KEYCLOAK-13206 Session Status iframe cannot access cookies when 3rd party cookies are blocked

Co-authored-by: mhajas <mhajas@redhat.com>
2026-01-09 23:12:06 -03:30 · 2020-06-10 16:24:24 +02:00 · 2020-06-10 16:24:24 +02:00 · 001fe9eb11
commit 001fe9eb11
parent 3b4ebb3141
85 changed files with 672 additions and 351 deletions
--- a/adapters/oidc/js/src/main/resources/3p-cookies-step1.html
+++ b/adapters/oidc/js/src/main/resources/3p-cookies-step1.html
@ -0,0 +1,27 @@
+<!--
+  ~ Copyright 2020 Red Hat, Inc. and/or its affiliates
+  ~ and other contributors as indicated by the @author tags.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+    document.cookie = "KEYCLOAK_3P_COOKIE_SAMESITE=supported; max-age=60; samesite=none; secure"
+    document.cookie = "KEYCLOAK_3P_COOKIE=supported; max-age=60"
+    window.location = "step2.html"
+</script>
+</body>
+</html>
--- a/adapters/oidc/js/src/main/resources/3p-cookies-step2.html
+++ b/adapters/oidc/js/src/main/resources/3p-cookies-step2.html
@ -0,0 +1,32 @@
+<!--
+  ~ Copyright 2020 Red Hat, Inc. and/or its affiliates
+  ~ and other contributors as indicated by the @author tags.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+    if (document.cookie.indexOf("KEYCLOAK_3P_COOKIE") !== -1) {
+        document.cookie = "KEYCLOAK_3P_COOKIE_SAMESITE=; expires=Thu, 01 Jan 1970 00:00:00 GMT; secure"
+        document.cookie = "KEYCLOAK_3P_COOKIE=; expires=Thu, 01 Jan 1970 00:00:00 GMT"
+        window.parent.postMessage("supported", "*")
+    }
+    else {
+        window.parent.postMessage("unsupported", "*")
+    }
+</script>
+</body>
+</html>
--- a/adapters/oidc/js/src/main/resources/keycloak.d.ts
+++ b/adapters/oidc/js/src/main/resources/keycloak.d.ts
@ -148,6 +148,13 @@ declare namespace Keycloak {
 		 */
 		silentCheckSsoRedirectUri?: string;

+		/**
+		 * Specifies whether the silent check-sso should fallback to "non-silent"
+		 * check-sso when 3rd party cookies are blocked by the browser. Defaults
+		 * to true.
+		 */
+		silentCheckSsoFallback?: boolean;
+
 		/**
 		 * Set the OpenID Connect flow.
 		 * @default standard
--- a/adapters/oidc/js/src/main/resources/keycloak.js
+++ b/adapters/oidc/js/src/main/resources/keycloak.js
@ -205,6 +205,12 @@
                    kc.silentCheckSsoRedirectUri = initOptions.silentCheckSsoRedirectUri;
                }

+                if (typeof initOptions.silentCheckSsoFallback === 'boolean') {
+                    kc.silentCheckSsoFallback = initOptions.silentCheckSsoFallback;
+                } else {
+                    kc.silentCheckSsoFallback = true;
+                }
+
                if (initOptions.pkceMethod) {
                    if (initOptions.pkceMethod !== "S256") {
                        throw 'Invalid value for pkceMethod';
@ -356,7 +362,12 @@
                }
            }

-            configPromise.then(processInit);
+            configPromise.then(function () {
+                check3pCookiesSupported().then(processInit)
+                .catch(function() {
+                    promise.setError();
+                });
+            });
            configPromise.catch(function() {
                promise.setError();
            });
@ -846,6 +857,13 @@
                            }
                            return src;
                        },
+                        thirdPartyCookiesIframe: function() {
+                            var src = getRealmUrl() + '/protocol/openid-connect/3p-cookies/step1.html';
+                            if (kc.iframeVersion) {
+                                src = src + '?version=' + kc.iframeVersion;
+                            }
+                            return src;
+                        },
                        register: function() {
                            return getRealmUrl() + '/protocol/openid-connect/registrations';
                        },
@ -1276,6 +1294,45 @@
            return promise.promise;
        }

+        function check3pCookiesSupported() {
+            var promise = createPromise();
+
+            if (loginIframe.enable || kc.silentCheckSsoRedirectUri) {
+                var iframe = document.createElement('iframe');
+                iframe.setAttribute('src', kc.endpoints.thirdPartyCookiesIframe());
+                iframe.setAttribute('title', 'keycloak-3p-check-iframe' );
+                iframe.style.display = 'none';
+                document.body.appendChild(iframe);
+
+                var messageCallback = function(event) {
+                    if (iframe.contentWindow !== event.source) {
+                        return;
+                    }
+
+                    if (event.data !== "supported" && event.data !== "unsupported") {
+                        promise.setError();
+                    } else if (event.data === "unsupported") {
+                        loginIframe.enable = false;
+                        if (kc.silentCheckSsoFallback) {
+                            kc.silentCheckSsoRedirectUri = false;
+                        }
+                        logWarn("[KEYCLOAK] 3rd party cookies aren't supported by this browser. checkLoginIframe and " +
+                            "silent check-sso are not available.")
+                    }
+
+                    document.body.removeChild(iframe);
+                    window.removeEventListener("message", messageCallback);
+                    promise.setSuccess();
+                };
+
+                window.addEventListener('message', messageCallback, false);
+            } else {
+                promise.setSuccess();
+            }
+
+            return promise.promise;
+        }
+
        function loadAdapter(type) {
            if (!type || type == 'default') {
                return {
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolService.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolService.java
@ -35,6 +35,7 @@ import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
 import org.keycloak.protocol.oidc.endpoints.LoginStatusIframeEndpoint;
 import org.keycloak.protocol.oidc.endpoints.LogoutEndpoint;
+import org.keycloak.protocol.oidc.endpoints.ThirdPartyCookiesIframeEndpoint;
 import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
 import org.keycloak.protocol.oidc.endpoints.TokenRevocationEndpoint;
 import org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint;
@ -191,6 +192,13 @@ public class OIDCLoginProtocolService {
        return endpoint;
    }

+    @Path("3p-cookies")
+    public Object thirdPartyCookiesCheck() {
+        ThirdPartyCookiesIframeEndpoint endpoint = new ThirdPartyCookiesIframeEndpoint();
+        ResteasyProviderFactory.getInstance().injectProperties(endpoint);
+        return endpoint;
+    }
+
    @OPTIONS
    @Path("certs")
    @Produces(MediaType.APPLICATION_JSON)
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LoginStatusIframeEndpoint.java
@ -17,28 +17,24 @@

 package org.keycloak.protocol.oidc.endpoints;

-import org.keycloak.common.Version;
 import org.keycloak.common.util.UriUtils;
-import org.keycloak.headers.SecurityHeadersProvider;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.oidc.utils.WebOriginsUtils;
-import org.keycloak.services.util.CacheControlUtil;
-import org.keycloak.services.util.P3PHelper;
 import org.keycloak.utils.MediaType;

 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.CacheControl;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
-import java.io.InputStream;
 import java.util.Set;

+import static org.keycloak.services.util.IframeUtil.returnIframeFromResources;
+
 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
 */
@ -50,24 +46,7 @@ public class LoginStatusIframeEndpoint {
    @GET
    @Produces(MediaType.TEXT_HTML_UTF_8)
    public Response getLoginStatusIframe(@QueryParam("version") String version) {
-        CacheControl cacheControl;
-        if (version != null) {
-            if (!version.equals(Version.RESOURCES_VERSION)) {
-                return Response.status(Response.Status.NOT_FOUND).build();
-            }
-            cacheControl = CacheControlUtil.getDefaultCacheControl();
-        } else {
-            cacheControl = CacheControlUtil.noCache();
-        }
-
-        InputStream resource = getClass().getClassLoader().getResourceAsStream("login-status-iframe.html");
-        if (resource != null) {
-            P3PHelper.addP3PHeader();
-            session.getProvider(SecurityHeadersProvider.class).options().allowAnyFrameAncestor();
-            return Response.ok(resource).cacheControl(cacheControl).build();
-        } else {
-            return Response.status(Response.Status.NOT_FOUND).build();
-        }
+        return returnIframeFromResources("login-status-iframe.html", version, session);
    }

