diff --git a/os-sso73/added/import-realm.json b/os-sso73/added/import-realm.json
new file mode 100644
index 00000000..1c9f1df3
--- /dev/null
+++ b/os-sso73/added/import-realm.json
@@ -0,0 +1,4 @@
+[ {
+  "realm" : "##REALM##",
+  "enabled" : true
+} ]
diff --git a/os-sso73/added/index.html b/os-sso73/added/index.html
new file mode 100644
index 00000000..6feab05a
--- /dev/null
+++ b/os-sso73/added/index.html
@@ -0,0 +1,6 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+     <meta http-equiv="refresh" content="0;url=/auth">
+</head>
+</html>
diff --git a/os-sso73/added/launch/add-sso-admin-user.sh b/os-sso73/added/launch/add-sso-admin-user.sh
new file mode 100755
index 00000000..0b4293e2
--- /dev/null
+++ b/os-sso73/added/launch/add-sso-admin-user.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+function prepareEnv() {
+  unset SSO_ADMIN_USERNAME
+  unset SSO_ADMIN_PASSWORD
+}
+
+function configure() {
+  add_admin_user
+}
+
+function add_admin_user() {
+  if [ -n "$SSO_ADMIN_USERNAME" ] && [ -n "$SSO_ADMIN_PASSWORD" ]; then
+    /opt/eap/bin/add-user-keycloak.sh -r master -u $SSO_ADMIN_USERNAME -p $SSO_ADMIN_PASSWORD
+  fi
+}
+
diff --git a/os-sso73/added/launch/add-sso-realm.sh b/os-sso73/added/launch/add-sso-realm.sh
new file mode 100755
index 00000000..bbfa4d21
--- /dev/null
+++ b/os-sso73/added/launch/add-sso-realm.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+function prepareEnv() {
+  unset SSO_REALM
+  unset IMPORT_REALM_FILE
+  unset SSO_SERVICE_USERNAME
+  unset SSO_SERVICE_PASSWORD
+}
+
+function configure() {
+  realm_import
+}
+
+function realm_import() {
+  if [ -n "$SSO_REALM" ]; then
+    sed -i "s|##REALM##|${SSO_REALM}|" "${IMPORT_REALM_FILE}"
+
+    if [ -n "$SSO_SERVICE_USERNAME" ]; then
+
+      if [ -n "$SSO_SERVICE_PASSWORD" ]; then
+        $JBOSS_HOME/bin/add-user-keycloak.sh -r $SSO_REALM -u $SSO_SERVICE_USERNAME -p $SSO_SERVICE_PASSWORD --roles realm-management/realm-admin
+      fi
+    fi
+
+    SSO_IMPORT_FILE="$IMPORT_REALM_FILE"
+  fi
+}
+
diff --git a/os-sso73/added/launch/datasource.sh b/os-sso73/added/launch/datasource.sh
new file mode 100644
index 00000000..fe24c200
--- /dev/null
+++ b/os-sso73/added/launch/datasource.sh
@@ -0,0 +1,89 @@
+source $JBOSS_HOME/bin/launch/datasource-common.sh
+
+function prepareEnv() {
+  clearDatasourcesEnv
+  clearTxDatasourceEnv
+}
+
+function configure() {
+  NON_XA_DATASOURCE="true"
+  DB_JNDI="java:jboss/datasources/KeycloakDS"
+  DB_POOL="KeycloakDS"
+
+  inject_datasources
+}
+
+function configureEnv() {
+  inject_external_datasources
+}
+
+function inject_datasources() {
+  inject_datasources_common
+
+  inject_default_job_repositories
+}
+
+function generate_datasource() {
+  local pool_name="${1}"
+  local jndi_name="${2}"
+  local username="${3}"
+  local password="${4}"
+  local host="${5}"
+  local port="${6}"
+  local databasename="${7}"
+  local checker="${8}"
+  local sorter="${9}"
+  local driver="${10}"
+  local service_name="${11}"
+  local jta="${12}"
+  local validate="${13}"
+  local url="${14}"
+
+  generate_datasource_common "${1}" "${2}" "${3}" "${4}" "${5}" "${6}" "${7}" "${8}" "${9}" "${10}" "${11}" "${12}" "${13}" "${14}"
+
+  if [ -z "$service_name" ]; then
+    service_name="ExampleDS"
+    pool_name="ExampleDS"
+    if [ -n "$DB_POOL" ]; then
+      pool_name="$DB_POOL"
+    fi
+  fi
+
+  if [ -n "$DEFAULT_JOB_REPOSITORY" -a "$DEFAULT_JOB_REPOSITORY" = "${service_name}" ]; then
+    inject_default_job_repository $pool_name
+    inject_job_repository $pool_name
+  fi
+
+  if [ -z "$DEFAULT_JOB_REPOSITORY" ]; then
+    inject_default_job_repository in-memory
+  fi
+
+}
+
+# $1 - refresh-interval
+function refresh_interval() {
+    echo "refresh-interval=\"$1\""
+}
+
+function inject_default_job_repositories() {
+  defaultjobrepo="     <default-job-repository name=\"in-memory\"/>"
+
+  sed -i "s|<!-- ##DEFAULT_JOB_REPOSITORY## -->|${defaultjobrepo%$'\n'}|g" $CONFIG_FILE
+}
+
+# Arguments:
+# $1 - default job repository name
+function inject_default_job_repository() {
+  defaultjobrepo="     <default-job-repository name=\"${1}\"/>"
+
+  sed -i "s|<!-- ##DEFAULT_JOB_REPOSITORY## -->|${defaultjobrepo%$'\n'}|" $CONFIG_FILE
+}
+
+function inject_job_repository() {
+  jobrepo="     <job-repository name=\"${1}\">\
+      <jdbc data-source=\"${1}\"/>\
+    </job-repository>\
