;
+import io.undertow.util.AttachmentKey;
 import io.undertow.util.Headers;
 import io.undertow.util.HttpString;
+import org.keycloak.adapters.spi.AuthenticationError;
 import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.adapters.spi.LogoutError;
 import org.keycloak.common.util.KeycloakUriBuilder;
 
 import javax.security.cert.X509Certificate;
@@ -22,6 +25,9 @@ import java.util.Map;
  * @version $Revision: 1 $
  */
 public class UndertowHttpFacade implements HttpFacade {
+    public static final AttachmentKey<AuthenticationError> AUTH_ERROR_ATTACHMENT_KEY = AttachmentKey.create(AuthenticationError.class);
+    public static final AttachmentKey<LogoutError> LOGOUT_ERROR_ATTACHMENT_KEY = AttachmentKey.create(LogoutError.class);
+
     protected HttpServerExchange exchange;
     protected RequestFacade requestFacade = new RequestFacade();
     protected ResponseFacade responseFacade = new ResponseFacade();
@@ -127,6 +133,17 @@ public class UndertowHttpFacade implements HttpFacade {
             }
             return address.getHostAddress();
         }
+
+        @Override
+        public void setError(AuthenticationError error) {
+            exchange.putAttachment(AUTH_ERROR_ATTACHMENT_KEY, error);
+        }
+
+        @Override
+        public void setError(LogoutError error) {
+            exchange.putAttachment(LOGOUT_ERROR_ATTACHMENT_KEY, error);
+
+        }
     }
 
     protected class ResponseFacade implements Response {
@@ -171,6 +188,11 @@ public class UndertowHttpFacade implements HttpFacade {
         }
 
         @Override
+        public void sendError(int code) {
+            exchange.setResponseCode(code);
+        }
+
+        @Override
         public void sendError(int code, String message) {
             exchange.setResponseCode(code);
             exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/html");

diff --git a/integration/wildfly/pom.xml b/integration/wildfly/pom.xml
index 141cd87..74ee90a 100644
--- a/integration/wildfly/pom.xml
+++ b/integration/wildfly/pom.xml
@@ -15,9 +15,7 @@
 
     <modules>
         <module>wildfly-adapter</module>
-        <module>wildfly-extensions</module>
         <module>wf8-subsystem</module>
-        <module>wf9-subsystem</module>
-        <module>wf9-server-subsystem</module>
+        <module>wildfly-subsystem</module>
     </modules>
 </project>
\ No newline at end of file

diff --git a/model/api/src/main/java/org/keycloak/migration/MigrationModelManager.java b/model/api/src/main/java/org/keycloak/migration/MigrationModelManager.java
index e5c9484..06df073 100755
--- a/model/api/src/main/java/org/keycloak/migration/MigrationModelManager.java
+++ b/model/api/src/main/java/org/keycloak/migration/MigrationModelManager.java
@@ -5,6 +5,7 @@ import org.keycloak.migration.migrators.MigrateTo1_3_0;
 import org.keycloak.migration.migrators.MigrateTo1_4_0;
 import org.keycloak.migration.migrators.MigrateTo1_5_0;
 import org.keycloak.migration.migrators.MigrateTo1_6_0;
+import org.keycloak.migration.migrators.MigrateTo1_7_0;
 import org.keycloak.migration.migrators.MigrationTo1_2_0_CR1;
 import org.keycloak.models.KeycloakSession;
 
@@ -54,6 +55,12 @@ public class MigrationModelManager {
             }
             new MigrateTo1_6_0().migrate(session);
         }
+        if (stored == null || stored.lessThan(MigrateTo1_7_0.VERSION)) {
+            if (stored != null) {
+                logger.debug("Migrating older model to 1.7.0 updates");
+            }
+            new MigrateTo1_7_0().migrate(session);
+        }
 
         model.setStoredVersion(MigrationModel.LATEST_VERSION);
     }

diff --git a/model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_7_0.java b/model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_7_0.java
new file mode 100644
index 0000000..e4ead4d
--- /dev/null
+++ b/model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_7_0.java
@@ -0,0 +1,23 @@
+package org.keycloak.migration.migrators;
+
+import java.util.List;
+
+import org.keycloak.migration.ModelVersion;
+import org.keycloak.models.Constants;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class MigrateTo1_7_0 {
+
+    public static final ModelVersion VERSION = new ModelVersion("1.7.0");
+
+    public void migrate(KeycloakSession session) {
+        List<RealmModel> realms = session.realms().getRealms();
+        for (RealmModel realm : realms) {
+            realm.setAccessTokenLifespanForImplicitFlow(Constants.DEFAULT_ACCESS_TOKEN_LIFESPAN_FOR_IMPLICIT_FLOW_TIMEOUT);
+        }
+    }
+}

diff --git a/model/api/src/main/java/org/keycloak/models/ClientInitialAccessModel.java b/model/api/src/main/java/org/keycloak/models/ClientInitialAccessModel.java
new file mode 100755
index 0000000..7447319
--- /dev/null
+++ b/model/api/src/main/java/org/keycloak/models/ClientInitialAccessModel.java
@@ -0,0 +1,22 @@
+package org.keycloak.models;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public interface ClientInitialAccessModel {
+
+    String getId();
+
+    RealmModel getRealm();
+
+    int getTimestamp();
+
+    int getExpiration();
+
+    int getCount();
+
+    int getRemainingCount();
+
+    void decreaseRemainingCount();
+
+}

diff --git a/model/api/src/main/java/org/keycloak/models/ClientModel.java b/model/api/src/main/java/org/keycloak/models/ClientModel.java
index c421aea..492c2e1 100755
--- a/model/api/src/main/java/org/keycloak/models/ClientModel.java
+++ b/model/api/src/main/java/org/keycloak/models/ClientModel.java
@@ -90,8 +90,8 @@ public interface ClientModel extends RoleContainerModel {
     String getSecret();
     public void setSecret(String secret);
 
-    String getRegistrationSecret();
-    void setRegistrationSecret(String registrationSecret);
+    String getRegistrationToken();
+    void setRegistrationToken(String registrationToken);
 
     boolean isFullScopeAllowed();
     void setFullScopeAllowed(boolean value);
@@ -111,12 +111,18 @@ public interface ClientModel extends RoleContainerModel {
     boolean isPublicClient();
     void setPublicClient(boolean flag);
 
-    boolean isDirectGrantsOnly();
-    void setDirectGrantsOnly(boolean flag);
-
     boolean isConsentRequired();
     void setConsentRequired(boolean consentRequired);
 
+    boolean isStandardFlowEnabled();
+    void setStandardFlowEnabled(boolean standardFlowEnabled);
+
+    boolean isImplicitFlowEnabled();
+    void setImplicitFlowEnabled(boolean implicitFlowEnabled);
+
+    boolean isDirectAccessGrantsEnabled();
+    void setDirectAccessGrantsEnabled(boolean directAccessGrantsEnabled);
+
     boolean isServiceAccountsEnabled();
     void setServiceAccountsEnabled(boolean serviceAccountsEnabled);
 

diff --git a/model/api/src/main/java/org/keycloak/models/Constants.java b/model/api/src/main/java/org/keycloak/models/Constants.java
index 3ecc51c..c50e4cd 100755
--- a/model/api/src/main/java/org/keycloak/models/Constants.java
+++ b/model/api/src/main/java/org/keycloak/models/Constants.java
@@ -20,6 +20,8 @@ public interface Constants {
     String[] BROKER_SERVICE_ROLES = {READ_TOKEN_ROLE};
     String OFFLINE_ACCESS_ROLE = OAuth2Constants.OFFLINE_ACCESS;
 
+    // 15 minutes
+    int DEFAULT_ACCESS_TOKEN_LIFESPAN_FOR_IMPLICIT_FLOW_TIMEOUT = 900;
     // 30 days
     int DEFAULT_OFFLINE_SESSION_IDLE_TIMEOUT = 2592000;
 

diff --git a/model/api/src/main/java/org/keycloak/models/entities/ClientEntity.java b/model/api/src/main/java/org/keycloak/models/entities/ClientEntity.java
index f15614f..b5edbaf 100755
--- a/model/api/src/main/java/org/keycloak/models/entities/ClientEntity.java
+++ b/model/api/src/main/java/org/keycloak/models/entities/ClientEntity.java
@@ -17,7 +17,7 @@ public class ClientEntity extends AbstractIdentifiableEntity {
     private boolean enabled;
     private String clientAuthenticatorType;
     private String secret;
-    private String registrationSecret;
+    private String registrationToken;
     private String protocol;
     private int notBefore;
     private boolean publicClient;
@@ -30,6 +30,9 @@ public class ClientEntity extends AbstractIdentifiableEntity {
     private String baseUrl;
     private boolean bearerOnly;
     private boolean consentRequired;
+    private boolean standardFlowEnabled;
+    private boolean implicitFlowEnabled;
+    private boolean directAccessGrantsEnabled;
     private boolean serviceAccountsEnabled;
     private boolean directGrantsOnly;
     private int nodeReRegistrationTimeout;
@@ -91,12 +94,12 @@ public class ClientEntity extends AbstractIdentifiableEntity {
         this.secret = secret;
     }
 
-    public String getRegistrationSecret() {
-        return registrationSecret;
+    public String getRegistrationToken() {
+        return registrationToken;
     }
 
-    public void setRegistrationSecret(String registrationSecret) {
-        this.registrationSecret = registrationSecret;
+    public void setRegistrationToken(String registrationToken) {
+        this.registrationToken = registrationToken;
     }
 
     public int getNotBefore() {
@@ -243,6 +246,30 @@ public class ClientEntity extends AbstractIdentifiableEntity {
         this.consentRequired = consentRequired;
     }
 
+    public boolean isStandardFlowEnabled() {
+        return standardFlowEnabled;
+    }
+
+    public void setStandardFlowEnabled(boolean standardFlowEnabled) {
+        this.standardFlowEnabled = standardFlowEnabled;
+    }
+
+    public boolean isImplicitFlowEnabled() {
+        return implicitFlowEnabled;
+    }
+
+    public void setImplicitFlowEnabled(boolean implicitFlowEnabled) {
+        this.implicitFlowEnabled = implicitFlowEnabled;
+    }
+
+    public boolean isDirectAccessGrantsEnabled() {
+        return directAccessGrantsEnabled;
+    }
+
+    public void setDirectAccessGrantsEnabled(boolean directAccessGrantsEnabled) {
+        this.directAccessGrantsEnabled = directAccessGrantsEnabled;
+    }
+
     public boolean isServiceAccountsEnabled() {
         return serviceAccountsEnabled;
     }

diff --git a/model/api/src/main/java/org/keycloak/models/entities/RealmEntity.java b/model/api/src/main/java/org/keycloak/models/entities/RealmEntity.java
index 389ec0a..7a08bca 100755
--- a/model/api/src/main/java/org/keycloak/models/entities/RealmEntity.java
+++ b/model/api/src/main/java/org/keycloak/models/entities/RealmEntity.java
@@ -44,6 +44,7 @@ public class RealmEntity extends AbstractIdentifiableEntity {
     private int ssoSessionMaxLifespan;
     private int offlineSessionIdleTimeout;
     private int accessTokenLifespan;
+    private int accessTokenLifespanForImplicitFlow;
     private int accessCodeLifespan;
     private int accessCodeLifespanUserAction;
     private int accessCodeLifespanLogin;
@@ -61,6 +62,7 @@ public class RealmEntity extends AbstractIdentifiableEntity {
 
     // We are using names of defaultRoles (not ids)
     private List<String> defaultRoles = new ArrayList<String>();
+    private List<String> defaultGroups = new ArrayList<String>();
 
     private List<RequiredCredentialEntity> requiredCredentials = new ArrayList<RequiredCredentialEntity>();
     private List<UserFederationProviderEntity> userFederationProviders = new ArrayList<UserFederationProviderEntity>();
@@ -271,6 +273,14 @@ public class RealmEntity extends AbstractIdentifiableEntity {
         this.accessTokenLifespan = accessTokenLifespan;
     }
 
+    public int getAccessTokenLifespanForImplicitFlow() {
+        return accessTokenLifespanForImplicitFlow;
+    }
+
+    public void setAccessTokenLifespanForImplicitFlow(int accessTokenLifespanForImplicitFlow) {
+        this.accessTokenLifespanForImplicitFlow = accessTokenLifespanForImplicitFlow;
+    }
+
     public int getAccessCodeLifespan() {
         return accessCodeLifespan;
     }
@@ -629,6 +639,14 @@ public class RealmEntity extends AbstractIdentifiableEntity {
     public void setClientAuthenticationFlow(String clientAuthenticationFlow) {
         this.clientAuthenticationFlow = clientAuthenticationFlow;
     }
+
+    public List<String> getDefaultGroups() {
+        return defaultGroups;
+    }
+
+    public void setDefaultGroups(List<String> defaultGroups) {
+        this.defaultGroups = defaultGroups;
+    }
 }
 
 

diff --git a/model/api/src/main/java/org/keycloak/models/PasswordPolicy.java b/model/api/src/main/java/org/keycloak/models/PasswordPolicy.java
index aff7d37..3674334 100755
--- a/model/api/src/main/java/org/keycloak/models/PasswordPolicy.java
+++ b/model/api/src/main/java/org/keycloak/models/PasswordPolicy.java
@@ -76,6 +76,8 @@ public class PasswordPolicy implements Serializable {
                 list.add(new PasswordHistory(arg));
             } else if (name.equals(ForceExpiredPasswordChange.NAME)) {
                 list.add(new ForceExpiredPasswordChange(arg));
+            } else {
+                throw new IllegalArgumentException("Unsupported policy");
             }
         }
         return list;

diff --git a/model/api/src/main/java/org/keycloak/models/RealmModel.java b/model/api/src/main/java/org/keycloak/models/RealmModel.java
index c3bb5c2..6c2c260 100755
--- a/model/api/src/main/java/org/keycloak/models/RealmModel.java
+++ b/model/api/src/main/java/org/keycloak/models/RealmModel.java
@@ -107,6 +107,9 @@ public interface RealmModel extends RoleContainerModel {
 
     void setAccessTokenLifespan(int seconds);
 
+    int getAccessTokenLifespanForImplicitFlow();
+    void setAccessTokenLifespanForImplicitFlow(int seconds);
+
     int getAccessCodeLifespan();
 
     void setAccessCodeLifespan(int seconds);
@@ -165,6 +168,12 @@ public interface RealmModel extends RoleContainerModel {
 
     void updateDefaultRoles(String[] defaultRoles);
 
+    List<GroupModel> getDefaultGroups();
+
+    void addDefaultGroup(GroupModel group);
+
+    void removeDefaultGroup(GroupModel group);
+
     // Key is clientId
     Map<String, ClientModel> getClientNameMap();
 
@@ -330,6 +339,7 @@ public interface RealmModel extends RoleContainerModel {
     void setDefaultLocale(String locale);
 
     GroupModel createGroup(String name);
+    GroupModel createGroup(String id, String name);
 
     /**
      * Move Group to top realm level.  Basically just sets group parent to null.  You need to call this though

diff --git a/model/api/src/main/java/org/keycloak/models/UserFederationManager.java b/model/api/src/main/java/org/keycloak/models/UserFederationManager.java
index d75ed95..1a1709b 100755
--- a/model/api/src/main/java/org/keycloak/models/UserFederationManager.java
+++ b/model/api/src/main/java/org/keycloak/models/UserFederationManager.java
@@ -462,6 +462,9 @@ public class UserFederationManager implements UserProvider {
     }
 
 
+
+
+
     @Override
     public boolean validCredentials(RealmModel realm, UserModel user, UserCredentialModel... input) {
         return validCredentials(realm, user, Arrays.asList(input));

diff --git a/model/api/src/main/java/org/keycloak/models/UserSessionProvider.java b/model/api/src/main/java/org/keycloak/models/UserSessionProvider.java
index 1a59f4f..0c1df9c 100755
--- a/model/api/src/main/java/org/keycloak/models/UserSessionProvider.java
+++ b/model/api/src/main/java/org/keycloak/models/UserSessionProvider.java
@@ -63,6 +63,11 @@ public interface UserSessionProvider extends Provider {
     UserSessionModel importUserSession(UserSessionModel persistentUserSession, boolean offline);
     ClientSessionModel importClientSession(ClientSessionModel persistentClientSession, boolean offline);
 
+    ClientInitialAccessModel createClientInitialAccessModel(RealmModel realm, int expiration, int count);
+    ClientInitialAccessModel getClientInitialAccessModel(RealmModel realm, String id);
+    void removeClientInitialAccessModel(RealmModel realm, String id);
+    List<ClientInitialAccessModel> listClientInitialAccess(RealmModel realm);
+
     void close();
 
 }

diff --git a/model/api/src/main/java/org/keycloak/models/utils/CredentialValidation.java b/model/api/src/main/java/org/keycloak/models/utils/CredentialValidation.java
index 7ce15d8..d3e4d4a 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/CredentialValidation.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/CredentialValidation.java
@@ -1,6 +1,7 @@
 package org.keycloak.models.utils;
 
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.jose.jws.crypto.RSAProvider;
 import org.keycloak.models.OTPPolicy;
 import org.keycloak.models.PasswordPolicy;
@@ -51,6 +52,10 @@ public class CredentialValidation {
     }
 
     public static boolean validateHashedCredential(RealmModel realm, UserModel user, String unhashedCredValue, UserCredentialValueModel credential) {
+        if(unhashedCredValue == null){
+            return false;
+        }
+
         boolean validated = new Pbkdf2PasswordEncoder(credential.getSalt()).verify(unhashedCredValue, credential.getValue(), credential.getHashIterations());
         if (validated) {
             int iterations = hashIterations(realm);
@@ -69,11 +74,11 @@ public class CredentialValidation {
     }
 
     public static boolean validPasswordToken(RealmModel realm, UserModel user, String encodedPasswordToken) {
-        JWSInput jws = new JWSInput(encodedPasswordToken);
-        if (!RSAProvider.verify(jws, realm.getPublicKey())) {
-            return false;
-        }
         try {
+            JWSInput jws = new JWSInput(encodedPasswordToken);
+            if (!RSAProvider.verify(jws, realm.getPublicKey())) {
+                return false;
+            }
             PasswordToken passwordToken = jws.readJsonContent(PasswordToken.class);
             if (!passwordToken.getRealm().equals(realm.getName())) {
                 return false;
@@ -85,7 +90,7 @@ public class CredentialValidation {
                 return false;
             }
             return true;
-        } catch (IOException e) {
+        } catch (JWSInputException e) {
             return false;
         }
     }

diff --git a/model/api/src/main/java/org/keycloak/models/utils/HmacOTP.java b/model/api/src/main/java/org/keycloak/models/utils/HmacOTP.java
index 210f82b..1f42f57 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/HmacOTP.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/HmacOTP.java
@@ -3,7 +3,7 @@ package org.keycloak.models.utils;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 import java.math.BigInteger;
-import java.util.Random;
+import java.security.SecureRandom;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -29,7 +29,7 @@ public class HmacOTP {
 
     public static String generateSecret(int length) {
         String chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVW1234567890";
-        Random r = new Random();
+        SecureRandom r = new SecureRandom();
         StringBuilder sb = new StringBuilder();
         for (int i = 0; i < length; i++) {
             char c = chars.charAt(r.nextInt(chars.length()));

diff --git a/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java b/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
index c35c58e..8c6af88 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
@@ -1,6 +1,7 @@
 package org.keycloak.models.utils;
 
 import org.bouncycastle.openssl.PEMWriter;
+import org.keycloak.common.util.Base64;
 import org.keycloak.common.util.Base64Url;
 import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.AuthenticationFlowModel;
@@ -27,8 +28,15 @@ import org.keycloak.common.util.PemUtils;
 import javax.crypto.spec.SecretKeySpec;
 import java.io.IOException;
 import java.io.StringWriter;
-import java.security.*;
+import java.security.Key;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
@@ -43,8 +51,6 @@ import java.util.UUID;
  */
 public final class KeycloakModelUtils {
 
-    private static final int RANDOM_PASSWORD_BYTES = 32;
-
     private KeycloakModelUtils() {
     }
 
@@ -52,6 +58,16 @@ public final class KeycloakModelUtils {
         return UUID.randomUUID().toString();
     }
 
+    public static String generateSecret() {
+        return generateSecret(32);
+    }
+
+    public static String generateSecret(int bytes) {
+        byte[] buf = new byte[bytes];
+        new SecureRandom().nextBytes(buf);
+        return Base64Url.encode(buf);
+    }
+
     public static PublicKey getPublicKey(String publicKeyPem) {
         if (publicKeyPem != null) {
             try {
@@ -182,16 +198,6 @@ public final class KeycloakModelUtils {
         return secret;
     }
 
-    public static void generateRegistrationAccessToken(ClientModel client) {
-        client.setRegistrationSecret(generatePassword());
-    }
-
-    public static String generatePassword() {
-        byte[] buf = new byte[RANDOM_PASSWORD_BYTES];
-        new SecureRandom().nextBytes(buf);
-        return Base64Url.encode(buf);
-    }
-
     public static String getDefaultClientAuthenticatorType() {
         return "client-secret";
     }
@@ -418,4 +424,101 @@ public final class KeycloakModelUtils {
             }
         }
     }
+
+    public static String resolveFirstAttribute(GroupModel group, String name) {
+        String value = group.getFirstAttribute(name);
+        if (value != null) return value;
+        if (group.getParentId() == null) return null;
+        return resolveFirstAttribute(group.getParent(), name);
+
+    }
+
+    /**
+     *
+     *
+     * @param user
+     * @param name
+     * @return
+     */
+    public static String resolveFirstAttribute(UserModel user, String name) {
+        String value = user.getFirstAttribute(name);
+        if (value != null) return value;
+        for (GroupModel group : user.getGroups()) {
+            value = resolveFirstAttribute(group, name);
+            if (value != null) return value;
+        }
+        return null;
+
+    }
+
+    public static List<String>  resolveAttribute(GroupModel group, String name) {
+        List<String> values = group.getAttribute(name);
+        if (values != null && !values.isEmpty()) return values;
+        if (group.getParentId() == null) return null;
+        return resolveAttribute(group.getParent(), name);
+
+    }
+
+
+    public static List<String> resolveAttribute(UserModel user, String name) {
+        List<String> values = user.getAttribute(name);
+        if (!values.isEmpty()) return values;
+        for (GroupModel group : user.getGroups()) {
+            values = resolveAttribute(group, name);
+            if (values != null) return values;
+        }
+        return Collections.emptyList();
+    }
+
+
+    private static GroupModel findSubGroup(String[] path, int index, GroupModel parent) {
+        for (GroupModel group : parent.getSubGroups()) {
+            if (group.getName().equals(path[index])) {
+                if (path.length == index + 1) {
+                    return group;
+                }
+                else {
+                    if (index + 1 < path.length) {
+                        GroupModel found = findSubGroup(path, index + 1, group);
+                        if (found != null) return found;
+                    } else {
+                        return null;
+                    }
+                }
+
+            }
+        }
+        return null;
+    }
+
+    public static GroupModel findGroupByPath(RealmModel realm, String path) {
+        if (path == null) {
+            return null;
+        }
+        if (path.startsWith("/")) {
+            path = path.substring(1);
+        }
+        if (path.endsWith("/")) {
+            path = path.substring(0, path.length() - 1);
+        }
+        String[] split = path.split("/");
+        if (split.length == 0) return null;
+        GroupModel found = null;
+        for (GroupModel group : realm.getTopLevelGroups()) {
+            if (group.getName().equals(split[0])) {
+                if (split.length == 1) {
+                    found = group;
+                    break;
+                }
+                else {
+                    if (split.length > 1) {
+                        found = findSubGroup(split, 1, group);
+                        if (found != null) break;
+                    }
+                }
+
+            }
+        }
+        return found;
+    }
 }

diff --git a/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java b/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
index a69bb2b..e60d915 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
@@ -205,6 +205,7 @@ public class ModelToRepresentation {
         rep.setEditUsernameAllowed(realm.isEditUsernameAllowed());
         rep.setRevokeRefreshToken(realm.isRevokeRefreshToken());
         rep.setAccessTokenLifespan(realm.getAccessTokenLifespan());
+        rep.setAccessTokenLifespanForImplicitFlow(realm.getAccessTokenLifespanForImplicitFlow());
         rep.setSsoSessionIdleTimeout(realm.getSsoSessionIdleTimeout());
         rep.setSsoSessionMaxLifespan(realm.getSsoSessionMaxLifespan());
         rep.setOfflineSessionIdleTimeout(realm.getOfflineSessionIdleTimeout());
@@ -239,6 +240,14 @@ public class ModelToRepresentation {
             roleStrings.addAll(defaultRoles);
             rep.setDefaultRoles(roleStrings);
         }
+        List<GroupModel> defaultGroups = realm.getDefaultGroups();
+        if (!defaultGroups.isEmpty()) {
+            List<String> groupPaths = new LinkedList<>();
+            for (GroupModel group : defaultGroups) {
+                groupPaths.add(ModelToRepresentation.buildGroupPath(group));
+            }
+            rep.setDefaultGroups(groupPaths);
+        }
 
         List<RequiredCredentialModel> requiredCredentialModels = realm.getRequiredCredentials();
         if (requiredCredentialModels.size() > 0) {
@@ -279,10 +288,16 @@ public class ModelToRepresentation {
         if (internal) {
             exportAuthenticationFlows(realm, rep);
             exportRequiredActions(realm, rep);
+            exportGroups(realm, rep);
         }
         return rep;
     }
 
+    public static void exportGroups(RealmModel realm, RealmRepresentation rep) {
+        List<GroupRepresentation> groups = toGroupHierarchy(realm, true);
+        rep.setGroups(groups);
+    }
+
     public static void exportAuthenticationFlows(RealmModel realm, RealmRepresentation rep) {
         rep.setAuthenticationFlows(new LinkedList<AuthenticationFlowRepresentation>());
         rep.setAuthenticatorConfig(new LinkedList<AuthenticatorConfigRepresentation>());
@@ -404,15 +419,16 @@ public class ModelToRepresentation {
         rep.setFullScopeAllowed(clientModel.isFullScopeAllowed());
         rep.setBearerOnly(clientModel.isBearerOnly());
         rep.setConsentRequired(clientModel.isConsentRequired());
+        rep.setStandardFlowEnabled(clientModel.isStandardFlowEnabled());
+        rep.setImplicitFlowEnabled(clientModel.isImplicitFlowEnabled());
+        rep.setDirectAccessGrantsEnabled(clientModel.isDirectAccessGrantsEnabled());
         rep.setServiceAccountsEnabled(clientModel.isServiceAccountsEnabled());
-        rep.setDirectGrantsOnly(clientModel.isDirectGrantsOnly());
         rep.setSurrogateAuthRequired(clientModel.isSurrogateAuthRequired());
         rep.setRootUrl(clientModel.getRootUrl());
         rep.setBaseUrl(clientModel.getBaseUrl());
         rep.setNotBefore(clientModel.getNotBefore());
         rep.setNodeReRegistrationTimeout(clientModel.getNodeReRegistrationTimeout());
         rep.setClientAuthenticatorType(clientModel.getClientAuthenticatorType());
-        rep.setRegistrationAccessToken(clientModel.getRegistrationSecret());
 
         Set<String> redirectUris = clientModel.getRedirectUris();
         if (redirectUris != null) {

diff --git a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
index a46ee57..8360e48 100755
--- a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@@ -12,6 +12,7 @@ import org.keycloak.models.BrowserSecurityHeaders;
 import org.keycloak.models.ClaimMask;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.FederatedIdentityModel;
+import org.keycloak.models.GroupModel;
 import org.keycloak.models.IdentityProviderMapperModel;
 import org.keycloak.models.IdentityProviderModel;
 import org.keycloak.models.KeycloakSession;
@@ -36,6 +37,7 @@ import org.keycloak.representations.idm.ClaimRepresentation;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.representations.idm.FederatedIdentityRepresentation;
+import org.keycloak.representations.idm.GroupRepresentation;
 import org.keycloak.representations.idm.IdentityProviderMapperRepresentation;
 import org.keycloak.representations.idm.IdentityProviderRepresentation;
 import org.keycloak.representations.idm.OAuthClientRepresentation;
@@ -67,12 +69,12 @@ public class RepresentationToModel {
     private static Logger logger = Logger.getLogger(RepresentationToModel.class);
     public static OTPPolicy toPolicy(RealmRepresentation rep) {
         OTPPolicy policy = new OTPPolicy();
-        policy.setType(rep.getOtpPolicyType());
-        policy.setLookAheadWindow(rep.getOtpPolicyLookAheadWindow());
-        policy.setInitialCounter(rep.getOtpPolicyInitialCounter());
-        policy.setAlgorithm(rep.getOtpPolicyAlgorithm());
-        policy.setDigits(rep.getOtpPolicyDigits());
-        policy.setPeriod(rep.getOtpPolicyPeriod());
+        if (rep.getOtpPolicyType() != null) policy.setType(rep.getOtpPolicyType());
+        if (rep.getOtpPolicyLookAheadWindow() != null) policy.setLookAheadWindow(rep.getOtpPolicyLookAheadWindow());
+        if (rep.getOtpPolicyInitialCounter() != null) policy.setInitialCounter(rep.getOtpPolicyInitialCounter());
+        if (rep.getOtpPolicyAlgorithm() != null) policy.setAlgorithm(rep.getOtpPolicyAlgorithm());
+        if (rep.getOtpPolicyDigits() != null) policy.setDigits(rep.getOtpPolicyDigits());
+        if (rep.getOtpPolicyPeriod() != null) policy.setPeriod(rep.getOtpPolicyPeriod());
         return policy;
 
     }
@@ -103,6 +105,9 @@ public class RepresentationToModel {
         if (rep.getAccessTokenLifespan() != null) newRealm.setAccessTokenLifespan(rep.getAccessTokenLifespan());
         else newRealm.setAccessTokenLifespan(300);
 
+        if (rep.getAccessTokenLifespanForImplicitFlow() != null) newRealm.setAccessTokenLifespanForImplicitFlow(rep.getAccessTokenLifespanForImplicitFlow());
+        else newRealm.setAccessTokenLifespanForImplicitFlow(Constants.DEFAULT_ACCESS_TOKEN_LIFESPAN_FOR_IMPLICIT_FLOW_TIMEOUT);
+
         if (rep.getSsoSessionIdleTimeout() != null) newRealm.setSsoSessionIdleTimeout(rep.getSsoSessionIdleTimeout());
         else newRealm.setSsoSessionIdleTimeout(1800);
         if (rep.getSsoSessionMaxLifespan() != null) newRealm.setSsoSessionMaxLifespan(rep.getSsoSessionMaxLifespan());
@@ -311,6 +316,18 @@ public class RepresentationToModel {
             }
         }
 
+        if (rep.getGroups() != null) {
+            importGroups(newRealm, rep);
+            if (rep.getDefaultGroups() != null) {
+                for (String path : rep.getDefaultGroups()) {
+                    GroupModel found = KeycloakModelUtils.findGroupByPath(newRealm, path);
+                    if (found == null) throw new RuntimeException("default group in realm rep doesn't exist: " + path);
+                    newRealm.addDefaultGroup(found);
+                }
+            }
+        }
+
+
         // create users and their role mappings and social mappings
 
         if (rep.getUsers() != null) {
@@ -330,6 +347,59 @@ public class RepresentationToModel {
         }
     }
 