    @GET
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/ThirdPartyCookiesIframeEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/ThirdPartyCookiesIframeEndpoint.java
@ -0,0 +1,52 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.protocol.oidc.endpoints;
+
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.utils.MediaType;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+
+import static org.keycloak.services.util.IframeUtil.returnIframeFromResources;
+
+/**
+ * @author Vaclav Muzikar <vmuzikar@redhat.com>
+ */
+public class ThirdPartyCookiesIframeEndpoint {
+    @Context
+    private KeycloakSession session;
+
+    @GET
+    @Path("step1.html")
+    @Produces(MediaType.TEXT_HTML_UTF_8)
+    public Response step1(@QueryParam("version") String version) {
+        return returnIframeFromResources("3p-cookies-step1.html", version, session);
+    }
+
+    @GET
+    @Path("step2.html")
+    @Produces(MediaType.TEXT_HTML_UTF_8)
+    public Response step2(@QueryParam("version") String version) {
+        return returnIframeFromResources("3p-cookies-step2.html", version, session);
+    }
+}
--- a/services/src/main/java/org/keycloak/services/util/IframeUtil.java
+++ b/services/src/main/java/org/keycloak/services/util/IframeUtil.java
@ -0,0 +1,49 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.util;
+
+import org.keycloak.common.Version;
+import org.keycloak.headers.SecurityHeadersProvider;
+import org.keycloak.models.KeycloakSession;
+
+import javax.ws.rs.core.CacheControl;
+import javax.ws.rs.core.Response;
+import java.io.InputStream;
+
+public class IframeUtil {
+    public static Response returnIframeFromResources(String fileName, String version, KeycloakSession session) {
+        CacheControl cacheControl;
+        if (version != null) {
+            if (!version.equals(Version.RESOURCES_VERSION)) {
+                return Response.status(Response.Status.NOT_FOUND).build();
+            }
+            cacheControl = CacheControlUtil.getDefaultCacheControl();
+        } else {
+            cacheControl = CacheControlUtil.noCache();
+        }
+
+        InputStream resource = IframeUtil.class.getClassLoader().getResourceAsStream(fileName);
+        if (resource != null) {
+            P3PHelper.addP3PHeader();
+            session.getProvider(SecurityHeadersProvider.class).options().allowAnyFrameAncestor();
+            return Response.ok(resource).cacheControl(cacheControl).build();
+        } else {
+            return Response.status(Response.Status.NOT_FOUND).build();
+        }
+    }
+}
--- a/testsuite/integration-arquillian/HOW-TO-RUN.md
+++ b/testsuite/integration-arquillian/HOW-TO-RUN.md
@ -992,4 +992,11 @@ because this is not UI testing). For debugging purposes you can override the hea
    mvn clean install -f testsuite/integration-arquillian/tests/base \
                      -Pfirefox-strict-cookies \
                      -Dtest=**.broker.** \
+                      -Dauth.server.host=[some_host] -Dauth.server.host2=[some_other_host]
+
+**JS adapter tests:**
+
+    mvn clean install -f testsuite/integration-arquillian/tests/base \
+                      -Pfirefox-strict-cookies \
+                      -Dtest=**.javascript.** \
                      -Dauth.server.host=[some_host] -Dauth.server.host2=[some_other_host]
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/pom.xml
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/pom.xml
@ -33,7 +33,6 @@
    <properties>
        <js-adapter.version>${project.version}</js-adapter.version>
        <js-adapter.file.path>${project.basedir}/target/classes/javascript</js-adapter.file.path>
-        <js-adapter.auth-server-url>https://localhost:8543/auth</js-adapter.auth-server-url>
    </properties>

    <dependencies>
@ -61,21 +60,6 @@

    </dependencies>

-    <profiles>
-        <profile>
-            <id>no-ssl</id>
-            <activation>
-                <property>
-                    <name>auth.server.ssl.required</name>
-                    <value>false</value>
-                </property>
-            </activation>
-            <properties>
-                <js-adapter.auth-server-url>http://localhost:8180/auth</js-adapter.auth-server-url>
-            </properties>
-        </profile>
-    </profiles>
-
    <build>
        <pluginManagement>
            <plugins>
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/resource/TestJavascriptResource.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/resource/TestJavascriptResource.java
@ -13,6 +13,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;

+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
+
 /**
 * @author mhajas
 */
@ -63,6 +65,6 @@ public class TestJavascriptResource {
            line = buf.readLine();
        }

-        return sb.toString();
+        return sb.toString().replace("${js-adapter.auth-server-url}", getAuthServerContextRoot() + "/auth");
    }
 }
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/util/ServerURLs.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/util/ServerURLs.java
@ -0,0 +1,66 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.util;
+
+import static java.lang.Integer.parseInt;
+
+public class ServerURLs {
+    public static final boolean AUTH_SERVER_SSL_REQUIRED = Boolean.parseBoolean(System.getProperty("auth.server.ssl.required", "true"));
+    public static final String AUTH_SERVER_PORT = AUTH_SERVER_SSL_REQUIRED ? System.getProperty("auth.server.https.port", "8543") : System.getProperty("auth.server.http.port", "8180");
+    public static final String AUTH_SERVER_SCHEME = AUTH_SERVER_SSL_REQUIRED ? "https" : "http";
+    public static final String AUTH_SERVER_HOST = System.getProperty("auth.server.host", "localhost");
+    public static final String AUTH_SERVER_HOST2 = System.getProperty("auth.server.host2", AUTH_SERVER_HOST);
+
+    public static String getAuthServerContextRoot() {
+        return getAuthServerContextRoot(0);
+    }
+
+    public static String getAuthServerContextRoot(int clusterPortOffset) {
+        return removeDefaultPorts(String.format("%s://%s:%s", AUTH_SERVER_SCHEME, AUTH_SERVER_HOST, parseInt(AUTH_SERVER_PORT) + clusterPortOffset));
+    }
+
+    public static String getAppServerContextRoot() {
+        return getAppServerContextRoot(0);
+    }
+
+    public static String getAppServerContextRoot(int clusterPortOffset) {
+        String host = System.getProperty("app.server.host", "localhost");
+
+        boolean sslRequired = Boolean.parseBoolean(System.getProperty("app.server.ssl.required"));
+
+        int port = sslRequired ? parsePort("app.server.https.port") : parsePort("app.server.http.port");
+        String scheme = sslRequired ? "https" : "http";
+
+        return String.format("%s://%s:%s", scheme, host, port + clusterPortOffset);
+    }
+
+    /**
+     * Removes default ports: 80 and 443 from url
+     */
+    public static String removeDefaultPorts(String url) {
+        return url != null ? url.replaceFirst("(.*)(:80)(\\/.*)?$", "$1$3").replaceFirst("(.*)(:443)(\\/.*)?$", "$1$3") : null;
+    }
+
+    private static int parsePort(String property) {
+        try {
+            return parseInt(System.getProperty(property));
+        } catch (NumberFormatException ex) {
+            throw new RuntimeException("Failed to get " + property, ex);
+        }
+    }
+}
--- a/testsuite/integration-arquillian/tests/base/pom.xml
+++ b/testsuite/integration-arquillian/tests/base/pom.xml
@ -854,6 +854,7 @@
                <app.server.port.offset>0</app.server.port.offset>
                <app.server.http.port>8080</app.server.http.port>
                <app.server.management.port>9990</app.server.management.port>
+                <app.server.config.dir>${app.server.home}/conf</app.server.config.dir>
            </properties>
            <dependencies>
                <dependency>
@ -887,6 +888,7 @@
                <app.server.port.offset>0</app.server.port.offset>
                <app.server.http.port>8080</app.server.http.port>
                <app.server.management.port>9990</app.server.management.port>
+                <app.server.config.dir>${app.server.home}/conf</app.server.config.dir>
            </properties>
            <dependencies>
                <dependency>
@ -920,6 +922,7 @@
                <app.server.port.offset>0</app.server.port.offset>
                <app.server.http.port>8080</app.server.http.port>
                <app.server.management.port>9990</app.server.management.port>
+                <app.server.config.dir>${app.server.home}/conf</app.server.config.dir>
            </properties>
            <dependencies>
                <dependency>
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AppServerTestEnricher.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AppServerTestEnricher.java
@ -49,7 +49,8 @@ import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;

-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.getAuthServerContextRoot;
+import static org.keycloak.testsuite.util.ServerURLs.getAppServerContextRoot;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 *
@ -95,29 +96,6 @@ public class AppServerTestEnricher {
        return appServerQualifiers;
    }