+    <!-- ##JOB_REPOSITORY## -->"
+
+  sed -i "s|<!-- ##JOB_REPOSITORY## -->|${jobrepo%$'\n'}|" $CONFIG_FILE
+}
diff --git a/os-sso73/added/launch/keycloak-server-notruststore.json b/os-sso73/added/launch/keycloak-server-notruststore.json
new file mode 100644
index 00000000..b2b22d4d
--- /dev/null
+++ b/os-sso73/added/launch/keycloak-server-notruststore.json
@@ -0,0 +1,71 @@
+{
+    "admin": {
+        "realm": "master"
+    },
+
+    "eventsStore": {
+        "provider": "jpa",
+        "jpa": {
+            "exclude-events": [ "REFRESH_TOKEN" ]
+        }
+    },
+
+    "realm": {
+        "provider": "jpa"
+    },
+
+    "user": {
+        "provider": "jpa"
+    },
+
+    "userCache": {
+        "default" : {
+            "enabled": true
+        }    
+    },
+
+    "userSessionPersister": {
+        "provider": "jpa"
+    },
+
+    "timer": {
+        "provider": "basic"
+    },
+
+    "theme": {
+        "staticMaxAge": 2592000,
+        "cacheTemplates": true,
+        "cacheThemes": true,
+        "folder": {
+          "dir": "${jboss.home.dir}/themes"
+        }
+    },
+
+    "scheduled": {
+        "interval": 900
+    },
+             
+    "connectionsHttpClient": {
+        "default": {}
+    },
+
+    "connectionsJpa": {
+        "default": {
+            "dataSource": "java:jboss/datasources/KeycloakDS",
+            "databaseSchema": "update"
+        }
+    },
+
+    "realmCache": {
+        "default" : {
+            "enabled": true
+        }
+    },
+
+    "connectionsInfinispan": {
+        "provider": "default",
+        "default": {
+            "cacheContainer" : "java:comp/env/infinispan/Keycloak"
+        }
+    }
+}
diff --git a/os-sso73/added/launch/keycloak-spi.sh b/os-sso73/added/launch/keycloak-spi.sh
new file mode 100755
index 00000000..5ef0ee23
--- /dev/null
+++ b/os-sso73/added/launch/keycloak-spi.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+function prepareEnv() {
+  unset SSO_TRUSTSTORE
+  unset SSO_TRUSTSTORE_DIR
+  unset SSO_TRUSTSTORE_PASSWORD
+}
+
+function configure() {
+  add_truststore
+}
+
+function add_truststore() {
+  
+  if [ -n "$SSO_TRUSTSTORE" ] && [ -n "$SSO_TRUSTSTORE_DIR" ] && [ -n "$SSO_TRUSTSTORE_PASSWORD" ]; then
+
+    local truststore="<spi name=\"truststore\"><provider name=\"file\" enabled=\"true\"><properties><property name=\"file\" value=\"${SSO_TRUSTSTORE_DIR}/${SSO_TRUSTSTORE}\"/><property name=\"password\" value=\"${SSO_TRUSTSTORE_PASSWORD}\"/><property name=\"hostname-verification-policy\" value=\"WILDCARD\"/><property name=\"disabled\" value=\"false\"/></properties></provider></spi>"
+
+    sed -i "s|<!-- ##SSO_TRUSTSTORE## -->|${truststore}|" "${CONFIG_FILE}"
+
+  fi
+}
+
diff --git a/os-sso73/added/launch/openshift-common.sh b/os-sso73/added/launch/openshift-common.sh
new file mode 100755
index 00000000..f0bed859
--- /dev/null
+++ b/os-sso73/added/launch/openshift-common.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+# Openshift EAP launch script
+
+if [ "${SCRIPT_DEBUG}" = "true" ] ; then
+    set -x
+    echo "Script debugging is enabled, allowing bash commands and their arguments to be printed as they are executed"
+fi
+
+CONFIG_FILE=$JBOSS_HOME/standalone/configuration/standalone-openshift.xml
+LOGGING_FILE=$JBOSS_HOME/standalone/configuration/logging.properties
+
+#For backward compatibility
+ADMIN_USERNAME=${ADMIN_USERNAME:-${EAP_ADMIN_USERNAME:-$DEFAULT_ADMIN_USERNAME}}
+ADMIN_PASSWORD=${ADMIN_PASSWORD:-$EAP_ADMIN_PASSWORD}
+NODE_NAME=${NODE_NAME:-$EAP_NODE_NAME}
+HTTPS_NAME=${HTTPS_NAME:-$EAP_HTTPS_NAME}
+HTTPS_PASSWORD=${HTTPS_PASSWORD:-$EAP_HTTPS_PASSWORD}
+HTTPS_KEYSTORE_DIR=${HTTPS_KEYSTORE_DIR:-$EAP_HTTPS_KEYSTORE_DIR}
+HTTPS_KEYSTORE=${HTTPS_KEYSTORE:-$EAP_HTTPS_KEYSTORE}
+SECDOMAIN_USERS_PROPERTIES=${SECDOMAIN_USERS_PROPERTIES:-${EAP_SECDOMAIN_USERS_PROPERTIES:-users.properties}}
+SECDOMAIN_ROLES_PROPERTIES=${SECDOMAIN_ROLES_PROPERTIES:-${EAP_SECDOMAIN_ROLES_PROPERTIES:-roles.properties}}
+SECDOMAIN_NAME=${SECDOMAIN_NAME:-$EAP_SECDOMAIN_NAME}
+SECDOMAIN_PASSWORD_STACKING=${SECDOMAIN_PASSWORD_STACKING:-$EAP_SECDOMAIN_PASSWORD_STACKING}
+
+IMPORT_REALM_FILE=$JBOSS_HOME/standalone/configuration/import-realm.json
+
+CONFIGURE_SCRIPTS=(
+  $JBOSS_HOME/bin/launch/configure_extensions.sh
+  $JBOSS_HOME/bin/launch/passwd.sh
+  $JBOSS_HOME/bin/launch/datasource.sh