+    public static void importGroups(RealmModel realm, RealmRepresentation rep) {
+        List<GroupRepresentation> groups = rep.getGroups();
+        if (groups == null) return;
+
+        Map<String, ClientModel> clientMap = realm.getClientNameMap();
+        GroupModel parent = null;
+        for (GroupRepresentation group : groups) {
+            importGroup(realm, clientMap, parent, group);
+        }
+    }
+
+    public static void importGroup(RealmModel realm, Map<String, ClientModel> clientMap, GroupModel parent, GroupRepresentation group) {
+        GroupModel newGroup = realm.createGroup(group.getId(), group.getName());
+        if (group.getAttributes() != null) {
+            for (Map.Entry<String, List<String>> attr : group.getAttributes().entrySet()) {
+                newGroup.setAttribute(attr.getKey(), attr.getValue());
+            }
+        }
+        realm.moveGroup(newGroup, parent);
+
+        if (group.getRealmRoles() != null) {
+            for (String roleString : group.getRealmRoles()) {
+                RoleModel role = realm.getRole(roleString.trim());
+                if (role == null) {
+                    role = realm.addRole(roleString.trim());
+                }
+                newGroup.grantRole(role);
+            }
+        }
+        if (group.getClientRoles() != null) {
+            for (Map.Entry<String, List<String>> entry : group.getClientRoles().entrySet()) {
+                ClientModel client = clientMap.get(entry.getKey());
+                if (client == null) {
+                    throw new RuntimeException("Unable to find client role mappings for client: " + entry.getKey());
+                }
+                List<String> roleNames = entry.getValue();
+                for (String roleName : roleNames) {
+                    RoleModel role = client.getRole(roleName.trim());
+                    if (role == null) {
+                        role = client.addRole(roleName.trim());
+                    }
+                    newGroup.grantRole(role);
+
+                }
+            }
+        }
+        if (group.getSubGroups() != null) {
+            for (GroupRepresentation subGroup : group.getSubGroups()) {
+                importGroup(realm, clientMap, newGroup, subGroup);
+            }
+        }
+    }
+
     public static void importAuthenticationFlows(RealmModel newRealm, RealmRepresentation rep) {
         if (rep.getAuthenticationFlows() == null) {
             // assume this is an old version being imported
@@ -536,6 +606,7 @@ public class RepresentationToModel {
         if (rep.getNotBefore() != null) realm.setNotBefore(rep.getNotBefore());
         if (rep.getRevokeRefreshToken() != null) realm.setRevokeRefreshToken(rep.getRevokeRefreshToken());
         if (rep.getAccessTokenLifespan() != null) realm.setAccessTokenLifespan(rep.getAccessTokenLifespan());
+        if (rep.getAccessTokenLifespanForImplicitFlow() != null) realm.setAccessTokenLifespanForImplicitFlow(rep.getAccessTokenLifespanForImplicitFlow());
         if (rep.getSsoSessionIdleTimeout() != null) realm.setSsoSessionIdleTimeout(rep.getSsoSessionIdleTimeout());
         if (rep.getSsoSessionMaxLifespan() != null) realm.setSsoSessionMaxLifespan(rep.getSsoSessionMaxLifespan());
         if (rep.getOfflineSessionIdleTimeout() != null) realm.setOfflineSessionIdleTimeout(rep.getOfflineSessionIdleTimeout());
@@ -705,8 +776,17 @@ public class RepresentationToModel {
         if (resourceRep.getBaseUrl() != null) client.setBaseUrl(resourceRep.getBaseUrl());
         if (resourceRep.isBearerOnly() != null) client.setBearerOnly(resourceRep.isBearerOnly());
         if (resourceRep.isConsentRequired() != null) client.setConsentRequired(resourceRep.isConsentRequired());
+        if (resourceRep.isStandardFlowEnabled() != null) client.setStandardFlowEnabled(resourceRep.isStandardFlowEnabled());
+        if (resourceRep.isImplicitFlowEnabled() != null) client.setImplicitFlowEnabled(resourceRep.isImplicitFlowEnabled());
+        if (resourceRep.isDirectAccessGrantsEnabled() != null) client.setDirectAccessGrantsEnabled(resourceRep.isDirectAccessGrantsEnabled());
         if (resourceRep.isServiceAccountsEnabled() != null) client.setServiceAccountsEnabled(resourceRep.isServiceAccountsEnabled());
-        if (resourceRep.isDirectGrantsOnly() != null) client.setDirectGrantsOnly(resourceRep.isDirectGrantsOnly());
+
+        // Backwards compatibility only
+        if (resourceRep.isDirectGrantsOnly() != null) {
+            logger.warn("Using deprecated 'directGrantsOnly' configuration in JSON representation. It will be removed in future versions");
+            client.setStandardFlowEnabled(!resourceRep.isDirectGrantsOnly());
+        }
+
         if (resourceRep.isPublicClient() != null) client.setPublicClient(resourceRep.isPublicClient());
         if (resourceRep.isFrontchannelLogout() != null) client.setFrontchannelLogout(resourceRep.isFrontchannelLogout());
         if (resourceRep.getProtocol() != null) client.setProtocol(resourceRep.getProtocol());
@@ -737,8 +817,6 @@ public class RepresentationToModel {
             KeycloakModelUtils.generateSecret(client);
         }
 
-        client.setRegistrationSecret(resourceRep.getRegistrationAccessToken());
-
         if (resourceRep.getAttributes() != null) {
             for (Map.Entry<String, String> entry : resourceRep.getAttributes().entrySet()) {
                 client.setAttribute(entry.getKey(), entry.getValue());
@@ -804,8 +882,10 @@ public class RepresentationToModel {
         if (rep.isEnabled() != null) resource.setEnabled(rep.isEnabled());
         if (rep.isBearerOnly() != null) resource.setBearerOnly(rep.isBearerOnly());
         if (rep.isConsentRequired() != null) resource.setConsentRequired(rep.isConsentRequired());
+        if (rep.isStandardFlowEnabled() != null) resource.setStandardFlowEnabled(rep.isStandardFlowEnabled());
+        if (rep.isImplicitFlowEnabled() != null) resource.setImplicitFlowEnabled(rep.isImplicitFlowEnabled());
+        if (rep.isDirectAccessGrantsEnabled() != null) resource.setDirectAccessGrantsEnabled(rep.isDirectAccessGrantsEnabled());
         if (rep.isServiceAccountsEnabled() != null) resource.setServiceAccountsEnabled(rep.isServiceAccountsEnabled());
-        if (rep.isDirectGrantsOnly() != null) resource.setDirectGrantsOnly(rep.isDirectGrantsOnly());
         if (rep.isPublicClient() != null) resource.setPublicClient(rep.isPublicClient());
         if (rep.isFullScopeAllowed() != null) resource.setFullScopeAllowed(rep.isFullScopeAllowed());
         if (rep.isFrontchannelLogout() != null) resource.setFrontchannelLogout(rep.isFrontchannelLogout());
@@ -815,7 +895,6 @@ public class RepresentationToModel {
         if (rep.isSurrogateAuthRequired() != null) resource.setSurrogateAuthRequired(rep.isSurrogateAuthRequired());
         if (rep.getNodeReRegistrationTimeout() != null) resource.setNodeReRegistrationTimeout(rep.getNodeReRegistrationTimeout());
         if (rep.getClientAuthenticatorType() != null) resource.setClientAuthenticatorType(rep.getClientAuthenticatorType());
-        if (rep.getRegistrationAccessToken() != null) resource.setRegistrationSecret(rep.getRegistrationAccessToken());
         resource.updateClient();
 
         if (rep.getProtocol() != null) resource.setProtocol(rep.getProtocol());
@@ -932,14 +1011,14 @@ public class RepresentationToModel {
 
         // Import users just to user storage. Don't federate
         UserModel user = session.userStorage().addUser(newRealm, userRep.getId(), userRep.getUsername(), false, false);
-        user.setEnabled(userRep.isEnabled());
+        user.setEnabled(userRep.isEnabled() != null && userRep.isEnabled());
         user.setCreatedTimestamp(userRep.getCreatedTimestamp());
         user.setEmail(userRep.getEmail());
-        user.setEmailVerified(userRep.isEmailVerified());
+        if (userRep.isEmailVerified() != null) user.setEmailVerified(userRep.isEmailVerified());
         user.setFirstName(userRep.getFirstName());
         user.setLastName(userRep.getLastName());
         user.setFederationLink(userRep.getFederationLink());
-        user.setOtpEnabled(userRep.isTotp());
+        if (userRep.isTotp() != null) user.setOtpEnabled(userRep.isTotp());
         if (userRep.getAttributes() != null) {
             for (Map.Entry<String, Object> entry : userRep.getAttributes().entrySet()) {
                 Object value = entry.getValue();
@@ -1002,6 +1081,16 @@ public class RepresentationToModel {
             }
             user.setServiceAccountClientLink(client.getId());;
         }
+        if (userRep.getGroups() != null) {
+            for (String path : userRep.getGroups()) {
+                GroupModel group = KeycloakModelUtils.findGroupByPath(newRealm, path);
+                if (group == null) {
+                    throw new RuntimeException("Unable to find group specified by path: " + path);
+
+                }
+                user.joinGroup(group);
+            }
+        }
         return user;
     }
 

diff --git a/model/api/src/test/java/org/keycloak/models/PasswordPolicyTest.java b/model/api/src/test/java/org/keycloak/models/PasswordPolicyTest.java
index df76588..8c662fb 100755
--- a/model/api/src/test/java/org/keycloak/models/PasswordPolicyTest.java
+++ b/model/api/src/test/java/org/keycloak/models/PasswordPolicyTest.java
@@ -83,6 +83,15 @@ public class PasswordPolicyTest {
         Assert.assertEquals("invalidPasswordNotUsernameMessage", policy.validate("jdoe", "jdoe").getMessage());
         Assert.assertNull(policy.validate("jdoe", "ab&d1234"));
     }
+
+    @Test
+    public void testInvalidPolicyName() {
+        try {
+            PasswordPolicy policy = new PasswordPolicy("noSuchPolicy");
+            Assert.fail("Expected exception");
+        } catch (IllegalArgumentException e) {
+        }
+    }
     
     @Test
     public void testRegexPatterns() {

diff --git a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/ClientAdapter.java b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/ClientAdapter.java
index 7a87373..20c8725 100755
--- a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/ClientAdapter.java
+++ b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/ClientAdapter.java
@@ -120,14 +120,14 @@ public class ClientAdapter implements ClientModel {
         getDelegateForUpdate();
         updated.setSecret(secret);
     }
-    public String getRegistrationSecret() {
-        if (updated != null) return updated.getRegistrationSecret();
-        return cached.getRegistrationSecret();
+    public String getRegistrationToken() {
+        if (updated != null) return updated.getRegistrationToken();
+        return cached.getRegistrationToken();
     }
 
-    public void setRegistrationSecret(String registrationsecret) {
+    public void setRegistrationToken(String registrationToken) {
         getDelegateForUpdate();
-        updated.setRegistrationSecret(registrationsecret);
+        updated.setRegistrationToken(registrationToken);
     }
 
     public boolean isPublicClient() {
@@ -163,16 +163,6 @@ public class ClientAdapter implements ClientModel {
 
     }
 
-    public boolean isDirectGrantsOnly() {
-        if (updated != null) return updated.isDirectGrantsOnly();
-        return cached.isDirectGrantsOnly();
-    }
-
-    public void setDirectGrantsOnly(boolean flag) {
-        getDelegateForUpdate();
-        updated.setDirectGrantsOnly(flag);
-    }
-
     public Set<RoleModel> getScopeMappings() {
         if (updated != null) return updated.getScopeMappings();
         Set<RoleModel> roles = new HashSet<RoleModel>();
@@ -452,6 +442,42 @@ public class ClientAdapter implements ClientModel {
     }
 
     @Override
+    public boolean isStandardFlowEnabled() {
+        if (updated != null) return updated.isStandardFlowEnabled();
+        return cached.isStandardFlowEnabled();
+    }
+
+    @Override
+    public void setStandardFlowEnabled(boolean standardFlowEnabled) {
+        getDelegateForUpdate();
+        updated.setStandardFlowEnabled(standardFlowEnabled);
+    }
+
+    @Override
+    public boolean isImplicitFlowEnabled() {
+        if (updated != null) return updated.isImplicitFlowEnabled();
+        return cached.isImplicitFlowEnabled();
+    }
+
+    @Override
+    public void setImplicitFlowEnabled(boolean implicitFlowEnabled) {
+        getDelegateForUpdate();
+        updated.setImplicitFlowEnabled(implicitFlowEnabled);
+    }
+
+    @Override
+    public boolean isDirectAccessGrantsEnabled() {
+        if (updated != null) return updated.isDirectAccessGrantsEnabled();
+        return cached.isDirectAccessGrantsEnabled();
+    }
+
+    @Override
+    public void setDirectAccessGrantsEnabled(boolean directAccessGrantsEnabled) {
+        getDelegateForUpdate();
+        updated.setDirectAccessGrantsEnabled(directAccessGrantsEnabled);
+    }
+
+    @Override
     public boolean isServiceAccountsEnabled() {
         if (updated != null) return updated.isServiceAccountsEnabled();
         return cached.isServiceAccountsEnabled();

diff --git a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/InfinispanCacheUserProviderFactory.java b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/InfinispanCacheUserProviderFactory.java
index b046efc..60c089b 100755
--- a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/InfinispanCacheUserProviderFactory.java
+++ b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/InfinispanCacheUserProviderFactory.java
@@ -1,11 +1,14 @@
 package org.keycloak.models.cache.infinispan;
 
 import org.infinispan.Cache;
+import org.infinispan.commands.write.RemoveCommand;
+import org.infinispan.container.entries.CacheEntry;
+import org.infinispan.context.InvocationContext;
+import org.infinispan.interceptors.base.CommandInterceptor;
 import org.infinispan.notifications.Listener;
-import org.infinispan.notifications.cachelistener.annotation.CacheEntryCreated;
-import org.infinispan.notifications.cachelistener.annotation.CacheEntryRemoved;
-import org.infinispan.notifications.cachelistener.event.CacheEntryCreatedEvent;
-import org.infinispan.notifications.cachelistener.event.CacheEntryRemovedEvent;
+import org.infinispan.notifications.cachelistener.annotation.*;
+import org.infinispan.notifications.cachelistener.event.*;
+import org.jboss.logging.Logger;
 import org.keycloak.Config;
 import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
 import org.keycloak.models.KeycloakSession;
@@ -21,6 +24,8 @@ import java.util.concurrent.ConcurrentHashMap;
  */
 public class InfinispanCacheUserProviderFactory implements CacheUserProviderFactory {
 
+    private static final Logger log = Logger.getLogger(InfinispanCacheUserProviderFactory.class);
+
     protected InfinispanUserCache userCache;
 
     protected final RealmLookup usernameLookup = new RealmLookup();
@@ -82,36 +87,63 @@ public class InfinispanCacheUserProviderFactory implements CacheUserProviderFact
         @CacheEntryCreated
         public void userCreated(CacheEntryCreatedEvent<String, CachedUser> event) {
             if (!event.isPre()) {
-
-                CachedUser cachedUser;
+                CachedUser user;
 
                 // Try optimized version if available
                 if (isNewInfinispan) {
-                    cachedUser = event.getValue();
+                    user = event.getValue();
                 } else {
                     String userId = event.getKey();
-                    cachedUser = event.getCache().get(userId);
+                    user = event.getCache().get(userId);
                 }
 
-                if (cachedUser != null) {
-                    String realm = cachedUser.getRealm();
-                    usernameLookup.put(realm, cachedUser.getUsername(), cachedUser.getId());
-                    if (cachedUser.getEmail() != null) {
-                        emailLookup.put(realm, cachedUser.getEmail(), cachedUser.getId());
+                if (user != null) {
+                    String realm = user.getRealm();
+
+                    usernameLookup.put(realm, user.getUsername(), user.getId());
+                    if (user.getEmail() != null) {
+                        emailLookup.put(realm, user.getEmail(), user.getId());
                     }
+
+                    log.tracev("User added realm={0}, id={1}, username={2}", realm, event.getValue().getId(), event.getValue().getUsername());
                 }
             }
         }
 
         @CacheEntryRemoved
         public void userRemoved(CacheEntryRemovedEvent<String, CachedUser> event) {
-            if (event.isPre() && event.getValue() != null) {
-                CachedUser cachedUser = event.getValue();
-                String realm = cachedUser.getRealm();
-                usernameLookup.remove(realm, cachedUser.getUsername());
-                if (cachedUser.getEmail() != null) {
-                    emailLookup.remove(realm, cachedUser.getEmail());
-                }
+            CachedUser user = event.getOldValue();
+            if (event.isPre() &&  user != null) {
+                removeUser(user);
+
+                log.tracev("User invalidated realm={0}, id={1}, username={2}", user.getRealm(), user.getId(), user.getUsername());
+            }
+        }
+
+        @CacheEntryInvalidated
+        public void userInvalidated(CacheEntryInvalidatedEvent<String, CachedUser> event) {
+            CachedUser user = event.getValue();
+            if (event.isPre() && user != null) {
+                removeUser(user);
+
+                log.tracev("User invalidated realm={0}, id={1}, username={2}", user.getRealm(), user.getId(), user.getUsername());
+            }
+        }
+
+        @CacheEntriesEvicted
+        public void userEvicted(CacheEntriesEvictedEvent<String, CachedUser> event) {
+            for (CachedUser user : event.getEntries().values()) {
+                removeUser(user);
+
+                log.tracev("User evicted realm={0}, id={1}, username={2}", user.getRealm(), user.getId(), user.getUsername());
+            }
+        }
+
+        private void removeUser(CachedUser cachedUser) {
+            String realm = cachedUser.getRealm();
+            usernameLookup.remove(realm, cachedUser.getUsername());
+            if (cachedUser.getEmail() != null) {
+                emailLookup.remove(realm, cachedUser.getEmail());
             }
         }
 
@@ -119,12 +151,12 @@ public class InfinispanCacheUserProviderFactory implements CacheUserProviderFact
 
     static class RealmLookup {
 
-        protected final ConcurrentHashMap<String, ConcurrentHashMap<String, String>> lookup = new ConcurrentHashMap<String, ConcurrentHashMap<String, String>>();
+        protected final ConcurrentHashMap<String, ConcurrentHashMap<String, String>> lookup = new ConcurrentHashMap<>();
 
         public void put(String realm, String key, String value) {
             ConcurrentHashMap<String, String> map = lookup.get(realm);
             if(map == null) {
-                map = new ConcurrentHashMap<String, String>();
+                map = new ConcurrentHashMap<>();
                 ConcurrentHashMap<String, String> p = lookup.putIfAbsent(realm, map);
                 if (p != null) {
                     map = p;

diff --git a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java
index be9fe7c..c24f151 100755
--- a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java
+++ b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmAdapter.java
@@ -301,6 +301,18 @@ public class RealmAdapter implements RealmModel {
     }
 
     @Override
+    public int getAccessTokenLifespanForImplicitFlow() {
+        if (updated != null) return updated.getAccessTokenLifespanForImplicitFlow();
+        return cached.getAccessTokenLifespanForImplicitFlow();
+    }
+
+    @Override
+    public void setAccessTokenLifespanForImplicitFlow(int seconds) {
+        getDelegateForUpdate();
+        updated.setAccessTokenLifespanForImplicitFlow(seconds);
+    }
+
+    @Override
     public int getAccessCodeLifespan() {
         if (updated != null) return updated.getAccessCodeLifespan();
         return cached.getAccessCodeLifespan();
@@ -481,6 +493,30 @@ public class RealmAdapter implements RealmModel {
      }
 
     @Override
+    public List<GroupModel> getDefaultGroups() {
+        List<GroupModel> defaultGroups = new LinkedList<>();
+        for (String id : cached.getDefaultGroups()) {
+            defaultGroups.add(cacheSession.getGroupById(id, this));
+        }
+        return defaultGroups;
+
+    }
+
+    @Override
+    public void addDefaultGroup(GroupModel group) {
+        getDelegateForUpdate();
+        updated.addDefaultGroup(group);
+
+    }
+
+    @Override
+    public void removeDefaultGroup(GroupModel group) {
+        getDelegateForUpdate();
+        updated.removeDefaultGroup(group);
+
+    }
+
+    @Override
     public List<String> getDefaultRoles() {
         if (updated != null) return updated.getDefaultRoles();
         return cached.getDefaultRoles();
@@ -1308,6 +1344,12 @@ public class RealmAdapter implements RealmModel {
     }
 
     @Override
+    public GroupModel createGroup(String id, String name) {
+        getDelegateForUpdate();
+        return updated.createGroup(id, name);
+    }
+
+    @Override
     public void addTopLevelGroup(GroupModel subGroup) {
         getDelegateForUpdate();
         updated.addTopLevelGroup(subGroup);

diff --git a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserAdapter.java b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserAdapter.java
index 7113fde..8240005 100755
--- a/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserAdapter.java
+++ b/model/invalidation-cache/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserAdapter.java
@@ -321,7 +321,7 @@ public class UserAdapter implements UserModel {
     public Set<GroupModel> getGroups() {
         if (updated != null) return updated.getGroups();
         Set<GroupModel> groups = new HashSet<GroupModel>();
-        for (String id : cached.getRoleMappings()) {
+        for (String id : cached.getGroups()) {
             GroupModel groupModel = keycloakSession.realms().getGroupById(id, realm);
             if (groupModel == null) {
                 // chance that role was removed, so just delete to persistence and get user invalidated

diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java
index 1c04b9d..a683956 100755
--- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java
+++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedClient.java
@@ -31,12 +31,11 @@ public class CachedClient implements Serializable {
     private boolean enabled;
     private String clientAuthenticatorType;
     private String secret;
-    private String registrationSecret;
+    private String registrationToken;
     private String protocol;
     private Map<String, String> attributes = new HashMap<String, String>();
     private boolean publicClient;
     private boolean fullScopeAllowed;
-    private boolean directGrantsOnly;
     private boolean frontchannelLogout;
     private int notBefore;
     private Set<String> scope = new HashSet<String>();
@@ -49,6 +48,9 @@ public class CachedClient implements Serializable {
     private List<String> defaultRoles = new LinkedList<String>();
     private boolean bearerOnly;
     private boolean consentRequired;
+    private boolean standardFlowEnabled;
+    private boolean implicitFlowEnabled;
+    private boolean directAccessGrantsEnabled;
     private boolean serviceAccountsEnabled;
     private Map<String, String> roles = new HashMap<String, String>();
     private int nodeReRegistrationTimeout;
@@ -58,7 +60,7 @@ public class CachedClient implements Serializable {
         id = model.getId();
         clientAuthenticatorType = model.getClientAuthenticatorType();
         secret = model.getSecret();
-        registrationSecret = model.getRegistrationSecret();
+        registrationToken = model.getRegistrationToken();
         clientId = model.getClientId();
         name = model.getName();
         description = model.getDescription();
@@ -67,7 +69,6 @@ public class CachedClient implements Serializable {
         protocol = model.getProtocol();
         attributes.putAll(model.getAttributes());
         notBefore = model.getNotBefore();
-        directGrantsOnly = model.isDirectGrantsOnly();
         frontchannelLogout = model.isFrontchannelLogout();
         publicClient = model.isPublicClient();
         fullScopeAllowed = model.isFullScopeAllowed();
@@ -86,6 +87,9 @@ public class CachedClient implements Serializable {
         defaultRoles.addAll(model.getDefaultRoles());
         bearerOnly = model.isBearerOnly();
         consentRequired = model.isConsentRequired();
+        standardFlowEnabled = model.isStandardFlowEnabled();
+        implicitFlowEnabled = model.isImplicitFlowEnabled();
+        directAccessGrantsEnabled = model.isDirectAccessGrantsEnabled();
         serviceAccountsEnabled = model.isServiceAccountsEnabled();
         for (RoleModel role : model.getRoles()) {
             roles.put(role.getName(), role.getId());
@@ -131,18 +135,14 @@ public class CachedClient implements Serializable {
         return secret;
     }
 
-    public String getRegistrationSecret() {
-        return registrationSecret;
+    public String getRegistrationToken() {
+        return registrationToken;
     }
 
     public boolean isPublicClient() {
         return publicClient;
     }
 
-    public boolean isDirectGrantsOnly() {
-        return directGrantsOnly;
-    }
-
     public int getNotBefore() {
         return notBefore;
     }
@@ -203,6 +203,18 @@ public class CachedClient implements Serializable {
         return consentRequired;
     }
 
+    public boolean isStandardFlowEnabled() {
+        return standardFlowEnabled;
+    }
+
+    public boolean isImplicitFlowEnabled() {
+        return implicitFlowEnabled;
+    }
+
+    public boolean isDirectAccessGrantsEnabled() {
+        return directAccessGrantsEnabled;
+    }
+
     public boolean isServiceAccountsEnabled() {
         return serviceAccountsEnabled;
     }

diff --git a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java
index 604d7fa..e423562 100755
--- a/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java
+++ b/model/invalidation-cache/model-adapters/src/main/java/org/keycloak/models/cache/entities/CachedRealm.java
@@ -61,6 +61,7 @@ public class CachedRealm implements Serializable {
     private int ssoSessionMaxLifespan;
     private int offlineSessionIdleTimeout;
     private int accessTokenLifespan;
+    private int accessTokenLifespanForImplicitFlow;
     private int accessCodeLifespan;
     private int accessCodeLifespanUserAction;
     private int accessCodeLifespanLogin;
@@ -107,6 +108,7 @@ public class CachedRealm implements Serializable {
     protected Set<String> adminEnabledEventOperations = new HashSet<String>();
     protected boolean adminEventsDetailsEnabled;
     private List<String> defaultRoles = new LinkedList<String>();
+    private List<String> defaultGroups = new LinkedList<String>();
     private Set<String> groups = new HashSet<String>();
     private Map<String, String> realmRoles = new HashMap<String, String>();
     private Map<String, String> clients = new HashMap<String, String>();
@@ -145,6 +147,7 @@ public class CachedRealm implements Serializable {
         ssoSessionMaxLifespan = model.getSsoSessionMaxLifespan();
         offlineSessionIdleTimeout = model.getOfflineSessionIdleTimeout();
         accessTokenLifespan = model.getAccessTokenLifespan();
+        accessTokenLifespanForImplicitFlow = model.getAccessTokenLifespanForImplicitFlow();
         accessCodeLifespan = model.getAccessCodeLifespan();
         accessCodeLifespanUserAction = model.getAccessCodeLifespanUserAction();
         accessCodeLifespanLogin = model.getAccessCodeLifespanLogin();
@@ -229,6 +232,10 @@ public class CachedRealm implements Serializable {
             requiredActionProvidersByAlias.put(action.getAlias(), action);
         }
 
+        for (GroupModel group : model.getDefaultGroups()) {
+            defaultGroups.add(group.getId());
+        }
+
         browserFlow = model.getBrowserFlow();
         registrationFlow = model.getRegistrationFlow();
         directGrantFlow = model.getDirectGrantFlow();
@@ -342,6 +349,10 @@ public class CachedRealm implements Serializable {
         return accessTokenLifespan;
     }
 
+    public int getAccessTokenLifespanForImplicitFlow() {
+        return accessTokenLifespanForImplicitFlow;
+    }
+
     public int getAccessCodeLifespan() {
         return accessCodeLifespan;
     }
@@ -516,4 +527,8 @@ public class CachedRealm implements Serializable {
     public Set<String> getGroups() {
         return groups;
     }
+
+    public List<String> getDefaultGroups() {
+        return defaultGroups;
+    }
 }

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java
index 5ea0b11..f677859 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/ClientAdapter.java
@@ -3,6 +3,7 @@ package org.keycloak.models.jpa;
 import org.keycloak.connections.jpa.util.JpaUtils;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ModelDuplicateException;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleContainerModel;
@@ -178,13 +179,13 @@ public class ClientAdapter implements ClientModel {
     }
 
     @Override
-    public String getRegistrationSecret() {
-        return entity.getRegistrationSecret();
+    public String getRegistrationToken() {
+        return entity.getRegistrationToken();
     }
 
     @Override
-    public void setRegistrationSecret(String registrationSecret) {
-        entity.setRegistrationSecret(registrationSecret);
+    public void setRegistrationToken(String registrationToken) {
+        entity.setRegistrationToken(registrationToken);
     }
 
     @Override
@@ -328,7 +329,7 @@ public class ClientAdapter implements ClientModel {
     @Override
     public ProtocolMapperModel addProtocolMapper(ProtocolMapperModel model) {
         if (getProtocolMapperByName(model.getProtocol(), model.getName()) != null) {
-            throw new RuntimeException("protocol mapper name must be unique per protocol");
+            throw new ModelDuplicateException("Protocol mapper name must be unique per protocol");
         }
         String id = model.getId() != null ? model.getId() : KeycloakModelUtils.generateId();
         ProtocolMapperEntity entity = new ProtocolMapperEntity();
@@ -498,23 +499,43 @@ public class ClientAdapter implements ClientModel {
     }
 
     @Override
-    public boolean isServiceAccountsEnabled() {
-        return entity.isServiceAccountsEnabled();
+    public boolean isStandardFlowEnabled() {
+        return entity.isStandardFlowEnabled();
     }
 
     @Override
-    public void setServiceAccountsEnabled(boolean serviceAccountsEnabled) {
-        entity.setServiceAccountsEnabled(serviceAccountsEnabled);
+    public void setStandardFlowEnabled(boolean standardFlowEnabled) {
+        entity.setStandardFlowEnabled(standardFlowEnabled);
+    }
+
+    @Override
+    public boolean isImplicitFlowEnabled() {
+        return entity.isImplicitFlowEnabled();
+    }
+
+    @Override
+    public void setImplicitFlowEnabled(boolean implicitFlowEnabled) {
+        entity.setImplicitFlowEnabled(implicitFlowEnabled);
     }
 
     @Override
-    public boolean isDirectGrantsOnly() {
-        return entity.isDirectGrantsOnly();
+    public boolean isDirectAccessGrantsEnabled() {
+        return entity.isDirectAccessGrantsEnabled();
     }
 
     @Override
-    public void setDirectGrantsOnly(boolean flag) {
-        entity.setDirectGrantsOnly(flag);
+    public void setDirectAccessGrantsEnabled(boolean directAccessGrantsEnabled) {
+        entity.setDirectAccessGrantsEnabled(directAccessGrantsEnabled);
+    }
+
+    @Override
+    public boolean isServiceAccountsEnabled() {
+        return entity.isServiceAccountsEnabled();
+    }
+
+    @Override
+    public void setServiceAccountsEnabled(boolean serviceAccountsEnabled) {
+        entity.setServiceAccountsEnabled(serviceAccountsEnabled);
     }
 
     @Override

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java
index 881b129..1569875 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/ClientEntity.java
@@ -42,8 +42,8 @@ public class ClientEntity {
     private boolean enabled;
     @Column(name="SECRET")
     private String secret;
-    @Column(name="REGISTRATION_SECRET")
-    private String registrationSecret;
+    @Column(name="REGISTRATION_TOKEN")
+    private String registrationToken;
     @Column(name="CLIENT_AUTHENTICATOR_TYPE")
     private String clientAuthenticatorType;
     @Column(name="NOT_BEFORE")
@@ -95,15 +95,21 @@ public class ClientEntity {
     @Column(name="MANAGEMENT_URL")
     private String managementUrl;
 
-    @Column(name="DIRECT_GRANTS_ONLY")
-    protected boolean directGrantsOnly;
-
     @Column(name="BEARER_ONLY")
     private boolean bearerOnly;
 
     @Column(name="CONSENT_REQUIRED")
     private boolean consentRequired;
 