-    public static String getAppServerContextRoot() {
-        return getAppServerContextRoot(0);
-    }
-
-    public static String getAppServerContextRoot(int clusterPortOffset) {
-        String host = System.getProperty("app.server.host", "localhost");
-
-        boolean sslRequired = Boolean.parseBoolean(System.getProperty("app.server.ssl.required"));
-
-        int port = sslRequired ? parsePort("app.server.https.port") : parsePort("app.server.http.port");
-        String scheme = sslRequired ? "https" : "http";
-
-        return String.format("%s://%s:%s", scheme, host, port + clusterPortOffset);
-    }
-
-    private static int parsePort(String property) {
-        try {
-            return Integer.parseInt(System.getProperty(property));
-        } catch (NumberFormatException ex) {
-            throw new RuntimeException("Failed to get " + property, ex);
-        }
-    }
-
    public static String getAppServerBrowserContextRoot() throws MalformedURLException {
        return getAppServerBrowserContextRoot(new URL(getAuthServerContextRoot()));
    }
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java
@ -52,6 +52,7 @@ import org.keycloak.testsuite.util.OAuthClient;
 import org.keycloak.testsuite.util.SqlUtils;
 import org.keycloak.testsuite.util.SystemInfoHelper;
 import org.keycloak.testsuite.util.VaultUtils;
+import org.keycloak.testsuite.util.ServerURLs;
 import org.wildfly.extras.creaper.commands.undertow.AddUndertowListener;
 import org.wildfly.extras.creaper.commands.undertow.RemoveUndertowListener;
 import org.wildfly.extras.creaper.commands.undertow.SslVerifyClient;
@ -84,7 +85,8 @@ import org.jboss.shrinkwrap.api.importer.ZipImporter;
 import org.jboss.shrinkwrap.api.spec.JavaArchive;
 import org.jboss.shrinkwrap.resolver.api.maven.Maven;
 import org.junit.Assert;
-import static org.keycloak.testsuite.util.URLUtils.removeDefaultPorts;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
+import static org.keycloak.testsuite.util.ServerURLs.removeDefaultPorts;

 /**
 *
@ -108,11 +110,6 @@ public class AuthServerTestEnricher {
    private JavaArchive testsuiteProvidersArchive;
    private String currentContainerName;

-    public static final boolean AUTH_SERVER_SSL_REQUIRED = Boolean.parseBoolean(System.getProperty("auth.server.ssl.required", "true"));
-    public static final String AUTH_SERVER_SCHEME = AUTH_SERVER_SSL_REQUIRED ? "https" : "http";
-    public static final String AUTH_SERVER_HOST = System.getProperty("auth.server.host", "localhost");
-    public static final String AUTH_SERVER_PORT = AUTH_SERVER_SSL_REQUIRED ? System.getProperty("auth.server.https.port", "8543") : System.getProperty("auth.server.http.port", "8180");
-
    public static final String AUTH_SERVER_CONTAINER_DEFAULT = "auth-server-undertow";
    public static final String AUTH_SERVER_CONTAINER_PROPERTY = "auth.server.container";
    public static final String AUTH_SERVER_CONTAINER = System.getProperty(AUTH_SERVER_CONTAINER_PROPERTY, AUTH_SERVER_CONTAINER_DEFAULT);
@ -165,21 +162,6 @@ public class AuthServerTestEnricher {
        return AUTH_SERVER_CONTAINER.equals("auth-server-quarkus");
    }

-    public static String getAuthServerContextRoot() {
-        return getAuthServerContextRoot(0);
-    }
-
-    public static String getAuthServerContextRoot(int clusterPortOffset) {
-        String host = System.getProperty("auth.server.host", "localhost");
-        int httpPort = Integer.parseInt(System.getProperty("auth.server.http.port")); // property must be set
-        int httpsPort = Integer.parseInt(System.getProperty("auth.server.https.port")); // property must be set
-
-        String scheme = AUTH_SERVER_SSL_REQUIRED ? "https" : "http";
-        int port = AUTH_SERVER_SSL_REQUIRED ? httpsPort : httpPort;
-
-        return removeDefaultPorts(String.format("%s://%s:%s", scheme, host, port + clusterPortOffset));
-    }
-
    public static String getHttpAuthServerContextRoot() {
        String host = System.getProperty("auth.server.host", "localhost");
        int httpPort = Integer.parseInt(System.getProperty("auth.server.http.port")); // property must be set
@ -542,7 +524,7 @@ public class AuthServerTestEnricher {
    }

    public static void initializeTLS(ContainerInfo containerInfo) {
-        if (AUTH_SERVER_SSL_REQUIRED && containerInfo.isJBossBased()) {
+        if (ServerURLs.AUTH_SERVER_SSL_REQUIRED && containerInfo.isJBossBased()) {
            log.infof("\n\n### Setting up TLS for %s ##\n\n", containerInfo);
            try {
                OnlineManagementClient client = getManagementClient(containerInfo);
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/DeploymentArchiveProcessor.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/DeploymentArchiveProcessor.java
@ -52,7 +52,6 @@ import static org.keycloak.testsuite.arquillian.AppServerTestEnricher.isRelative
 import static org.keycloak.testsuite.arquillian.AppServerTestEnricher.isTomcatAppServer;
 import static org.keycloak.testsuite.arquillian.AppServerTestEnricher.isWLSAppServer;
 import static org.keycloak.testsuite.arquillian.AppServerTestEnricher.isWASAppServer;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.getAuthServerContextRoot;
 import static org.keycloak.testsuite.utils.io.IOUtil.appendChildInDocument;
 import static org.keycloak.testsuite.utils.io.IOUtil.documentToString;
 import static org.keycloak.testsuite.utils.io.IOUtil.getElementTextContent;
@ -62,6 +61,7 @@ import static org.keycloak.testsuite.utils.io.IOUtil.modifyDocElementAttribute;
 import static org.keycloak.testsuite.utils.io.IOUtil.modifyDocElementValue;
 import static org.keycloak.testsuite.utils.io.IOUtil.removeElementsFromDoc;
 import static org.keycloak.testsuite.utils.io.IOUtil.removeNodeByAttributeValue;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;


 /**
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/SuiteContext.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/SuiteContext.java
@ -26,6 +26,8 @@ import org.keycloak.testsuite.arquillian.migration.MigrationContext;

 import org.keycloak.testsuite.util.TextFileChecker;
 import java.util.LinkedList;
+
+import static java.lang.Boolean.parseBoolean;
 import static org.keycloak.testsuite.util.MailServerConfiguration.FROM;
 import static org.keycloak.testsuite.util.MailServerConfiguration.HOST;
 import static org.keycloak.testsuite.util.MailServerConfiguration.PORT;
@ -58,7 +60,9 @@ public final class SuiteContext {
     * True if the testsuite is running in the adapter backward compatibility testing mode,
     * i.e. if the tests are running against newer auth server
     */
-    private static final boolean adapterCompatTesting = Boolean.parseBoolean(System.getProperty("testsuite.adapter.compat.testing"));
+    private static final boolean adapterCompatTesting = parseBoolean(System.getProperty("testsuite.adapter.compat.testing"));
+
+    private static final boolean browserStrictCookies = parseBoolean(System.getProperty("browser.strict.cookies"));

    public SuiteContext(Set<ContainerInfo> arquillianContainers) {
        this.container = arquillianContainers;
@ -190,6 +194,10 @@ public final class SuiteContext {
        return adapterCompatTesting;
    }

+    public boolean hasBrowserStrictCookies() {
+        return browserStrictCookies;
+    }
+
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder("SUITE CONTEXT:\nAuth server: ");
@ -214,7 +222,7 @@ public final class SuiteContext {
              .append("\n");

            getAuthServerBackendsInfo().forEach(bInfo -> sb.append("  Backend: ").append(bInfo).append(" - ").append(bInfo.getContextRoot().toExternalForm()).append("\n"));
-            if (Boolean.parseBoolean(System.getProperty("auth.server.jboss.legacy"))) {
+            if (parseBoolean(System.getProperty("auth.server.jboss.legacy"))) {
                sb.append("  Legacy:  ").append(getLegacyAuthServerInfo()).append("           - ").append(getLegacyAuthServerInfo().getContextRoot().toExternalForm()).append("\n");
            }
        } else {
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AppPage.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AppPage.java
@ -25,7 +25,7 @@ import org.openqa.selenium.support.FindBy;
 import javax.ws.rs.core.UriBuilder;

 import static org.keycloak.testsuite.util.UIUtils.clickLink;
-import static org.keycloak.testsuite.util.URLUtils.removeDefaultPorts;
+import static org.keycloak.testsuite.util.ServerURLs.removeDefaultPorts;