+  $JBOSS_HOME/bin/launch/resource-adapter.sh
+  $JBOSS_HOME/bin/launch/admin.sh
+  $JBOSS_HOME/bin/launch/ha.sh
+  $JBOSS_HOME/bin/launch/openshift-x509.sh
+  $JBOSS_HOME/bin/launch/jgroups.sh
+  $JBOSS_HOME/bin/launch/https.sh
+  $JBOSS_HOME/bin/launch/json_logging.sh
+  $JBOSS_HOME/bin/launch/security-domains.sh
+  $JBOSS_HOME/bin/launch/jboss_modules_system_pkgs.sh
+  $JBOSS_HOME/bin/launch/deploymentScanner.sh
+  $JBOSS_HOME/bin/launch/ports.sh
+  $JBOSS_HOME/bin/launch/access_log_valve.sh
+  $JBOSS_HOME/bin/launch/add-sso-admin-user.sh
+  $JBOSS_HOME/bin/launch/add-sso-realm.sh
+  $JBOSS_HOME/bin/launch/keycloak-spi.sh
+  $JBOSS_HOME/bin/launch/access_log_valve.sh
+  /opt/run-java/proxy-options
+)
diff --git a/os-sso73/added/launch/openshift-x509.sh b/os-sso73/added/launch/openshift-x509.sh
new file mode 100755
index 00000000..d56b7abb
--- /dev/null
+++ b/os-sso73/added/launch/openshift-x509.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+# Import logging module
+source $JBOSS_HOME/bin/launch/logging.sh
+
+function prepareEnv() {
+  unset X509_CA_BUNDLE
+}
+
+function configure() {
+  autogenerate_keystores
+}
+
+function autogenerate_keystores() {
+  # Keystore infix notation as used in templates to keystore name mapping
+  declare -A KEYSTORES=( ["https"]="HTTPS" ["jgroups"]="JGroups" )
+
+  # CLOUD-2436 Don't generate the JGroups keystore if custom
+  # JGROUPS_ENCRYPT_SECRET was provided
+  if [ -n "${JGROUPS_ENCRYPT_SECRET}" ]; then
+    unset KEYSTORES["jgroups"]
+  fi
+
+  local KEYSTORES_STORAGE="${JBOSS_HOME}/keystores"
+  if [ ! -d "${KEYSTORES_STORAGE}" ]; then
+    mkdir -p "${KEYSTORES_STORAGE}"
+  fi
+
+  # Auto-generate the HTTPS and JGroups keystores if volumes for OpenShift's
+  # serving x509 certificate secrets service were properly mounted
+  for KEYSTORE_TYPE in "${!KEYSTORES[@]}"; do
+
+    local X509_KEYSTORE_DIR="/etc/x509/${KEYSTORE_TYPE}"
+    local X509_CRT="tls.crt"
+    local X509_KEY="tls.key"
+    local NAME="rh-sso-${KEYSTORE_TYPE}-key"
+    local PASSWORD=$(openssl rand -base64 32)
+    local JKS_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.jks"
+    local PKCS12_KEYSTORE_FILE="${KEYSTORE_TYPE}-keystore.pk12"
+
+    if [ -d "${X509_KEYSTORE_DIR}" ]; then
+
+      log_info "Creating ${KEYSTORES[$KEYSTORE_TYPE]} keystore via OpenShift's service serving x509 certificate secrets.."
+
+      openssl pkcs12 -export \
+      -name "${NAME}" \
+      -inkey "${X509_KEYSTORE_DIR}/${X509_KEY}" \
+      -in "${X509_KEYSTORE_DIR}/${X509_CRT}" \
+      -out "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \
+      -password pass:"${PASSWORD}" >& /dev/null
+
+      keytool -importkeystore -noprompt \
+      -srcalias "${NAME}" -destalias "${NAME}" \
+      -srckeystore "${KEYSTORES_STORAGE}/${PKCS12_KEYSTORE_FILE}" \
+      -srcstoretype pkcs12 \
+      -destkeystore "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" \
+      -storepass "${PASSWORD}" -srcstorepass "${PASSWORD}" >& /dev/null
+
+      if [ -f "${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}" ]; then
+        log_info "${KEYSTORES[$KEYSTORE_TYPE]} keystore successfully created at: ${KEYSTORES_STORAGE}/${JKS_KEYSTORE_FILE}"
+      fi
+
+      # Propagate values of NAME, PASSWORD, KEYSTORES_STORAGE, and JKS_KEYSTORE_FILE variables
+      # to appropriate variables used by subsequent modules depending on KEYSTORE_TYPE
+      # (IOW either set HTTPS_ or JGROUPS_ENCRYPT_ variables)
+      [ "${KEYSTORE_TYPE}" == "https" ] && HTTPS_NAME="${NAME}" || JGROUPS_ENCRYPT_NAME="${NAME}"
+      [ "${KEYSTORE_TYPE}" == "https" ] && HTTPS_PASSWORD="${PASSWORD}" || JGROUPS_ENCRYPT_PASSWORD="${PASSWORD}"
+      [ "${KEYSTORE_TYPE}" == "https" ] && HTTPS_KEYSTORE_DIR="${KEYSTORES_STORAGE}" || JGROUPS_ENCRYPT_KEYSTORE_DIR="${KEYSTORES_STORAGE}"
+      [ "${KEYSTORE_TYPE}" == "https" ] && HTTPS_KEYSTORE="${JKS_KEYSTORE_FILE}" || JGROUPS_ENCRYPT_KEYSTORE="${JKS_KEYSTORE_FILE}"
+
+    fi
+
+  done
+
+  # Auto-generate the RH-SSO truststore if X509_CA_BUNDLE was provided
+  local -r X509_CRT_DELIMITER="/-----BEGIN CERTIFICATE-----/"
+  local JKS_TRUSTSTORE_FILE="truststore.jks"
+  local JKS_TRUSTSTORE_PATH="${KEYSTORES_STORAGE}/${JKS_TRUSTSTORE_FILE}"
+  local PASSWORD=$(openssl rand -base64 32)
+  if [ -n "${X509_CA_BUNDLE}" ]; then
+    log_info "Creating RH-SSO truststore.."