+    @Column(name="STANDARD_FLOW_ENABLED")
+    private boolean standardFlowEnabled;
+
+    @Column(name="IMPLICIT_FLOW_ENABLED")
+    private boolean implicitFlowEnabled;
+
+    @Column(name="DIRECT_ACCESS_GRANTS_ENABLED")
+    private boolean directAccessGrantsEnabled;
+
     @Column(name="SERVICE_ACCOUNTS_ENABLED")
     private boolean serviceAccountsEnabled;
 
@@ -203,12 +209,12 @@ public class ClientEntity {
         this.secret = secret;
     }
 
-    public String getRegistrationSecret() {
-        return registrationSecret;
+    public String getRegistrationToken() {
+        return registrationToken;
     }
 
-    public void setRegistrationSecret(String registrationSecret) {
-        this.registrationSecret = registrationSecret;
+    public void setRegistrationToken(String registrationToken) {
+        this.registrationToken = registrationToken;
     }
 
     public int getNotBefore() {
@@ -339,20 +345,36 @@ public class ClientEntity {
         this.consentRequired = consentRequired;
     }
 
-    public boolean isServiceAccountsEnabled() {
-        return serviceAccountsEnabled;
+    public boolean isStandardFlowEnabled() {
+        return standardFlowEnabled;
     }
 
-    public void setServiceAccountsEnabled(boolean serviceAccountsEnabled) {
-        this.serviceAccountsEnabled = serviceAccountsEnabled;
+    public void setStandardFlowEnabled(boolean standardFlowEnabled) {
+        this.standardFlowEnabled = standardFlowEnabled;
+    }
+
+    public boolean isImplicitFlowEnabled() {
+        return implicitFlowEnabled;
     }
 
-    public boolean isDirectGrantsOnly() {
-        return directGrantsOnly;
+    public void setImplicitFlowEnabled(boolean implicitFlowEnabled) {
+        this.implicitFlowEnabled = implicitFlowEnabled;
     }
 
-    public void setDirectGrantsOnly(boolean directGrantsOnly) {
-        this.directGrantsOnly = directGrantsOnly;
+    public boolean isDirectAccessGrantsEnabled() {
+        return directAccessGrantsEnabled;
+    }
+
+    public void setDirectAccessGrantsEnabled(boolean directAccessGrantsEnabled) {
+        this.directAccessGrantsEnabled = directAccessGrantsEnabled;
+    }
+
+    public boolean isServiceAccountsEnabled() {
+        return serviceAccountsEnabled;
+    }
+
+    public void setServiceAccountsEnabled(boolean serviceAccountsEnabled) {
+        this.serviceAccountsEnabled = serviceAccountsEnabled;
     }
 
     public int getNodeReRegistrationTimeout() {

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/GroupEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/GroupEntity.java
index d5851fd..2326cad 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/GroupEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/GroupEntity.java
@@ -92,7 +92,7 @@ public class GroupEntity {
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
-        if (o == null || getClass() != o.getClass()) return false;
+        if (o == null) return false;
 
         GroupEntity that = (GroupEntity) o;
 

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
index 78de054..05af313 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/entities/RealmEntity.java
@@ -86,6 +86,8 @@ public class RealmEntity {
     private int offlineSessionIdleTimeout;
     @Column(name="ACCESS_TOKEN_LIFESPAN")
     protected int accessTokenLifespan;
+    @Column(name="ACCESS_TOKEN_LIFE_IMPLICIT")
+    protected int accessTokenLifespanForImplicitFlow;
     @Column(name="ACCESS_CODE_LIFESPAN")
     protected int accessCodeLifespan;
     @Column(name="USER_ACTION_LIFESPAN")
@@ -133,9 +135,6 @@ public class RealmEntity {
     @OneToMany(fetch = FetchType.LAZY, cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "realm")
     Collection<RoleEntity> roles = new ArrayList<RoleEntity>();
 
-    @OneToMany(fetch = FetchType.LAZY, cascade ={CascadeType.REMOVE}, orphanRemoval = true, mappedBy = "realm")
-    Collection<GroupEntity> groups = new ArrayList<GroupEntity>();
-
     @ElementCollection
     @MapKeyColumn(name="NAME")
     @Column(name="VALUE")
@@ -146,6 +145,10 @@ public class RealmEntity {
     @JoinTable(name="REALM_DEFAULT_ROLES", joinColumns = { @JoinColumn(name="REALM_ID")}, inverseJoinColumns = { @JoinColumn(name="ROLE_ID")})
     protected Collection<RoleEntity> defaultRoles = new ArrayList<RoleEntity>();
 
+    @OneToMany(fetch = FetchType.LAZY, cascade ={CascadeType.REMOVE}, orphanRemoval = true)
+    @JoinTable(name="REALM_DEFAULT_GROUPS", joinColumns = { @JoinColumn(name="REALM_ID")}, inverseJoinColumns = { @JoinColumn(name="GROUP_ID")})
+    protected Collection<GroupEntity> defaultGroups = new ArrayList<>();
+
     @Column(name="EVENTS_ENABLED")
     protected boolean eventsEnabled;
     @Column(name="EVENTS_EXPIRATION")
@@ -335,6 +338,14 @@ public class RealmEntity {
         this.accessTokenLifespan = accessTokenLifespan;
     }
 
+    public int getAccessTokenLifespanForImplicitFlow() {
+        return accessTokenLifespanForImplicitFlow;
+    }
+
+    public void setAccessTokenLifespanForImplicitFlow(int accessTokenLifespanForImplicitFlow) {
+        this.accessTokenLifespanForImplicitFlow = accessTokenLifespanForImplicitFlow;
+    }
+
     public int getAccessCodeLifespan() {
         return accessCodeLifespan;
     }
@@ -429,6 +440,14 @@ public class RealmEntity {
         this.defaultRoles = defaultRoles;
     }
 
+    public Collection<GroupEntity> getDefaultGroups() {
+        return defaultGroups;
+    }
+
+    public void setDefaultGroups(Collection<GroupEntity> defaultGroups) {
+        this.defaultGroups = defaultGroups;
+    }
+
     public String getPasswordPolicy() {
         return passwordPolicy;
     }
@@ -722,20 +741,5 @@ public class RealmEntity {
         this.clientAuthenticationFlow = clientAuthenticationFlow;
     }
 
-    public Collection<GroupEntity> getGroups() {
-        return groups;
-    }
-
-    public void setGroups(Collection<GroupEntity> groups) {
-        this.groups = groups;
-    }
-
-    public void addGroup(GroupEntity group) {
-        if (groups == null) {
-            groups = new ArrayList<GroupEntity>();
-        }
-        groups.add(group);
-    }
-
 }
 

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/GroupAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/GroupAdapter.java
index 209d2ae..8ef4dd2 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/GroupAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/GroupAdapter.java
@@ -104,6 +104,9 @@ public class GroupAdapter implements GroupModel {
     @Override
     public void setParent(GroupModel parent) {
         if (parent == null) group.setParent(null);
+        else if (parent.getId().equals(getId())) {
+            return;
+        }
         else {
             GroupEntity parentEntity = toEntity(parent, em);
             group.setParent(parentEntity);
@@ -112,11 +115,17 @@ public class GroupAdapter implements GroupModel {
 
     @Override
     public void addChild(GroupModel subGroup) {
+        if (subGroup.getId().equals(getId())) {
+            return;
+        }
         subGroup.setParent(this);
     }
 
     @Override
     public void removeChild(GroupModel subGroup) {
+        if (subGroup.getId().equals(getId())) {
+            return;
+        }
         subGroup.setParent(null);
     }
 
@@ -312,9 +321,9 @@ public class GroupAdapter implements GroupModel {
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
-        if (o == null || !(o instanceof UserModel)) return false;
+        if (o == null || !(o instanceof GroupModel)) return false;
 
-        UserModel that = (UserModel) o;
+        GroupModel that = (GroupModel) o;
         return that.getId().equals(getId());
     }
 

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java b/model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java
index 4ec5d66..09b4fa2 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/JpaRealmProvider.java
@@ -99,19 +99,20 @@ public class JpaRealmProvider implements RealmProvider {
 
         RealmAdapter adapter = new RealmAdapter(session, em, realm);
         session.users().preRemove(adapter);
-        for (ClientEntity a : new LinkedList<>(realm.getClients())) {
-            adapter.removeClient(a.getId());
-        }
-
         int num = em.createNamedQuery("deleteGroupRoleMappingsByRealm")
                 .setParameter("realm", realm).executeUpdate();
         num = em.createNamedQuery("deleteGroupAttributesByRealm")
                 .setParameter("realm", realm).executeUpdate();
         num = em.createNamedQuery("deleteGroupsByRealm")
                 .setParameter("realm", realm).executeUpdate();
-
+        for (ClientEntity a : new LinkedList<>(realm.getClients())) {
+            adapter.removeClient(a.getId());
+        }
 
         em.remove(realm);
+
+        em.flush();
+        em.clear();
         return true;
     }
 

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java b/model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java
index 5f8ce7f..64650c9 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java
@@ -71,6 +71,10 @@ public class JpaUserProvider implements UserProvider {
                     userModel.grantRole(application.getRole(r));
                 }
             }
+
+            for (GroupModel g : realm.getDefaultGroups()) {
+                userModel.joinGroup(g);
+            }
         }
         for (RequiredActionProviderModel r : realm.getRequiredActionProviders()) {
             if (r.isEnabled() && r.isDefaultAction()) {
@@ -97,6 +101,7 @@ public class JpaUserProvider implements UserProvider {
     private void removeUser(UserEntity user) {
         String id = user.getId();
         em.createNamedQuery("deleteUserRoleMappingsByUser").setParameter("user", user).executeUpdate();
+        em.createNamedQuery("deleteUserGroupMembershipsByUser").setParameter("user", user).executeUpdate();
         em.createNamedQuery("deleteFederatedIdentityByUser").setParameter("user", user).executeUpdate();
         em.createNamedQuery("deleteUserConsentRolesByUser").setParameter("user", user).executeUpdate();
         em.createNamedQuery("deleteUserConsentProtMappersByUser").setParameter("user", user).executeUpdate();
@@ -174,10 +179,10 @@ public class JpaUserProvider implements UserProvider {
                 .setParameter("realmId", realm.getId()).executeUpdate();
         num = em.createNamedQuery("deleteUserAttributesByRealm")
                 .setParameter("realmId", realm.getId()).executeUpdate();
-        num = em.createNamedQuery("deleteUsersByRealm")
-                .setParameter("realmId", realm.getId()).executeUpdate();
         num = em.createNamedQuery("deleteUserGroupMembershipByRealm")
                 .setParameter("realmId", realm.getId()).executeUpdate();
+        num = em.createNamedQuery("deleteUsersByRealm")
+                .setParameter("realmId", realm.getId()).executeUpdate();
     }
 
     @Override

diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
index 7b8e3a6..cb69f14 100755
--- a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
+++ b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java
@@ -361,6 +361,16 @@ public class RealmAdapter implements RealmModel {
     }
 
     @Override
+    public int getAccessTokenLifespanForImplicitFlow() {
+        return realm.getAccessTokenLifespanForImplicitFlow();
+    }
+
+    @Override
+    public void setAccessTokenLifespanForImplicitFlow(int seconds) {
+        realm.setAccessTokenLifespanForImplicitFlow(seconds);
+    }
+
+    @Override
     public int getSsoSessionIdleTimeout() {
         return realm.getSsoSessionIdleTimeout();
     }
@@ -648,6 +658,44 @@ public class RealmAdapter implements RealmModel {
     }
 
     @Override
+    public List<GroupModel> getDefaultGroups() {
+        Collection<GroupEntity> entities = realm.getDefaultGroups();
+        List<GroupModel> defaultGroups = new LinkedList<>();
+        for (GroupEntity entity : entities) {
+            defaultGroups.add(session.realms().getGroupById(entity.getId(), this));
+        }
+        return defaultGroups;
+    }
+
+    @Override
+    public void addDefaultGroup(GroupModel group) {
+        Collection<GroupEntity> entities = realm.getDefaultGroups();
+        for (GroupEntity entity : entities) {
+            if (entity.getId().equals(group.getId())) return;
+        }
+        GroupEntity groupEntity = GroupAdapter.toEntity(group, em);
+        realm.getDefaultGroups().add(groupEntity);
+        em.flush();
+
+    }
+
+    @Override
+    public void removeDefaultGroup(GroupModel group) {
+        GroupEntity found = null;
+        for (GroupEntity defaultGroup : realm.getDefaultGroups()) {
+            if (defaultGroup.getId().equals(group.getId())) {
+                found = defaultGroup;
+                break;
+            }
+        }
+        if (found != null) {
+            realm.getDefaultGroups().remove(found);
+            em.flush();
+        }
+
+    }
+
+    @Override
     public Map<String, ClientModel> getClientNameMap() {
         Map<String, ClientModel> map = new HashMap<String, ClientModel>();
         for (ClientModel app : getClients()) {
@@ -677,6 +725,8 @@ public class RealmAdapter implements RealmModel {
         entity.setId(id);
         entity.setClientId(clientId);
         entity.setEnabled(true);
+        entity.setStandardFlowEnabled(true);
+        entity.setDirectAccessGrantsEnabled(true);
         entity.setRealm(realm);
         realm.getClients().add(entity);
         em.persist(entity);
@@ -1000,6 +1050,7 @@ public class RealmAdapter implements RealmModel {
         String compositeRoleTable = JpaUtils.getTableNameForNativeQuery("COMPOSITE_ROLE", em);
         em.createNativeQuery("delete from " + compositeRoleTable + " where CHILD_ROLE = :role").setParameter("role", roleEntity).executeUpdate();
         em.createNamedQuery("deleteScopeMappingByRole").setParameter("role", roleEntity).executeUpdate();
+        em.createNamedQuery("deleteGroupRoleMappingsByRole").setParameter("roleId", roleEntity.getId()).executeUpdate();
 
         em.remove(roleEntity);
 
@@ -1955,6 +2006,9 @@ public class RealmAdapter implements RealmModel {
 
     @Override
     public void moveGroup(GroupModel group, GroupModel toParent) {
+        if (toParent != null && group.getId().equals(toParent.getId())) {
+            return;
+        }
         if (group.getParentId() != null) {
             group.getParent().removeChild(group);
         }
@@ -1971,7 +2025,7 @@ public class RealmAdapter implements RealmModel {
     @Override
     public List<GroupModel> getGroups() {
         List<GroupModel> list = new LinkedList<>();
-        Collection<GroupEntity> groups = realm.getGroups();
+        Collection<GroupEntity> groups =  em.createNamedQuery("getAllGroupsByRealm").setParameter("realm", realm).getResultList();
         if (groups == null) return list;
         for (GroupEntity entity : groups) {
             list.add(new GroupAdapter(this, em, entity));
@@ -2001,6 +2055,7 @@ public class RealmAdapter implements RealmModel {
         if (!groupEntity.getRealm().getId().equals(getId())) {
             return false;
         }
+        realm.getDefaultGroups().remove(groupEntity);
         for (GroupModel subGroup : group.getSubGroups()) {
             removeGroup(subGroup);
         }
@@ -2008,7 +2063,6 @@ public class RealmAdapter implements RealmModel {
 
         session.users().preRemove(this, group);
         moveGroup(group, null);
-        realm.getGroups().remove(groupEntity);
         em.createNamedQuery("deleteGroupAttributesByGroup").setParameter("group", groupEntity).executeUpdate();
         em.createNamedQuery("deleteGroupRoleMappingsByGroup").setParameter("group", groupEntity).executeUpdate();
         em.remove(groupEntity);
@@ -2019,8 +2073,15 @@ public class RealmAdapter implements RealmModel {
 
     @Override
     public GroupModel createGroup(String name) {
+        String id = KeycloakModelUtils.generateId();
+        return createGroup(id, name);
+    }
+
+    @Override
+    public GroupModel createGroup(String id, String name) {
+        if (id == null) id = KeycloakModelUtils.generateId();
         GroupEntity groupEntity = new GroupEntity();
-        groupEntity.setId(KeycloakModelUtils.generateId());
+        groupEntity.setId(id);
         groupEntity.setName(name);
         groupEntity.setRealm(realm);
         em.persist(groupEntity);

diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ClientAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ClientAdapter.java
index cbacd09..eb6bcd9 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ClientAdapter.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/ClientAdapter.java
@@ -5,6 +5,7 @@ import com.mongodb.QueryBuilder;
 import org.keycloak.connections.mongo.api.context.MongoStoreInvocationContext;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ModelDuplicateException;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleModel;
@@ -178,13 +179,13 @@ public class ClientAdapter extends AbstractMongoAdapter<MongoClientEntity> imple
     }
 
     @Override
-    public String getRegistrationSecret() {
-        return getMongoEntity().getRegistrationSecret();
+    public String getRegistrationToken() {
+        return getMongoEntity().getRegistrationToken();
     }
 
     @Override
-    public void setRegistrationSecret(String registrationSecretsecret) {
-        getMongoEntity().setRegistrationSecret(registrationSecretsecret);
+    public void setRegistrationToken(String registrationToken) {
+        getMongoEntity().setRegistrationToken(registrationToken);
         updateMongoEntity();
     }
 
@@ -342,7 +343,7 @@ public class ClientAdapter extends AbstractMongoAdapter<MongoClientEntity> imple
     @Override
     public ProtocolMapperModel addProtocolMapper(ProtocolMapperModel model) {
         if (getProtocolMapperByName(model.getProtocol(), model.getName()) != null) {
-            throw new RuntimeException("protocol mapper name must be unique per protocol");
+            throw new ModelDuplicateException("Protocol mapper name must be unique per protocol");
         }
         ProtocolMapperEntity entity = new ProtocolMapperEntity();
         String id = model.getId() != null ? model.getId() : KeycloakModelUtils.generateId();
@@ -504,24 +505,46 @@ public class ClientAdapter extends AbstractMongoAdapter<MongoClientEntity> imple
     }
 
     @Override
-    public boolean isServiceAccountsEnabled() {
-        return getMongoEntity().isServiceAccountsEnabled();
+    public boolean isStandardFlowEnabled() {
+        return getMongoEntity().isStandardFlowEnabled();
     }
 
     @Override
-    public void setServiceAccountsEnabled(boolean serviceAccountsEnabled) {
-        getMongoEntity().setServiceAccountsEnabled(serviceAccountsEnabled);
+    public void setStandardFlowEnabled(boolean standardFlowEnabled) {
+        getMongoEntity().setStandardFlowEnabled(standardFlowEnabled);
+        updateMongoEntity();
+    }
+
+    @Override
+    public boolean isImplicitFlowEnabled() {
+        return getMongoEntity().isImplicitFlowEnabled();
+    }
+
+    @Override
+    public void setImplicitFlowEnabled(boolean implicitFlowEnabled) {
+        getMongoEntity().setImplicitFlowEnabled(implicitFlowEnabled);
         updateMongoEntity();
     }
 
     @Override
-    public boolean isDirectGrantsOnly() {
-        return getMongoEntity().isDirectGrantsOnly();
+    public boolean isDirectAccessGrantsEnabled() {
+        return getMongoEntity().isDirectAccessGrantsEnabled();
     }
 
     @Override
-    public void setDirectGrantsOnly(boolean flag) {
-        getMongoEntity().setDirectGrantsOnly(flag);
+    public void setDirectAccessGrantsEnabled(boolean directAccessGrantsEnabled) {
+        getMongoEntity().setDirectAccessGrantsEnabled(directAccessGrantsEnabled);
+        updateMongoEntity();
+    }
+
+    @Override
+    public boolean isServiceAccountsEnabled() {
+        return getMongoEntity().isServiceAccountsEnabled();
+    }
+
+    @Override
+    public void setServiceAccountsEnabled(boolean serviceAccountsEnabled) {
+        getMongoEntity().setServiceAccountsEnabled(serviceAccountsEnabled);
         updateMongoEntity();
     }
 

diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/GroupAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/GroupAdapter.java
index d261c6d..32be0be 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/GroupAdapter.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/GroupAdapter.java
@@ -6,6 +6,7 @@ import org.keycloak.connections.mongo.api.context.MongoStoreInvocationContext;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.GroupModel;
 import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ModelException;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.RoleContainerModel;
 import org.keycloak.models.RoleModel;
@@ -20,6 +21,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -146,7 +148,11 @@ public class GroupAdapter extends AbstractMongoAdapter<MongoGroupEntity> impleme
         if (group.getRoleIds() == null || group.getRoleIds().isEmpty()) return Collections.EMPTY_SET;
         Set<RoleModel> roles = new HashSet<>();
         for (String id : group.getRoleIds()) {
-            roles.add(realm.getRoleById(id));
+            RoleModel roleById = realm.getRoleById(id);
+            if (roleById == null) {
+                throw new ModelException("role does not exist in group role mappings");
+            }
+            roles.add(roleById);
         }
         return roles;
      }
@@ -198,24 +204,40 @@ public class GroupAdapter extends AbstractMongoAdapter<MongoGroupEntity> impleme
 
     @Override
     public Set<GroupModel> getSubGroups() {
+        DBObject query = new QueryBuilder()
+                .and("realmId").is(realm.getId())
+                .and("parentId").is(getId())
+                .get();
+        List<MongoGroupEntity> groups = getMongoStore().loadEntities(MongoGroupEntity.class, query, invocationContext);
+
         Set<GroupModel> subGroups = new HashSet<>();
-        for (GroupModel groupModel : realm.getGroups()) {
-            if (groupModel.getParent().equals(this)) {
-                subGroups.add(groupModel);
-            }
+
+        if (groups == null) return subGroups;
+        for (MongoGroupEntity group : groups) {
+            subGroups.add(realm.getGroupById(group.getId()));
         }
+
         return subGroups;
     }
 
     @Override
-    public void setParent(GroupModel group) {
-        this.group.setParentId(group.getId());
+    public void setParent(GroupModel parent) {
+        if (parent == null) group.setParentId(null);
+        else if (parent.getId().equals(getId())) {
+            return;
+        }
+        else {
+            group.setParentId(parent.getId());
+        }
         updateGroup();
 
     }
 
     @Override
     public void addChild(GroupModel subGroup) {
+        if (subGroup.getId().equals(getId())) {
+            return;
+        }
         subGroup.setParent(this);
         updateGroup();
 
@@ -223,6 +245,9 @@ public class GroupAdapter extends AbstractMongoAdapter<MongoGroupEntity> impleme
 
     @Override
     public void removeChild(GroupModel subGroup) {
+        if (subGroup.getId().equals(getId())) {
+            return;
+        }
         subGroup.setParent(null);
         updateGroup();
 

diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java
index 9b4f1f8..44758b7 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/MongoUserProvider.java
@@ -300,6 +300,9 @@ public class MongoUserProvider implements UserProvider {
                     userModel.grantRole(application.getRole(r));
                 }
             }
+            for (GroupModel g : realm.getDefaultGroups()) {
+                userModel.joinGroup(g);
+            }
         }
 
         if (addDefaultRequiredActions) {

diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
index 30266af..c8fc1f0 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java
@@ -369,6 +369,17 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
     }
 
     @Override
+    public int getAccessTokenLifespanForImplicitFlow() {
+        return realm.getAccessTokenLifespanForImplicitFlow();
+    }
+
+    @Override
+    public void setAccessTokenLifespanForImplicitFlow(int seconds) {
+        realm.setAccessTokenLifespanForImplicitFlow(seconds);
+        updateRealm();
+    }
+
+    @Override
     public int getAccessCodeLifespan() {
         return realm.getAccessCodeLifespan();
     }
@@ -611,8 +622,15 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
 
     @Override
     public GroupModel createGroup(String name) {
+        String id = KeycloakModelUtils.generateId();
+        return createGroup(id, name);
+    }
+
+    @Override
+    public GroupModel createGroup(String id, String name) {
+        if (id == null) id = KeycloakModelUtils.generateId();
         MongoGroupEntity group = new MongoGroupEntity();
-        group.setId(KeycloakModelUtils.generateId());
+        group.setId(id);
         group.setName(name);
         group.setRealmId(getId());
 
@@ -629,6 +647,9 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
 
     @Override
     public void moveGroup(GroupModel group, GroupModel toParent) {
+        if (toParent != null && group.getId().equals(toParent.getId())) {
+            return;
+        }
         if (group.getParentId() != null) {
             group.getParent().removeChild(group);
         }
@@ -653,7 +674,7 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
 
         if (groups == null) return result;
         for (MongoGroupEntity group : groups) {
-            result.add(new GroupAdapter(session, this, group, invocationContext));
+            result.add(model.getGroupById(group.getId(), this));
         }
 
         return result;
@@ -665,7 +686,7 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
         Iterator<GroupModel> it = all.iterator();
         while (it.hasNext()) {
             GroupModel group = it.next();
-            if (group.getParent() != null) {
+            if (group.getParentId() != null) {
                 it.remove();
             }
         }
@@ -674,6 +695,9 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
 
     @Override
     public boolean removeGroup(GroupModel group) {
+        if (realm.getDefaultGroups() != null) {
+            getMongoStore().pullItemFromList(realm, "defaultGroups", group.getId(), invocationContext);
+        }
         for (GroupModel subGroup : group.getSubGroups()) {
             removeGroup(subGroup);
         }
@@ -682,6 +706,8 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
         return getMongoStore().removeEntity(MongoGroupEntity.class, group.getId(), invocationContext);
     }
 
+
+
     @Override
     public List<String> getDefaultRoles() {
         return realm.getDefaultRoles();
@@ -714,6 +740,27 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
     }
 
     @Override
+    public List<GroupModel> getDefaultGroups() {
+        List<GroupModel> defaultGroups = new LinkedList<>();
+        for (String id : realm.getDefaultGroups()) {
+            defaultGroups.add(session.realms().getGroupById(id, this));
+        }
+        return defaultGroups;
+    }
+
+    @Override
+    public void addDefaultGroup(GroupModel group) {
+        getMongoStore().pushItemToList(realm, "defaultGroups", group.getId(), true, invocationContext);
+
+    }
+
+    @Override
+    public void removeDefaultGroup(GroupModel group) {
+        getMongoStore().pullItemFromList(realm, "defaultGroups", group.getId(), invocationContext);
+
+    }
+
+    @Override
     public ClientModel getClientById(String id) {
         return model.getClientById(id, this);
     }
@@ -763,6 +810,8 @@ public class RealmAdapter extends AbstractMongoAdapter<MongoRealmEntity> impleme
         clientEntity.setClientId(clientId);
         clientEntity.setRealmId(getId());
         clientEntity.setEnabled(true);
+        clientEntity.setStandardFlowEnabled(true);
+        clientEntity.setDirectAccessGrantsEnabled(true);
         getMongoStore().insertEntity(clientEntity, invocationContext);
 
         final ClientModel model = new ClientAdapter(session, this, clientEntity, invocationContext);

diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/MongoRealmEntity.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/MongoRealmEntity.java
index 8269360..78f1076 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/MongoRealmEntity.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/MongoRealmEntity.java
@@ -20,6 +20,10 @@ public class MongoRealmEntity extends RealmEntity implements MongoIdentifiableEn
                 .get();
 
         // Remove all roles of this realm
+        context.getMongoStore().removeEntities(MongoGroupEntity.class, query, true, context);
+
+
+        // Remove all roles of this realm
         context.getMongoStore().removeEntities(MongoRoleEntity.class, query, true, context);
 
         // Remove all clients of this realm

diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/MongoRoleEntity.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/MongoRoleEntity.java
index 29491f8..520f678 100755
--- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/MongoRoleEntity.java
+++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/entities/MongoRoleEntity.java
@@ -41,6 +41,18 @@ public class MongoRoleEntity extends RoleEntity implements MongoIdentifiableEnti
     public void afterRemove(MongoStoreInvocationContext invContext) {
         MongoStore mongoStore = invContext.getMongoStore();
 
+        {
+            DBObject query = new QueryBuilder()
+                    .and("roleIds").is(getId())
+                    .get();
+
+            List<MongoGroupEntity> groups = mongoStore.loadEntities(MongoGroupEntity.class, query, invContext);
+            for (MongoGroupEntity group : groups) {
+                mongoStore.pullItemFromList(group, "roleIds", getId(), invContext);
+            }
+
+        }
+
         // Remove this scope from all clients, which has it
         DBObject query = new QueryBuilder()
                 .and("scopeIds").is(getId())

diff --git a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientInitialAccessAdapter.java b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientInitialAccessAdapter.java
new file mode 100644
index 0000000..7d75335
--- /dev/null
+++ b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/ClientInitialAccessAdapter.java
@@ -0,0 +1,69 @@
+package org.keycloak.models.sessions.infinispan;
+
+import org.infinispan.Cache;
+import org.keycloak.models.ClientInitialAccessModel;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.sessions.infinispan.entities.ClientInitialAccessEntity;
+import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class ClientInitialAccessAdapter implements ClientInitialAccessModel {
+
+    private final KeycloakSession session;
+    private final InfinispanUserSessionProvider provider;
+    private final Cache<String, SessionEntity> cache;
+    private final RealmModel realm;
+    private final ClientInitialAccessEntity entity;
+
+    public ClientInitialAccessAdapter(KeycloakSession session, InfinispanUserSessionProvider provider, Cache<String, SessionEntity> cache, RealmModel realm, ClientInitialAccessEntity entity) {
+        this.session = session;
+        this.provider = provider;
+        this.cache = cache;
+        this.realm = realm;
+        this.entity = entity;
+    }
+
+    @Override
+    public String getId() {
+        return entity.getId();
+    }
+
+    @Override
+    public RealmModel getRealm() {
+        return realm;
+    }
+
+    @Override
+    public int getTimestamp() {
+        return entity.getTimestamp();
+    }
+
+    @Override
+    public int getExpiration() {
+        return entity.getExpiration();
+    }
+
+    @Override
+    public int getCount() {
+        return entity.getCount();
+    }
+
+    @Override
+    public int getRemainingCount() {
+        return entity.getRemainingCount();
+    }
+
+    @Override
+    public void decreaseRemainingCount() {
+        entity.setRemainingCount(entity.getRemainingCount() - 1);
+        update();
+    }
+
+    void update() {
+        provider.getTx().replace(cache, entity.getId(), entity);
+    }
+
+}

diff --git a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/ClientInitialAccessAdapter.java b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/ClientInitialAccessAdapter.java
new file mode 100644
index 0000000..3398eff
--- /dev/null
+++ b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/ClientInitialAccessAdapter.java
@@ -0,0 +1,55 @@
+package org.keycloak.models.sessions.infinispan.compat;
+
+import org.keycloak.models.ClientInitialAccessModel;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.sessions.infinispan.compat.entities.ClientInitialAccessEntity;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class ClientInitialAccessAdapter implements ClientInitialAccessModel {
+
+    private final RealmModel realm;
+    private final ClientInitialAccessEntity entity;
+
+    public ClientInitialAccessAdapter(RealmModel realm, ClientInitialAccessEntity entity) {
+        this.realm = realm;
+        this.entity = entity;
+    }
+
+    @Override
+    public String getId() {
+        return entity.getId();
+    }
+
+    @Override
+    public RealmModel getRealm() {
+        return realm;
+    }
+
+    @Override
+    public int getTimestamp() {
+        return entity.getTimestamp();
+    }
+
+    @Override
+    public int getExpiration() {
+        return entity.getExpires();
+    }
+
+    @Override
+    public int getCount() {
+        return entity.getCount();
+    }
+
+    @Override
+    public int getRemainingCount() {
+        return entity.getRemainingCount();
+    }
+
+    @Override
+    public void decreaseRemainingCount() {
+        entity.setRemainingCount(entity.getRemainingCount() - 1);
+    }
+
+}

diff --git a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/entities/ClientInitialAccessEntity.java b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/entities/ClientInitialAccessEntity.java
new file mode 100644
index 0000000..ed0aeac
--- /dev/null
+++ b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/entities/ClientInitialAccessEntity.java
@@ -0,0 +1,68 @@
+package org.keycloak.models.sessions.infinispan.compat.entities;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class ClientInitialAccessEntity {
+
+    private String id;
+
+    private String realmId;
+
+    private int timestamp;
+
+    private int expires;
+
+    private int count;
+
+    private int remainingCount;
+
+    public String getId() {
+        return id;
+    }
+
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    public String getRealmId() {
+        return realmId;
+    }
+
+    public void setRealmId(String realmId) {
+        this.realmId = realmId;
+    }
+
+    public int getTimestamp() {
+        return timestamp;
+    }
+
+    public void setTimestamp(int timestamp) {
+        this.timestamp = timestamp;
+    }
+
+    public int getExpires() {
+        return expires;
+    }
+
+    public void setExpiration(int expires) {
+        this.expires = expires;
+    }
+
+    public int getCount() {
+        return count;
+    }
+
+    public void setCount(int count) {
+        this.count = count;
+    }
+
+    public int getRemainingCount() {
+        return remainingCount;
+    }
+
+    public void setRemainingCount(int remainingCount) {
+        this.remainingCount = remainingCount;
+    }
+
+}

diff --git a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/MemUserSessionProvider.java b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/MemUserSessionProvider.java
index f45edf1..db20ef8 100755
--- a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/MemUserSessionProvider.java
+++ b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/MemUserSessionProvider.java
@@ -1,19 +1,8 @@
 package org.keycloak.models.sessions.infinispan.compat;
 