 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/AdminClientUtil.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/AdminClientUtil.java
@ -41,11 +41,11 @@ import org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider;
 import org.keycloak.admin.client.Keycloak;
 import org.keycloak.admin.client.KeycloakBuilder;
 import org.keycloak.models.Constants;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;

 import static org.keycloak.testsuite.auth.page.AuthRealm.ADMIN;
 import static org.keycloak.testsuite.auth.page.AuthRealm.MASTER;
 import static org.keycloak.testsuite.utils.io.IOUtil.PROJECT_BUILD_DIRECTORY;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;


 public class AdminClientUtil {
@ -55,7 +55,7 @@ public class AdminClientUtil {

    }
    public static Keycloak createAdminClient(boolean ignoreUnknownProperties, String realmName, String username, String password, String clientId, String clientSecret) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException {
-        return createAdminClient(ignoreUnknownProperties, AuthServerTestEnricher.getAuthServerContextRoot(), realmName, username, password, clientId, clientSecret);
+        return createAdminClient(ignoreUnknownProperties, getAuthServerContextRoot(), realmName, username, password, clientId, clientSecret);
    }

    public static Keycloak createAdminClient(boolean ignoreUnknownProperties, String authServerContextRoot, String realmName, String username, String password, String clientId, String clientSecret) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException {
@ -96,11 +96,11 @@ public class AdminClientUtil {
    }

    public static Keycloak createAdminClient() throws Exception {
-        return createAdminClient(false, AuthServerTestEnricher.getAuthServerContextRoot());
+        return createAdminClient(false, getAuthServerContextRoot());
    }

    public static Keycloak createAdminClient(boolean ignoreUnknownProperties) throws Exception {
-        return createAdminClient(ignoreUnknownProperties, AuthServerTestEnricher.getAuthServerContextRoot());
+        return createAdminClient(ignoreUnknownProperties, getAuthServerContextRoot());
    }

    private static SSLContext getSSLContextWithTrustore(File file, String password) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException {
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/ContainerAssume.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/ContainerAssume.java
@ -22,7 +22,7 @@ import org.junit.Assume;
 import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;

 import static org.keycloak.testsuite.arquillian.AppServerTestEnricher.APP_SERVER_SSL_REQUIRED;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;

 public class ContainerAssume {

--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java
@ -58,12 +58,10 @@ import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
 import org.keycloak.protocol.oidc.representations.OIDCConfigurationRepresentation;
 import org.keycloak.protocol.oidc.utils.OIDCResponseType;
 import org.keycloak.representations.AccessToken;
-import org.keycloak.representations.AccessTokenResponse;
 import org.keycloak.representations.IDToken;
 import org.keycloak.representations.JsonWebToken;
 import org.keycloak.representations.RefreshToken;
 import org.keycloak.representations.idm.UserRepresentation;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.runonserver.RunOnServerException;
 import org.keycloak.util.BasicAuthHelper;
 import org.keycloak.util.JsonSerialization;
@ -92,7 +90,8 @@ import java.util.function.Supplier;

 import static org.keycloak.testsuite.admin.Users.getPasswordOf;
 import static org.keycloak.testsuite.util.UIUtils.clickLink;
-import static org.keycloak.testsuite.util.URLUtils.removeDefaultPorts;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
+import static org.keycloak.testsuite.util.ServerURLs.removeDefaultPorts;

 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -106,7 +105,7 @@ public class OAuthClient {
    private static final boolean sslRequired = Boolean.parseBoolean(System.getProperty("auth.server.ssl.required"));

    static {
-        updateURLs(AuthServerTestEnricher.getAuthServerContextRoot());
+        updateURLs(getAuthServerContextRoot());
    }

    // Workaround, but many tests directly use system properties like OAuthClient.AUTH_SERVER_ROOT instead of taking the URL from suite context
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/URLUtils.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/URLUtils.java
@ -16,6 +16,7 @@ import java.util.regex.Pattern;

 import static org.keycloak.testsuite.util.DroneUtils.getCurrentDriver;
 import static org.keycloak.testsuite.util.WaitUtils.waitForPageToLoad;
+import static org.keycloak.testsuite.util.ServerURLs.removeDefaultPorts;
 import static org.openqa.selenium.support.ui.ExpectedConditions.not;
 import static org.openqa.selenium.support.ui.ExpectedConditions.urlMatches;
 import static org.openqa.selenium.support.ui.ExpectedConditions.urlToBe;
@ -133,13 +134,6 @@ public final class URLUtils {
        return true;
    }

-    /**
-     * Removes default ports: 80 and 443 from url
-     */
-    public static String removeDefaultPorts(String url) {
-        return url != null ? url.replaceFirst("(.*)(:80)(\\/.*)?$", "$1$3").replaceFirst("(.*)(:443)(\\/.*)?$", "$1$3") : null;
-    }
-
    /**
     * This will send POST request to specified URL with specified form parameters. It's not easily possible to "trick" web driver to send POST
     * request with custom parameters, which are not directly available in the form.
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/javascript/JSObjectBuilder.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/javascript/JSObjectBuilder.java
@ -22,6 +22,7 @@ public class JSObjectBuilder {
    public JSObjectBuilder defaultSettings() {
        standardFlow();
        fragmentResponse();
+        enableLogging();
        return this;
    }

@ -50,16 +51,31 @@ public class JSObjectBuilder {
        return this;
    }

+    public JSObjectBuilder disableSilentCheckSSOFallback() {
+        arguments.put("silentCheckSsoFallback", false);
+        return this;
+    }
+
    public JSObjectBuilder disableCheckLoginIframe() {
        arguments.put("checkLoginIframe", false);
        return this;
    }

+    public JSObjectBuilder setCheckLoginIframeIntervalTo1() {
+        arguments.put("checkLoginIframeInterval", 1);
+        return this;
+    }
+
    public JSObjectBuilder loginRequiredOnLoad() {
        arguments.put("onLoad", "login-required");
        return this;
    }

+    public JSObjectBuilder enableLogging() {
+        arguments.put("enableLogging", true);
+        return this;
+    }
+
    public boolean contains(String key, Object value) {
       return arguments.containsKey(key) && arguments.get(key).equals(value);
    }
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/javascript/JavascriptTestExecutor.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/javascript/JavascriptTestExecutor.java
@ -6,10 +6,13 @@ import org.keycloak.testsuite.util.WaitUtils;
 import org.openqa.selenium.By;
 import org.openqa.selenium.JavascriptExecutor;
 import org.openqa.selenium.WebDriver;
+import org.openqa.selenium.WebDriverException;
 import org.openqa.selenium.WebElement;

 import java.util.concurrent.TimeUnit;

+import static org.junit.Assert.fail;
+import static org.keycloak.testsuite.util.WaitUtils.pause;
 import static org.keycloak.testsuite.util.WaitUtils.waitForPageToLoad;


@ -101,6 +104,11 @@ public class JavascriptTestExecutor {
    }

    public JavascriptTestExecutor configure(JSObjectBuilder argumentsBuilder) {
+        // a nasty hack: redirect console.warn to events
+        // mainly for FF as it doesn't yet support reading console.warn directly through webdriver
+        // see https://github.com/mozilla/geckodriver/issues/284
+        jsExecutor.executeScript("console.warn = event;");
+
        if (argumentsBuilder == null) {
            jsExecutor.executeScript("window.keycloak = Keycloak();");
        } else {
@ -126,6 +134,10 @@ public class JavascriptTestExecutor {
    }

    public JavascriptTestExecutor init(JSObjectBuilder argumentsBuilder, JavascriptStateValidator validator) {
+        return init(argumentsBuilder, validator, false);
+    }
+
+    public JavascriptTestExecutor init(JSObjectBuilder argumentsBuilder, JavascriptStateValidator validator, boolean expectPromptNoneRedirect) {
        if(!configured) {
            configure();
        }
@ -139,7 +151,23 @@ public class JavascriptTestExecutor {
                "       callback(\"Init Error\");" +
                "   });";

-        Object output = jsExecutor.executeAsyncScript(script);
+        Object output;
+
+        if (expectPromptNoneRedirect) {
+            try {
+                output = jsExecutor.executeAsyncScript(script);
+                fail("Redirect to Keycloak was expected");
+            }
+            catch (WebDriverException e) {
+                waitForPageToLoad();
+                configured = false;
+                // the redirect should use prompt=none, that means KC should immediately redirect back to the app (regardless login state)
+                return init(argumentsBuilder, validator, false);
+            }
+        }
+        else {
+            output = jsExecutor.executeAsyncScript(script);
+        }

        if (validator != null) {
            validator.validate(jsDriver, output, events);
@ -285,4 +313,13 @@ public class JavascriptTestExecutor {
        return this;
    }