+    csplit -s -z -f crt- "${X509_CA_BUNDLE}" "${X509_CRT_DELIMITER}" '{*}'
+    for CERT_FILE in crt-*; do
+      keytool -import -noprompt -keystore "${JKS_TRUSTSTORE_PATH}" -file "${CERT_FILE}" \
+      -storepass "${PASSWORD}" -alias "service-${CERT_FILE}" >& /dev/null
+    done
+
+    if [ -f "${JKS_TRUSTSTORE_PATH}" ]; then
+      log_info "RH-SSO truststore successfully created at: ${JKS_TRUSTSTORE_PATH}"
+    fi
+
+    # Import existing system CA certificates into the newly generated truststore
+    local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts")
+    if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then
+      log_info "Importing certificates from system's Java CA certificate bundle into RH-SSO truststore.."
+      keytool -importkeystore -noprompt \
+      -srckeystore "${SYSTEM_CACERTS}" \
+      -destkeystore "${JKS_TRUSTSTORE_PATH}" \
+      -srcstoretype jks -deststoretype jks \
+      -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null
+      if [ "$?" -eq "0" ]; then
+        log_info "Successfully imported certificates from system's Java CA certificate bundle into RH-SSO truststore at: ${JKS_TRUSTSTORE_PATH}"
+      else
+        log_error "Failed to import certificates from system's Java CA certificate bundle into RH-SSO truststore!"
+      fi
+    fi
+
+    # Propagate the trustore related variables to subsequent modules
+    SSO_TRUSTSTORE_PASSWORD="${PASSWORD}"
+    SSO_TRUSTSTORE_DIR="${KEYSTORES_STORAGE}"
+    SSO_TRUSTSTORE="${JKS_TRUSTSTORE_FILE}"
+  fi
+}
diff --git a/os-sso73/added/openshift-launch.sh b/os-sso73/added/openshift-launch.sh
new file mode 100755
index 00000000..cc8db872
--- /dev/null
+++ b/os-sso73/added/openshift-launch.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+# Openshift EAP launch script
+
+source ${JBOSS_HOME}/bin/launch/openshift-common.sh
+source $JBOSS_HOME/bin/launch/logging.sh
+
+# TERM signal handler
+function clean_shutdown() {
+  log_error "*** JBossAS wrapper process ($$) received TERM signal ***"
+  $JBOSS_HOME/bin/jboss-cli.sh -c ":shutdown(timeout=60)"
+  wait $!
+}
+
+function runServer() {
+  local instanceDir=$1
+  local count=$2
+  export NODE_NAME="${NODE_NAME:-node}-${count}"
+
+  source $JBOSS_HOME/bin/launch/configure.sh
+
+  log_info "Running $JBOSS_IMAGE_NAME image, version $JBOSS_IMAGE_VERSION"
+
+  trap "clean_shutdown" TERM
+
+  if [ -n "$SSO_IMPORT_FILE" ] && [ -f $SSO_IMPORT_FILE ]; then
+    $JBOSS_HOME/bin/standalone.sh -c standalone-openshift.xml -bmanagement 127.0.0.1 $JBOSS_HA_ARGS -Djboss.server.data.dir="$instanceDir" ${JBOSS_MESSAGING_ARGS} -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=${SSO_IMPORT_FILE} -Dkeycloak.migration.strategy=IGNORE_EXISTING ${JAVA_PROXY_OPTIONS} &
+  else
+    $JBOSS_HOME/bin/standalone.sh -c standalone-openshift.xml -bmanagement 127.0.0.1 $JBOSS_HA_ARGS -Djboss.server.data.dir="$instanceDir" ${JBOSS_MESSAGING_ARGS} ${JAVA_PROXY_OPTIONS} &
+  fi
+
+  PID=$!
+  wait $PID 2>/dev/null
+  wait $PID 2>/dev/null
+}
+
+function init_data_dir() {
+  local DATA_DIR="$1"
+  if [ -d "${JBOSS_HOME}/standalone/data" ]; then
+    cp -rf ${JBOSS_HOME}/standalone/data/* $DATA_DIR
+  fi
+}
+
+if [ "${SPLIT_DATA^^}" = "TRUE" ]; then
+  source /opt/partition/partitionPV.sh
+
+  DATA_DIR="${JBOSS_HOME}/standalone/partitioned_data"
+
+  partitionPV "${DATA_DIR}" "${SPLIT_LOCK_TIMEOUT:-30}"
+else
+  source $JBOSS_HOME/bin/launch/configure.sh
+
+  log_info "Running $JBOSS_IMAGE_NAME image, version $JBOSS_IMAGE_VERSION"
+
+  trap "clean_shutdown" TERM
+
+  if [ -n "$CLI_GRACEFUL_SHUTDOWN" ] ; then
+    trap "" TERM
+    log_info "Using CLI Graceful Shutdown instead of TERM signal"
+  fi
+
+  if [ -n "$SSO_IMPORT_FILE" ] && [ -f $SSO_IMPORT_FILE ]; then
+    $JBOSS_HOME/bin/standalone.sh -c standalone-openshift.xml -bmanagement 127.0.0.1 $JBOSS_HA_ARGS ${JBOSS_MESSAGING_ARGS} -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=${SSO_IMPORT_FILE} -Dkeycloak.migration.strategy=IGNORE_EXISTING ${JAVA_PROXY_OPTIONS} &
+  else
+    $JBOSS_HOME/bin/standalone.sh -c standalone-openshift.xml -bmanagement 127.0.0.1 $JBOSS_HA_ARGS ${JBOSS_MESSAGING_ARGS} ${JAVA_PROXY_OPTIONS} &
+  fi
+
+  PID=$!