-import org.keycloak.models.ClientModel;
-import org.keycloak.models.ClientSessionModel;
-import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.ModelDuplicateException;
-import org.keycloak.models.RealmModel;
-import org.keycloak.models.UserModel;
-import org.keycloak.models.UserSessionModel;
-import org.keycloak.models.UserSessionProvider;
-import org.keycloak.models.UsernameLoginFailureModel;
+import org.keycloak.models.*;
 import org.keycloak.models.session.UserSessionPersisterProvider;
-import org.keycloak.models.sessions.infinispan.compat.entities.ClientSessionEntity;
-import org.keycloak.models.sessions.infinispan.compat.entities.UserSessionEntity;
-import org.keycloak.models.sessions.infinispan.compat.entities.UsernameLoginFailureEntity;
-import org.keycloak.models.sessions.infinispan.compat.entities.UsernameLoginFailureKey;
+import org.keycloak.models.sessions.infinispan.compat.entities.*;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.models.utils.RealmInfoUtil;
 import org.keycloak.common.util.Time;
@@ -41,11 +30,12 @@ public class MemUserSessionProvider implements UserSessionProvider {
 
     private final ConcurrentHashMap<String, UserSessionEntity> offlineUserSessions;
     private final ConcurrentHashMap<String, ClientSessionEntity> offlineClientSessions;
+    private ConcurrentHashMap<String, ClientInitialAccessEntity> clientInitialAccess;
 
     public MemUserSessionProvider(KeycloakSession session, ConcurrentHashMap<String, UserSessionEntity> userSessions, ConcurrentHashMap<String, String> userSessionsByBrokerSessionId,
                                   ConcurrentHashMap<String, Set<String>> userSessionsByBrokerUserId, ConcurrentHashMap<String, ClientSessionEntity> clientSessions,
                                   ConcurrentHashMap<UsernameLoginFailureKey, UsernameLoginFailureEntity> loginFailures,
-                                  ConcurrentHashMap<String, UserSessionEntity> offlineUserSessions, ConcurrentHashMap<String, ClientSessionEntity> offlineClientSessions) {
+                                  ConcurrentHashMap<String, UserSessionEntity> offlineUserSessions, ConcurrentHashMap<String, ClientSessionEntity> offlineClientSessions, ConcurrentHashMap<String, ClientInitialAccessEntity> clientInitialAccess) {
         this.session = session;
         this.userSessions = userSessions;
         this.clientSessions = clientSessions;
@@ -54,6 +44,7 @@ public class MemUserSessionProvider implements UserSessionProvider {
         this.userSessionsByBrokerUserId = userSessionsByBrokerUserId;
         this.offlineUserSessions = offlineUserSessions;
         this.offlineClientSessions = offlineClientSessions;
+        this.clientInitialAccess = clientInitialAccess;
     }
 
     @Override
@@ -341,6 +332,15 @@ public class MemUserSessionProvider implements UserSessionProvider {
                 persister.removeClientSession(s.getId(), true);
             }
         }
+
+        // Remove expired initial access
+        Iterator<ClientInitialAccessEntity> iaitr = clientInitialAccess.values().iterator();
+        while (iaitr.hasNext()) {
+            ClientInitialAccessEntity e = iaitr.next();
+            if (e.getRealmId().equals(realm.getId()) && (e.getExpires() < Time.currentTime())) {
+                iaitr.remove();
+            }
+        }
     }
 
     @Override
@@ -575,6 +575,43 @@ public class MemUserSessionProvider implements UserSessionProvider {
     }
 
     @Override
+    public ClientInitialAccessModel createClientInitialAccessModel(RealmModel realm, int expiration, int count) {
+        String id = KeycloakModelUtils.generateId();
+
+        ClientInitialAccessEntity entity = new ClientInitialAccessEntity();
+        entity.setId(id);
+        entity.setRealmId(realm.getId());
+        entity.setTimestamp(Time.currentTime());
+        entity.setExpiration(expiration);
+        entity.setCount(count);
+        entity.setRemainingCount(count);
+
+        clientInitialAccess.put(id, entity);
+
+        return new ClientInitialAccessAdapter(realm, entity);
+    }
+
+    @Override
+    public ClientInitialAccessModel getClientInitialAccessModel(RealmModel realm, String id) {
+        ClientInitialAccessEntity entity = clientInitialAccess.get(id);
+        return entity != null ? new ClientInitialAccessAdapter(realm, entity) : null;
+    }
+
+    @Override
+    public void removeClientInitialAccessModel(RealmModel realm, String id) {
+        clientInitialAccess.remove(id);
+    }
+
+    @Override
+    public List<ClientInitialAccessModel> listClientInitialAccess(RealmModel realm) {
+        List<ClientInitialAccessModel> models = new LinkedList<>();
+        for (ClientInitialAccessEntity e : clientInitialAccess.values()) {
+            models.add(new ClientInitialAccessAdapter(realm, e));
+        }
+        return models;
+    }
+
+    @Override
     public void close() {
     }
 

diff --git a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/MemUserSessionProviderFactory.java b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/MemUserSessionProviderFactory.java
index 187a33f..451fcb0 100644
--- a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/MemUserSessionProviderFactory.java
+++ b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/compat/MemUserSessionProviderFactory.java
@@ -1,14 +1,12 @@
 package org.keycloak.models.sessions.infinispan.compat;
 
-import org.keycloak.Config;
 import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.UserSessionProvider;
-import org.keycloak.models.UserSessionProviderFactory;
 import org.keycloak.models.sessions.infinispan.compat.entities.ClientSessionEntity;
 import org.keycloak.models.sessions.infinispan.compat.entities.UserSessionEntity;
 import org.keycloak.models.sessions.infinispan.compat.entities.UsernameLoginFailureEntity;
 import org.keycloak.models.sessions.infinispan.compat.entities.UsernameLoginFailureKey;
+import org.keycloak.models.sessions.infinispan.compat.entities.ClientInitialAccessEntity;
 
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
@@ -29,9 +27,11 @@ public class MemUserSessionProviderFactory {
     private ConcurrentHashMap<String, UserSessionEntity> offlineUserSessions = new ConcurrentHashMap<String, UserSessionEntity>();
     private ConcurrentHashMap<String, ClientSessionEntity> offlineClientSessions = new ConcurrentHashMap<String, ClientSessionEntity>();
 
+    private ConcurrentHashMap<String, ClientInitialAccessEntity> clientInitialAccess = new ConcurrentHashMap<>();
+
     public UserSessionProvider create(KeycloakSession session) {
         return new MemUserSessionProvider(session, userSessions, userSessionsByBrokerSessionId, userSessionsByBrokerUserId, clientSessions, loginFailures,
-                offlineUserSessions, offlineClientSessions);
+                offlineUserSessions, offlineClientSessions, clientInitialAccess);
     }
 
     public void close() {

diff --git a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientInitialAccessEntity.java b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientInitialAccessEntity.java
new file mode 100644
index 0000000..05daf1e
--- /dev/null
+++ b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ClientInitialAccessEntity.java
@@ -0,0 +1,48 @@
+package org.keycloak.models.sessions.infinispan.entities;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class ClientInitialAccessEntity extends SessionEntity {
+
+    private int timestamp;
+
+    private int expires;
+
+    private int count;
+
+    private int remainingCount;
+
+    public int getTimestamp() {
+        return timestamp;
+    }
+
+    public void setTimestamp(int timestamp) {
+        this.timestamp = timestamp;
+    }
+
+    public int getExpiration() {
+        return expires;
+    }
+
+    public void setExpiration(int expires) {
+        this.expires = expires;
+    }
+
+    public int getCount() {
+        return count;
+    }
+
+    public void setCount(int count) {
+        this.count = count;
+    }
+
+    public int getRemainingCount() {
+        return remainingCount;
+    }
+
+    public void setRemainingCount(int remainingCount) {
+        this.remainingCount = remainingCount;
+    }
+
+}

diff --git a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
index 9ba1587..d89f47b 100755
--- a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
+++ b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
@@ -3,28 +3,10 @@ package org.keycloak.models.sessions.infinispan;
 import org.infinispan.Cache;
 import org.infinispan.distexec.mapreduce.MapReduceTask;
 import org.jboss.logging.Logger;
-import org.keycloak.models.ClientModel;
-import org.keycloak.models.ClientSessionModel;
-import org.keycloak.models.KeycloakSession;
-import org.keycloak.models.KeycloakTransaction;
-import org.keycloak.models.RealmModel;
-import org.keycloak.models.UserModel;
-import org.keycloak.models.UserSessionModel;
-import org.keycloak.models.UserSessionProvider;
-import org.keycloak.models.UsernameLoginFailureModel;
+import org.keycloak.models.*;
 import org.keycloak.models.session.UserSessionPersisterProvider;
-import org.keycloak.models.sessions.infinispan.entities.ClientSessionEntity;
-import org.keycloak.models.sessions.infinispan.entities.LoginFailureEntity;
-import org.keycloak.models.sessions.infinispan.entities.LoginFailureKey;
-import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
-import org.keycloak.models.sessions.infinispan.entities.UserSessionEntity;
-import org.keycloak.models.sessions.infinispan.mapreduce.ClientSessionMapper;
-import org.keycloak.models.sessions.infinispan.mapreduce.FirstResultReducer;
-import org.keycloak.models.sessions.infinispan.mapreduce.LargestResultReducer;
-import org.keycloak.models.sessions.infinispan.mapreduce.SessionMapper;
-import org.keycloak.models.sessions.infinispan.mapreduce.UserLoginFailureMapper;
-import org.keycloak.models.sessions.infinispan.mapreduce.UserSessionMapper;
-import org.keycloak.models.sessions.infinispan.mapreduce.UserSessionNoteMapper;
+import org.keycloak.models.sessions.infinispan.entities.*;
+import org.keycloak.models.sessions.infinispan.mapreduce.*;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.models.utils.RealmInfoUtil;
 import org.keycloak.common.util.Time;
@@ -355,6 +337,15 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
             persister.removeClientSession(clientSessionId, true);
         }
 
+        // Remove expired client initial access
+        map = new MapReduceTask(sessionCache)
+                .mappedWith(ClientInitialAccessMapper.create(realm.getId()).expired(Time.currentTime()).emitKey())
+                .reducedWith(new FirstResultReducer())
+                .execute();
+
+        for (String id : map.keySet()) {
+            tx.remove(sessionCache, id);
+        }
     }
 
     @Override
@@ -538,11 +529,24 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
         return models;
     }
 
+    List<ClientInitialAccessModel> wrapClientInitialAccess(RealmModel realm, Collection<ClientInitialAccessEntity> entities) {
+        List<ClientInitialAccessModel> models = new LinkedList<>();
+        for (ClientInitialAccessEntity e : entities) {
+            models.add(wrap(realm, e));
+        }
+        return models;
+    }
+
     ClientSessionAdapter wrap(RealmModel realm, ClientSessionEntity entity, boolean offline) {
         Cache<String, SessionEntity> cache = getCache(offline);
         return entity != null ? new ClientSessionAdapter(session, this, cache, realm, entity, offline) : null;
     }
 
+    ClientInitialAccessAdapter wrap(RealmModel realm, ClientInitialAccessEntity entity) {
+        Cache<String, SessionEntity> cache = getCache(false);
+        return entity != null ? new ClientInitialAccessAdapter(session, this, cache, realm, entity) : null;
+    }
+
 
     UsernameLoginFailureModel wrap(LoginFailureKey key, LoginFailureEntity entity) {
         return entity != null ? new UsernameLoginFailureAdapter(this, loginFailureCache, key, entity) : null;
@@ -680,6 +684,50 @@ public class InfinispanUserSessionProvider implements UserSessionProvider {
         return wrap(clientSession.getRealm(), entity, offline);
     }
 
+    @Override
+    public ClientInitialAccessModel createClientInitialAccessModel(RealmModel realm, int expiration, int count) {
+        String id = KeycloakModelUtils.generateId();
+
+        ClientInitialAccessEntity entity = new ClientInitialAccessEntity();
+        entity.setId(id);
+        entity.setRealm(realm.getId());
+        entity.setTimestamp(Time.currentTime());
+        entity.setExpiration(expiration);
+        entity.setCount(count);
+        entity.setRemainingCount(count);
+
+        tx.put(sessionCache, id, entity);
+
+        return wrap(realm, entity);
+    }
+
+    @Override
+    public ClientInitialAccessModel getClientInitialAccessModel(RealmModel realm, String id) {
+        Cache<String, SessionEntity> cache = getCache(false);
+        ClientInitialAccessEntity entity = (ClientInitialAccessEntity) cache.get(id);
+
+        // If created in this transaction
+        if (entity == null) {
+            entity = (ClientInitialAccessEntity) tx.get(cache, id);
+        }
+
+        return wrap(realm, entity);
+    }
+
+    @Override
+    public void removeClientInitialAccessModel(RealmModel realm, String id) {
+        tx.remove(getCache(false), id);
+    }
+
+    @Override
+    public List<ClientInitialAccessModel> listClientInitialAccess(RealmModel realm) {
+        Map<String, ClientInitialAccessEntity> entities = new MapReduceTask(sessionCache)
+                .mappedWith(ClientInitialAccessMapper.create(realm.getId()))
+                .reducedWith(new FirstResultReducer())
+                .execute();
+        return wrapClientInitialAccess(realm, entities.values());
+    }
+
     class InfinispanKeycloakTransaction implements KeycloakTransaction {
 
         private boolean active;

diff --git a/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientInitialAccessMapper.java b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientInitialAccessMapper.java
new file mode 100644
index 0000000..98dab2f
--- /dev/null
+++ b/model/sessions-infinispan/src/main/java/org/keycloak/models/sessions/infinispan/mapreduce/ClientInitialAccessMapper.java
@@ -0,0 +1,79 @@
+package org.keycloak.models.sessions.infinispan.mapreduce;
+
+import org.infinispan.distexec.mapreduce.Collector;
+import org.infinispan.distexec.mapreduce.Mapper;
+import org.keycloak.models.sessions.infinispan.entities.ClientInitialAccessEntity;
+import org.keycloak.models.sessions.infinispan.entities.SessionEntity;
+
+import java.io.Serializable;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+public class ClientInitialAccessMapper implements Mapper<String, SessionEntity, String, Object>, Serializable {
+
+    public ClientInitialAccessMapper(String realm) {
+        this.realm = realm;
+    }
+
+    private enum EmitValue {
+        KEY, ENTITY
+    }
+
+    private String realm;
+
+    private EmitValue emit = EmitValue.ENTITY;
+
+    private Integer expired;
+
+    public static ClientInitialAccessMapper create(String realm) {
+        return new ClientInitialAccessMapper(realm);
+    }
+
+    public ClientInitialAccessMapper emitKey() {
+        emit = EmitValue.KEY;
+        return this;
+    }
+
+    public ClientInitialAccessMapper expired(int time) {
+        this.expired = time;
+        return this;
+    }
+
+    @Override
+    public void map(String key, SessionEntity e, Collector collector) {
+        if (!realm.equals(e.getRealm())) {
+            return;
+        }
+
+        if (!(e instanceof ClientInitialAccessEntity)) {
+            return;
+        }
+
+        ClientInitialAccessEntity entity = (ClientInitialAccessEntity) e;
+
+        boolean include = false;
+
+        if (expired != null) {
+            if (entity.getRemainingCount() <= 0) {
+                include = true;
+            } else if (entity.getExpiration() > 0 && (entity.getTimestamp() + entity.getExpiration()) < expired) {
+                include = true;
+            }
+        } else {
+            include = true;
+        }
+
+        if (include) {
+            switch (emit) {
+                case KEY:
+                    collector.emit(key, key);
+                    break;
+                case ENTITY:
+                    collector.emit(key, entity);
+                    break;
+            }
+        }
+    }
+
+}

diff --git a/pom.xml b/pom.xml
index d545efd..7e20bc3 100755
--- a/pom.xml
+++ b/pom.xml
@@ -76,6 +76,7 @@
         <log4j.version>1.2.17</log4j.version>
         <greenmail.version>1.3.1b</greenmail.version>
         <xmlsec.version>1.5.1</xmlsec.version>
+        <aesh.version>0.65.1</aesh.version>
 
         <enforcer.plugin.version>1.4</enforcer.plugin.version>
         <jboss.as.plugin.version>7.5.Final</jboss.as.plugin.version>
@@ -135,7 +136,7 @@
     <modules>
         <module>common</module>
         <module>core</module>
-        <module>client-api</module>
+        <module>client-registration</module>
         <module>connections</module>
         <module>dependencies</module>
         <module>events</module>
@@ -153,6 +154,7 @@
         <module>timer</module>
         <module>export-import</module>
         <module>util</module>
+        <module>wildfly</module>
     </modules>
 
     <dependencyManagement>
@@ -580,6 +582,11 @@
                 <artifactId>pax-web-runtime</artifactId>
                 <version>${pax.web.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.jboss.aesh</groupId>
+                <artifactId>aesh</artifactId>
+                <version>${aesh.version}</version>
+            </dependency>
 
             <!-- keycloak -->
             <dependency>
@@ -624,6 +631,11 @@
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
+                <artifactId>keycloak-client-registration-api</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.keycloak</groupId>
                 <artifactId>keycloak-connections-mongo-update</artifactId>
                 <version>${project.version}</version>
             </dependency>
@@ -816,7 +828,7 @@
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
-                <artifactId>keycloak-as7-server-subsystem</artifactId>
+                <artifactId>keycloak-eap6-server-subsystem</artifactId>
                 <version>${project.version}</version>
             </dependency>
             <dependency>
@@ -826,12 +838,12 @@
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
-                <artifactId>keycloak-wf9-subsystem</artifactId>
+                <artifactId>keycloak-wildfly-subsystem</artifactId>
                 <version>${project.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
-                <artifactId>keycloak-wf9-server-subsystem</artifactId>
+                <artifactId>keycloak-wildfly-server-subsystem</artifactId>
                 <version>${project.version}</version>
             </dependency>
             <dependency>
@@ -936,6 +948,11 @@
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
+                <artifactId>keycloak-wildfly-adduser</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.keycloak</groupId>
                 <artifactId>keycloak-wildfly-extensions</artifactId>
                 <version>${project.version}</version>
             </dependency>
@@ -1031,7 +1048,7 @@
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
-                <artifactId>keycloak-saml-wf9-subsystem</artifactId>
+                <artifactId>keycloak-saml-wildfly-subsystem</artifactId>
                 <version>${project.version}</version>
             </dependency>
             <dependency>
@@ -1120,25 +1137,25 @@
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
-                <artifactId>keycloak-wf9-modules</artifactId>
+                <artifactId>keycloak-wildfly-modules</artifactId>
                 <version>${project.version}</version>
                 <type>zip</type>
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
-                <artifactId>keycloak-saml-wf9-modules</artifactId>
+                <artifactId>keycloak-saml-wildfly-modules</artifactId>
                 <version>${project.version}</version>
                 <type>zip</type>
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
-                <artifactId>keycloak-wf9-adapter-dist</artifactId>
+                <artifactId>keycloak-wildfly-adapter-dist</artifactId>
                 <version>${project.version}</version>
                 <type>zip</type>
             </dependency>
             <dependency>
                 <groupId>org.keycloak</groupId>
-                <artifactId>keycloak-saml-wf9-adapter-dist</artifactId>
+                <artifactId>keycloak-saml-wildfly-adapter-dist</artifactId>
                 <version>${project.version}</version>
                 <type>zip</type>
             </dependency>

diff --git a/saml/client-adapter/as7-eap6/adapter/pom.xml b/saml/client-adapter/as7-eap6/adapter/pom.xml
index 6d1ace8..da632c7 100755
--- a/saml/client-adapter/as7-eap6/adapter/pom.xml
+++ b/saml/client-adapter/as7-eap6/adapter/pom.xml
@@ -31,10 +31,6 @@
             <artifactId>keycloak-saml-adapter-core</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-saml-adapter-core</artifactId>
-        </dependency>
-        <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
         </dependency>

diff --git a/saml/client-adapter/as7-eap6/subsystem/pom.xml b/saml/client-adapter/as7-eap6/subsystem/pom.xml
index fa87dcf..872e5d1 100755
--- a/saml/client-adapter/as7-eap6/subsystem/pom.xml
+++ b/saml/client-adapter/as7-eap6/subsystem/pom.xml
@@ -101,9 +101,9 @@ projects that depend on this project.-->
         </dependency>
 
         <dependency>
-            <groupId>org.jboss.msc</groupId>
-            <artifactId>jboss-msc</artifactId>
-            <version>1.0.2.GA</version>
+            <groupId>org.jboss.as</groupId>
+            <artifactId>jboss-as-controller</artifactId>
+            <version>${jboss.version}</version>
         </dependency>
 
         <dependency>

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Configuration.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Configuration.java
new file mode 100644
index 0000000..966cd67
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Configuration.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.dmr.ModelNode;
+import org.jboss.dmr.Property;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+public class Configuration {
+
+    static final Configuration INSTANCE = new Configuration();
+
+    private ModelNode config = new ModelNode();
+
+    private Configuration() {
+    }
+
+    void updateModel(ModelNode operation, ModelNode model) {
+        ModelNode node = config;
+        ModelNode addr = operation.get("address");
+        for (Property item : addr.asPropertyList()) {
+            node = getNodeForAddressElement(node, item);
+        }
+        node.set(model);
+    }
+
+    private ModelNode getNodeForAddressElement(ModelNode node, Property item) {
+        String key = item.getValue().asString();
+        ModelNode keymodel = node.get(item.getName());
+        return keymodel.get(key);
+    }
+
+    public ModelNode getSecureDeployment(String name) {
+        ModelNode secureDeployment = config.get("subsystem").get("keycloak-saml").get(Constants.Model.SECURE_DEPLOYMENT);
+        if (secureDeployment.hasDefined(name)) {
+            return secureDeployment.get(name);
+        }
+        return null;
+    }
+
+    public boolean isSecureDeployment(String name) {
+        return getSecureDeployment(name) != null;
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Constants.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Constants.java
new file mode 100644
index 0000000..07af4f7
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/Constants.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+public class Constants {
+
+    static class Model {
+        static final String SECURE_DEPLOYMENT = "secure-deployment";
+        static final String SERVICE_PROVIDER = "service-provider";
+
+        static final String SSL_POLICY = "ssl-policy";
+        static final String NAME_ID_POLICY_FORMAT = "name-id-policy-format";
+        static final String LOGOUT_PAGE = "logout-page";
+        static final String FORCE_AUTHENTICATION = "force-authentication";
+        static final String ROLE_ATTRIBUTES = "role-attributes";
+        static final String SIGNING = "signing";
+        static final String ENCRYPTION = "encryption";
+        static final String KEY = "key";
+        static final String RESOURCE = "resource";
+        static final String PASSWORD = "password";
+
+        static final String PRIVATE_KEY_ALIAS = "private-key-alias";
+        static final String PRIVATE_KEY_PASSWORD = "private-key-password";
+        static final String CERTIFICATE_ALIAS = "certificate-alias";
+        static final String KEY_STORE = "key-store";
+        static final String SIGN_REQUEST = "sign-request";
+        static final String VALIDATE_RESPONSE_SIGNATURE = "validate-response-signature";
+        static final String REQUEST_BINDING = "request-binding";
+        static final String BINDING_URL = "binding-url";
+        static final String VALIDATE_REQUEST_SIGNATURE = "validate-request-signature";
+        static final String SIGN_RESPONSE = "sign-response";
+        static final String RESPONSE_BINDING = "response-binding";
+        static final String POST_BINDING_URL = "post-binding-url";
+        static final String REDIRECT_BINDING_URL = "redirect-binding-url";
+        static final String SINGLE_SIGN_ON = "single-sign-on";
+        static final String SINGLE_LOGOUT = "single-logout";
+        static final String IDENTITY_PROVIDER = "identity-provider";
+        static final String PRINCIPAL_NAME_MAPPING_POLICY = "principal-name-mapping-policy";
+        static final String PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME = "principal-name-mapping-attribute-name";
+        static final String SIGNATURE_ALGORITHM = "signature-algorithm";
+        static final String SIGNATURE_CANONICALIZATION_METHOD = "signature-canonicalization-method";
+        static final String PRIVATE_KEY_PEM = "private-key-pem";
+        static final String PUBLIC_KEY_PEM = "public-key-pem";
+        static final String CERTIFICATE_PEM = "certificate-pem";
+        static final String TYPE = "type";
+        static final String ALIAS = "alias";
+        static final String FILE = "file";
+        static final String SIGNATURES_REQUIRED = "signatures-required";
+    }
+
+
+    static class XML {
+        static final String SECURE_DEPLOYMENT = "secure-deployment";
+        static final String SERVICE_PROVIDER = "SP";
+
+        static final String NAME = "name";
+        static final String ENTITY_ID = "entityID";
+        static final String SSL_POLICY = "sslPolicy";
+        static final String NAME_ID_POLICY_FORMAT = "nameIDPolicyFormat";
+        static final String LOGOUT_PAGE = "logoutPage";
+        static final String FORCE_AUTHENTICATION = "forceAuthentication";
+        static final String ROLE_IDENTIFIERS = "RoleIdentifiers";
+        static final String SIGNING = "signing";
+        static final String ENCRYPTION = "encryption";
+        static final String KEYS = "Keys";
+        static final String KEY = "Key";
+        static final String RESOURCE = "resource";
+        static final String PASSWORD = "password";
+        static final String KEY_STORE = "KeyStore";
+        static final String PRIVATE_KEY = "PrivateKey";
+        static final String CERTIFICATE = "Certificate";
+
+        static final String PRIVATE_KEY_ALIAS = "alias";
+        static final String PRIVATE_KEY_PASSWORD = "password";
+        static final String CERTIFICATE_ALIAS = "alias";
+        static final String SIGN_REQUEST = "signRequest";
+        static final String VALIDATE_RESPONSE_SIGNATURE = "validateResponseSignature";
+        static final String REQUEST_BINDING = "requestBinding";
+        static final String BINDING_URL = "bindingUrl";
+        static final String VALIDATE_REQUEST_SIGNATURE = "validateRequestSignature";
+        static final String SIGN_RESPONSE = "signResponse";
+        static final String RESPONSE_BINDING = "responseBinding";
+        static final String POST_BINDING_URL = "postBindingUrl";
+        static final String REDIRECT_BINDING_URL = "redirectBindingUrl";
+        static final String SINGLE_SIGN_ON = "SingleSignOnService";
+        static final String SINGLE_LOGOUT = "SingleLogoutService";
+        static final String IDENTITY_PROVIDER = "IDP";
+        static final String PRINCIPAL_NAME_MAPPING = "PrincipalNameMapping";
+        static final String PRINCIPAL_NAME_MAPPING_POLICY = "policy";
+        static final String PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME = "attribute";
+        static final String ATTRIBUTE = "Attribute";
+        static final String SIGNATURE_ALGORITHM = "signatureAlgorithm";
+        static final String SIGNATURE_CANONICALIZATION_METHOD = "signatureCanonicalizationMethod";
+        static final String PRIVATE_KEY_PEM = "PrivateKeyPem";
+        static final String PUBLIC_KEY_PEM = "PublicKeyPem";
+        static final String CERTIFICATE_PEM = "CertificatePem";
+        static final String TYPE = "type";
+        static final String ALIAS = "alias";
+        static final String FILE = "file";
+        static final String SIGNATURES_REQUIRED = "signaturesRequired";
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/IdentityProviderAddHandler.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/IdentityProviderAddHandler.java
new file mode 100644
index 0000000..679658b
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/IdentityProviderAddHandler.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.AbstractAddStepHandler;
+import org.jboss.as.controller.OperationContext;
+import org.jboss.as.controller.OperationFailedException;
+import org.jboss.as.controller.ServiceVerificationHandler;
+import org.jboss.dmr.ModelNode;
+import org.jboss.msc.service.ServiceController;
+
+import java.util.List;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+class IdentityProviderAddHandler extends AbstractAddStepHandler {
+
+    IdentityProviderAddHandler() {
+        super(IdentityProviderDefinition.ALL_ATTRIBUTES);
+    }
+
+    @Override
+    protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model, ServiceVerificationHandler verificationHandler, List<ServiceController<?>> newControllers) throws OperationFailedException {
+        Configuration.INSTANCE.updateModel(operation, model);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/IdentityProviderDefinition.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/IdentityProviderDefinition.java
new file mode 100644
index 0000000..09262f9
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/IdentityProviderDefinition.java
@@ -0,0 +1,106 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.AttributeDefinition;
+import org.jboss.as.controller.ObjectTypeAttributeDefinition;
+import org.jboss.as.controller.OperationStepHandler;
+import org.jboss.as.controller.PathElement;
+import org.jboss.as.controller.ReloadRequiredRemoveStepHandler;
+import org.jboss.as.controller.ReloadRequiredWriteAttributeHandler;
+import org.jboss.as.controller.SimpleAttributeDefinition;
+import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
+import org.jboss.as.controller.SimpleResourceDefinition;
+import org.jboss.as.controller.operations.common.GenericSubsystemDescribeHandler;
+import org.jboss.as.controller.registry.ManagementResourceRegistration;
+import org.jboss.dmr.ModelType;
+
+import java.util.HashMap;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+public class IdentityProviderDefinition extends SimpleResourceDefinition {
+
+    static final SimpleAttributeDefinition SIGNATURES_REQUIRED =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.SIGNATURES_REQUIRED, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.SIGNATURES_REQUIRED)
+                    .build();
+
+    static final SimpleAttributeDefinition SIGNATURE_ALGORITHM =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.SIGNATURE_ALGORITHM, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.SIGNATURE_ALGORITHM)
+                    .build();
+
+    static final SimpleAttributeDefinition SIGNATURE_CANONICALIZATION_METHOD =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.SIGNATURE_CANONICALIZATION_METHOD, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.SIGNATURE_CANONICALIZATION_METHOD)
+                    .build();
+
+    static final ObjectTypeAttributeDefinition SINGLE_SIGN_ON =
+            ObjectTypeAttributeDefinition.Builder.of(Constants.Model.SINGLE_SIGN_ON,
+                    SingleSignOnDefinition.ATTRIBUTES)
+                    .setAllowNull(false)
+                    .build();
+
+    static final ObjectTypeAttributeDefinition SINGLE_LOGOUT =
+            ObjectTypeAttributeDefinition.Builder.of(Constants.Model.SINGLE_LOGOUT,
+                    SingleLogoutDefinition.ATTRIBUTES)
+                    .setAllowNull(false)
+                    .build();
+
+    static final SimpleAttributeDefinition[] ATTRIBUTES = {SIGNATURES_REQUIRED, SIGNATURE_ALGORITHM, SIGNATURE_CANONICALIZATION_METHOD};
+
+    static final SimpleAttributeDefinition[] ALL_ATTRIBUTES = {SIGNATURES_REQUIRED, SIGNATURE_ALGORITHM, SIGNATURE_CANONICALIZATION_METHOD, SINGLE_SIGN_ON, SINGLE_LOGOUT};
+
+    static final HashMap<String, SimpleAttributeDefinition> ATTRIBUTE_MAP = new HashMap<>();
+
+    static {
+        for (SimpleAttributeDefinition def : ALL_ATTRIBUTES) {
+            ATTRIBUTE_MAP.put(def.getXmlName(), def);
+        }
+    }
+
+    static final IdentityProviderDefinition INSTANCE = new IdentityProviderDefinition();
+
+    private IdentityProviderDefinition() {
+        super(PathElement.pathElement(Constants.Model.IDENTITY_PROVIDER),
+                KeycloakSamlExtension.getResourceDescriptionResolver(Constants.Model.IDENTITY_PROVIDER),
+                new IdentityProviderAddHandler(),
+                ReloadRequiredRemoveStepHandler.INSTANCE);
+    }
+
+    @Override
+    public void registerOperations(ManagementResourceRegistration resourceRegistration) {
+        super.registerOperations(resourceRegistration);
+        resourceRegistration.registerOperationHandler(GenericSubsystemDescribeHandler.DEFINITION, GenericSubsystemDescribeHandler.INSTANCE);
+    }
+
+    @Override
+    public void registerAttributes(ManagementResourceRegistration resourceRegistration) {
+        super.registerAttributes(resourceRegistration);
+
+        final OperationStepHandler writeHandler = new ReloadRequiredWriteAttributeHandler(ALL_ATTRIBUTES);
+        for (AttributeDefinition attribute : ALL_ATTRIBUTES) {
+            resourceRegistration.registerReadWriteAttribute(attribute, null, writeHandler);
+        }
+    }
+
+    static SimpleAttributeDefinition lookup(String xmlName) {
+        return ATTRIBUTE_MAP.get(xmlName);
+    }
+}
\ No newline at end of file