+    public JavascriptTestExecutor wait(long millis, JavascriptStateValidator validator) {
+        pause(millis);
+
+        if (validator != null) {
+            validator.validate(jsDriver, null, events);
+        }
+
+        return this;
+    }
 }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java
@ -81,13 +81,13 @@ import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 import static org.junit.Assert.assertThat;
 import static org.keycloak.testsuite.admin.Users.setPasswordFor;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_HOST;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_PORT;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SCHEME;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_HOST;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SCHEME;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.auth.page.AuthRealm.MASTER;
 import static org.keycloak.testsuite.util.URLUtils.navigateToUri;
-import static org.keycloak.testsuite.util.URLUtils.removeDefaultPorts;
+import static org.keycloak.testsuite.util.ServerURLs.removeDefaultPorts;

 /**
 *
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AssertEvents.java
@ -40,7 +40,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import static org.hamcrest.Matchers.is;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.getAuthServerContextRoot;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountFormServiceTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountFormServiceTest.java
@ -87,8 +87,9 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.getAuthServerContextRoot;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
+
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;

 /**
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/custom/CustomAuthFlowOTPTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/custom/CustomAuthFlowOTPTest.java
@ -46,7 +46,7 @@ import static org.junit.Assert.assertTrue;
 import static org.keycloak.authentication.authenticators.browser.ConditionalOtpFormAuthenticator.*;
 import static org.keycloak.models.UserModel.RequiredAction.CONFIGURE_TOTP;
 import static org.keycloak.representations.idm.CredentialRepresentation.PASSWORD;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_PORT;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/AbstractAppInitiatedActionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/actions/AbstractAppInitiatedActionTest.java
@ -33,7 +33,8 @@ import javax.ws.rs.core.UriBuilder;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.util.List;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
+
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * @author Stan Silvert
@ -61,7 +62,7 @@ public abstract class AbstractAppInitiatedActionTest extends AbstractTestRealmKe
                            .queryParam("response_type", "code")
                            .queryParam("client_id", "test-app")
                            .queryParam("scope", "openid")
-                            .queryParam("redirect_uri", AuthServerTestEnricher.getAuthServerContextRoot() + "/auth/realms/master/app/auth")
+                            .queryParam("redirect_uri", getAuthServerContextRoot() + "/auth/realms/master/app/auth")
                            .build(TEST_REALM_NAME).toString();
        driver.navigate().to(uri);
        WaitUtils.waitForPageToLoad();
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/AbstractAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/AbstractAdapterTest.java
@ -50,7 +50,7 @@ import java.util.Map;
 import java.util.concurrent.TimeoutException;

 import static org.keycloak.testsuite.arquillian.AppServerTestEnricher.APP_SERVER_SSL_REQUIRED;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;

 /**
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractPhotozJavascriptExecutorTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractPhotozJavascriptExecutorTest.java
@ -20,7 +20,7 @@ import org.openqa.selenium.WebDriver;
 import org.openqa.selenium.WebElement;

 import static org.hamcrest.CoreMatchers.containsString;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith;
 import static org.keycloak.testsuite.util.WaitUtils.waitUntilElement;

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/hal/ConsoleProtectionTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/hal/ConsoleProtectionTest.java
@ -18,6 +18,7 @@ package org.keycloak.testsuite.adapter.example.hal;

 import static org.junit.Assert.assertTrue;
 import static org.keycloak.testsuite.utils.io.IOUtil.loadRealm;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 import java.io.IOException;
 import java.util.List;
@ -31,7 +32,6 @@ import org.junit.Test;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.testsuite.adapter.AbstractAdapterTest;
 import org.keycloak.testsuite.arquillian.AppServerTestEnricher;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
 import org.keycloak.testsuite.utils.arquillian.ContainerConstants;
 import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
@ -83,7 +83,7 @@ public class ConsoleProtectionTest extends AbstractAdapterTest {
            Assume.assumeTrue(operations.exists(Address.subsystem("elytron").and("security-domain", "KeycloakDomain")));

            // Create a realm for both wildfly console and mgmt interface
-            clientWorkerNodeClient.execute("/subsystem=keycloak/realm=jboss-infra:add(auth-server-url=" + AuthServerTestEnricher.getAuthServerContextRoot() + "/auth,realm-public-key=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB)");
+            clientWorkerNodeClient.execute("/subsystem=keycloak/realm=jboss-infra:add(auth-server-url=" + getAuthServerContextRoot() + "/auth,realm-public-key=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB)");

            // Create a secure-deployment in order to protect mgmt interface
            clientWorkerNodeClient.execute("/subsystem=keycloak/secure-deployment=wildfly-management:add(realm=jboss-infra,resource=wildfly-management,principal-attribute=preferred_username,bearer-only=true,ssl-required=EXTERNAL)");
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/ClientInitiatedAccountLinkTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/ClientInitiatedAccountLinkTest.java
@ -41,7 +41,6 @@ import org.keycloak.services.resources.LoginActionsService;
 import org.keycloak.testsuite.ActionURIUtils;
 import org.keycloak.testsuite.adapter.AbstractServletsAdapterTest;
 import org.keycloak.testsuite.admin.ApiUtil;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
 import org.keycloak.testsuite.utils.arquillian.ContainerConstants;
 import org.keycloak.testsuite.broker.BrokerTestTools;
@ -67,6 +66,7 @@ import static org.keycloak.models.AccountRoles.MANAGE_ACCOUNT;
 import static org.keycloak.models.AccountRoles.MANAGE_ACCOUNT_LINKS;
 import static org.keycloak.models.Constants.ACCOUNT_MANAGEMENT_CLIENT_ID;
 import static org.keycloak.testsuite.admin.ApiUtil.createUserAndResetPasswordWithAdminClient;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@ -215,7 +215,7 @@ public class ClientInitiatedAccountLinkTest extends AbstractServletsAdapterTest
                .path("link")
                .queryParam("response", "true");

-        UriBuilder directLinking = UriBuilder.fromUri(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth")
+        UriBuilder directLinking = UriBuilder.fromUri(getAuthServerContextRoot() + "/auth")
                .path("realms/child/broker/{provider}/link")
                .queryParam("client_id", "client-linking")
                .queryParam("redirect_uri", redirectUri.build())
@ -509,7 +509,7 @@ public class ClientInitiatedAccountLinkTest extends AbstractServletsAdapterTest

            String uri = "/auth/realms/child/broker/parent-idp/login";

-            uri = UriBuilder.fromUri(AuthServerTestEnricher.getAuthServerContextRoot())
+            uri = UriBuilder.fromUri(getAuthServerContextRoot())
                    .path(uri)
                    .queryParam(LoginActionsService.SESSION_CODE, queryParams.get(LoginActionsService.SESSION_CODE))
                    .queryParam(Constants.CLIENT_ID, queryParams.get(Constants.CLIENT_ID))
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLSameSiteTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SAMLSameSiteTest.java
@ -6,7 +6,6 @@ import org.jboss.shrinkwrap.api.spec.WebArchive;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.keycloak.adapters.rotation.PublicKeyLocator;
-import org.keycloak.testsuite.adapter.AbstractServletsAdapterTest;
 import org.keycloak.testsuite.adapter.filter.AdapterActionsFilter;
 import org.keycloak.testsuite.adapter.page.Employee2Servlet;
 import org.keycloak.testsuite.adapter.page.EmployeeSigServlet;
@ -19,18 +18,15 @@ import org.keycloak.testsuite.utils.arquillian.ContainerConstants;
 import org.openqa.selenium.By;

 import javax.ws.rs.core.UriBuilder;
-import java.io.IOException;
-import java.net.URISyntaxException;
-import java.net.URL;
 import java.util.Collections;

-import static org.keycloak.testsuite.arquillian.AppServerTestEnricher.getAppServerContextRoot;
 import static org.keycloak.testsuite.auth.page.AuthRealm.SAMLSERVLETDEMO;
 import static org.keycloak.testsuite.saml.AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2;
 import static org.keycloak.testsuite.saml.AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_SIG;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith;
 import static org.keycloak.testsuite.util.WaitUtils.waitForPageToLoad;
 import static org.keycloak.testsuite.util.WaitUtils.waitUntilElement;
+import static org.keycloak.testsuite.util.ServerURLs.getAppServerContextRoot;