+  wait $PID 2>/dev/null
+  wait $PID 2>/dev/null
+fi
diff --git a/os-sso73/added/openshift-migrate.sh b/os-sso73/added/openshift-migrate.sh
new file mode 100755
index 00000000..2e23348e
--- /dev/null
+++ b/os-sso73/added/openshift-migrate.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Openshift SSO migration script
+
+RECOVERY_TIMEOUT=${RECOVERY_TIMEOUT:-360}
+RECOVERY_PAUSE=${RECOVERY_PAUSE:-10}
+
+source ${JBOSS_HOME}/bin/launch/openshift-migrate-common.sh
diff --git a/os-sso73/added/standalone-openshift.xml b/os-sso73/added/standalone-openshift.xml
new file mode 100644
index 00000000..2d18c473
--- /dev/null
+++ b/os-sso73/added/standalone-openshift.xml
@@ -0,0 +1,651 @@
+<?xml version='1.0' encoding='UTF-8'?>
+
+<server xmlns="urn:jboss:domain:5.0">
+    <extensions>
+        <extension module="org.jboss.as.clustering.infinispan"/>
+        <extension module="org.jboss.as.clustering.jgroups"/>
+        <extension module="org.jboss.as.connector"/>
+        <extension module="org.jboss.as.deployment-scanner"/>
+        <extension module="org.jboss.as.ee"/>
+        <extension module="org.jboss.as.ejb3"/>
+        <extension module="org.jboss.as.jaxrs"/>
+        <extension module="org.jboss.as.jmx"/>
+        <extension module="org.jboss.as.jpa"/>
+        <extension module="org.jboss.as.logging"/>
+        <extension module="org.jboss.as.mail"/>
+        <extension module="org.jboss.as.modcluster"/>
+        <extension module="org.jboss.as.naming"/>
+        <extension module="org.jboss.as.remoting"/>
+        <extension module="org.jboss.as.security"/>
+        <extension module="org.jboss.as.transactions"/>
+        <extension module="org.keycloak.keycloak-server-subsystem"/>
+        <extension module="org.wildfly.extension.bean-validation"/>
+        <extension module="org.wildfly.extension.elytron"/>
+        <extension module="org.wildfly.extension.io"/>
+        <extension module="org.wildfly.extension.request-controller"/>
+        <extension module="org.wildfly.extension.security.manager"/>
+        <extension module="org.wildfly.extension.undertow"/>
+    </extensions>
+    <management>
+        <security-realms>
+            <security-realm name="ManagementRealm">
+                <authentication>
+                    <local default-user="$local" skip-group-loading="true"/>
+                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
+                </authentication>
+                <authorization map-groups-to-roles="false">
+                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </authorization>
+            </security-realm>
+            <security-realm name="ApplicationRealm">
+                <authentication>
+                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
+                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
+                </authentication>
+                <authorization>
+                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </authorization>
+                <!-- ##SSL## -->
+            </security-realm>
+        </security-realms>
+        <audit-log>
+            <formatters>
+                <json-formatter name="json-formatter"/>
+            </formatters>
+            <handlers>
+                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
+            </handlers>
+            <logger log-boot="true" log-read-only="false" enabled="false">
+                <handlers>
+                    <handler name="file"/>
+                </handlers>
+            </logger>
+        </audit-log>
+        <management-interfaces>
+            <http-interface console-enabled="false"><!-- ##MGMT_IFACE_REALM## -->
+                <http-upgrade enabled="true"/>
+                <socket-binding http="management-http"/>
+            </http-interface>
+        </management-interfaces>
+        <access-control provider="simple">
+            <role-mapping>
+                <role name="SuperUser">
+                    <include>
+                        <user name="$local"/>
+                    </include>
+                </role>
+            </role-mapping>
+        </access-control>
+    </management>
+    <profile>
+        <subsystem xmlns="urn:jboss:domain:logging:3.0">
+            <console-handler name="CONSOLE">
+                <formatter>
+                    <named-formatter name="##CONSOLE-FORMATTER##"/>
+                </formatter>
+            </console-handler>
+            <logger category="com.arjuna">
+                <level name="WARN"/>
+            </logger>
+            <logger category="org.jboss.as.config">
+                <level name="DEBUG"/>
+            </logger>
+            <logger category="sun.rmi">
+                <level name="WARN"/>
+            </logger>
+            <root-logger>
+                <level name="INFO"/>
+                <handlers>
+                    <handler name="CONSOLE"/>
+                </handlers>
+            </root-logger>
+            <formatter name="OPENSHIFT">
+                <custom-formatter module="org.jboss.logmanager.ext" class="org.jboss.logmanager.ext.formatters.LogstashFormatter">
+                    <properties>
+                        <property name="metaData" value="log-handler=CONSOLE"/>
+                    </properties>
+                </custom-formatter>
+            </formatter>
+            <formatter name="COLOR-PATTERN">
+                <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
+            </formatter>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:datasources:5.0">
+            <datasources>
+                <!-- ##DATASOURCES## -->
+                <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
+                    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
+                    <driver>h2</driver>
+                    <security>
+                        <user-name>sa</user-name>
+                        <password>sa</password>
+                    </security>
+                </datasource>
+                <drivers>
+                    <driver name="h2" module="com.h2database.h2">
+                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
+                    </driver>
+                    <driver name="mysql" module="com.mysql">
+                        <xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasource-class>
+                    </driver>
+                    <driver name="postgresql" module="org.postgresql">
+                        <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
+                    </driver>
+                    <!-- ##DRIVERS## -->
+                </drivers>
+            </datasources>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
+            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}" auto-deploy-exploded="##AUTO_DEPLOY_EXPLODED##"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ee:4.0">
+            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
+            <concurrent>
+                <context-services>
+                    <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
+                </context-services>
+                <managed-thread-factories>
+                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
+                </managed-thread-factories>
+                <managed-executor-services>
+                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-threshold="60000" keepalive-time="5000"/>
+                </managed-executor-services>
+                <managed-scheduled-executor-services>
+                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-threshold="60000" keepalive-time="3000"/>
+                </managed-scheduled-executor-services>
+            </concurrent>
+            <default-bindings context-service="java:jboss/ee/concurrency/context/default"
+                              datasource="##DEFAULT_DATASOURCE##"