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyAddHandler.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyAddHandler.java
new file mode 100644
index 0000000..b362d4f
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyAddHandler.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.AbstractAddStepHandler;
+import org.jboss.as.controller.OperationContext;
+import org.jboss.as.controller.OperationFailedException;
+import org.jboss.as.controller.ServiceVerificationHandler;
+import org.jboss.dmr.ModelNode;
+import org.jboss.msc.service.ServiceController;
+
+import java.util.List;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+class KeyAddHandler extends AbstractAddStepHandler {
+
+    KeyAddHandler() {
+        super(KeyDefinition.ALL_ATTRIBUTES);
+    }
+
+    @Override
+    protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model, ServiceVerificationHandler verificationHandler, List<ServiceController<?>> newControllers) throws OperationFailedException {
+        Configuration.INSTANCE.updateModel(operation, model);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakAdapterConfigDeploymentProcessor.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakAdapterConfigDeploymentProcessor.java
index 31008d4..68e4679 100755
--- a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakAdapterConfigDeploymentProcessor.java
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakAdapterConfigDeploymentProcessor.java
@@ -21,13 +21,22 @@ import org.jboss.as.server.deployment.DeploymentUnit;
 import org.jboss.as.server.deployment.DeploymentUnitProcessingException;
 import org.jboss.as.server.deployment.DeploymentUnitProcessor;
 import org.jboss.as.web.deployment.WarMetaData;
+import org.jboss.dmr.ModelNode;
 import org.jboss.logging.Logger;
 import org.jboss.metadata.javaee.spec.ParamValueMetaData;
 import org.jboss.metadata.web.jboss.JBossWebMetaData;
 import org.jboss.metadata.web.jboss.ValveMetaData;
 import org.jboss.metadata.web.spec.LoginConfigMetaData;
+import org.jboss.staxmapper.XMLExtendedStreamWriter;
+import org.keycloak.adapters.saml.AdapterConstants;
 import org.keycloak.adapters.saml.jbossweb.SamlAuthenticatorValve;
+import org.keycloak.subsystem.saml.as7.logging.KeycloakLogger;
+import org.keycloak.subsystem.saml.as7.xml.FormattingXMLStreamWriter;
 
+import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLStreamException;
+import java.io.ByteArrayOutputStream;
+import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -39,22 +48,16 @@ import java.util.List;
 public class KeycloakAdapterConfigDeploymentProcessor implements DeploymentUnitProcessor {
     protected Logger log = Logger.getLogger(KeycloakAdapterConfigDeploymentProcessor.class);
 
-    // This param name is defined again in Keycloak Undertow Integration class
-    // org.keycloak.adapters.undertow.KeycloakServletExtension.  We have this value in
-    // two places to avoid dependency between Keycloak Subsystem and Keyclaok Undertow Integration.
-    public static final String AUTH_DATA_PARAM_NAME = "org.keycloak.saml.adapterConfig";
-
-
     @Override
     public void deploy(DeploymentPhaseContext phaseContext) throws DeploymentUnitProcessingException {
         DeploymentUnit deploymentUnit = phaseContext.getDeploymentUnit();
         String deploymentName = deploymentUnit.getName();
 
-        // if it's not a web-app there's nothing to secure
         WarMetaData warMetaData = deploymentUnit.getAttachment(WarMetaData.ATTACHMENT_KEY);
         if (warMetaData == null) {
             return;
         }
+
         JBossWebMetaData webMetaData = warMetaData.getMergedJBossWebMetaData();
         if (webMetaData == null) {
             webMetaData = new JBossWebMetaData();
@@ -64,12 +67,66 @@ public class KeycloakAdapterConfigDeploymentProcessor implements DeploymentUnitP
         // otherwise
         LoginConfigMetaData loginConfig = webMetaData.getLoginConfig();
 
-        boolean webRequiresKC = loginConfig != null && "KEYCLOAK-SAML".equalsIgnoreCase(loginConfig.getAuthMethod());
+        try {
+            boolean webRequiresKC = loginConfig != null && "KEYCLOAK-SAML".equalsIgnoreCase(loginConfig.getAuthMethod());
+            boolean hasSubsystemConfig = Configuration.INSTANCE.isSecureDeployment(deploymentName);
+            if (hasSubsystemConfig || webRequiresKC) {
+                log.debug("Setting up KEYCLOAK-SAML auth method for WAR: " + deploymentName);
+
+                // if secure-deployment configuration exists for web app, we force KEYCLOAK-SAML auth method on it
+                if (hasSubsystemConfig) {
+                    addXMLData(getXML(deploymentName), warMetaData);
+                    if (loginConfig != null) {
+                        loginConfig.setAuthMethod("KEYCLOAK-SAML");
+                        //loginConfig.setRealmName(service.getRealmName(deploymentName));
+                    } else {
+                        log.warn("Failed to set up KEYCLOAK-SAML auth method for WAR: " + deploymentName + " (loginConfig == null)");
+                    }
+                }
+                addValve(webMetaData);
+                KeycloakLogger.ROOT_LOGGER.deploymentSecured(deploymentName);
+            }
+        } catch (Exception e) {
+            throw new DeploymentUnitProcessingException("Failed to configure KeycloakSamlExtension from subsystem model", e);
+        }
+    }
+
+    private String getXML(String deploymentName) throws XMLStreamException {
+        ModelNode node = Configuration.INSTANCE.getSecureDeployment(deploymentName);
+        if (node != null) {
+            KeycloakSubsystemParser writer = new KeycloakSubsystemParser();
+            ByteArrayOutputStream output = new ByteArrayOutputStream();
+            XMLExtendedStreamWriter streamWriter = new FormattingXMLStreamWriter(XMLOutputFactory.newInstance().createXMLStreamWriter(output));
+            try {
+                streamWriter.writeStartElement("keycloak-saml-adapter");
+                writer.writeSps(streamWriter, node);
+                streamWriter.writeEndElement();
+            } finally {
+                streamWriter.close();
+            }
+            return new String(output.toByteArray(), Charset.forName("utf-8"));
+        }
+        return null;
+    }
+
+    private void addXMLData(String xml, WarMetaData warMetaData) {
+        JBossWebMetaData webMetaData = warMetaData.getMergedJBossWebMetaData();
+        if (webMetaData == null) {
+            webMetaData = new JBossWebMetaData();
+            warMetaData.setMergedJBossWebMetaData(webMetaData);
+        }
 
-        if (webRequiresKC) {
-            log.debug("Setting up KEYCLOAK-SAML auth method for WAR: " + deploymentName);
-            addValve(webMetaData);
+        List<ParamValueMetaData> contextParams = webMetaData.getContextParams();
+        if (contextParams == null) {
+            contextParams = new ArrayList<>();
         }
+
+        ParamValueMetaData param = new ParamValueMetaData();
+        param.setParamName(AdapterConstants.AUTH_DATA_PARAM_NAME);
+        param.setParamValue(xml);
+        contextParams.add(param);
+
+        webMetaData.setContextParams(contextParams);
     }
 
     private void addValve(JBossWebMetaData webMetaData) {
@@ -89,5 +146,4 @@ public class KeycloakAdapterConfigDeploymentProcessor implements DeploymentUnitP
     public void undeploy(DeploymentUnit du) {
 
     }
-
 }

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSamlExtension.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSamlExtension.java
index c52f2b5..d936982 100755
--- a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSamlExtension.java
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSamlExtension.java
@@ -18,6 +18,7 @@ package org.keycloak.subsystem.saml.as7;
 
 import org.jboss.as.controller.Extension;
 import org.jboss.as.controller.ExtensionContext;
+import org.jboss.as.controller.ModelVersion;
 import org.jboss.as.controller.PathElement;
 import org.jboss.as.controller.ResourceDefinition;
 import org.jboss.as.controller.SubsystemRegistration;
@@ -36,15 +37,12 @@ import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SUB
 public class KeycloakSamlExtension implements Extension {
 
     public static final String SUBSYSTEM_NAME = "keycloak-saml";
-    public static final String NAMESPACE = "urn:jboss:domain:keycloak-saml:1.6";
+    public static final String NAMESPACE = "urn:jboss:domain:keycloak-saml:1.1";
     private static final KeycloakSubsystemParser PARSER = new KeycloakSubsystemParser();
     static final PathElement PATH_SUBSYSTEM = PathElement.pathElement(SUBSYSTEM, SUBSYSTEM_NAME);
     private static final String RESOURCE_NAME = KeycloakSamlExtension.class.getPackage().getName() + ".LocalDescriptions";
-    private static final int MGMT_API_VERSION_MAJOR = 1;
-    private static final int MGMT_API_VERSION_MINOR = 1;
-
+    private static final ModelVersion MGMT_API_VERSION = ModelVersion.create(1, 1, 0);
     static final PathElement SUBSYSTEM_PATH = PathElement.pathElement(SUBSYSTEM, SUBSYSTEM_NAME);
-    private static final ResourceDefinition KEYCLOAK_SUBSYSTEM_RESOURCE = new KeycloakSubsystemDefinition();
 
     public static StandardResourceDescriptionResolver getResourceDescriptionResolver(final String... keyPrefix) {
         StringBuilder prefix = new StringBuilder(SUBSYSTEM_NAME);
@@ -67,10 +65,15 @@ public class KeycloakSamlExtension implements Extension {
      */
     @Override
     public void initialize(final ExtensionContext context) {
-        final SubsystemRegistration subsystem = context.registerSubsystem(SUBSYSTEM_NAME, MGMT_API_VERSION_MAJOR, MGMT_API_VERSION_MINOR);
-
-        ManagementResourceRegistration registration = subsystem.registerSubsystemModel(KEYCLOAK_SUBSYSTEM_RESOURCE);
+        final SubsystemRegistration subsystem = context.registerSubsystem(SUBSYSTEM_NAME,
+                MGMT_API_VERSION.getMajor(), MGMT_API_VERSION.getMinor(), MGMT_API_VERSION.getMicro());
 
+        ManagementResourceRegistration registration = subsystem.registerSubsystemModel(KeycloakSubsystemDefinition.INSTANCE);
+        ManagementResourceRegistration secureDeploymentRegistration = registration.registerSubModel(SecureDeploymentDefinition.INSTANCE);
+        ManagementResourceRegistration serviceProviderRegistration = secureDeploymentRegistration.registerSubModel(ServiceProviderDefinition.INSTANCE);
+        serviceProviderRegistration.registerSubModel(KeyDefinition.INSTANCE);
+        ManagementResourceRegistration idpRegistration = serviceProviderRegistration.registerSubModel(IdentityProviderDefinition.INSTANCE);
+        idpRegistration.registerSubModel(KeyDefinition.INSTANCE);
         subsystem.registerXMLElementWriter(PARSER);
     }
 }

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemAdd.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemAdd.java
index 2a7fd55..eda678f 100755
--- a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemAdd.java
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemAdd.java
@@ -16,13 +16,12 @@
  */
 package org.keycloak.subsystem.saml.as7;
 
-
 import org.jboss.as.controller.AbstractBoottimeAddStepHandler;
 import org.jboss.as.controller.OperationContext;
-import org.jboss.as.controller.OperationFailedException;
 import org.jboss.as.controller.ServiceVerificationHandler;
 import org.jboss.as.server.AbstractDeploymentChainStep;
 import org.jboss.as.server.DeploymentProcessorTarget;
+import org.jboss.as.server.deployment.DeploymentUnitProcessor;
 import org.jboss.as.server.deployment.Phase;
 import org.jboss.dmr.ModelNode;
 import org.jboss.msc.service.ServiceController;
@@ -43,17 +42,20 @@ class KeycloakSubsystemAdd extends AbstractBoottimeAddStepHandler {
         context.addStep(new AbstractDeploymentChainStep() {
             @Override
             protected void execute(DeploymentProcessorTarget processorTarget) {
-                processorTarget.addDeploymentProcessor(Phase.DEPENDENCIES, 0, new KeycloakDependencyProcessorAS7());
-                processorTarget.addDeploymentProcessor(
+                processorTarget.addDeploymentProcessor(KeycloakSamlExtension.SUBSYSTEM_NAME, Phase.DEPENDENCIES, 0, chooseDependencyProcessor());
+                processorTarget.addDeploymentProcessor(KeycloakSamlExtension.SUBSYSTEM_NAME,
                         Phase.POST_MODULE, // PHASE
                         Phase.POST_MODULE_VALIDATOR_FACTORY - 1, // PRIORITY
-                        new KeycloakAdapterConfigDeploymentProcessor());
+                        chooseConfigDeploymentProcessor());
             }
         }, OperationContext.Stage.RUNTIME);
     }
 
-    @Override
-    protected void populateModel(ModelNode operation, ModelNode model) throws OperationFailedException {
-        model.setEmptyObject();
+    private DeploymentUnitProcessor chooseDependencyProcessor() {
+        return new KeycloakDependencyProcessorAS7();
+    }
+
+    private DeploymentUnitProcessor chooseConfigDeploymentProcessor() {
+        return new KeycloakAdapterConfigDeploymentProcessor();
     }
 }

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemDefinition.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemDefinition.java
index 400822e..4b7ef3f 100755
--- a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemDefinition.java
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemDefinition.java
@@ -14,23 +14,23 @@
  * License for the specific language governing permissions and limitations under
  * the License.
  */
-
 package org.keycloak.subsystem.saml.as7;
 
 import org.jboss.as.controller.ReloadRequiredRemoveStepHandler;
 import org.jboss.as.controller.SimpleResourceDefinition;
-import org.jboss.as.controller.descriptions.ModelDescriptionConstants;
 import org.jboss.as.controller.operations.common.GenericSubsystemDescribeHandler;
 import org.jboss.as.controller.registry.ManagementResourceRegistration;
-import org.jboss.as.controller.registry.OperationEntry;
 
 /**
- * Definition of subsystem=keycloak.
+ * Definition of subsystem=keycloak-saml.
  *
  * @author Stan Silvert ssilvert@redhat.com (C) 2013 Red Hat Inc.
  */
 public class KeycloakSubsystemDefinition extends SimpleResourceDefinition {
-    protected KeycloakSubsystemDefinition() {
+
+    static final KeycloakSubsystemDefinition INSTANCE = new KeycloakSubsystemDefinition();
+
+    private KeycloakSubsystemDefinition() {
         super(KeycloakSamlExtension.SUBSYSTEM_PATH,
                 KeycloakSamlExtension.getResourceDescriptionResolver("subsystem"),
                 KeycloakSubsystemAdd.INSTANCE,
@@ -41,7 +41,6 @@ public class KeycloakSubsystemDefinition extends SimpleResourceDefinition {
     @Override
     public void registerOperations(ManagementResourceRegistration resourceRegistration) {
         super.registerOperations(resourceRegistration);
-        resourceRegistration.registerOperationHandler(ModelDescriptionConstants.DESCRIBE, GenericSubsystemDescribeHandler.INSTANCE, GenericSubsystemDescribeHandler.INSTANCE, false, OperationEntry.EntryType.PRIVATE);
+        resourceRegistration.registerOperationHandler(GenericSubsystemDescribeHandler.DEFINITION, GenericSubsystemDescribeHandler.INSTANCE);
     }
-
 }

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemParser.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemParser.java
index 14899e1..0b2cef9 100755
--- a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemParser.java
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeycloakSubsystemParser.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2014 Red Hat Inc. and/or its affiliates and other contributors
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
  * as indicated by the @author tags. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
@@ -17,9 +17,14 @@
 package org.keycloak.subsystem.saml.as7;
 
 import org.jboss.as.controller.PathAddress;
+import org.jboss.as.controller.PathElement;
+import org.jboss.as.controller.SimpleAttributeDefinition;
+import org.jboss.as.controller.descriptions.ModelDescriptionConstants;
+import org.jboss.as.controller.operations.common.Util;
 import org.jboss.as.controller.parsing.ParseUtils;
 import org.jboss.as.controller.persistence.SubsystemMarshallingContext;
 import org.jboss.dmr.ModelNode;
+import org.jboss.dmr.Property;
 import org.jboss.staxmapper.XMLElementReader;
 import org.jboss.staxmapper.XMLElementWriter;
 import org.jboss.staxmapper.XMLExtendedStreamReader;
@@ -27,6 +32,10 @@ import org.jboss.staxmapper.XMLExtendedStreamWriter;
 
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedList;
 import java.util.List;
 
 /**
@@ -41,10 +50,15 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
     public void readElement(final XMLExtendedStreamReader reader, final List<ModelNode> list) throws XMLStreamException {
         // Require no attributes
         ParseUtils.requireNoAttributes(reader);
-        ModelNode addKeycloakSub = org.jboss.as.controller.operations.common.Util.createAddOperation(PathAddress.pathAddress(KeycloakSamlExtension.PATH_SUBSYSTEM));
+        ModelNode addKeycloakSub = Util.createAddOperation(PathAddress.pathAddress(KeycloakSamlExtension.PATH_SUBSYSTEM));
         list.add(addKeycloakSub);
 
         while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
+            if (reader.getLocalName().equals(Constants.XML.SECURE_DEPLOYMENT)) {
+                readSecureDeployment(reader, list);
+            } else {
+                throw ParseUtils.unexpectedElement(reader);
+            }
         }
     }
 
@@ -53,6 +67,319 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
         return reader.nextTag();
     }
 
+    void readSecureDeployment(XMLExtendedStreamReader reader, List<ModelNode> list) throws XMLStreamException {
+        String name = readRequiredAttribute(reader, Constants.XML.NAME);
+
+        PathAddress addr = PathAddress.pathAddress(
+                PathElement.pathElement(ModelDescriptionConstants.SUBSYSTEM, KeycloakSamlExtension.SUBSYSTEM_NAME),
+                PathElement.pathElement(Constants.Model.SECURE_DEPLOYMENT, name));
+        ModelNode addSecureDeployment = Util.createAddOperation(addr);
+        list.add(addSecureDeployment);
+
+        while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
+            String tagName = reader.getLocalName();
+            if (tagName.equals(Constants.XML.SERVICE_PROVIDER)) {
+                readServiceProvider(reader, list, addr);
+            } else {
+                throw ParseUtils.unexpectedElement(reader);
+            }
+        }
+    }
+
+    void readServiceProvider(XMLExtendedStreamReader reader, List<ModelNode> list, PathAddress parentAddr) throws XMLStreamException {
+        String entityId = readRequiredAttribute(reader, Constants.XML.ENTITY_ID);
+
+        PathAddress addr = PathAddress.pathAddress(parentAddr,
+                PathElement.pathElement(Constants.Model.SERVICE_PROVIDER, entityId));
+        ModelNode addServiceProvider = Util.createAddOperation(addr);
+        list.add(addServiceProvider);
+
+        for (int i = 0; i < reader.getAttributeCount(); i++) {
+            String name = reader.getAttributeLocalName(i);
+            if (Constants.XML.ENTITY_ID.equals(name)) {
+                continue;
+            }
+
+            String value = reader.getAttributeValue(i);
+
+            SimpleAttributeDefinition attr = ServiceProviderDefinition.lookup(name);
+            if (attr == null) {
+                throw ParseUtils.unexpectedAttribute(reader, i);
+            }
+            attr.parseAndSetParameter(value, addServiceProvider, reader);
+        }
+
+        while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
+            String tagName = reader.getLocalName();
+
+            if (Constants.XML.KEYS.equals(tagName)) {
+                readKeys(list, reader, addr);
+            } else if (Constants.XML.PRINCIPAL_NAME_MAPPING.equals(tagName)) {
+                readPrincipalNameMapping(addServiceProvider, reader);
+            } else if (Constants.XML.ROLE_IDENTIFIERS.equals(tagName)) {
+                readRoleIdentifiers(addServiceProvider, reader);
+            } else if (Constants.XML.IDENTITY_PROVIDER.equals(tagName)) {
+                readIdentityProvider(list, reader, addr);
+            } else {
+                throw ParseUtils.unexpectedElement(reader);
+            }
+        }
+    }
+
+    void readIdentityProvider(List<ModelNode> list, XMLExtendedStreamReader reader, PathAddress parentAddr) throws XMLStreamException {
+        String entityId = readRequiredAttribute(reader, Constants.XML.ENTITY_ID);
+
+        PathAddress addr = PathAddress.pathAddress(parentAddr,
+                PathElement.pathElement(Constants.Model.IDENTITY_PROVIDER, entityId));
+        ModelNode addIdentityProvider = Util.createAddOperation(addr);
+        list.add(addIdentityProvider);
+
+        for (int i = 0; i < reader.getAttributeCount(); i++) {
+            String name = reader.getAttributeLocalName(i);
+            String value = reader.getAttributeValue(i);
+
+            if (Constants.XML.ENTITY_ID.equals(name)
+                    // don't break if encountering this noop attr from client-adapter/core keycloak_saml_adapter_1_6.xsd
+                    || "encryption".equals(name)) {
+                continue;
+            }
+            SimpleAttributeDefinition attr = IdentityProviderDefinition.lookup(name);
+            if (attr == null) {
+                throw ParseUtils.unexpectedAttribute(reader, i);
+            }
+            attr.parseAndSetParameter(value, addIdentityProvider, reader);
+        }
+
+        while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
+            String tagName = reader.getLocalName();
+
+            if (Constants.XML.SINGLE_SIGN_ON.equals(tagName)) {
+                readSingleSignOn(addIdentityProvider, reader);
+            } else if (Constants.XML.SINGLE_LOGOUT.equals(tagName)) {
+                readSingleLogout(addIdentityProvider, reader);
+            } else if (Constants.XML.KEYS.equals(tagName)) {
+                readKeys(list, reader, addr);
+            } else {
+                throw ParseUtils.unexpectedElement(reader);
+            }
+        }
+    }
+
+    void readSingleSignOn(ModelNode addIdentityProvider, XMLExtendedStreamReader reader) throws XMLStreamException {
+        ModelNode sso = addIdentityProvider.get(Constants.Model.SINGLE_SIGN_ON);
+        for (int i = 0; i < reader.getAttributeCount(); i++) {
+            String name = reader.getAttributeLocalName(i);
+            String value = reader.getAttributeValue(i);
+
+            SimpleAttributeDefinition attr = SingleSignOnDefinition.lookup(name);
+            if (attr == null) {
+                throw ParseUtils.unexpectedAttribute(reader, i);
+            }
+            attr.parseAndSetParameter(value, sso, reader);
+        }
+        ParseUtils.requireNoContent(reader);
+    }
+
+    void readSingleLogout(ModelNode addIdentityProvider, XMLExtendedStreamReader reader) throws XMLStreamException {
+        ModelNode slo = addIdentityProvider.get(Constants.Model.SINGLE_LOGOUT);
+        for (int i = 0; i < reader.getAttributeCount(); i++) {
+            String name = reader.getAttributeLocalName(i);
+            String value = reader.getAttributeValue(i);
+
+            SimpleAttributeDefinition attr = SingleLogoutDefinition.lookup(name);
+            if (attr == null) {
+                throw ParseUtils.unexpectedAttribute(reader, i);
+            }
+            attr.parseAndSetParameter(value, slo, reader);
+        }
+        ParseUtils.requireNoContent(reader);
+    }
+
+    void readKeys(List<ModelNode> list, XMLExtendedStreamReader reader, PathAddress parentAddr) throws XMLStreamException {
+        ParseUtils.requireNoAttributes(reader);
+        List<ModelNode> keyList = new LinkedList<>();
+        while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
+            String tagName = reader.getLocalName();
+            if (!Constants.XML.KEY.equals(tagName)) {
+                throw ParseUtils.unexpectedElement(reader);
+            }
+            readKey(keyList, reader, parentAddr);
+        }
+        list.addAll(keyList);
+    }
+
+    void readKey(List<ModelNode> list, XMLExtendedStreamReader reader, PathAddress parentAddr) throws XMLStreamException {
+        PathAddress addr = PathAddress.pathAddress(parentAddr,
+                PathElement.pathElement(Constants.Model.KEY, "key-" + list.size()));
+        ModelNode addKey = Util.createAddOperation(addr);
+        list.add(addKey);
+
+        for (int i = 0; i < reader.getAttributeCount(); i++) {
+            String name = reader.getAttributeLocalName(i);
+            String value = reader.getAttributeValue(i);
+
+            SimpleAttributeDefinition attr = KeyDefinition.lookup(name);
+            if (attr == null) {
+                throw ParseUtils.unexpectedAttribute(reader, i);
+            }
+            attr.parseAndSetParameter(value, addKey, reader);
+        }
+
+        while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
+            String tagName = reader.getLocalName();
+
+            if (Constants.XML.KEY_STORE.equals(tagName)) {
+                readKeyStore(addKey, reader);
+            } else if (Constants.XML.PRIVATE_KEY_PEM.equals(tagName)
+                    || Constants.XML.PUBLIC_KEY_PEM.equals(tagName)
+                    || Constants.XML.CERTIFICATE_PEM.equals(tagName)) {
+
+                readNoAttrElementContent(KeyDefinition.lookupElement(tagName), addKey, reader);
+            } else {
+                throw ParseUtils.unexpectedElement(reader);
+            }
+        }
+    }
+
+    void readNoAttrElementContent(SimpleAttributeDefinition attr, ModelNode model, XMLExtendedStreamReader reader) throws XMLStreamException {
+        ParseUtils.requireNoAttributes(reader);
+        String value = reader.getElementText();
+        attr.parseAndSetParameter(value, model, reader);
+    }
+
+    void readKeyStore(ModelNode addKey, XMLExtendedStreamReader reader) throws XMLStreamException {
+        ModelNode addKeyStore = addKey.get(Constants.Model.KEY_STORE);
+
+        for (int i = 0; i < reader.getAttributeCount(); i++) {
+            String name = reader.getAttributeLocalName(i);
+            String value = reader.getAttributeValue(i);
+
+            SimpleAttributeDefinition attr = KeyStoreDefinition.lookup(name);
+            if (attr == null) {
+                throw ParseUtils.unexpectedAttribute(reader, i);
+            }
+            attr.parseAndSetParameter(value, addKeyStore, reader);
+        }
+
+        if (!addKeyStore.hasDefined(Constants.Model.FILE) && !addKeyStore.hasDefined(Constants.Model.RESOURCE)) {
+            throw new XMLStreamException("KeyStore element must have 'file' or 'resource' attribute set", reader.getLocation());
+        }
+        if (!addKeyStore.hasDefined(Constants.Model.PASSWORD)) {
+            throw ParseUtils.missingRequired(reader, Constants.XML.PASSWORD);
+        }
+
+        while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
+            String tagName = reader.getLocalName();
+            if (Constants.XML.PRIVATE_KEY.equals(tagName)) {
+                readPrivateKey(reader, addKeyStore);
+            } else if (Constants.XML.CERTIFICATE.equals(tagName)) {
+                readCertificate(reader, addKeyStore);
+            } else {
+                throw ParseUtils.unexpectedElement(reader);
+            }
+        }
+    }
+
+
+    void readPrivateKey(XMLExtendedStreamReader reader, ModelNode addKeyStore) throws XMLStreamException {
+        for (int i = 0; i < reader.getAttributeCount(); i++) {
+            String name = reader.getAttributeLocalName(i);
+            String value = reader.getAttributeValue(i);
+
+            SimpleAttributeDefinition attr = KeyStorePrivateKeyDefinition.lookup(name);
+            if (attr == null) {
+                throw ParseUtils.unexpectedAttribute(reader, i);
+            }
+            attr.parseAndSetParameter(value, addKeyStore, reader);
+        }
+
+        if (!addKeyStore.hasDefined(Constants.Model.PRIVATE_KEY_ALIAS)) {
+            throw ParseUtils.missingRequired(reader, Constants.XML.PRIVATE_KEY_ALIAS);
+        }
+        if (!addKeyStore.hasDefined(Constants.Model.PRIVATE_KEY_PASSWORD)) {
+            throw ParseUtils.missingRequired(reader, Constants.XML.PRIVATE_KEY_PASSWORD);
+        }
+
+        ParseUtils.requireNoContent(reader);
+    }
+
+    void readCertificate(XMLExtendedStreamReader reader, ModelNode addKeyStore) throws XMLStreamException {
+        for (int i = 0; i < reader.getAttributeCount(); i++) {
+            String name = reader.getAttributeLocalName(i);
+            String value = reader.getAttributeValue(i);
+
+            SimpleAttributeDefinition attr = KeyStoreCertificateDefinition.lookup(name);
+            if (attr == null) {
+                throw ParseUtils.unexpectedAttribute(reader, i);
+            }
+            attr.parseAndSetParameter(value, addKeyStore, reader);
+        }
+
+        if (!addKeyStore.hasDefined(Constants.Model.CERTIFICATE_ALIAS)) {
+            throw ParseUtils.missingRequired(reader, Constants.XML.CERTIFICATE_ALIAS);
+        }
+
+        ParseUtils.requireNoContent(reader);
+    }
+
+    void readRoleIdentifiers(ModelNode addServiceProvider, XMLExtendedStreamReader reader) throws XMLStreamException {
+        ParseUtils.requireNoAttributes(reader);
+
+        while (reader.hasNext() && nextTag(reader) != END_ELEMENT) {
+            String tagName = reader.getLocalName();
+
+            if (!Constants.XML.ATTRIBUTE.equals(tagName)) {
+                throw ParseUtils.unexpectedElement(reader);
+            }
+
+            ParseUtils.requireSingleAttribute(reader, Constants.XML.NAME);
+            String name = ParseUtils.readStringAttributeElement(reader, Constants.XML.NAME);
+
+            ServiceProviderDefinition.ROLE_ATTRIBUTES.parseAndAddParameterElement(name, addServiceProvider, reader);
+        }
+    }
+
+    void readPrincipalNameMapping(ModelNode addServiceProvider, XMLExtendedStreamReader reader) throws XMLStreamException {
+
+        boolean policySet = false;
+
+        for (int i = 0; i < reader.getAttributeCount(); i++) {
+            String name = reader.getAttributeLocalName(i);
+            String value = reader.getAttributeValue(i);
+
+            if (Constants.XML.PRINCIPAL_NAME_MAPPING_POLICY.equals(name)) {
+                policySet = true;
+                ServiceProviderDefinition.PRINCIPAL_NAME_MAPPING_POLICY.parseAndSetParameter(value, addServiceProvider, reader);
+            } else if (Constants.XML.PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME.equals(name)) {
+                ServiceProviderDefinition.PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME.parseAndSetParameter(value, addServiceProvider, reader);
+            } else {
+                throw ParseUtils.unexpectedAttribute(reader, i);
+            }
+        }
+
+        if (!policySet) {
+            throw ParseUtils.missingRequired(reader, Constants.XML.PRINCIPAL_NAME_MAPPING_POLICY);
+        }
+        ParseUtils.requireNoContent(reader);
+    }
+
+    /**
+     * Read an attribute, and throw exception if attribute is not present
+     */
+    String readRequiredAttribute(XMLExtendedStreamReader reader, String attrName) throws XMLStreamException {
+        String value = null;
+        for (int i = 0; i < reader.getAttributeCount(); i++) {
+            String attr = reader.getAttributeLocalName(i);
+            if (attr.equals(attrName)) {
+                value = reader.getAttributeValue(i);
+                break;
+            }
+        }
+        if (value == null) {
+            throw ParseUtils.missingRequired(reader, Collections.singleton(attrName));
+        }
+        return value;
+    }
 