 /**
 * @author mhajas
@ -42,9 +38,9 @@ import static org.keycloak.testsuite.util.WaitUtils.waitUntilElement;
@AppServerContainer(ContainerConstants.APP_SERVER_TOMCAT9)
@AuthServerContainerExclude(AuthServerContainerExclude.AuthServer.REMOTE)
 public class SAMLSameSiteTest extends AbstractSAMLServletAdapterTest {
-    private static final String NIP_IO_URL = "app-saml-127-0-0-1.nip.io";
-    private static final String NIP_IO_EMPLOYEE2_URL = getAppServerContextRoot().replace("localhost", NIP_IO_URL) + "/employee2/";
-    private static final String NIP_IO_EMPLOYEE_SIG_URL = getAppServerContextRoot().replace("localhost", NIP_IO_URL) + "/employee-sig/";
+    // private static final String NIP_IO_URL = "app-saml-127-0-0-1.nip.io";
+    private static final String NIP_IO_EMPLOYEE2_URL = getAppServerContextRoot() + "/employee2/";
+    private static final String NIP_IO_EMPLOYEE_SIG_URL = getAppServerContextRoot() + "/employee-sig/";

    @Deployment(name = Employee2Servlet.DEPLOYMENT_NAME)
    protected static WebArchive employee2() {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SecuredDeploymentsAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SecuredDeploymentsAdapterTest.java
@ -21,7 +21,7 @@ package org.keycloak.testsuite.adapter.servlet;
 import static org.hamcrest.Matchers.containsString;

 import static org.junit.Assert.assertThat;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlEquals;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWithLoginUrlOf;

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/CrossRealmPermissionsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/CrossRealmPermissionsTest.java
@ -27,7 +27,6 @@ import org.keycloak.models.Constants;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.util.ClientBuilder;
 import org.keycloak.testsuite.util.RealmBuilder;
 import org.keycloak.testsuite.util.UserBuilder;
@ -40,6 +39,7 @@ import java.util.concurrent.atomic.AtomicReference;

 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -66,7 +66,7 @@ public class CrossRealmPermissionsTest extends AbstractKeycloakTest {
                .addPassword("password"));
        testRealms.add(builder.build());

-        adminClient1 = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM_NAME, AdminRoles.REALM_ADMIN, "password", "test-client", "secret", TLSUtils.initializeTLS());
+        adminClient1 = Keycloak.getInstance(getAuthServerContextRoot() + "/auth", REALM_NAME, AdminRoles.REALM_ADMIN, "password", "test-client", "secret", TLSUtils.initializeTLS());
        realm1 = adminClient1.realm(REALM_NAME);

        builder = RealmBuilder.create().name(REALM2_NAME).testMail();
@ -79,7 +79,7 @@ public class CrossRealmPermissionsTest extends AbstractKeycloakTest {

        testRealms.add(builder.build());

-        adminClient2 = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM2_NAME, AdminRoles.REALM_ADMIN, "password", "test-client", "secret", TLSUtils.initializeTLS());
+        adminClient2 = Keycloak.getInstance(getAuthServerContextRoot() + "/auth", REALM2_NAME, AdminRoles.REALM_ADMIN, "password", "test-client", "secret", TLSUtils.initializeTLS());
        realm2 = adminClient2.realm(REALM2_NAME);
    }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
@ -52,7 +52,6 @@ import org.keycloak.services.resources.admin.permissions.AdminPermissions;
 import org.keycloak.services.resources.admin.permissions.ClientPermissionManagement;
 import org.keycloak.services.resources.admin.permissions.GroupPermissionManagement;
 import org.keycloak.testsuite.AbstractKeycloakTest;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
 import org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected;
 import org.keycloak.testsuite.auth.page.AuthRealm;
@ -71,6 +70,7 @@ import static org.keycloak.testsuite.admin.ImpersonationDisabledTest.IMPERSONATI
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
 import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@ -880,7 +880,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
    public void testWithTokenExchange() throws Exception {
        String exchanged = checkTokenExchange(true);
        Assert.assertNotNull(exchanged);
-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                AuthRealm.MASTER, Constants.ADMIN_CLI_CLIENT_ID, exchanged, TLSUtils.initializeTLS())) {
            Assert.assertNotNull(client.realm("master").roles().get("offline_access"));
        }
@ -936,7 +936,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            }
        });

-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                "test", "customer-a-manager", "password", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {

            List<UserRepresentation> result = client.realm("test").users().search(null, "test", null, null, -1, 20);
@ -949,7 +949,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            Assert.assertEquals(0, result.size());
        }

-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {

            List<UserRepresentation> result = client.realm("test").users().search(null, "test", null, null, -1, 20);
@ -963,7 +963,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            Assert.assertThat(result, Matchers.everyItem(Matchers.hasProperty("username", Matchers.startsWith("a"))));
        }

-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                "test", "customer-a-manager", "password", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {

            List<UserRepresentation> result = client.realm("test").users().search(null, null, null, null, -1, 20);
@ -1019,7 +1019,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            policy.addAssociatedPolicy(RepresentationToModel.toModel(userPolicyRepresentation, provider, userPolicy));
        });

-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID,
                TLSUtils.initializeTLS())) {

@ -1049,7 +1049,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            policy.addAssociatedPolicy(provider.getStoreFactory().getPolicyStore().findByName("Only regular-admin-user", realmAdminClient.getId()));
        });

-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID,
                TLSUtils.initializeTLS())) {

@ -1058,7 +1058,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            Assert.assertEquals(2, result.size());
        }

-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID,
                TLSUtils.initializeTLS())) {

@ -1067,7 +1067,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            Assert.assertEquals(2, result.size());
        }

-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID,
                TLSUtils.initializeTLS())) {

@ -1086,7 +1086,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            Assert.assertTrue(result.isEmpty());
        }
        
-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID,
                TLSUtils.initializeTLS())) {

@ -1118,7 +1118,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            }
        });

-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID,
                TLSUtils.initializeTLS())) {
            
@ -1202,7 +1202,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
            }
        });

-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                "test", "regular-admin-user", "password", Constants.ADMIN_CLI_CLIENT_ID,
                TLSUtils.initializeTLS())) {

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/IdentityProviderTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/IdentityProviderTest.java
@ -17,11 +17,8 @@

 package org.keycloak.testsuite.admin;

-import org.hamcrest.Matchers;
 import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataOutput;
-import org.junit.Rule;
 import org.junit.Test;
-import org.junit.rules.ExpectedException;
 import org.keycloak.admin.client.resource.IdentityProviderResource;
 import org.keycloak.common.enums.SslRequired;
 import org.keycloak.dom.saml.v2.metadata.EndpointType;
@ -35,7 +32,6 @@ import org.keycloak.events.admin.ResourceType;
 import org.keycloak.models.IdentityProviderMapperModel;
 import org.keycloak.models.IdentityProviderMapperSyncMode;
 import org.keycloak.models.IdentityProviderModel;
-import org.keycloak.models.IdentityProviderSyncMode;
 import org.keycloak.models.utils.StripSecretsUtils;
 import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.representations.idm.AdminEventRepresentation;
@ -44,7 +40,6 @@ import org.keycloak.representations.idm.ErrorRepresentation;
 import org.keycloak.representations.idm.IdentityProviderMapperRepresentation;
 import org.keycloak.representations.idm.IdentityProviderMapperTypeRepresentation;
 import org.keycloak.representations.idm.IdentityProviderRepresentation;
-import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.saml.common.exceptions.ParsingException;
 import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
 import org.keycloak.testsuite.Assert;
@ -90,7 +85,7 @@ import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE;

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ImpersonationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ImpersonationTest.java
@ -55,7 +55,6 @@ import org.keycloak.representations.idm.RoleRepresentation;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import org.keycloak.testsuite.AssertEvents;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
 import org.keycloak.testsuite.auth.page.AuthRealm;
@ -82,6 +81,7 @@ import java.util.Map;

 import static org.hamcrest.Matchers.containsString;
 import static org.keycloak.testsuite.util.OAuthClient.AUTH_SERVER_ROOT;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * Tests Undertow Adapter
@ -318,7 +318,7 @@ public class ImpersonationTest extends AbstractKeycloakTest {
            password = username.equals("admin") ? "admin" : "password";
        }

-        return KeycloakBuilder.builder().serverUrl(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth")
+        return KeycloakBuilder.builder().serverUrl(getAuthServerContextRoot() + "/auth")
                .realm(realm)
                .username(username)
                .password(password)
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
@ -58,7 +58,6 @@ import org.keycloak.representations.idm.authorization.ScopeRepresentation;
 import org.keycloak.services.resources.admin.AdminAuth.Resource;
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import org.keycloak.testsuite.Assert;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.util.AdminClientUtil;
 import org.keycloak.testsuite.util.ClientBuilder;
 import org.keycloak.testsuite.util.CredentialBuilder;
@ -83,6 +82,7 @@ import static org.junit.Assert.assertNull;
 import static org.junit.Assert.fail;
 import static org.keycloak.services.resources.admin.AdminAuth.Resource.AUTHORIZATION;
 import static org.keycloak.services.resources.admin.AdminAuth.Resource.CLIENT;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 import org.keycloak.testsuite.utils.tls.TLSUtils;