+                              jms-connection-factory="java:jboss/DefaultJMSConnectionFactory"
+                              managed-executor-service="java:jboss/ee/concurrency/executor/default"
+                              managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default"
+                              managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:ejb3:5.0">
+            <session-bean>
+                <stateless>
+                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
+                </stateless>
+                <stateful default-access-timeout="5000" cache-ref="distributable" passivation-disabled-cache-ref="simple"/>
+                <singleton default-access-timeout="5000"/>
+            </session-bean>
+            <pools>
+                <bean-instance-pools>
+                    <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                    <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
+                </bean-instance-pools>
+            </pools>
+            <caches>
+                <cache name="simple"/>
+                <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
+            </caches>
+            <passivation-stores>
+                <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
+            </passivation-stores>
+            <async thread-pool-name="default"/>
+            <timer-service thread-pool-name="default" default-data-store="default-file-store">
+                <data-stores>
+                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
+                </data-stores>
+            </timer-service>
+            <remote connector-ref="http-remoting-connector" thread-pool-name="default">
+                <channel-creation-options>
+                    <option name="READ_TIMEOUT" value="${prop.remoting-connector.read.timeout:20}" type="xnio"/>
+                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
+                </channel-creation-options>
+            </remote>
+            <thread-pools>
+                <thread-pool name="default">
+                    <max-threads count="10"/>
+                    <keepalive-time time="100" unit="milliseconds"/>
+                </thread-pool>
+            </thread-pools>
+            <default-security-domain value="other"/>
+            <default-missing-method-permissions-deny-access value="true"/>
+            <log-system-exceptions value="true"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:io:2.0">
+            <worker name="default"/>
+            <buffer-pool name="default"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:infinispan:4.0">
+            <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
+                <transport lock-timeout="60000"/>
+                <local-cache name="realms">
+                    <eviction max-entries="10000" strategy="LRU"/>
+                </local-cache>
+                <local-cache name="users">
+                    <eviction max-entries="10000" strategy="LRU"/>
+                </local-cache>
+                <distributed-cache name="sessions" mode="SYNC" owners="1"/>
+                <distributed-cache name="authenticationSessions" mode="SYNC" owners="1"/>
+                <distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
+                <distributed-cache name="clientSessions" mode="SYNC" owners="1"/>
+                <distributed-cache name="offlineClientSessions" mode="SYNC" owners="1"/>
+                <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
+                <local-cache name="authorization">
+                    <eviction max-entries="10000" strategy="LRU"/>
+                </local-cache>
+                <replicated-cache name="work" mode="SYNC"/>
+                <local-cache name="keys">
+                    <eviction max-entries="1000" strategy="LRU"/>
+                    <expiration max-idle="3600000"/>
+                </local-cache>
+                <distributed-cache name="actionTokens" mode="SYNC" owners="2">
+                    <eviction max-entries="-1" strategy="NONE"/>
+                    <expiration max-idle="-1" interval="300000"/>
+                </distributed-cache>
+            </cache-container>
+            <cache-container name="server" aliases="singleton cluster" default-cache="default" module="org.wildfly.clustering.server">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="default" mode="SYNC">
+                    <transaction mode="BATCH"/>
+                </replicated-cache>
+            </cache-container>
+            <cache-container name="web" default-cache="repl" module="org.wildfly.clustering.web.infinispan">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="repl" mode="ASYNC">
+                    <transaction mode="BATCH"/>
+                    <file-store/>
+                </replicated-cache>
+                <distributed-cache name="dist">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store/>
+                </distributed-cache>
+            </cache-container>
+            <cache-container name="ejb" aliases="sfsb" default-cache="repl" module="org.wildfly.clustering.ejb.infinispan">
+                <transport lock-timeout="60000"/>
+                <replicated-cache name="repl" mode="ASYNC">
+                    <eviction strategy="LRU" max-entries="10000"/>
+                    <transaction mode="BATCH"/>
+                    <file-store/>
+                </replicated-cache>
+                <distributed-cache name="dist">
+                    <locking isolation="REPEATABLE_READ"/>
+                    <transaction mode="BATCH"/>
+                    <file-store/>
+                </distributed-cache>
+            </cache-container>
+            <cache-container name="hibernate" default-cache="local-query" module="org.hibernate.infinispan">
+                <transport lock-timeout="60000"/>
+                <local-cache name="local-query">
+                    <eviction strategy="LRU" max-entries="10000"/>
+                    <expiration max-idle="100000"/>
+                </local-cache>
+                <invalidation-cache name="entity">
+                    <transaction mode="NON_XA"/>
+                    <eviction strategy="LRU" max-entries="10000"/>
+                    <expiration max-idle="100000"/>
+                </invalidation-cache>
+                <replicated-cache name="timestamps" mode="ASYNC"/>
+            </cache-container>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:jca:5.0">
+            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
+            <bean-validation enabled="true"/>
+            <default-workmanager>
+                <short-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </short-running-threads>
+                <long-running-threads>
+                    <core-threads count="50"/>
+                    <queue-length count="50"/>
+                    <max-threads count="50"/>
+                    <keepalive-time time="10" unit="seconds"/>
+                </long-running-threads>
+            </default-workmanager>
+            <cached-connection-manager/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jgroups:5.0">
+            <channels default="ee">
+                <channel name="ee" stack="tcp" cluster="ejb"/>
+            </channels>
+            <stacks>
+                <stack name="udp">
+                    <transport type="UDP" socket-binding="jgroups-udp"/>
+                    <!-- ##JGROUPS_PING_PROTOCOL## -->
+                    <protocol type="MERGE3"/>
+                    <protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
+                    <protocol type="FD_ALL"/>
+                    <protocol type="VERIFY_SUSPECT"/>
+                    <!-- ##JGROUPS_ENCRYPT## -->
+                    <protocol type="pbcast.NAKACK2"/>
+                    <protocol type="UNICAST3"/>
+                    <protocol type="pbcast.STABLE"/>
+                    <!-- ##JGROUPS_AUTH## -->