     /**
      * {@inheritDoc}
@@ -60,8 +387,183 @@ class KeycloakSubsystemParser implements XMLStreamConstants, XMLElementReader<Li
     @Override
     public void writeContent(final XMLExtendedStreamWriter writer, final SubsystemMarshallingContext context) throws XMLStreamException {
         context.startSubsystemElement(KeycloakSamlExtension.NAMESPACE, false);
+        writeSecureDeployment(writer, context.getModelNode());
+        writer.writeEndElement();
+    }
+
+    public void writeSecureDeployment(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
+        if (!model.get(Constants.Model.SECURE_DEPLOYMENT).isDefined()) {
+            return;
+        }
+
+        for (Property sp : model.get(Constants.Model.SECURE_DEPLOYMENT).asPropertyList()) {
+            writer.writeStartElement(Constants.XML.SECURE_DEPLOYMENT);
+            writer.writeAttribute(Constants.XML.NAME, sp.getName());
+
+            writeSps(writer, sp.getValue());
+            writer.writeEndElement();
+        }
+    }
+
+    void writeSps(final XMLExtendedStreamWriter writer, final ModelNode model) throws XMLStreamException {
+        if (!model.isDefined()) {
+            return;
+        }
+        for (Property sp : model.get(Constants.Model.SERVICE_PROVIDER).asPropertyList()) {
+            writer.writeStartElement(Constants.XML.SERVICE_PROVIDER);
+            writer.writeAttribute(Constants.XML.ENTITY_ID, sp.getName());
+            ModelNode spAttributes = sp.getValue();
+            for (SimpleAttributeDefinition attr : ServiceProviderDefinition.ATTRIBUTES) {
+                attr.getAttributeMarshaller().marshallAsAttribute(attr, spAttributes, false, writer);
+            }
+            writeKeys(writer, spAttributes.get(Constants.Model.KEY));
+            writePrincipalNameMapping(writer, spAttributes);
+            writeRoleIdentifiers(writer, spAttributes);
+            writeIdentityProvider(writer, spAttributes.get(Constants.Model.IDENTITY_PROVIDER));
+
+            writer.writeEndElement();
+        }
+    }
+
+    void writeIdentityProvider(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
+        if (!model.isDefined()) {
+            return;
+        }
+
+        for (Property idp : model.asPropertyList()) {
+            writer.writeStartElement(Constants.XML.IDENTITY_PROVIDER);
+            writer.writeAttribute(Constants.XML.ENTITY_ID, idp.getName());
+
+            ModelNode idpAttributes = idp.getValue();
+            for (SimpleAttributeDefinition attr : IdentityProviderDefinition.ATTRIBUTES) {
+                attr.getAttributeMarshaller().marshallAsAttribute(attr, idpAttributes, false, writer);
+            }
+
+            writeSingleSignOn(writer, idpAttributes.get(Constants.Model.SINGLE_SIGN_ON));
+            writeSingleLogout(writer, idpAttributes.get(Constants.Model.SINGLE_LOGOUT));
+            writeKeys(writer, idpAttributes.get(Constants.Model.KEY));
+        }
+        writer.writeEndElement();
+    }
+
+    void writeSingleSignOn(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
+        if (!model.isDefined()) {
+            return;
+        }
+        writer.writeStartElement(Constants.XML.SINGLE_SIGN_ON);
+        for (SimpleAttributeDefinition attr : SingleSignOnDefinition.ATTRIBUTES) {
+            attr.getAttributeMarshaller().marshallAsAttribute(attr, model, false, writer);
+        }
         writer.writeEndElement();
     }
 
+    void writeSingleLogout(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
+        if (!model.isDefined()) {
+            return;
+        }
+        writer.writeStartElement(Constants.XML.SINGLE_LOGOUT);
+        for (SimpleAttributeDefinition attr : SingleLogoutDefinition.ATTRIBUTES) {
+            attr.getAttributeMarshaller().marshallAsAttribute(attr, model, false, writer);
+        }
+        writer.writeEndElement();
+    }
+
+    void writeKeys(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
+        if (!model.isDefined()) {
+            return;
+        }
+        boolean contains = false;
+        for (Property key : model.asPropertyList()) {
+            if (!contains) {
+                writer.writeStartElement(Constants.XML.KEYS);
+                contains = true;
+            }
+            writer.writeStartElement(Constants.XML.KEY);
 
+            ModelNode keyAttributes = key.getValue();
+            for (SimpleAttributeDefinition attr : KeyDefinition.ATTRIBUTES) {
+                attr.getAttributeMarshaller().marshallAsAttribute(attr, keyAttributes, false, writer);
+            }
+            for (SimpleAttributeDefinition attr : KeyDefinition.ELEMENTS) {
+                attr.getAttributeMarshaller().marshallAsElement(attr, keyAttributes, false, writer);
+            }
+            writeKeyStore(writer, keyAttributes.get(Constants.Model.KEY_STORE));
+
+            writer.writeEndElement();
+        }
+        if (contains) {
+            writer.writeEndElement();
+        }
+    }
+
+    void writeKeyStore(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
+        if (!model.isDefined()) {
+            return;
+        }
+        writer.writeStartElement(Constants.XML.KEY_STORE);
+        for (SimpleAttributeDefinition attr : KeyStoreDefinition.ATTRIBUTES) {
+            attr.getAttributeMarshaller().marshallAsAttribute(attr, model, false, writer);
+        }
+        writePrivateKey(writer, model);
+        writeCertificate(writer, model);
+        writer.writeEndElement();
+    }
+
+    void writeCertificate(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
+        ModelNode value = model.get(Constants.Model.CERTIFICATE_ALIAS);
+        if (!value.isDefined()) {
+            return;
+        }
+        writer.writeStartElement(Constants.XML.CERTIFICATE);
+        SimpleAttributeDefinition attr = KeyStoreCertificateDefinition.CERTIFICATE_ALIAS;
+        attr.getAttributeMarshaller().marshallAsAttribute(attr, model, false, writer);
+        writer.writeEndElement();
+    }
+
+    void writePrivateKey(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
+        ModelNode pk_alias = model.get(Constants.Model.PRIVATE_KEY_ALIAS);
+        ModelNode pk_password = model.get(Constants.Model.PRIVATE_KEY_PASSWORD);
+
+        if (!pk_alias.isDefined() && !pk_password.isDefined()) {
+            return;
+        }
+        writer.writeStartElement(Constants.XML.PRIVATE_KEY);
+        for (SimpleAttributeDefinition attr : KeyStorePrivateKeyDefinition.ATTRIBUTES) {
+            attr.getAttributeMarshaller().marshallAsAttribute(attr, model, false, writer);
+        }
+        writer.writeEndElement();
+    }
+
+    void writeRoleIdentifiers(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
+        ModelNode value = model.get(Constants.Model.ROLE_ATTRIBUTES);
+        if (!value.isDefined()) {
+            return;
+        }
+
+        List<ModelNode> items = value.asList();
+        if (items.size() == 0) {
+            return;
+        }
+
+        writer.writeStartElement(Constants.XML.ROLE_IDENTIFIERS);
+        for (ModelNode item : items) {
+            writer.writeStartElement(Constants.XML.ATTRIBUTE);
+            writer.writeAttribute("name", item.asString());
+            writer.writeEndElement();
+        }
+        writer.writeEndElement();
+    }
+
+    void writePrincipalNameMapping(XMLExtendedStreamWriter writer, ModelNode model) throws XMLStreamException {
+        writer.writeStartElement(Constants.XML.PRINCIPAL_NAME_MAPPING);
+        ModelNode value = model.get(Constants.Model.PRINCIPAL_NAME_MAPPING_POLICY);
+        if (value.isDefined()) {
+            writer.writeAttribute(Constants.XML.PRINCIPAL_NAME_MAPPING_POLICY, value.asString());
+        }
+        value = model.get(Constants.Model.PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME);
+        if (value.isDefined()) {
+            writer.writeAttribute(Constants.XML.PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME, value.asString());
+        }
+        writer.writeEndElement();
+    }
 }

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyDefinition.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyDefinition.java
new file mode 100644
index 0000000..0f76399
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyDefinition.java
@@ -0,0 +1,122 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.AttributeDefinition;
+import org.jboss.as.controller.ObjectTypeAttributeDefinition;
+import org.jboss.as.controller.OperationStepHandler;
+import org.jboss.as.controller.PathElement;
+import org.jboss.as.controller.ReloadRequiredRemoveStepHandler;
+import org.jboss.as.controller.ReloadRequiredWriteAttributeHandler;
+import org.jboss.as.controller.SimpleAttributeDefinition;
+import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
+import org.jboss.as.controller.SimpleResourceDefinition;
+import org.jboss.as.controller.operations.common.GenericSubsystemDescribeHandler;
+import org.jboss.as.controller.registry.ManagementResourceRegistration;
+import org.jboss.dmr.ModelType;
+
+import java.util.HashMap;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+public class KeyDefinition extends SimpleResourceDefinition {
+
+    static final SimpleAttributeDefinition SIGNING =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.SIGNING, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.SIGNING)
+                    .build();
+
+    static final SimpleAttributeDefinition ENCRYPTION =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.ENCRYPTION, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.ENCRYPTION)
+                    .build();
+
+    static final SimpleAttributeDefinition PRIVATE_KEY_PEM =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.PRIVATE_KEY_PEM, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.PRIVATE_KEY_PEM)
+                    .build();
+
+    static final SimpleAttributeDefinition PUBLIC_KEY_PEM =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.PUBLIC_KEY_PEM, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.PUBLIC_KEY_PEM)
+                    .build();
+
+    static final SimpleAttributeDefinition CERTIFICATE_PEM =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.CERTIFICATE_PEM, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.CERTIFICATE_PEM)
+                    .build();
+
+    static final ObjectTypeAttributeDefinition KEY_STORE =
+            ObjectTypeAttributeDefinition.Builder.of(Constants.Model.KEY_STORE,
+                    KeyStoreDefinition.ALL_ATTRIBUTES)
+                    .setAllowNull(false)
+                    .build();
+
+    static final SimpleAttributeDefinition[] ATTRIBUTES = {SIGNING, ENCRYPTION};
+    static final SimpleAttributeDefinition[] ELEMENTS = {PRIVATE_KEY_PEM, PUBLIC_KEY_PEM, CERTIFICATE_PEM};
+    static final AttributeDefinition[] ALL_ATTRIBUTES = {SIGNING, ENCRYPTION, PRIVATE_KEY_PEM, PUBLIC_KEY_PEM, CERTIFICATE_PEM, KEY_STORE};
+
+    static final HashMap<String, SimpleAttributeDefinition> ATTRIBUTE_MAP = new HashMap<>();
+
+    static {
+        for (SimpleAttributeDefinition def : ATTRIBUTES) {
+            ATTRIBUTE_MAP.put(def.getXmlName(), def);
+        }
+    }
+
+    static final HashMap<String, SimpleAttributeDefinition> ELEMENT_MAP = new HashMap<>();
+
+    static {
+        for (SimpleAttributeDefinition def : ELEMENTS) {
+            ELEMENT_MAP.put(def.getXmlName(), def);
+        }
+    }
+
+    static final KeyDefinition INSTANCE = new KeyDefinition();
+
+    private KeyDefinition() {
+        super(PathElement.pathElement(Constants.Model.KEY),
+                KeycloakSamlExtension.getResourceDescriptionResolver(Constants.Model.KEY),
+                new KeyAddHandler(),
+                ReloadRequiredRemoveStepHandler.INSTANCE);
+    }
+
+    @Override
+    public void registerOperations(ManagementResourceRegistration resourceRegistration) {
+        super.registerOperations(resourceRegistration);
+        resourceRegistration.registerOperationHandler(GenericSubsystemDescribeHandler.DEFINITION, GenericSubsystemDescribeHandler.INSTANCE);
+    }
+
+    @Override
+    public void registerAttributes(ManagementResourceRegistration resourceRegistration) {
+        super.registerAttributes(resourceRegistration);
+
+        final OperationStepHandler writeHandler = new ReloadRequiredWriteAttributeHandler(ALL_ATTRIBUTES);
+        for (AttributeDefinition attribute : ALL_ATTRIBUTES) {
+            resourceRegistration.registerReadWriteAttribute(attribute, null, writeHandler);
+        }
+    }
+
+    static SimpleAttributeDefinition lookup(String xmlName) {
+        return ATTRIBUTE_MAP.get(xmlName);
+    }
+
+    static SimpleAttributeDefinition lookupElement(String xmlName) {
+        return ELEMENT_MAP.get(xmlName);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyStoreDefinition.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyStoreDefinition.java
new file mode 100644
index 0000000..2fb14f5
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyStoreDefinition.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.SimpleAttributeDefinition;
+import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
+import org.jboss.dmr.ModelType;
+
+import java.util.HashMap;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+abstract class KeyStoreDefinition {
+
+    static final SimpleAttributeDefinition RESOURCE =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.RESOURCE, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.RESOURCE)
+                    .build();
+
+    static final SimpleAttributeDefinition PASSWORD =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.PASSWORD, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.PASSWORD)
+                    .build();
+
+    static final SimpleAttributeDefinition FILE =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.FILE, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.FILE)
+                    .build();
+
+    static final SimpleAttributeDefinition TYPE =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.TYPE, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.TYPE)
+                    .build();
+
+    static final SimpleAttributeDefinition ALIAS =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.ALIAS, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.ALIAS)
+                    .build();
+
+    static final SimpleAttributeDefinition[] ATTRIBUTES = {RESOURCE, PASSWORD, FILE, TYPE, ALIAS};
+    static final SimpleAttributeDefinition[] ALL_ATTRIBUTES = {RESOURCE, PASSWORD, FILE, TYPE, ALIAS,
+            KeyStorePrivateKeyDefinition.PRIVATE_KEY_ALIAS,
+            KeyStorePrivateKeyDefinition.PRIVATE_KEY_PASSWORD,
+            KeyStoreCertificateDefinition.CERTIFICATE_ALIAS
+    };
+
+    static final HashMap<String, SimpleAttributeDefinition> ATTRIBUTE_MAP = new HashMap<>();
+
+    static {
+        for (SimpleAttributeDefinition def : ATTRIBUTES) {
+            ATTRIBUTE_MAP.put(def.getXmlName(), def);
+        }
+    }
+
+    static SimpleAttributeDefinition lookup(String xmlName) {
+        return ATTRIBUTE_MAP.get(xmlName);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyStorePrivateKeyDefinition.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyStorePrivateKeyDefinition.java
new file mode 100644
index 0000000..1947ca9
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/KeyStorePrivateKeyDefinition.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.SimpleAttributeDefinition;
+import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
+import org.jboss.dmr.ModelType;
+
+import java.util.HashMap;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+public class KeyStorePrivateKeyDefinition {
+    static final SimpleAttributeDefinition PRIVATE_KEY_ALIAS =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.PRIVATE_KEY_ALIAS, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.PRIVATE_KEY_ALIAS)
+                    .build();
+
+    static final SimpleAttributeDefinition PRIVATE_KEY_PASSWORD =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.PRIVATE_KEY_PASSWORD, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.PRIVATE_KEY_PASSWORD)
+                    .build();
+
+    static final SimpleAttributeDefinition[] ATTRIBUTES = {PRIVATE_KEY_ALIAS, PRIVATE_KEY_PASSWORD};
+
+    static final HashMap<String, SimpleAttributeDefinition> ATTRIBUTE_MAP = new HashMap<>();
+
+    static {
+        for (SimpleAttributeDefinition def : ATTRIBUTES) {
+            ATTRIBUTE_MAP.put(def.getXmlName(), def);
+        }
+    }
+
+    static SimpleAttributeDefinition lookup(String xmlName) {
+        return ATTRIBUTE_MAP.get(xmlName);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/logging/KeycloakLogger.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/logging/KeycloakLogger.java
new file mode 100755
index 0000000..8bd7ac1
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/logging/KeycloakLogger.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2013 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7.logging;
+
+import org.jboss.logging.BasicLogger;
+import org.jboss.logging.LogMessage;
+import org.jboss.logging.Logger;
+import org.jboss.logging.Message;
+import org.jboss.logging.MessageLogger;
+
+import static org.jboss.logging.Logger.Level.DEBUG;
+import static org.jboss.logging.Logger.Level.INFO;
+
+/**
+ * This interface to be fleshed out later when error messages are fully externalized.
+ *
+ * @author Stan Silvert ssilvert@redhat.com (C) 2013 Red Hat Inc.
+ */
+@MessageLogger(projectCode = "KEYCLOAK")
+public interface KeycloakLogger extends BasicLogger {
+
+    /**
+     * A logger with a category of the package name.
+     */
+    KeycloakLogger ROOT_LOGGER = Logger.getMessageLogger(KeycloakLogger.class, "org.jboss.keycloak");
+
+    @LogMessage(level = INFO)
+    @Message(value = "Keycloak SAML subsystem override for deployment %s")
+    void deploymentSecured(String deployment);
+
+    @LogMessage(level = DEBUG)
+    @Message(value = "Keycloak SAML has overriden and secured deployment %s")
+    void warSecured(String deployment);
+
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/logging/KeycloakMessages.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/logging/KeycloakMessages.java
new file mode 100755
index 0000000..f4917b1
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/logging/KeycloakMessages.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2013 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7.logging;
+
+import org.jboss.logging.MessageBundle;
+import org.jboss.logging.Messages;
+
+/**
+ * This interface to be fleshed out later when error messages are fully externalized.
+ *
+ * @author Stan Silvert ssilvert@redhat.com (C) 2012 Red Hat Inc.
+ */
+@MessageBundle(projectCode = "TLIP")
+public interface KeycloakMessages {
+
+    /**
+     * The messages
+     */
+    KeycloakMessages MESSAGES = Messages.getBundle(KeycloakMessages.class);
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SecureDeploymentAddHandler.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SecureDeploymentAddHandler.java
new file mode 100644
index 0000000..c5325f6
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SecureDeploymentAddHandler.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.AbstractAddStepHandler;
+import org.jboss.as.controller.OperationContext;
+import org.jboss.as.controller.OperationFailedException;
+import org.jboss.as.controller.ServiceVerificationHandler;
+import org.jboss.dmr.ModelNode;
+import org.jboss.msc.service.ServiceController;
+
+import java.util.List;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+class SecureDeploymentAddHandler extends AbstractAddStepHandler {
+
+    static SecureDeploymentAddHandler INSTANCE = new SecureDeploymentAddHandler();
+
+    private SecureDeploymentAddHandler() {
+    }
+
+    @Override
+    protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model, ServiceVerificationHandler verificationHandler, List<ServiceController<?>> newControllers) throws OperationFailedException {
+        Configuration.INSTANCE.updateModel(operation, model);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SecureDeploymentDefinition.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SecureDeploymentDefinition.java
new file mode 100644
index 0000000..75f4dca
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SecureDeploymentDefinition.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.PathElement;
+import org.jboss.as.controller.ReloadRequiredRemoveStepHandler;
+import org.jboss.as.controller.SimpleResourceDefinition;
+import org.jboss.as.controller.operations.common.GenericSubsystemDescribeHandler;
+import org.jboss.as.controller.registry.ManagementResourceRegistration;
+
+/**
+ * Defines attributes and operations for a secure-deployment.
+ */
+public class SecureDeploymentDefinition extends SimpleResourceDefinition {
+
+    static final SecureDeploymentDefinition INSTANCE = new SecureDeploymentDefinition();
+
+    private SecureDeploymentDefinition() {
+        super(PathElement.pathElement(Constants.Model.SECURE_DEPLOYMENT),
+                KeycloakSamlExtension.getResourceDescriptionResolver(Constants.Model.SECURE_DEPLOYMENT),
+                SecureDeploymentAddHandler.INSTANCE,
+                ReloadRequiredRemoveStepHandler.INSTANCE);
+    }
+
+    @Override
+    public void registerOperations(ManagementResourceRegistration resourceRegistration) {
+        super.registerOperations(resourceRegistration);
+        resourceRegistration.registerOperationHandler(GenericSubsystemDescribeHandler.DEFINITION, GenericSubsystemDescribeHandler.INSTANCE);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/ServiceProviderAddHandler.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/ServiceProviderAddHandler.java
new file mode 100644
index 0000000..33d6015
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/ServiceProviderAddHandler.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.AbstractAddStepHandler;
+import org.jboss.as.controller.OperationContext;
+import org.jboss.as.controller.OperationFailedException;
+import org.jboss.as.controller.ServiceVerificationHandler;
+import org.jboss.dmr.ModelNode;
+import org.jboss.msc.service.ServiceController;
+
+import java.util.List;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+class ServiceProviderAddHandler extends AbstractAddStepHandler {
+
+    static final ServiceProviderAddHandler INSTANCE = new ServiceProviderAddHandler();
+
+    ServiceProviderAddHandler() {
+        super(ServiceProviderDefinition.ALL_ATTRIBUTES);
+    }
+
+    @Override
+    protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model, ServiceVerificationHandler verificationHandler, List<ServiceController<?>> newControllers) throws OperationFailedException {
+        Configuration.INSTANCE.updateModel(operation, model);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/ServiceProviderDefinition.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/ServiceProviderDefinition.java
new file mode 100644
index 0000000..02ecc8f
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/ServiceProviderDefinition.java
@@ -0,0 +1,125 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.AttributeDefinition;
+import org.jboss.as.controller.ListAttributeDefinition;
+import org.jboss.as.controller.OperationStepHandler;
+import org.jboss.as.controller.PathElement;
+import org.jboss.as.controller.ReloadRequiredRemoveStepHandler;
+import org.jboss.as.controller.ReloadRequiredWriteAttributeHandler;
+import org.jboss.as.controller.SimpleAttributeDefinition;
+import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
+import org.jboss.as.controller.SimpleResourceDefinition;
+import org.jboss.as.controller.StringListAttributeDefinition;
+import org.jboss.as.controller.operations.common.GenericSubsystemDescribeHandler;
+import org.jboss.as.controller.registry.ManagementResourceRegistration;
+import org.jboss.dmr.ModelType;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+public class ServiceProviderDefinition extends SimpleResourceDefinition {
+
+    static final SimpleAttributeDefinition SSL_POLICY =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.SSL_POLICY, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.SSL_POLICY)
+                    .build();
+
+    static final SimpleAttributeDefinition NAME_ID_POLICY_FORMAT =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.NAME_ID_POLICY_FORMAT, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.NAME_ID_POLICY_FORMAT)
+                    .build();
+
+    static final SimpleAttributeDefinition LOGOUT_PAGE =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.LOGOUT_PAGE, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.LOGOUT_PAGE)
+                    .build();
+
+    static final SimpleAttributeDefinition FORCE_AUTHENTICATION =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.FORCE_AUTHENTICATION, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.FORCE_AUTHENTICATION)
+                    .build();
+
+    static final SimpleAttributeDefinition PRINCIPAL_NAME_MAPPING_POLICY =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.PRINCIPAL_NAME_MAPPING_POLICY, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.PRINCIPAL_NAME_MAPPING_POLICY)
+                    .build();
+
+    static final SimpleAttributeDefinition PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME)
+                    .build();
+
+    static final ListAttributeDefinition ROLE_ATTRIBUTES =
+            new StringListAttributeDefinition.Builder(Constants.Model.ROLE_ATTRIBUTES)
+                    .setAllowNull(false)
+                    .build();
+
+    static final SimpleAttributeDefinition[] ATTRIBUTES = {SSL_POLICY, NAME_ID_POLICY_FORMAT, LOGOUT_PAGE, FORCE_AUTHENTICATION};
+    static final AttributeDefinition[] ELEMENTS = {PRINCIPAL_NAME_MAPPING_POLICY, PRINCIPAL_NAME_MAPPING_ATTRIBUTE_NAME, ROLE_ATTRIBUTES};
+
+
+    static final HashMap<String, SimpleAttributeDefinition> ATTRIBUTE_MAP = new HashMap<>();
+    static final HashMap<String, AttributeDefinition> ALL_MAP = new HashMap<>();
+    static final Collection<AttributeDefinition> ALL_ATTRIBUTES;
+
+    static {
+        for (SimpleAttributeDefinition def : ATTRIBUTES) {
+            ATTRIBUTE_MAP.put(def.getXmlName(), def);
+        }
+
+        ALL_MAP.putAll(ATTRIBUTE_MAP);
+        for (AttributeDefinition def : ELEMENTS) {
+            ALL_MAP.put(def.getXmlName(), def);
+        }
+        ALL_ATTRIBUTES = Collections.unmodifiableCollection(ALL_MAP.values());
+    }
+
+    static final ServiceProviderDefinition INSTANCE = new ServiceProviderDefinition();
+
+    private ServiceProviderDefinition() {
+        super(PathElement.pathElement(Constants.Model.SERVICE_PROVIDER),
+                KeycloakSamlExtension.getResourceDescriptionResolver(Constants.Model.SERVICE_PROVIDER),
+                ServiceProviderAddHandler.INSTANCE,
+                ReloadRequiredRemoveStepHandler.INSTANCE);
+    }
+
+    @Override
+    public void registerOperations(ManagementResourceRegistration resourceRegistration) {
+        super.registerOperations(resourceRegistration);
+        resourceRegistration.registerOperationHandler(GenericSubsystemDescribeHandler.DEFINITION, GenericSubsystemDescribeHandler.INSTANCE);
+    }
+
+    @Override
+    public void registerAttributes(ManagementResourceRegistration resourceRegistration) {
+        super.registerAttributes(resourceRegistration);
+
+        final OperationStepHandler writeHandler = new ReloadRequiredWriteAttributeHandler(ALL_ATTRIBUTES);
+        for (AttributeDefinition attribute : ALL_ATTRIBUTES) {
+            resourceRegistration.registerReadWriteAttribute(attribute, null, writeHandler);
+        }
+    }
+
+    static SimpleAttributeDefinition lookup(String xmlName) {
+        return ATTRIBUTE_MAP.get(xmlName);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SingleLogoutDefinition.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SingleLogoutDefinition.java
new file mode 100644
index 0000000..beb884c
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SingleLogoutDefinition.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.SimpleAttributeDefinition;
+import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
+import org.jboss.dmr.ModelType;
+
+import java.util.HashMap;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+abstract class SingleLogoutDefinition {
+
+    static final SimpleAttributeDefinition VALIDATE_REQUEST_SIGNATURE =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.VALIDATE_REQUEST_SIGNATURE, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.VALIDATE_REQUEST_SIGNATURE)
+                    .build();
+
+    static final SimpleAttributeDefinition VALIDATE_RESPONSE_SIGNATURE =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.VALIDATE_RESPONSE_SIGNATURE, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.VALIDATE_RESPONSE_SIGNATURE)
+                    .build();
+
+    static final SimpleAttributeDefinition SIGN_REQUEST =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.SIGN_REQUEST, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.SIGN_REQUEST)
+                    .build();
+
+    static final SimpleAttributeDefinition SIGN_RESPONSE =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.SIGN_RESPONSE, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.SIGN_RESPONSE)
+                    .build();
+
+    static final SimpleAttributeDefinition REQUEST_BINDING =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.REQUEST_BINDING, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.REQUEST_BINDING)
+                    .build();
+
+    static final SimpleAttributeDefinition RESPONSE_BINDING =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.RESPONSE_BINDING, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.RESPONSE_BINDING)
+                    .build();
+
+    static final SimpleAttributeDefinition POST_BINDING_URL =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.POST_BINDING_URL, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.POST_BINDING_URL)
+                    .build();
+
+    static final SimpleAttributeDefinition REDIRECT_BINDING_URL =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.REDIRECT_BINDING_URL, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.REDIRECT_BINDING_URL)
+                    .build();
+
+    static final SimpleAttributeDefinition[] ATTRIBUTES = {VALIDATE_REQUEST_SIGNATURE, VALIDATE_RESPONSE_SIGNATURE,
+            SIGN_REQUEST, SIGN_RESPONSE, REQUEST_BINDING, RESPONSE_BINDING, POST_BINDING_URL, REDIRECT_BINDING_URL};
+
+    static final HashMap<String, SimpleAttributeDefinition> ATTRIBUTE_MAP = new HashMap<>();
+
+    static {
+        for (SimpleAttributeDefinition def : ATTRIBUTES) {
+            ATTRIBUTE_MAP.put(def.getXmlName(), def);
+        }
+    }
+
+    static SimpleAttributeDefinition lookup(String xmlName) {
+        return ATTRIBUTE_MAP.get(xmlName);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SingleSignOnDefinition.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SingleSignOnDefinition.java
new file mode 100644
index 0000000..827be9b
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/SingleSignOnDefinition.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2015 Red Hat Inc. and/or its affiliates and other contributors
+ * as indicated by the @author tags. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.keycloak.subsystem.saml.as7;
+
+import org.jboss.as.controller.SimpleAttributeDefinition;
+import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
+import org.jboss.dmr.ModelType;
+
+import java.util.HashMap;
+
+/**
+ * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
+ */
+abstract class SingleSignOnDefinition {
+
+    static final SimpleAttributeDefinition SIGN_REQUEST =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.SIGN_REQUEST, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.SIGN_REQUEST)
+                    .build();
+
+    static final SimpleAttributeDefinition VALIDATE_RESPONSE_SIGNATURE =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.VALIDATE_RESPONSE_SIGNATURE, ModelType.BOOLEAN, true)
+                    .setXmlName(Constants.XML.VALIDATE_RESPONSE_SIGNATURE)
+                    .build();
+
+    static final SimpleAttributeDefinition REQUEST_BINDING =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.REQUEST_BINDING, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.REQUEST_BINDING)
+                    .build();
+
+    static final SimpleAttributeDefinition RESPONSE_BINDING =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.RESPONSE_BINDING, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.RESPONSE_BINDING)
+                    .build();
+
+    static final SimpleAttributeDefinition BINDING_URL =
+            new SimpleAttributeDefinitionBuilder(Constants.Model.BINDING_URL, ModelType.STRING, true)
+                    .setXmlName(Constants.XML.BINDING_URL)
+                    .build();
+
+    static final SimpleAttributeDefinition[] ATTRIBUTES = {SIGN_REQUEST, VALIDATE_RESPONSE_SIGNATURE, REQUEST_BINDING, RESPONSE_BINDING, BINDING_URL};
+
+    static final HashMap<String, SimpleAttributeDefinition> ATTRIBUTE_MAP = new HashMap<>();
+
+    static {
+        for (SimpleAttributeDefinition def : ATTRIBUTES) {
+            ATTRIBUTE_MAP.put(def.getXmlName(), def);
+        }
+    }
+
+    static SimpleAttributeDefinition lookup(String xmlName) {
+        return ATTRIBUTE_MAP.get(xmlName);
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/xml/FormattingXMLStreamWriter.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/xml/FormattingXMLStreamWriter.java
new file mode 100644
index 0000000..dda3ed3
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/xml/FormattingXMLStreamWriter.java
@@ -0,0 +1,534 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2010, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.keycloak.subsystem.saml.as7.xml;
+
+import org.jboss.staxmapper.XMLExtendedStreamWriter;
+
+import java.lang.reflect.UndeclaredThrowableException;
+import java.util.ArrayDeque;
+import java.util.Iterator;
+
+import javax.xml.namespace.NamespaceContext;
+import javax.xml.stream.XMLStreamConstants;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamWriter;
+
+/**
+ * An XML stream writer which nicely formats the XML for configuration files.
+ *
+ * @author <a href="mailto:david.lloyd@redhat.com">David M. Lloyd</a>
+ */
+public final class FormattingXMLStreamWriter implements XMLExtendedStreamWriter, XMLStreamConstants {
+    private static final String NO_NAMESPACE = new String();
+    private final XMLStreamWriter delegate;
+    private final ArrayDeque<ArgRunnable> attrQueue = new ArrayDeque<ArgRunnable>();
+    private int level;
+    private int state = START_DOCUMENT;
+    private boolean indentEndElement = false;
+    private ArrayDeque<String> unspecifiedNamespaces = new ArrayDeque<String>();
+
+
+    public FormattingXMLStreamWriter(final XMLStreamWriter delegate) {
+        this.delegate = delegate;
+        unspecifiedNamespaces.push(NO_NAMESPACE);
+    }
+
+    private void nl() throws XMLStreamException {
+        delegate.writeCharacters("\n");
+    }
+
+    private void indent() throws XMLStreamException {
+        int level = this.level;
+        final XMLStreamWriter delegate = this.delegate;
+        for (int i = 0; i < level; i ++) {
+            delegate.writeCharacters("    ");
+        }
+    }
+
+    private interface ArgRunnable {
+        public void run(int arg) throws XMLStreamException;
+    }
+
+    @Override
+    public void setUnspecifiedElementNamespace(final String namespace) {
+        ArrayDeque<String> namespaces = this.unspecifiedNamespaces;
+        namespaces.pop();
+        namespaces.push(namespace == null ? NO_NAMESPACE : namespace);
+    }
+
+    private String nestUnspecifiedNamespace() {
+        ArrayDeque<String> namespaces = unspecifiedNamespaces;
+        String clone = namespaces.getFirst();
+        namespaces.push(clone);
+        return clone;
+    }
+
+    @Override
+    public void writeStartElement(final String localName) throws XMLStreamException {
+        ArrayDeque<String> namespaces = unspecifiedNamespaces;
+        String namespace = namespaces.getFirst();
+        if (namespace != NO_NAMESPACE) {
+            writeStartElement(namespace, localName);
+            return;
+        }
+
+        unspecifiedNamespaces.push(namespace);
+
+        // If this is a nested element flush the outer
+        runAttrQueue();
+        nl();
+        indent();
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                if (arg == 0) {
+                    delegate.writeStartElement(localName);
+                } else {
+                    delegate.writeEmptyElement(localName);
+                }
+            }
+        });
+
+        level++;
+        state = START_ELEMENT;
+        indentEndElement = false;
+    }
+
+    @Override
+    public void writeStartElement(final String namespaceURI, final String localName) throws XMLStreamException {
+        nestUnspecifiedNamespace();
+
+        // If this is a nested element flush the outer
+        runAttrQueue();
+        nl();
+        indent();
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                if (arg == 0) {
+                    delegate.writeStartElement(namespaceURI, localName);
+                } else {
+                    delegate.writeEmptyElement(namespaceURI, localName);
+                }
+            }
+        });
+        level++;
+        state = START_ELEMENT;
+        indentEndElement = false;
+    }
+
+    @Override
+    public void writeStartElement(final String prefix, final String localName, final String namespaceURI) throws XMLStreamException {
+        nestUnspecifiedNamespace();
+
+        // If this is a nested element flush the outer
+        runAttrQueue();
+        nl();
+        indent();
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                if (arg == 0) {
+                    delegate.writeStartElement(prefix, namespaceURI, localName);
+                } else {
+                    delegate.writeEmptyElement(prefix, namespaceURI, localName);
+                }
+            }
+        });
+        level++;
+        state = START_ELEMENT;
+        indentEndElement = false;
+    }
+
+    @Override
+    public void writeEmptyElement(final String namespaceURI, final String localName) throws XMLStreamException {
+        runAttrQueue();
+        nl();
+        indent();
+        delegate.writeEmptyElement(namespaceURI, localName);
+        state = END_ELEMENT;
+    }
+
+    @Override
+    public void writeEmptyElement(final String prefix, final String localName, final String namespaceURI) throws XMLStreamException {
+        runAttrQueue();
+        nl();
+        indent();
+        delegate.writeEmptyElement(prefix, namespaceURI, localName);
+        state = END_ELEMENT;
+    }
+
+    @Override
+    public void writeEmptyElement(final String localName) throws XMLStreamException {
+        String namespace = unspecifiedNamespaces.getFirst();
+        if (namespace != NO_NAMESPACE) {
+            writeEmptyElement(namespace, localName);
+            return;
+        }
+
+        runAttrQueue();
+        nl();
+        indent();
+        delegate.writeEmptyElement(localName);
+        state = END_ELEMENT;
+    }
+
+    @Override
+    public void writeEndElement() throws XMLStreamException {
+        level--;
+        if (state != START_ELEMENT) {
+            runAttrQueue();
+            if (state != CHARACTERS || indentEndElement) {
+                nl();
+                indent();
+                indentEndElement = false;
+            }
+            delegate.writeEndElement();
+        } else {
+            // Change the start element to an empty element
+            ArgRunnable start = attrQueue.poll();
+            if (start == null) {
+                delegate.writeEndElement();
+            } else {
+                start.run(1);
+                // Write everything else
+                runAttrQueue();
+            }
+        }
+
+        unspecifiedNamespaces.pop();
+        state = END_ELEMENT;
+    }
+
+    private void runAttrQueue() throws XMLStreamException {
+        ArgRunnable attr;
+        while ((attr = attrQueue.poll()) != null) {
+            attr.run(0);
+        }
+    }
+
+    @Override
+    public void writeEndDocument() throws XMLStreamException {
+        delegate.writeEndDocument();
+        state = END_DOCUMENT;
+    }
+
+    @Override
+    public void close() throws XMLStreamException {
+        delegate.close();
+        state = END_DOCUMENT;
+    }
+
+    @Override
+    public void flush() throws XMLStreamException {
+        delegate.flush();
+    }
+
+    @Override
+    public void writeAttribute(final String localName, final String value) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                try {
+                    delegate.writeAttribute(localName, value);
+                } catch (XMLStreamException e) {
+                    throw new UndeclaredThrowableException(e);
+                }
+            }
+        });
+    }
+
+    @Override
+    public void writeAttribute(final String prefix, final String namespaceURI, final String localName, final String value) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                delegate.writeAttribute(prefix, namespaceURI, localName, value);
+            }
+        });
+    }
+
+    @Override
+    public void writeAttribute(final String namespaceURI, final String localName, final String value) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                delegate.writeAttribute(namespaceURI, localName, value);
+            }
+        });
+    }
+
+    @Override
+    public void writeAttribute(final String localName, final String[] values) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                delegate.writeAttribute(localName, join(values));
+            }
+        });
+    }
+
+    @Override
+    public void writeAttribute(final String prefix, final String namespaceURI, final String localName, final String[] values) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                delegate.writeAttribute(prefix, namespaceURI, localName, join(values));
+            }
+        });
+    }
+
+    @Override
+    public void writeAttribute(final String namespaceURI, final String localName, final String[] values) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                delegate.writeAttribute(namespaceURI, localName, join(values));
+            }
+        });
+    }
+
+    @Override
+    public void writeAttribute(final String localName, final Iterable<String> values) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                delegate.writeAttribute(localName, join(values));
+            }
+        });
+    }
+
+    @Override
+    public void writeAttribute(final String prefix, final String namespaceURI, final String localName, final Iterable<String> values) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                delegate.writeAttribute(prefix, namespaceURI, localName, join(values));
+            }
+        });
+    }
+
+    @Override
+    public void writeAttribute(final String namespaceURI, final String localName, final Iterable<String> values) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                delegate.writeAttribute(namespaceURI, localName, join(values));
+            }
+        });
+    }
+
+    @Override
+    public void writeNamespace(final String prefix, final String namespaceURI) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                delegate.writeNamespace(prefix, namespaceURI);
+            }
+        });
+    }
+
+    @Override
+    public void writeDefaultNamespace(final String namespaceURI) throws XMLStreamException {
+        attrQueue.add(new ArgRunnable() {
+            public void run(int arg) throws XMLStreamException {
+                delegate.writeDefaultNamespace(namespaceURI);
+            }
+        });
+    }
+
+    @Override
+    public void writeComment(final String data) throws XMLStreamException {
+        runAttrQueue();
+        nl();
+        nl();
+        indent();
+        final StringBuilder b = new StringBuilder(data.length());
+        final Iterator<String> i = Spliterator.over(data, '\n');
+        if (! i.hasNext()) {
+            return;
+        } else {
+            final String first = i.next();
+            if (! i.hasNext()) {
+                delegate.writeComment(" " + first + " ");
+                state = COMMENT;
+                return;
+            } else {
+                b.append('\n');
+                for (int q = 0; q < level; q++) {
+                    b.append("    ");
+                }
+                b.append("  ~ ");
+                b.append(first);
+                do {
+                    b.append('\n');
+                    for (int q = 0; q < level; q++) {
+                        b.append("    ");
+                    }
+                    b.append("  ~ ");
+                    b.append(i.next());
+                } while (i.hasNext());
+            }
+            b.append('\n');
+            for (int q = 0; q < level; q ++) {
+                b.append("    ");
+            }
+            b.append("  ");
+            delegate.writeComment(b.toString());
+            state = COMMENT;
+        }
+    }
+
+    @Override
+    public void writeProcessingInstruction(final String target) throws XMLStreamException {
+        runAttrQueue();
+        nl();
+        indent();
+        delegate.writeProcessingInstruction(target);
+        state = PROCESSING_INSTRUCTION;
+    }
+
+    @Override
+    public void writeProcessingInstruction(final String target, final String data) throws XMLStreamException {
+        runAttrQueue();
+        nl();
+        indent();
+        delegate.writeProcessingInstruction(target, data);
+        state = PROCESSING_INSTRUCTION;
+    }
+
+    @Override
+    public void writeCData(final String data) throws XMLStreamException {
+        runAttrQueue();
+        delegate.writeCData(data);
+        state = CDATA;
+    }
+
+    @Override
+    public void writeDTD(final String dtd) throws XMLStreamException {
+        nl();
+        indent();
+        delegate.writeDTD(dtd);
+        state = DTD;
+    }
+
+    @Override
+    public void writeEntityRef(final String name) throws XMLStreamException {
+        runAttrQueue();
+        delegate.writeEntityRef(name);
+        state = ENTITY_REFERENCE;
+    }
+
+    @Override
+    public void writeStartDocument() throws XMLStreamException {
+        delegate.writeStartDocument();
+        nl();
+        state = START_DOCUMENT;
+    }
+
+    @Override
+    public void writeStartDocument(final String version) throws XMLStreamException {
+        delegate.writeStartDocument(version);
+        nl();
+        state = START_DOCUMENT;
+    }
+
+    @Override
+    public void writeStartDocument(final String encoding, final String version) throws XMLStreamException {
+        delegate.writeStartDocument(encoding, version);
+        nl();
+        state = START_DOCUMENT;
+    }
+
+    @Override
+    public void writeCharacters(final String text) throws XMLStreamException {
+        runAttrQueue();
+        if (state != CHARACTERS) {
+            nl();
+            indent();
+        }
+        final Iterator<String> iterator = Spliterator.over(text, '\n');
+        while (iterator.hasNext()) {
+            final String t = iterator.next();
+            delegate.writeCharacters(t);
+            if (iterator.hasNext()) {
+                nl();
+                indent();
+            }
+        }
+        state = CHARACTERS;
+        indentEndElement = true;
+    }
+
+    @Override
+    public void writeCharacters(final char[] text, final int start, final int len) throws XMLStreamException {
+        runAttrQueue();
+        delegate.writeCharacters(text, start, len);
+        state = CHARACTERS;
+    }
+
+    @Override
+    public String getPrefix(final String uri) throws XMLStreamException {
+        return delegate.getPrefix(uri);
+    }
+
+    @Override
+    public void setPrefix(final String prefix, final String uri) throws XMLStreamException {
+        delegate.setPrefix(prefix, uri);
+    }
+
+    @Override
+    public void setDefaultNamespace(final String uri) throws XMLStreamException {
+        runAttrQueue();
+        delegate.setDefaultNamespace(uri);
+    }
+
+    @Override
+    public void setNamespaceContext(final NamespaceContext context) throws XMLStreamException {
+        delegate.setNamespaceContext(context);
+    }
+
+    @Override
+    public NamespaceContext getNamespaceContext() {
+        return delegate.getNamespaceContext();
+    }
+
+    @Override
+    public Object getProperty(final String name) throws IllegalArgumentException {
+        return delegate.getProperty(name);
+    }
+
+    private static String join(final String[] values) {
+        final StringBuilder b = new StringBuilder();
+        for (int i = 0, valuesLength = values.length; i < valuesLength; i++) {
+            final String s = values[i];
+            if (s != null) {
+                if (i > 0) {
+                    b.append(' ');
+                }
+                b.append(s);
+            }
+        }
+        return b.toString();
+    }
+
+    private static String join(final Iterable<String> values) {
+        final StringBuilder b = new StringBuilder();
+        Iterator<String> iterator = values.iterator();
+        while (iterator.hasNext()) {
+            final String s = iterator.next();
+            if (s != null) {
+                b.append(s);
+                if (iterator.hasNext()) b.append(' ');
+            }
+        }
+        return b.toString();
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/xml/Spliterator.java b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/xml/Spliterator.java
new file mode 100644
index 0000000..e9cb5c6
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/java/org/keycloak/subsystem/saml/as7/xml/Spliterator.java
@@ -0,0 +1,66 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2010, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.keycloak.subsystem.saml.as7.xml;
+
+import java.util.Iterator;
+import java.util.NoSuchElementException;
+
+/**
+ * @author <a href="mailto:david.lloyd@redhat.com">David M. Lloyd</a>
+ */
+final class Spliterator implements Iterator<String> {
+    private final String subject;
+    private final char delimiter;
+    private int i;
+
+    Spliterator(final String subject, final char delimiter) {
+        this.subject = subject;
+        this.delimiter = delimiter;
+        i = 0;
+    }
+
+    static Spliterator over(String subject, char delimiter) {
+        return new Spliterator(subject, delimiter);
+    }
+
+    public boolean hasNext() {
+        return i != -1;
+    }
+
+    public String next() {
+        final int i = this.i;
+        if (i == -1) {
+            throw new NoSuchElementException();
+        }
+        int n = subject.indexOf(delimiter, i);
+        try {
+            return n == -1 ? subject.substring(i) : subject.substring(i, n);
+        } finally {
+            this.i = n == -1 ? -1 : n + 1;
+        }
+    }
+
+    public void remove() {
+        throw new UnsupportedOperationException();
+    }
+}