@ -196,31 +196,31 @@ public class PermissionsTest extends AbstractKeycloakTest {
        super.beforeAbstractKeycloakTest();

        clients.put(AdminRoles.REALM_ADMIN,
-                Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM_NAME, AdminRoles.REALM_ADMIN, "password", "test-client",
+                Keycloak.getInstance(getAuthServerContextRoot() + "/auth", REALM_NAME, AdminRoles.REALM_ADMIN, "password", "test-client",
                        "secret", TLSUtils.initializeTLS()));

        clients.put("none",
-                Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM_NAME, "none", "password", "test-client", "secret", TLSUtils.initializeTLS()));
+                Keycloak.getInstance(getAuthServerContextRoot() + "/auth", REALM_NAME, "none", "password", "test-client", "secret", TLSUtils.initializeTLS()));

        clients.put("multi",
-                Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM_NAME, "multi", "password", "test-client", "secret", TLSUtils.initializeTLS()));
+                Keycloak.getInstance(getAuthServerContextRoot() + "/auth", REALM_NAME, "multi", "password", "test-client", "secret", TLSUtils.initializeTLS()));

        for (String role : AdminRoles.ALL_REALM_ROLES) {
-            clients.put(role, Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM_NAME, role, "password", "test-client", TLSUtils.initializeTLS()));
+            clients.put(role, Keycloak.getInstance(getAuthServerContextRoot() + "/auth", REALM_NAME, role, "password", "test-client", TLSUtils.initializeTLS()));
        }

-        clients.put("REALM2", Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", "realm2", "admin", "password", "test-client", TLSUtils.initializeTLS()));
+        clients.put("REALM2", Keycloak.getInstance(getAuthServerContextRoot() + "/auth", "realm2", "admin", "password", "test-client", TLSUtils.initializeTLS()));

        clients.put("master-admin", adminClient);

        clients.put("master-none",
-                Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", "master", "permissions-test-master-none", "password",
+                Keycloak.getInstance(getAuthServerContextRoot() + "/auth", "master", "permissions-test-master-none", "password",
                        Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS()));


        for (String role : AdminRoles.ALL_REALM_ROLES) {
            clients.put("master-" + role,
-                    Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", "master", "permissions-test-master-" + role, "password",
+                    Keycloak.getInstance(getAuthServerContextRoot() + "/auth", "master", "permissions-test-master-" + role, "password",
                            Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS()));
        }
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/InstallationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/InstallationTest.java
@ -35,7 +35,6 @@ import org.keycloak.protocol.saml.SamlProtocol;
 import org.keycloak.protocol.saml.installation.SamlSPDescriptorClientInstallation;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.testsuite.admin.ApiUtil;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
 import org.keycloak.testsuite.util.AdminEventPaths;
 import org.w3c.dom.Document;
@ -47,6 +46,7 @@ import org.xml.sax.SAXException;
 import javax.ws.rs.NotFoundException;
 import static org.junit.Assert.assertThat;
 import static org.hamcrest.Matchers.*;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * Test getting the installation/configuration files for OIDC and SAML.
@ -89,7 +89,7 @@ public class InstallationTest extends AbstractClientTest {
    }

    private String authServerUrl() {
-        return AuthServerTestEnricher.getAuthServerContextRoot() + "/auth";
+        return getAuthServerContextRoot() + "/auth";
    }

    private String samlUrl() {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java
@ -25,8 +25,6 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;

-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLSession;
 import javax.ws.rs.core.Response;
 import org.apache.http.NameValuePair;
 import org.apache.http.client.entity.UrlEncodedFormEntity;
@ -36,13 +34,11 @@ import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.protocol.HttpClientContext;
 import org.apache.http.client.utils.URLEncodedUtils;
-import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.client.LaxRedirectStrategy;
 import org.apache.http.message.BasicNameValuePair;
 import org.apache.http.util.EntityUtils;
-import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
 import org.jsoup.Jsoup;
 import org.jsoup.nodes.Element;
 import org.junit.Assert;
@ -72,7 +68,7 @@ import org.hamcrest.Matchers;
 import org.keycloak.util.JsonSerialization;

 import static org.hamcrest.Matchers.containsString;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 /**
 * @author <a href="mailto:vramik@redhat.com">Vlastislav Ramik</a>
 */
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/event/AdminEventAuthDetailsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/event/AdminEventAuthDetailsTest.java
@ -33,7 +33,6 @@ import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testsuite.AbstractAuthTest;
 import org.keycloak.testsuite.Assert;
 import org.keycloak.testsuite.admin.ApiUtil;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.util.AdminEventPaths;
 import org.keycloak.testsuite.util.AssertAdminEvents;
 import org.keycloak.testsuite.util.ClientBuilder;
@ -47,6 +46,7 @@ import org.junit.After;

 import static org.keycloak.testsuite.auth.page.AuthRealm.ADMIN;
 import static org.keycloak.testsuite.auth.page.AuthRealm.MASTER;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * Test authDetails in admin events
@ -134,7 +134,7 @@ public class AdminEventAuthDetailsTest extends AbstractAuthTest {
    }

    private void testClient(String realmName, String username, String password, String clientId, String expectedRealmId, String expectedClientUuid, String expectedUserId) {
-        try (Keycloak keycloak = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak keycloak = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                realmName, username, password, clientId, TLSUtils.initializeTLS())) {
            UserRepresentation rep = UserBuilder.create().id(appUserId).username("app-user").email("foo@email.org").build();
            keycloak.realm("test").users().get(appUserId).update(rep);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/group/AbstractGroupTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/group/AbstractGroupTest.java
@ -23,14 +23,12 @@ import org.keycloak.RSATokenVerifier;
 import org.keycloak.common.util.PemUtils;
 import org.keycloak.events.Details;
 import org.keycloak.jose.jws.JWSInput;
-import org.keycloak.jose.jws.crypto.RSAProvider;
 import org.keycloak.representations.AccessToken;
 import org.keycloak.representations.RefreshToken;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.admin.ApiUtil;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.util.AssertAdminEvents;
 import org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse;

@ -38,6 +36,7 @@ import java.security.PublicKey;
 import java.util.List;

 import static org.keycloak.testsuite.utils.io.IOUtil.loadRealm;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
@ -58,7 +57,7 @@ public abstract class AbstractGroupTest extends AbstractKeycloakTest {

        PublicKey publicKey = PemUtils.decodePublicKey(ApiUtil.findActiveKey(adminClient.realm("test")).getPublicKey());

-        AccessToken accessTokenRepresentation = RSATokenVerifier.verifyToken(accessToken, publicKey, AuthServerTestEnricher.getAuthServerContextRoot() + "/auth/realms/test");
+        AccessToken accessTokenRepresentation = RSATokenVerifier.verifyToken(accessToken, publicKey, getAuthServerContextRoot() + "/auth/realms/test");

        JWSInput jws = new JWSInput(refreshToken);
        RefreshToken refreshTokenRepresentation = jws.readJsonContent(RefreshToken.class);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/group/GroupTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/group/GroupTest.java
@ -74,8 +74,8 @@ import org.keycloak.models.RealmModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import static org.keycloak.testsuite.Assert.assertNames;
 import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected;
 import org.keycloak.testsuite.auth.page.AuthRealm;
 import org.keycloak.testsuite.runonserver.RunOnServerException;
@ -699,7 +699,7 @@ public class GroupTest extends AbstractGroupTest {
        final String realmName = AuthRealm.MASTER;
        createUser(realmName, userName, "pwd");

-        try (Keycloak userClient = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak userClient = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
          realmName, userName, "pwd", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {

            expectedException.expect(ClientErrorException.class);
@ -728,7 +728,7 @@ public class GroupTest extends AbstractGroupTest {
        RoleMappingResource mappings = realm.users().get(userId).roles();
        mappings.realmLevel().add(Collections.singletonList(adminRole));