+                    <protocol type="pbcast.GMS"/>
+                    <protocol type="UFC"/>
+                    <protocol type="MFC"/>
+                    <protocol type="FRAG2"/>
+                </stack>
+                <stack name="tcp">
+                    <transport type="TCP" socket-binding="jgroups-tcp"/>
+                    <!-- ##JGROUPS_PING_PROTOCOL## -->
+                    <protocol type="MERGE3"/>
+                    <protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
+                    <protocol type="FD_ALL"/>
+                    <protocol type="VERIFY_SUSPECT"/>
+                    <!-- ##JGROUPS_ENCRYPT## -->
+                    <protocol type="pbcast.NAKACK2"/>
+                    <protocol type="UNICAST3"/>
+                    <protocol type="pbcast.STABLE"/>
+                    <!-- ##JGROUPS_AUTH## -->
+                    <protocol type="pbcast.GMS"/>
+                    <protocol type="MFC"/>
+                    <protocol type="FRAG2"/>
+                </stack>
+            </stacks>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
+            <expose-resolved-model/>
+            <expose-expression-model/>
+            <remoting-connector/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
+            <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:mail:3.0">
+            <mail-session name="default" jndi-name="java:jboss/mail/Default">
+                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
+            </mail-session>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:modcluster:3.0">
+            <mod-cluster-config advertise-socket="modcluster" connector="ajp">
+                <dynamic-load-provider>
+                    <load-metric type="cpu"/>
+                </dynamic-load-provider>
+            </mod-cluster-config>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:naming:2.0">
+            <remote-naming/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
+            <endpoint/>
+            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:resource-adapters:4.0">
+            <resource-adapters>
+                <!-- ##RESOURCE_ADAPTERS## -->
+            </resource-adapters>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
+        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
+            <deployment-permissions>
+                <maximum-set>
+                    <permission class="java.security.AllPermission"/>
+                </maximum-set>
+            </deployment-permissions>
+        </subsystem>
+        <subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
+            <providers>
+                <aggregate-providers name="combined-providers">
+                    <providers name="elytron"/>
+                    <providers name="openssl"/>
+                </aggregate-providers>
+                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
+                <provider-loader name="openssl" module="org.wildfly.openssl"/>
+            </providers>
+            <audit-logging>
+                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
+            </audit-logging>
+            <security-domains>
+                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local"/>
+                </security-domain>
+                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
+                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
+                    <realm name="local" role-mapper="super-user-mapper"/>
+                </security-domain>
+            </security-domains>
+            <security-realms>
+                <identity-realm name="local" identity="$local"/>
+                <properties-realm name="ApplicationRealm">
+                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
+                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+                <properties-realm name="ManagementRealm">
+                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
+                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
+                </properties-realm>
+            </security-realms>
+            <mappers>
+                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
+                    <permission-mapping>
+                        <principal name="anonymous"/>
+                        <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
+                        <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
+                        <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                    </permission-mapping>
+                    <permission-mapping match-all="true">
+                        <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
+                        <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
+                        <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
+                        <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
+                    </permission-mapping>
+                </simple-permission-mapper>
+                <constant-realm-mapper name="local" realm-name="local"/>
+                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
+                <constant-role-mapper name="super-user-mapper">
+                    <role name="SuperUser"/>
+                </constant-role-mapper>
+            </mappers>
+            <http>
+                <http-authentication-factory name="management-http-authentication" http-server-mechanism-factory="global" security-domain="ManagementDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="DIGEST">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="BASIC">
+                            <mechanism-realm realm-name="Application Realm"/>
+                        </mechanism>
+                        <mechanism mechanism-name="FORM"/>
+                    </mechanism-configuration>
+                </http-authentication-factory>
+                <provider-http-server-mechanism-factory name="global"/>
+            </http>
+            <sasl>
+                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ManagementRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
+                    <mechanism-configuration>
+                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
+                        <mechanism mechanism-name="DIGEST-MD5">
+                            <mechanism-realm realm-name="ApplicationRealm"/>
+                        </mechanism>
+                    </mechanism-configuration>
+                </sasl-authentication-factory>
+                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
+                    <properties>
+                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
+                    </properties>
+                </configurable-sasl-server-factory>
+                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
+                    <filters>
+                        <filter provider-name="WildFlyElytron"/>
+                    </filters>
+                </mechanism-provider-filtering-sasl-server-factory>
+                <provider-sasl-server-factory name="global"/>
+            </sasl>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:security:2.0">
+            <security-domains>
+                <security-domain name="other" cache-type="default">
+                    <authentication>
+                        <login-module code="Remoting" flag="optional">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                        <login-module code="RealmDirect" flag="required">
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                        <!-- ##OTHER_LOGIN_MODULES## -->
+                    </authentication>
+                </security-domain>
+                <security-domain name="jboss-web-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+                <security-domain name="jboss-ejb-policy" cache-type="default">