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/resources/org/keycloak/subsystem/saml/as7/LocalDescriptions.properties b/saml/client-adapter/as7-eap6/subsystem/src/main/resources/org/keycloak/subsystem/saml/as7/LocalDescriptions.properties
new file mode 100755
index 0000000..f8a4a11
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/resources/org/keycloak/subsystem/saml/as7/LocalDescriptions.properties
@@ -0,0 +1,63 @@
+keycloak-saml.subsystem=Keycloak adapter subsystem
+keycloak-saml.subsystem.add=Operation Adds Keycloak adapter subsystem
+keycloak-saml.subsystem.remove=Operation removes Keycloak adapter subsystem
+keycloak-saml.subsystem.secure-deployment=A deployment secured by Keycloak.
+
+keycloak-saml.secure-deployment=A deployment secured by Keycloak
+keycloak-saml.secure-deployment.add=Add a deployment to be secured by Keycloak
+keycloak-saml.secure-deployment.remove=Remove a deployment to be secured by Keycloak
+keycloak-saml.secure-deployment.service-provider=A security provider configuration for secure deployment
+
+keycloak-saml.service-provider=A security provider configuration for secure deployment
+keycloak-saml.service-provider.add=Add a security provider configuration to deployment secured by Keycloak SAML
+keycloak-saml.service-provider.remove=Remove a security provider definition from deployment secured by Keycloak SAML
+keycloak-saml.service-provider.ssl-policy=SSL Policy to use
+keycloak-saml.service-provider.name-id-policy-format=Name ID policy format URN
+keycloak-saml.service-provider.logout-page=URI to a logout page
+keycloak-saml.service-provider.force-authentication=Redirected unauthenticated request to a login page
+keycloak-saml.service-provider.role-attributes=Role identifiers
+keycloak-saml.service-provider.principal-name-mapping-policy=Principal name mapping policy
+keycloak-saml.service-provider.principal-name-mapping-attribute-name=Principal name mapping attribute name
+keycloak-saml.service-provider.key=A key definition
+keycloak-saml.service-provider.identity-provider=Identity provider definition
+
+keycloak-saml.key=A key configuration for service provider or identity provider
+keycloak-saml.key.add=Add a key definition
+keycloak-saml.key.remove=Remove a key definition
+keycloak-saml.key.signing=Key can be used for signing
+keycloak-saml.key.encryption=Key can be used for encryption
+keycloak-saml.key.private-key-pem=Private key string in pem format
+keycloak-saml.key.public-key-pem=Public key string in pem format
+keycloak-saml.key.certificate-pem=Certificate key string in pem format
+keycloak-saml.key.key-store=Key store definition
+keycloak-saml.key.key-store.file=Key store filesystem path
+keycloak-saml.key.key-store.resource=Key store resource URI
+keycloak-saml.key.key-store.password=Key store password
+keycloak-saml.key.key-store.type=Key store format
+keycloak-saml.key.key-store.alias=Key alias
+keycloak-saml.key.key-store.private-key-alias=Private key alias
+keycloak-saml.key.key-store.private-key-password=Private key password
+keycloak-saml.key.key-store.certificate-alias=Certificate alias
+
+keycloak-saml.identity-provider=An identity provider configuration
+keycloak-saml.identity-provider.add=Add an identity provider
+keycloak-saml.identity-provider.remove=Remove an identity provider
+keycloak-saml.identity-provider.signatures-required=Require signatures for single-sign-on and single-logout
+keycloak-saml.identity-provider.signature-algorithm=Signature algorithm
+keycloak-saml.identity-provider.signature-canonicalization-method=Signature canonicalization method
+keycloak-saml.identity-provider.single-sign-on=Single sign-on configuration
+keycloak-saml.identity-provider.single-sign-on.sign-request=Sign SSO requests
+keycloak-saml.identity-provider.single-sign-on.validate-response-signature=Validate an SSO response signature
+keycloak-saml.identity-provider.single-sign-on.request-binding=HTTP method to use for requests
+keycloak-saml.identity-provider.single-sign-on.response-binding=HTTP method to use for responses
+keycloak-saml.identity-provider.single-sign-on.binding-url=SSO endpoint URL
+keycloak-saml.identity-provider.single-logout=Single logout configuration
+keycloak-saml.identity-provider.single-logout.validate-request-signature=Validate a single-logout request signature
+keycloak-saml.identity-provider.single-logout.validate-response-signature=Validate a single-logout response signature
+keycloak-saml.identity-provider.single-logout.sign-request=Sign single-logout requests
+keycloak-saml.identity-provider.single-logout.sign-response=Sign single-logout responses
+keycloak-saml.identity-provider.single-logout.request-binding=HTTP method to use for request
+keycloak-saml.identity-provider.single-logout.response-binding=HTTP method to use for response
+keycloak-saml.identity-provider.single-logout.post-binding-url=Endpoint URL for posting
+keycloak-saml.identity-provider.single-logout.redirect-binding-url=Endpoint URL for redirects
+keycloak-saml.identity-provider.key=Key definition for identity provider
\ No newline at end of file

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd b/saml/client-adapter/as7-eap6/subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd
new file mode 100644
index 0000000..725104b
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/main/resources/schema/wildfly-keycloak-saml_1_1.xsd
@@ -0,0 +1,268 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           targetNamespace="urn:jboss:domain:keycloak-saml:1.1"
+           xmlns="urn:jboss:domain:keycloak-saml:1.1"
+           elementFormDefault="qualified"
+           attributeFormDefault="unqualified"
+           version="1.0">
+
+    <!-- The subsystem root element -->
+    <xs:element name="subsystem" type="subsystem-type"/>
+
+    <xs:complexType name="subsystem-type">
+        <xs:annotation>
+            <xs:documentation>
+                <![CDATA[
+                    The Keycloak SAML adapter subsystem, used to register deployments managed by Keycloak SAML adapter
+                ]]>
+            </xs:documentation>
+        </xs:annotation>
+        <xs:all>
+            <xs:element name="secure-deployment" minOccurs="0" type="secure-deployment-type"/>
+        </xs:all>
+    </xs:complexType>
+
+    <xs:complexType name="secure-deployment-type">
+        <xs:all>
+            <xs:element name="SP" minOccurs="1" maxOccurs="1" type="sp-type"/>
+        </xs:all>
+        <xs:attribute name="name" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>The name of the realm.</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+
+    <xs:complexType name="sp-type">
+        <xs:all>
+            <xs:element name="Keys" minOccurs="0" maxOccurs="1" type="keys-type"/>
+            <xs:element name="PrincipalNameMapping" minOccurs="0" maxOccurs="1" type="principal-name-mapping-type"/>
+            <xs:element name="RoleIdentifiers" minOccurs="0" maxOccurs="1" type="role-identifiers-type"/>
+            <xs:element name="IDP" minOccurs="1" maxOccurs="1" type="identity-provider-type"/>
+        </xs:all>
+        <xs:attribute name="entityID" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>The entity ID for SAML service provider</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="sslPolicy" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>The ssl policy</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="nameIDPolicyFormat" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>Name ID policy format URN</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="logoutPage" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>URI to a logout page</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="forceAuthentication" type="xs:boolean" use="required">
+            <xs:annotation>
+                <xs:documentation>Redirected unauthenticated request to a login page</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+    <xs:complexType name="identity-provider-type">
+        <xs:all minOccurs="1" maxOccurs="1">
+            <xs:element name="SingleSignOnService" minOccurs="1" maxOccurs="1" type="single-signon-type"/>
+            <xs:element name="SingleLogoutService" minOccurs="0" maxOccurs="1" type="single-logout-type"/>
+            <xs:element name="Keys" minOccurs="0" maxOccurs="1" type="keys-type"/>
+        </xs:all>
+        <xs:attribute name="entityID" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>The entity ID for SAML service provider</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="signaturesRequired" type="xs:boolean" use="required">
+            <xs:annotation>
+                <xs:documentation>Require signatures for single-sign-on and single-logout</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="signatureAlgorithm" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>Algorithm used for signatures</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="signatureCanonicalizationMethod" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>Canonicalization method used for signatures</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+    <xs:complexType name="single-signon-type">
+        <xs:attribute name="signRequest" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>Sign the SSO requests</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="validateResponseSignature" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>Validate the SSO response signature</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="requestBinding" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>HTTP method to use for requests</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="responseBinding" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>HTTP method to use for response</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="bindingUrl" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>SSO endpoint URL</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+    <xs:complexType name="single-logout-type">
+        <xs:attribute name="validateRequestSignature" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>Validate a single-logout request signature</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="validateResponseSignature" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>Validate a single-logout response signature</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="signRequest" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>Sign single-logout requests</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="signResponse" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>Sign single-logout responses</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="requestBinding" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>HTTP method to use for request</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="responseBinding" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>HTTP method to use for response</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="postBindingUrl" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>Endpoint URL for posting</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="redirectBindingUrl" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>Endpoint URL for redirects</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+    <xs:complexType name="keys-type">
+        <xs:sequence>
+            <xs:element name="Key" minOccurs="1" maxOccurs="2" type="key-type"/>
+        </xs:sequence>
+    </xs:complexType>
+    <xs:complexType name="key-type">
+        <xs:all>
+            <xs:element name="KeyStore" minOccurs="0" maxOccurs="1" type="keystore-type"/>
+            <xs:element name="PrivateKeyPem" minOccurs="0" maxOccurs="1" type="xs:string"/>
+            <xs:element name="PublicKeyPem" minOccurs="0" maxOccurs="1" type="xs:string"/>
+            <xs:element name="CertificatePem" minOccurs="0" maxOccurs="1" type="xs:string"/>
+        </xs:all>
+        <xs:attribute name="signing" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>Key can be used for signing</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="encryption" type="xs:boolean" use="optional">
+            <xs:annotation>
+                <xs:documentation>Key can be used for encryption</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+    <xs:complexType name="keystore-type">
+        <xs:sequence minOccurs="0" maxOccurs="1">
+            <xs:element name="PrivateKey" minOccurs="0" maxOccurs="1" type="privatekey-type"/>
+            <xs:element name="Certificate" minOccurs="0" maxOccurs="1" type="certificate-type"/>
+        </xs:sequence>
+        <xs:attribute name="file" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>Key store filesystem path</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="resource" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>Key store resource URI</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="password" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>Key store password</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="type" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>Key store format</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="alias" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>Key alias</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+
+    <xs:complexType name="privatekey-type">
+        <xs:attribute name="alias" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>Private key alias</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="password" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>Private key password</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+
+    <xs:complexType name="certificate-type">
+        <xs:attribute name="alias" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>Certificate alias</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+
+    <xs:complexType name="principal-name-mapping-type">
+        <xs:attribute name="policy" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>Principal name mapping policy. Possible values: FROM_NAME_ID</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+        <xs:attribute name="attribute" type="xs:string" use="optional">
+            <xs:annotation>
+                <xs:documentation>Name of the attribute to use for principal name mapping</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+
+    <xs:complexType name="role-identifiers-type">
+        <xs:sequence minOccurs="0" maxOccurs="unbounded">
+            <xs:element name="Attribute" minOccurs="0" maxOccurs="unbounded" type="attribute-type"/>
+        </xs:sequence>
+    </xs:complexType>
+
+    <xs:complexType name="attribute-type">
+        <xs:attribute name="name" type="xs:string" use="required">
+            <xs:annotation>
+                <xs:documentation>Role attribute</xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+</xs:schema>

diff --git a/saml/client-adapter/as7-eap6/subsystem/src/test/resources/org/keycloak/subsystem/saml/as7/keycloak-saml-1.1.xml b/saml/client-adapter/as7-eap6/subsystem/src/test/resources/org/keycloak/subsystem/saml/as7/keycloak-saml-1.1.xml
new file mode 100644
index 0000000..19d7528
--- /dev/null
+++ b/saml/client-adapter/as7-eap6/subsystem/src/test/resources/org/keycloak/subsystem/saml/as7/keycloak-saml-1.1.xml
@@ -0,0 +1,49 @@
+<subsystem xmlns="urn:jboss:domain:keycloak-saml:1.1">
+    <secure-deployment name="my-app.war">
+        <SP entityID="http://localhost:8080/sales-post-enc/"
+            sslPolicy="EXTERNAL"
+            nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+            logoutPage="/logout.jsp"
+            forceAuthentication="false">
+
+            <Keys>
+                <Key encryption="true" signing="true">
+                    <PrivateKeyPem>my_key.pem</PrivateKeyPem>
+                    <PublicKeyPem>my_key.pub</PublicKeyPem>
+                    <CertificatePem>cert.cer</CertificatePem>
+                    <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                        <PrivateKey alias="http://localhost:8080/sales-post-enc/" password="test123"/>
+                        <Certificate alias="http://localhost:8080/sales-post-enc/"/>
+                    </KeyStore>
+                </Key>
+            </Keys>
+            <PrincipalNameMapping policy="FROM_NAME_ID"/>
+            <RoleIdentifiers>
+                <Attribute name="Role"/>
+                <Attribute name="Role2"/>
+            </RoleIdentifiers>
+            <IDP entityID="idp">
+                <SingleSignOnService signRequest="true"
+                                     validateResponseSignature="true"
+                                     requestBinding="POST"
+                                     bindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>
+                <SingleLogoutService
+                        validateRequestSignature="true"
+                        validateResponseSignature="true"
+                        signRequest="true"
+                        signResponse="true"
+                        requestBinding="POST"
+                        responseBinding="POST"
+                        postBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"
+                        redirectBindingUrl="http://localhost:8080/auth/realms/saml-demo/protocol/saml"/>
+                <Keys>
+                    <Key signing="true">
+                        <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
+                            <Certificate alias="saml-demo"/>
+                        </KeyStore>
+                    </Key>
+                </Keys>
+            </IDP>
+        </SP>
+    </secure-deployment>
+</subsystem>
\ No newline at end of file

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/AdapterConstants.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/AdapterConstants.java
index 280b5f8..e921d15 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/AdapterConstants.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/AdapterConstants.java
@@ -5,5 +5,5 @@ package org.keycloak.adapters.saml;
  * @version $Revision: 1 $
  */
 public class AdapterConstants {
-    public static final String AUTH_DATA_PARAM_NAME="org.keycloak.auth.deployment.data";
+    public static final String AUTH_DATA_PARAM_NAME="org.keycloak.saml.xml.adapterConfig";
 }

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/ConfigXmlConstants.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/ConfigXmlConstants.java
index 404fc58..91a016c 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/ConfigXmlConstants.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/ConfigXmlConstants.java
@@ -5,17 +5,17 @@ package org.keycloak.adapters.saml.config.parsers;
  * @version $Revision: 1 $
  */
 public class ConfigXmlConstants {
-    public static final String KEYCLOAK_SAML_ADAPTER ="keycloak-saml-adapter";
-    public static final String SP_ELEMENT="SP";
+    public static final String KEYCLOAK_SAML_ADAPTER = "keycloak-saml-adapter";
+    public static final String SP_ELEMENT = "SP";
     public static final String ENTITY_ID_ATTR = "entityID";
     public static final String SSL_POLICY_ATTR = "sslPolicy";
     public static final String NAME_ID_POLICY_FORMAT_ATTR = "nameIDPolicyFormat";
     public static final String FORCE_AUTHENTICATION_ATTR = "forceAuthentication";
+    public static final String IS_PASSIVE_ATTR = "isPassive";
     public static final String SIGNATURE_ALGORITHM_ATTR = "signatureAlgorithm";
     public static final String SIGNATURE_CANONICALIZATION_METHOD_ATTR = "signatureCanonicalizationMethod";
     public static final String LOGOUT_PAGE_ATTR = "logoutPage";
 
-
     public static final String KEYS_ELEMENT = "Keys";
     public static final String KEY_ELEMENT = "Key";
     public static final String SIGNING_ATTR = "signing";
@@ -36,7 +36,6 @@ public class ConfigXmlConstants {
     public static final String POLICY_ATTR = "policy";
     public static final String ATTRIBUTE_ATTR = "attribute";
 
-
     public static final String ROLE_IDENTIFIERS_ELEMENT = "RoleIdentifiers";
     public static final String ATTRIBUTE_ELEMENT = "Attribute";
     public static final String NAME_ATTR = "name";

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java
index b200b61..5de2072 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/DeploymentBuilder.java
@@ -41,6 +41,7 @@ public class DeploymentBuilder {
         deployment.setConfigured(true);
         deployment.setEntityID(sp.getEntityID());
         deployment.setForceAuthentication(sp.isForceAuthentication());
+        deployment.setIsPassive(sp.isIsPassive());
         deployment.setNameIDPolicyFormat(sp.getNameIDPolicyFormat());
         deployment.setLogoutPage(sp.getLogoutPage());
         deployment.setSignatureCanonicalizationMethod(sp.getIdp().getSignatureCanonicalizationMethod());

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/SPXmlParser.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/SPXmlParser.java
index 3446f20..14b04e1 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/SPXmlParser.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/parsers/SPXmlParser.java
@@ -1,21 +1,22 @@
 package org.keycloak.adapters.saml.config.parsers;
 
-import org.keycloak.adapters.saml.config.IDP;
-import org.keycloak.adapters.saml.config.Key;
-import org.keycloak.adapters.saml.config.SP;
-import org.keycloak.saml.common.exceptions.ParsingException;
-import org.keycloak.saml.common.parsers.AbstractParser;
-import org.keycloak.saml.common.util.StaxParserUtil;
-import org.keycloak.common.util.StringPropertyReplacer;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 
 import javax.xml.namespace.QName;
 import javax.xml.stream.XMLEventReader;
 import javax.xml.stream.events.EndElement;
 import javax.xml.stream.events.StartElement;
 import javax.xml.stream.events.XMLEvent;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
+
+import org.keycloak.adapters.saml.config.IDP;
+import org.keycloak.adapters.saml.config.Key;
+import org.keycloak.adapters.saml.config.SP;
+import org.keycloak.common.util.StringPropertyReplacer;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.AbstractParser;
+import org.keycloak.saml.common.util.StaxParserUtil;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -25,13 +26,16 @@ public class SPXmlParser extends AbstractParser {
 
     public static String getAttributeValue(StartElement startElement, String tag) {
         String str = StaxParserUtil.getAttributeValue(startElement, tag);
-        if (str != null) return StringPropertyReplacer.replaceProperties(str);
-        else return str;
+        if (str != null)
+            return StringPropertyReplacer.replaceProperties(str);
+        else
+            return str;
     }
 
     public static boolean getBooleanAttributeValue(StartElement startElement, String tag, boolean defaultValue) {
         String result = getAttributeValue(startElement, tag);
-        if (result == null) return defaultValue;
+        if (result == null)
+            return defaultValue;
         return Boolean.valueOf(result);
     }
 
@@ -41,11 +45,11 @@ public class SPXmlParser extends AbstractParser {
 
     public static String getElementText(XMLEventReader xmlEventReader) throws ParsingException {
         String result = StaxParserUtil.getElementText(xmlEventReader);
-        if (result != null) result = StringPropertyReplacer.replaceProperties(result);
+        if (result != null)
+            result = StringPropertyReplacer.replaceProperties(result);
         return result;
     }
 
-
     @Override
     public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
         StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
@@ -61,6 +65,7 @@ public class SPXmlParser extends AbstractParser {
         sp.setLogoutPage(getAttributeValue(startElement, ConfigXmlConstants.LOGOUT_PAGE_ATTR));
         sp.setNameIDPolicyFormat(getAttributeValue(startElement, ConfigXmlConstants.NAME_ID_POLICY_FORMAT_ATTR));
         sp.setForceAuthentication(getBooleanAttributeValue(startElement, ConfigXmlConstants.FORCE_AUTHENTICATION_ATTR));
+        sp.setIsPassive(getBooleanAttributeValue(startElement, ConfigXmlConstants.IS_PASSIVE_ATTR));
         while (xmlEventReader.hasNext()) {
             XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
             if (xmlEvent == null)
@@ -79,7 +84,7 @@ public class SPXmlParser extends AbstractParser {
             String tag = StaxParserUtil.getStartElementName(startElement);
             if (tag.equals(ConfigXmlConstants.KEYS_ELEMENT)) {
                 KeysXmlParser parser = new KeysXmlParser();
-                List<Key> keys = (List<Key>)parser.parse(xmlEventReader);
+                List<Key> keys = (List<Key>) parser.parse(xmlEventReader);
                 sp.setKeys(keys);
             } else if (tag.equals(ConfigXmlConstants.PRINCIPAL_NAME_MAPPING_ELEMENT)) {
                 StartElement element = StaxParserUtil.getNextStartElement(xmlEventReader);
@@ -98,7 +103,7 @@ public class SPXmlParser extends AbstractParser {
                 parseRoleMapping(xmlEventReader, sp);
             } else if (tag.equals(ConfigXmlConstants.IDP_ELEMENT)) {
                 IDPXmlParser parser = new IDPXmlParser();
-                IDP idp = (IDP)parser.parse(xmlEventReader);
+                IDP idp = (IDP) parser.parse(xmlEventReader);
                 sp.setIdp(idp);
             } else {
                 StaxParserUtil.bypassElementBlock(xmlEventReader, tag);
@@ -108,7 +113,7 @@ public class SPXmlParser extends AbstractParser {
         return sp;
     }
 
-    protected void parseRoleMapping(XMLEventReader xmlEventReader, SP sp)  throws ParsingException {
+    protected void parseRoleMapping(XMLEventReader xmlEventReader, SP sp) throws ParsingException {
         StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
         StaxParserUtil.validate(startElement, ConfigXmlConstants.ROLE_IDENTIFIERS_ELEMENT);
         Set<String> roleAttributes = new HashSet<>();
@@ -144,7 +149,6 @@ public class SPXmlParser extends AbstractParser {
         sp.setRoleAttributes(roleAttributes);
     }
 
-
     @Override
     public boolean supports(QName qname) {
         return false;

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/SP.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/SP.java
index f37f930..5203b13 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/SP.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/config/SP.java
@@ -33,6 +33,7 @@ public class SP implements Serializable {
     private String entityID;
     private String sslPolicy;
     private boolean forceAuthentication;
+    private boolean isPassive;
     private String logoutPage;
     private List<Key> keys;
     private String nameIDPolicyFormat;
@@ -64,6 +65,14 @@ public class SP implements Serializable {
         this.forceAuthentication = forceAuthentication;
     }
 
+    public boolean isIsPassive() {
+        return isPassive;
+    }
+
+    public void setIsPassive(boolean isPassive) {
+        this.isPassive = isPassive;
+    }
+
     public List<Key> getKeys() {
         return keys;
     }

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java
index 26fad92..7aab095 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/DefaultSamlDeployment.java
@@ -1,13 +1,13 @@
 package org.keycloak.adapters.saml;
 
-import org.keycloak.common.enums.SslRequired;
-import org.keycloak.saml.SignatureAlgorithm;
-
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.util.Set;
 
+import org.keycloak.common.enums.SslRequired;
+import org.keycloak.saml.SignatureAlgorithm;
+
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
  * @version $Revision: 1 $
@@ -31,7 +31,7 @@ public class DefaultSamlDeployment implements SamlDeployment {
             return validateResponseSignature;
         }
 
-         @Override
+        @Override
         public Binding getRequestBinding() {
             return requestBinding;
         }
@@ -97,7 +97,7 @@ public class DefaultSamlDeployment implements SamlDeployment {
             return signResponse;
         }
 
-         @Override
+        @Override
         public Binding getRequestBinding() {
             return requestBinding;
         }
@@ -150,12 +150,8 @@ public class DefaultSamlDeployment implements SamlDeployment {
         }
     }
 
-
-
     public static class DefaultIDP implements IDP {
 
-
-
         private String entityID;
         private PublicKey signatureValidationKey;
         private SingleSignOnService singleSignOnService;
@@ -204,6 +200,7 @@ public class DefaultSamlDeployment implements SamlDeployment {
     private String entityID;
     private String nameIDPolicyFormat;
     private boolean forceAuthentication;
+    private boolean isPassive;
     private PrivateKey decryptionKey;
     private KeyPair signingKeyPair;
     private String assertionConsumerServiceUrl;
@@ -214,7 +211,6 @@ public class DefaultSamlDeployment implements SamlDeployment {
     private SignatureAlgorithm signatureAlgorithm;
     private String signatureCanonicalizationMethod;
 
-
     @Override
     public IDP getIDP() {
         return idp;
@@ -244,6 +240,11 @@ public class DefaultSamlDeployment implements SamlDeployment {
     public boolean isForceAuthentication() {
         return forceAuthentication;
     }
+    
+   @Override
+    public boolean isIsPassive() {
+        return isPassive;
+    }
 
     @Override
     public PrivateKey getDecryptionKey() {
@@ -265,7 +266,7 @@ public class DefaultSamlDeployment implements SamlDeployment {
         return roleAttributeNames;
     }
 
-   @Override
+    @Override
     public PrincipalNamePolicy getPrincipalNamePolicy() {
         return principalNamePolicy;
     }
@@ -298,6 +299,10 @@ public class DefaultSamlDeployment implements SamlDeployment {
     public void setForceAuthentication(boolean forceAuthentication) {
         this.forceAuthentication = forceAuthentication;
     }
+    
+    public void setIsPassive(boolean isPassive){
+        this.isPassive = isPassive;
+    }
 
     public void setDecryptionKey(PrivateKey decryptionKey) {
         this.decryptionKey = decryptionKey;
@@ -332,7 +337,7 @@ public class DefaultSamlDeployment implements SamlDeployment {
         this.logoutPage = logoutPage;
     }
 
-     @Override
+    @Override
     public String getSignatureCanonicalizationMethod() {
         return signatureCanonicalizationMethod;
     }

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/InitiateLogin.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/InitiateLogin.java
index a34fb1b..4c7cbab 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/InitiateLogin.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/InitiateLogin.java
@@ -27,11 +27,6 @@ public class InitiateLogin implements AuthChallenge {
     }
 
     @Override
-    public boolean errorPage() {
-        return false;
-    }
-
-    @Override
     public int getResponseCode() {
         return 0;
     }
@@ -53,7 +48,7 @@ public class InitiateLogin implements AuthChallenge {
             SAML2AuthnRequestBuilder authnRequestBuilder = new SAML2AuthnRequestBuilder()
                     .destination(destinationUrl)
                     .issuer(issuerURL)
-                    .forceAuthn(deployment.isForceAuthentication())
+                    .forceAuthn(deployment.isForceAuthentication()).isPassive(deployment.isIsPassive())
                     .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat));
             if (deployment.getIDP().getSingleSignOnService().getResponseBinding() != null) {
                 String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
@@ -87,6 +82,7 @@ public class InitiateLogin implements AuthChallenge {
             Document document = authnRequestBuilder.toDocument();
             SamlDeployment.Binding samlBinding = deployment.getIDP().getSingleSignOnService().getRequestBinding();
             SamlUtil.sendSaml(true, httpFacade, actionUrl, binding, document, samlBinding);
+            sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.LOGGING_IN);
         } catch (Exception e) {
             throw new RuntimeException("Could not create authentication request.", e);
         }

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticationError.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticationError.java
new file mode 100755
index 0000000..c85fd63
--- /dev/null
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticationError.java
@@ -0,0 +1,49 @@
+package org.keycloak.adapters.saml;
+
+import org.keycloak.adapters.spi.AuthenticationError;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusType;
+
+/**
+ * Object that describes the SAML error that happened.
+ *
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class SamlAuthenticationError implements AuthenticationError {
+    public static enum Reason {
+        EXTRACTION_FAILURE,
+        INVALID_SIGNATURE,
+        ERROR_STATUS
+    }
+
+    private Reason reason;
+
+    private StatusResponseType status;
+
+    public SamlAuthenticationError(Reason reason) {
+        this.reason = reason;
+    }
+
+    public SamlAuthenticationError(Reason reason, StatusResponseType status) {
+        this.reason = reason;
+        this.status = status;
+    }
+
+    public SamlAuthenticationError(StatusResponseType statusType) {
+        this.status = statusType;
+    }
+
+    public Reason getReason() {
+        return reason;
+    }
+    public StatusResponseType getStatus() {
+        return status;
+    }
+
+    @Override
+    public String toString() {
+        return "SamlAuthenticationError [reason=" + reason + ", status=" + status + "]";
+    }
+    
+}

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticator.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticator.java
index fb66a70..02097db 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticator.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlAuthenticator.java
@@ -1,10 +1,12 @@
 package org.keycloak.adapters.saml;
 
 import org.jboss.logging.Logger;
-import org.keycloak.common.VerificationException;
 import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
 import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.common.VerificationException;
+import org.keycloak.common.util.KeycloakUriBuilder;
+import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.dom.saml.v2.assertion.AssertionType;
 import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
 import org.keycloak.dom.saml.v2.assertion.AttributeType;
@@ -15,24 +17,27 @@ import org.keycloak.dom.saml.v2.assertion.SubjectType;
 import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
 import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
 import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
 import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusType;
 import org.keycloak.saml.BaseSAML2BindingBuilder;
 import org.keycloak.saml.SAML2LogoutRequestBuilder;
 import org.keycloak.saml.SAML2LogoutResponseBuilder;
 import org.keycloak.saml.SAMLRequestParser;
 import org.keycloak.saml.SignatureAlgorithm;
 import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.common.exceptions.ProcessingException;
 import org.keycloak.saml.common.util.Base64;
+import org.keycloak.saml.common.util.StringUtil;
 import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
 import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
 import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;
 import org.keycloak.saml.processing.web.util.PostBindingUtil;
-import org.keycloak.common.util.KeycloakUriBuilder;
-import org.keycloak.common.util.MultivaluedHashMap;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 
+import java.net.URI;
 import java.security.PublicKey;
 import java.security.Signature;
 import java.util.HashSet;
@@ -72,7 +77,7 @@ public abstract class SamlAuthenticator {
             return handleSamlRequest(samlRequest, relayState);
         } else if (samlResponse != null) {
             return handleSamlResponse(samlResponse, relayState);
-        }  else if (sessionStore.isLoggedIn()) {
+        } else if (sessionStore.isLoggedIn()) {
             if (globalLogout) {
                 return globalLogout();
             }
@@ -104,6 +109,7 @@ public abstract class SamlAuthenticator {
 
         try {
             SamlUtil.sendSaml(true, facade, deployment.getIDP().getSingleLogoutService().getRequestBindingUrl(), binding, logoutBuilder.buildDocument(), deployment.getIDP().getSingleLogoutService().getRequestBinding());
+            sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.LOGGING_OUT);
         } catch (Exception e) {
             log.error("Could not send global logout SAML request", e);
             return AuthOutcome.FAILED;
@@ -153,7 +159,7 @@ public abstract class SamlAuthenticator {
     protected AuthOutcome logoutRequest(LogoutRequestType request, String relayState) {
         if (request.getSessionIndex() == null || request.getSessionIndex().isEmpty()) {
             sessionStore.logoutByPrincipal(request.getNameID().getValue());
-        }  else {
+        } else {
             sessionStore.logoutBySsoId(request.getSessionIndex());
         }
 
@@ -167,7 +173,8 @@ public abstract class SamlAuthenticator {
             binding.signatureAlgorithm(deployment.getSignatureAlgorithm())
                     .signWith(deployment.getSigningKeyPair())
                     .signDocument();
-            if (deployment.getSignatureCanonicalizationMethod() != null) binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod());
+            if (deployment.getSignatureCanonicalizationMethod() != null)
+                binding.canonicalizationMethod(deployment.getSignatureCanonicalizationMethod());
         }
 
 
@@ -197,34 +204,89 @@ public abstract class SamlAuthenticator {
             postBinding = true;
             holder = extractPostBindingResponse(samlResponse);
         }
-        StatusResponseType statusResponse = (StatusResponseType)holder.getSamlObject();
+        final StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
         // validate destination
         if (!requestUri.equals(statusResponse.getDestination())) {
             log.error("Request URI does not match SAML request destination");
             return AuthOutcome.FAILED;
         }
-        if (statusResponse instanceof ResponseType) {
-            if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) {
-                try {
-                    validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY);
-                } catch (VerificationException e) {
-                    log.error("Failed to verify saml response signature", e);
-                    return AuthOutcome.FAILED;
+        
+        if (statusResponse instanceof ResponseType) {            
+            try {
+                if (deployment.getIDP().getSingleSignOnService().validateResponseSignature()) {
+                    try {
+                        validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY);
+                    } catch (VerificationException e) {
+                        log.error("Failed to verify saml response signature", e);
+
+                        challenge = new AuthChallenge() {
+                            @Override
+                            public boolean challenge(HttpFacade exchange) {
+                                SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.INVALID_SIGNATURE);
+                                exchange.getRequest().setError(error);
+                                exchange.getResponse().sendError(403);
+                                return true;
+                            }
+
+                            @Override
+                            public int getResponseCode() {
+                                return 403;
+                            }
+                        };
+                        return AuthOutcome.FAILED;
+                    }
                 }
+                return handleLoginResponse((ResponseType) statusResponse);
+            } finally {
+                sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
             }
-            return handleLoginResponse((ResponseType)statusResponse);
 
         } else {
-            if (deployment.getIDP().getSingleLogoutService().validateResponseSignature()) {
+            if (sessionStore.isLoggingOut()) {
                 try {
-                    validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY);
-                } catch (VerificationException e) {
-                    log.error("Failed to verify saml response signature", e);
+                    if (deployment.getIDP().getSingleLogoutService().validateResponseSignature()) {
+                        try {
+                            validateSamlSignature(holder, postBinding, GeneralConstants.SAML_RESPONSE_KEY);
+                        } catch (VerificationException e) {
+                            log.error("Failed to verify saml response signature", e);
+                            return AuthOutcome.FAILED;
+                        }
+                    }
+                    return handleLogoutResponse(holder, statusResponse, relayState);
+                } finally {
+                    sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
+                }
+
+            } else if (sessionStore.isLoggingIn()) {
+
+                try {
+                    // KEYCLOAK-2107 - handle user not authenticated due passive mode. Return special outcome so different authentication mechanisms can behave accordingly.
+                    StatusType status = statusResponse.getStatus();
+                    if(checkStatusCodeValue(status.getStatusCode(), JBossSAMLURIConstants.STATUS_RESPONDER.get()) && checkStatusCodeValue(status.getStatusCode().getStatusCode(), JBossSAMLURIConstants.STATUS_NO_PASSIVE.get())){
+                        log.debug("Not authenticated due passive mode Status found in SAML response: " + status.toString());
+                        return AuthOutcome.NOT_AUTHENTICATED;
+                    }
+
+                    challenge = new AuthChallenge() {
+                        @Override
+                        public boolean challenge(HttpFacade exchange) {
+                            SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.ERROR_STATUS, statusResponse);
+                            exchange.getRequest().setError(error);
+                            exchange.getResponse().sendError(403);
+                            return true;
+                        }
+
+                        @Override
+                        public int getResponseCode() {
+                            return 403;
+                        }
+                    };
                     return AuthOutcome.FAILED;
+                } finally {
+                    sessionStore.setCurrentAction(SamlSessionStore.CurrentAction.NONE);
                 }
             }
-            // todo need to check that it is actually a LogoutResponse
-            return handleLogoutResponse(holder, statusResponse, relayState);
+            return AuthOutcome.NOT_ATTEMPTED;
         }
 
     }
@@ -237,7 +299,16 @@ public abstract class SamlAuthenticator {
         }
     }
 
-    protected AuthOutcome handleLoginResponse(ResponseType responseType)  {
+    private boolean checkStatusCodeValue(StatusCodeType statusCode, String expectedValue){
+        if(statusCode != null && statusCode.getValue()!=null){
+            String v = statusCode.getValue().toString();
+            return expectedValue.equals(v);
+        }
+        return false;
+    }
+    
+    protected AuthOutcome handleLoginResponse(ResponseType responseType) {
+        
         AssertionType assertion = null;
         try {
             assertion = AssertionUtil.getAssertion(responseType, deployment.getDecryptionKey());
@@ -245,8 +316,21 @@ public abstract class SamlAuthenticator {
                 return initiateLogin();
             }
         } catch (Exception e) {
-            log.error("Error extracting SAML assertion, e");
-            return AuthOutcome.FAILED;
+            log.error("Error extracting SAML assertion: " + e.getMessage());
+            challenge = new AuthChallenge() {
+                @Override
+                public boolean challenge(HttpFacade exchange) {
+                    SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.EXTRACTION_FAILURE);
+                    exchange.getRequest().setError(error);
+                    exchange.getResponse().sendError(403);
+                    return true;
+                }
+
+                @Override
+                public int getResponseCode() {
+                    return 403;
+                }
+            };
         }
 
         SubjectType subject = assertion.getSubject();
@@ -306,13 +390,15 @@ public abstract class SamlAuthenticator {
         AuthnStatementType authn = null;
         for (Object statement : assertion.getStatements()) {
             if (statement instanceof AuthnStatementType) {
-                authn = (AuthnStatementType)statement;
+                authn = (AuthnStatementType) statement;
                 break;
             }
         }
 
 
-        final SamlPrincipal principal = new SamlPrincipal(principalName, principalName, subjectNameID.getFormat().toString(), attributes, friendlyAttributes);
+        URI nameFormat = subjectNameID.getFormat();
+        String nameFormatString = nameFormat == null ? JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get() : nameFormat.toString();
+        final SamlPrincipal principal = new SamlPrincipal(assertion, principalName, principalName, nameFormatString, attributes, friendlyAttributes);
         String index = authn == null ? null : authn.getSessionIndex();
         final String sessionIndex = index;
         SamlSession account = new SamlSession(principal, roles, sessionIndex);
@@ -337,9 +423,9 @@ public abstract class SamlAuthenticator {
     protected abstract void completeAuthentication(SamlSession account);
 
     private String getAttributeValue(Object attrValue) {
-        String value =  null;
+        String value = null;
         if (attrValue instanceof String) {
-            value = (String)attrValue;
+            value = (String) attrValue;
         } else if (attrValue instanceof Node) {
             Node roleNode = (Node) attrValue;
             value = roleNode.getFirstChild().getNodeValue();
@@ -368,14 +454,14 @@ public abstract class SamlAuthenticator {
     protected SAMLDocumentHolder extractRedirectBindingResponse(String response) {
         return SAMLRequestParser.parseRequestRedirectBinding(response);
     }
+
+    
     protected SAMLDocumentHolder extractPostBindingResponse(String response) {
         byte[] samlBytes = PostBindingUtil.base64Decode(response);
-        String xml = new String(samlBytes);
         return SAMLRequestParser.parseResponseDocument(samlBytes);
     }
 
 
-
     protected AuthOutcome initiateLogin() {
         challenge = new InitiateLogin(deployment, sessionStore);
         return AuthOutcome.NOT_ATTEMPTED;
@@ -441,5 +527,4 @@ public abstract class SamlAuthenticator {
     }
 
 
-
 }

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java
index 0728447..8c53236 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlDeployment.java
@@ -56,6 +56,7 @@ public interface SamlDeployment {
     String getEntityID();
     String getNameIDPolicyFormat();
     boolean isForceAuthentication();
+    boolean isIsPassive();
     PrivateKey getDecryptionKey();
     KeyPair getSigningKeyPair();
     String getSignatureCanonicalizationMethod();

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlPrincipal.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlPrincipal.java
index ef1599f..04c1c2f 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlPrincipal.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlPrincipal.java
@@ -1,6 +1,7 @@
 package org.keycloak.adapters.saml;
 
 import org.keycloak.common.util.MultivaluedHashMap;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
 
 import java.io.Serializable;
 import java.security.Principal;
@@ -18,22 +19,43 @@ public class SamlPrincipal implements Serializable, Principal {
     private String name;
     private String samlSubject;
     private String nameIDFormat;
+    private AssertionType assertion;
 
-    public SamlPrincipal(String name, String samlSubject, String nameIDFormat, MultivaluedHashMap<String, String> attributes, MultivaluedHashMap<String, String> friendlyAttributes) {
+    public SamlPrincipal(AssertionType assertion, String name, String samlSubject, String nameIDFormat, MultivaluedHashMap<String, String> attributes, MultivaluedHashMap<String, String> friendlyAttributes) {
         this.name = name;
         this.attributes = attributes;
         this.friendlyAttributes = friendlyAttributes;
         this.samlSubject = samlSubject;
         this.nameIDFormat = nameIDFormat;
+        this.assertion = assertion;
     }
 
     public SamlPrincipal() {
     }
 
+    /**
+     * Get full saml assertion
+     *
+     * @return
+     */
+    public AssertionType getAssertion() {
+        return assertion;
+    }
+
+    /**
+     * Get SAML subject sent in assertion
+     *
+     * @return
+     */
     public String getSamlSubject() {
         return samlSubject;
     }
 
+    /**
+     * Subject nameID format
+     *
+     * @return
+     */
     public String getNameIDFormat() {
         return nameIDFormat;
     }
@@ -43,7 +65,12 @@ public class SamlPrincipal implements Serializable, Principal {
         return name;
     }
 
-
+    /**
+     * Convenience function that gets Attribute value by attribute name
+     *
+     * @param name
+     * @return
+     */
     public List<String> getAttributes(String name) {
         List<String> list = attributes.get(name);
         if (list != null) {
@@ -53,6 +80,13 @@ public class SamlPrincipal implements Serializable, Principal {
         }
 
     }
+
+    /**
+     * Convenience function that gets Attribute value by attribute friendly name
+     *
+     * @param friendlyName
+     * @return
+     */
     public List<String> getFriendlyAttributes(String friendlyName) {
         List<String> list = friendlyAttributes.get(name);
         if (list != null) {
@@ -63,19 +97,42 @@ public class SamlPrincipal implements Serializable, Principal {
 
     }
 
+    /**
+     * Convenience function that gets first  value of an attribute by attribute name
+     *
+     * @param name
+     * @return
+     */
     public String getAttribute(String name) {
         return attributes.getFirst(name);
     }
 
+    /**
+     * Convenience function that gets first  value of an attribute by attribute name
+     *
+     *
+     * @param friendlyName
+     * @return
+     */
     public String getFriendlyAttribute(String friendlyName) {
         return friendlyAttributes.getFirst(friendlyName);
     }
 
+    /**
+     * Get set of all assertion attribute names
+     *
+     * @return
+     */
     public Set<String> getAttributeNames() {
         return Collections.unmodifiableSet(attributes.keySet());
 
     }
 
+    /**
+     * Get set of all assertion friendly attribute names
+     *
+     * @return
+     */
     public Set<String> getFriendlyNames() {
         return Collections.unmodifiableSet(friendlyAttributes.keySet());
 

diff --git a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlSessionStore.java b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlSessionStore.java
index da20026..1a19464 100755
--- a/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlSessionStore.java
+++ b/saml/client-adapter/core/src/main/java/org/keycloak/adapters/saml/SamlSessionStore.java
@@ -1,6 +1,8 @@
 package org.keycloak.adapters.saml;
 
 import org.keycloak.adapters.spi.AdapterSessionStore;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusType;
 
 import java.util.List;
 
@@ -9,6 +11,19 @@ import java.util.List;
  * @version $Revision: 1 $
  */
 public interface SamlSessionStore extends AdapterSessionStore {
+    public static final String CURRENT_ACTION = "SAML_CURRENT_ACTION";
+    public static final String SAML_LOGIN_ERROR_STATUS = "SAML_LOGIN_ERROR_STATUS";
+    public static final String SAML_LOGOUT_ERROR_STATUS = "SAML_LOGOUT_ERROR_STATUS";
+
+    enum CurrentAction {
+        NONE,
+        LOGGING_IN,
+        LOGGING_OUT
+    }
+    void setCurrentAction(CurrentAction action);
+    boolean isLoggingIn();
+    boolean isLoggingOut();
+
     boolean isLoggedIn();
     SamlSession getAccount();
     void saveAccount(SamlSession account);

diff --git a/saml/client-adapter/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd b/saml/client-adapter/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd
index 534c9ae..d3e55f9 100755
--- a/saml/client-adapter/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd
+++ b/saml/client-adapter/core/src/main/resources/schema/keycloak_saml_adapter_1_6.xsd
@@ -33,6 +33,7 @@
         <xs:attribute name="nameIDPolicyFormat" type="xs:string" use="optional"/>
         <xs:attribute name="logoutPage" type="xs:string" use="optional"/>
         <xs:attribute name="forceAuthentication" type="xs:boolean" use="optional"/>
+        <xs:attribute name="isPassive" type="xs:boolean" use="optional"/>
     </xs:complexType>
 
     <xs:complexType name="keys-type">

diff --git a/saml/client-adapter/core/src/test/java/org/keycloak/test/adapters/saml/XmlParserTest.java b/saml/client-adapter/core/src/test/java/org/keycloak/test/adapters/saml/XmlParserTest.java
index c92fec6..5a6e037 100755
--- a/saml/client-adapter/core/src/test/java/org/keycloak/test/adapters/saml/XmlParserTest.java
+++ b/saml/client-adapter/core/src/test/java/org/keycloak/test/adapters/saml/XmlParserTest.java
@@ -68,6 +68,7 @@ public class XmlParserTest {
         Assert.assertEquals("ssl", sp.getSslPolicy());
         Assert.assertEquals("format", sp.getNameIDPolicyFormat());
         Assert.assertTrue(sp.isForceAuthentication());
+        Assert.assertTrue(sp.isIsPassive());
         Assert.assertEquals(2, sp.getKeys().size());
         Key signing = sp.getKeys().get(0);
         Assert.assertTrue(signing.isSigning());

diff --git a/saml/client-adapter/core/src/test/resources/keycloak-saml.xml b/saml/client-adapter/core/src/test/resources/keycloak-saml.xml
index ef910dc..ae8c96d 100755
--- a/saml/client-adapter/core/src/test/resources/keycloak-saml.xml
+++ b/saml/client-adapter/core/src/test/resources/keycloak-saml.xml
@@ -2,7 +2,8 @@
     <SP entityID="sp"
         sslPolicy="ssl"
         nameIDPolicyFormat="format"
-        forceAuthentication="true">
+        forceAuthentication="true"
+        isPassive="true">
         <Keys>
             <Key signing="true" >
                 <KeyStore file="file" resource="cp" password="pw">

diff --git a/saml/client-adapter/core/src/test/resources/keycloak-saml2.xml b/saml/client-adapter/core/src/test/resources/keycloak-saml2.xml
index ee6388d..7662e61 100755
--- a/saml/client-adapter/core/src/test/resources/keycloak-saml2.xml
+++ b/saml/client-adapter/core/src/test/resources/keycloak-saml2.xml
@@ -4,7 +4,8 @@
         nameIDPolicyFormat="format"
         signatureAlgorithm=""
         signatureCanonicalizationMethod=""
-        forceAuthentication="true">
+        forceAuthentication="true"
+        isPassive="true">
         <Keys>
             <Key signing="true" >
                 <KeyStore file="file" resource="cp" password="pw">