+                    <authorization>
+                        <policy-module code="Delegating" flag="required"/>
+                    </authorization>
+                </security-domain>
+                <security-domain name="jaspitest" cache-type="default">
+                    <authentication-jaspi>
+                        <login-module-stack name="dummy">
+                            <login-module code="Dummy" flag="optional"/>
+                        </login-module-stack>
+                        <auth-module code="Dummy"/>
+                    </authentication-jaspi>
+                </security-domain>
+                <!-- ##ADDITIONAL_SECURITY_DOMAINS## -->
+            </security-domains>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:transactions:4.0">
+            <core-environment node-identifier="${jboss.node.name}">
+                <process-id>
+                    <uuid/>
+                </process-id>
+            </core-environment>
+            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager" recovery-listener="true"/>
+            <!-- ##JDBC_STORE## -->
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:undertow:4.0">
+            <buffer-cache name="default"/>
+            <server name="default-server">
+                <ajp-listener name="ajp" socket-binding="ajp"/>
+                <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" enable-http2="true" proxy-address-forwarding="true"/>
+                <!-- ##HTTPS_CONNECTOR## -->
+                <host name="default-host" alias="localhost">
+                    <location name="/" handler="sso-welcome-content"/>
+                    <!-- ##ACCESS_LOG_VALVE## -->
+                    <http-invoker security-realm="ApplicationRealm"/>
+                </host>
+            </server>
+            <servlet-container name="default">
+                <jsp-config/>
+                <websockets/>
+            </servlet-container>
+            <handlers>
+                <file name="sso-welcome-content" path="${jboss.home.dir}/root-app-redirect"/>
+            </handlers>
+        </subsystem>
+        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
+            <web-context>auth</web-context>
+            <providers>
+                <provider>classpath:${jboss.home.dir}/providers/*</provider>
+            </providers>
+            <master-realm-name>master</master-realm-name>
+            <scheduled-task-interval>900</scheduled-task-interval>
+            <theme>
+                <staticMaxAge>2592000</staticMaxAge>
+                <cacheThemes>true</cacheThemes>
+                <cacheTemplates>true</cacheTemplates>
+                <dir>${jboss.home.dir}/themes</dir>
+            </theme>
+            <spi name="eventsStore">
+                <provider name="jpa" enabled="true">
+                    <properties>
+                        <property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="userCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="userSessionPersister">
+                <default-provider>jpa</default-provider>
+            </spi>
+            <spi name="timer">
+                <default-provider>basic</default-provider>
+            </spi>
+            <spi name="connectionsHttpClient">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsJpa">
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
+                        <property name="initializeEmpty" value="true"/>
+                        <property name="migrationStrategy" value="update"/>
+                        <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="realmCache">
+                <provider name="default" enabled="true"/>
+            </spi>
+            <spi name="connectionsInfinispan">
+                <default-provider>default</default-provider>
+                <provider name="default" enabled="true">
+                    <properties>
+                        <property name="cacheContainer" value="java:comp/env/infinispan/Keycloak"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="jta-lookup">
+                <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
+                <provider name="jboss" enabled="true"/>
+            </spi>
+            <spi name="publicKeyStorage">
+                <provider name="infinispan" enabled="true">
+                    <properties>
+                        <property name="minTimeBetweenRequests" value="10"/>
+                    </properties>
+                </provider>
+            </spi>
+            <spi name="x509cert-lookup">
+                <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
+                <provider name="default" enabled="true"/>
+            </spi>
+            <!-- ##SSO_TRUSTSTORE## -->
+        </subsystem>
+    </profile>
+    <interfaces>
+        <interface name="management">
+            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
+        </interface>
+        <interface name="public">
+            <nic name="eth0"/>
+        </interface>
+        <interface name="private">
+            <inet-address value="${jboss.bind.address.private:127.0.0.1}"/>
+        </interface>
+    </interfaces>
+    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
+        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
+        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
+        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
+        <socket-binding name="http" port="${jboss.http.port:8080}"/>
+        <socket-binding name="https" port="${jboss.https.port:8443}"/>
+        <socket-binding name="proxy-https" port="443"/>
+        <socket-binding name="jgroups-mping" interface="private" port="0" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
+        <socket-binding name="jgroups-tcp" interface="private" port="7600"/>
+        <socket-binding name="jgroups-tcp-fd" interface="private" port="57600"/>
+        <socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
+        <socket-binding name="jgroups-udp-fd" interface="private" port="54200"/>
+        <socket-binding name="modcluster" port="0" multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}" multicast-port="23364"/>
+        <socket-binding name="txn-recovery-environment" port="4712"/>
+        <socket-binding name="txn-status-manager" port="4713"/>
+        <outbound-socket-binding name="mail-smtp">
+            <remote-destination host="localhost" port="25"/>
+        </outbound-socket-binding>
+    </socket-binding-group>
+</server>
diff --git a/os-sso73/configure.sh b/os-sso73/configure.sh
new file mode 100755
index 00000000..fdea9106
--- /dev/null
+++ b/os-sso73/configure.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -e
+
+SCRIPT_DIR=$(dirname $0)
+ADDED_DIR=${SCRIPT_DIR}/added
+
+cp ${ADDED_DIR}/standalone-openshift.xml $JBOSS_HOME/standalone/configuration
+cp ${ADDED_DIR}/import-realm.json $JBOSS_HOME/standalone/configuration
+cp ${ADDED_DIR}/openshift-launch.sh ${ADDED_DIR}/openshift-migrate.sh $JBOSS_HOME/bin/
+
+mkdir -p ${JBOSS_HOME}/bin/launch
+cp -r ${ADDED_DIR}/launch/* ${JBOSS_HOME}/bin/launch
+
+mkdir ${JBOSS_HOME}/root-app-redirect
+cp ${ADDED_DIR}/index.html ${JBOSS_HOME}/root-app-redirect
+rm -rf ${JBOSS_HOME}/welcome-content
+
+chown -R jboss:root $JBOSS_HOME
+chmod -R g+rwX $JBOSS_HOME
diff --git a/os-sso73/module.yaml b/os-sso73/module.yaml
new file mode 100644
index 00000000..e229f602
--- /dev/null
+++ b/os-sso73/module.yaml
@@ -0,0 +1,24 @@
+schema_version: 1
+name: os-sso73
+version: '1.0'
+description: Legacy os-sso73 script package.
+
+modules:
+  install:
+  - name: os-eap-launch
+  - name: os-eap7-launch
+  - name: os-eap-migration
+
+packages:
+      repositories:
+          - jboss-os
+      install:
+          - openssl
+
+execute:
+- script: configure.sh
+
+run:
+      user: 185
+      cmd:
+          - "/opt/eap/bin/openshift-launch.sh"