-        try (Keycloak userClient = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak userClient = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
          realmName, userName, "pwd", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {

            assertThat(userClient.realms().findAll(),  // Any admin operation will do
@ -761,7 +761,7 @@ public class GroupTest extends AbstractGroupTest {

            realm.users().get(userId).joinGroup(groupId);
        }
-        try (Keycloak userClient = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak userClient = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
          realmName, userName, "pwd", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {

            assertThat(userClient.realms().findAll(),  // Any admin operation will do
@ -796,7 +796,7 @@ public class GroupTest extends AbstractGroupTest {

            mappings.realmLevel().add(Collections.singletonList(adminRole));
        }
-        try (Keycloak userClient = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak userClient = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
          realmName, userName, "pwd", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {

            assertThat(userClient.realms().findAll(),  // Any admin operation will do
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
@ -47,7 +47,6 @@ import org.keycloak.testsuite.Assert;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.admin.AbstractAdminTest;
 import org.keycloak.testsuite.admin.ApiUtil;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
 import org.keycloak.testsuite.auth.page.AuthRealm;
@ -79,6 +78,7 @@ import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -298,7 +298,7 @@ public class RealmTest extends AbstractAdminTest {
    public void loginAfterRemoveRealm() {
        realm.remove();

-        try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", "master", "admin", "admin", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {
+        try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth", "master", "admin", "admin", Constants.ADMIN_CLI_CLIENT_ID, TLSUtils.initializeTLS())) {
            client.serverInfo().getInfo();
        }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/BrokerTestTools.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/BrokerTestTools.java
@ -4,7 +4,6 @@ import org.apache.http.client.utils.URIBuilder;
 import org.keycloak.admin.client.Keycloak;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.IdentityProviderRepresentation;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.pages.PageUtils;
 import org.openqa.selenium.By;
 import org.openqa.selenium.WebDriver;
@ -19,9 +18,10 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Map;

-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_HOST;
 import static org.keycloak.testsuite.broker.BrokerTestConstants.IDP_OIDC_PROVIDER_ID;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_HOST2;
 import static org.keycloak.testsuite.util.WaitUtils.waitForPageToLoad;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 *
@ -36,14 +36,14 @@ public class BrokerTestTools {
        if (providerRoot == null) {
            // everything is identical to consumerRoot but the host (it's technically the same server instance)
            providerRoot = new URIBuilder(URI.create(getConsumerRoot()))
-                    .setHost(System.getProperty("auth.server.host2", AUTH_SERVER_HOST)).toString();
+                    .setHost(AUTH_SERVER_HOST2).toString();
        }
        return providerRoot;
    }

    public static String getConsumerRoot() {
        if (consumerRoot == null) {
-            consumerRoot = AuthServerTestEnricher.getAuthServerContextRoot();
+            consumerRoot = getAuthServerContextRoot();
        }
        return consumerRoot;
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmTruststoreTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmTruststoreTest.java
@ -13,7 +13,7 @@ import java.io.IOException;

 import static org.keycloak.client.admin.cli.util.ConfigUtil.DEFAULT_CONFIG_FILE_PATH;
 import static org.keycloak.client.admin.cli.util.OsUtil.EOL;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.cli.KcAdmExec.CMD;
 import static org.keycloak.testsuite.cli.KcAdmExec.execute;

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/KcRegCreateTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/KcRegCreateTest.java
@ -27,7 +27,7 @@ import java.io.IOException;
 import java.util.Arrays;
 import java.util.List;

-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.cli.KcRegExec.execute;

 /**
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/KcRegTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/KcRegTest.java
@ -19,7 +19,7 @@ import java.util.UUID;

 import static org.keycloak.client.registration.cli.util.OsUtil.CMD;
 import static org.keycloak.client.registration.cli.util.OsUtil.EOL;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
 import static org.keycloak.testsuite.cli.KcRegExec.execute;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/KcRegTruststoreTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/registration/KcRegTruststoreTest.java
@ -14,7 +14,7 @@ import java.io.IOException;
 import static org.keycloak.client.registration.cli.util.ConfigUtil.DEFAULT_CONFIG_FILE_PATH;
 import static org.keycloak.client.registration.cli.util.OsUtil.CMD;
 import static org.keycloak.client.registration.cli.util.OsUtil.EOL;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.cli.KcRegExec.execute;

 /**
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AdapterInstallationConfigTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AdapterInstallationConfigTest.java
@ -28,7 +28,7 @@ import org.keycloak.representations.idm.ClientRepresentation;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.fail;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;

 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cookies/CookiesPathTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cookies/CookiesPathTest.java
@ -42,7 +42,7 @@ import java.util.Set;
 import java.util.stream.Collectors;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_HOST;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_HOST;

 import org.junit.After;

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/docker/DockerClientTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/docker/DockerClientTest.java
@ -25,7 +25,7 @@ import java.util.Optional;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsString;
 import static org.junit.Assume.assumeTrue;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_PORT;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
 import static org.keycloak.testsuite.util.WaitUtils.pause;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java
@ -40,7 +40,6 @@ import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
 import org.keycloak.testsuite.admin.ApiUtil;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.console.page.AdminConsole;
 import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
 import org.keycloak.testsuite.pages.AppPage;
@ -83,6 +82,7 @@ import static org.keycloak.testsuite.admin.ApiUtil.findClientByClientId;
 import static org.keycloak.testsuite.util.OAuthClient.AUTH_SERVER_ROOT;
 import static org.keycloak.testsuite.util.OAuthClient.SERVER_ROOT;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWithLoginUrlOf;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
@ -460,7 +460,7 @@ public class LoginTest extends AbstractTestRealmKeycloakTest {

        events.expectLogin().user(userId).detail(Details.USERNAME, "login-test").assertEvent();

-        driver.navigate().to(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth/realms/test/");
+        driver.navigate().to(getAuthServerContextRoot() + "/auth/realms/test/");
        String keycloakIdentity = driver.manage().getCookieNamed("KEYCLOAK_IDENTITY").getValue();

        // Check identity cookie is signed with HS256
@ -473,7 +473,7 @@ public class LoginTest extends AbstractTestRealmKeycloakTest {
            oauth.openLoginForm();
            Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());

-            driver.navigate().to(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth/realms/test/");
+            driver.navigate().to(getAuthServerContextRoot() + "/auth/realms/test/");
            keycloakIdentity = driver.manage().getCookieNamed("KEYCLOAK_IDENTITY").getValue();

            // Check identity cookie is still signed with HS256
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java
@ -49,8 +49,8 @@ import org.keycloak.testsuite.util.UserBuilder;
 import org.openqa.selenium.NoSuchElementException;

 import static org.junit.Assert.fail;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.getAuthServerContextRoot;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 /**
 * Tries to simulate testing with multiple browser tabs
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/hok/HoKTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/hok/HoKTest.java
@ -9,7 +9,7 @@ import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;

 import java.io.IOException;
 import java.net.URI;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/jaas/LoginModulesTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/jaas/LoginModulesTest.java
@ -58,7 +58,7 @@ import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import org.keycloak.testsuite.Assert;
 import org.keycloak.testsuite.admin.ApiUtil;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
 import org.keycloak.testsuite.utils.io.IOUtil;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/javascript/AbstractJavascriptTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/javascript/AbstractJavascriptTest.java
@ -33,6 +33,8 @@ import java.util.List;

 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.collection.IsMapContaining.hasEntry;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_HOST;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_HOST2;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith;
 import static org.keycloak.testsuite.util.WaitUtils.waitForPageToLoad;
 import static org.keycloak.testsuite.util.WaitUtils.waitUntilElement;
@ -47,7 +49,7 @@ public abstract class AbstractJavascriptTest extends AbstractAuthTest {
        void apply(T a, U b, V c, W d);
    }

-    public static final String NIP_IO_URL = "js-app-127-0-0-1.nip.io";
+    public static final String JS_APP_HOST = AUTH_SERVER_HOST2;
    public static final String CLIENT_ID = "js-console";
    public static final String REALM_NAME = "test";
    public static final String SPACE_REALM_NAME = "Example realm";
@ -120,8 +122,8 @@ public abstract class AbstractJavascriptTest extends AbstractAuthTest {
                .client(
                        ClientBuilder.create()
                                .clientId(CLIENT_ID)
-                                .redirectUris(oauth.SERVER_ROOT.replace("localhost", NIP_IO_URL) + JAVASCRIPT_URL + "/*", oauth.SERVER_ROOT + JAVASCRIPT_ENCODED_SPACE_URL + "/*")
-                                .addWebOrigin(oauth.SERVER_ROOT.replace("localhost", NIP_IO_URL))
+                                .redirectUris(oauth.SERVER_ROOT.replace(AUTH_SERVER_HOST, JS_APP_HOST) + JAVASCRIPT_URL + "/*", oauth.SERVER_ROOT + JAVASCRIPT_ENCODED_SPACE_URL + "/*")
+                                .addWebOrigin(oauth.SERVER_ROOT.replace(AUTH_SERVER_HOST, JS_APP_HOST))
                                .publicClient()
                )
                .accessTokenLifespan(30 + TOKEN_LIFESPAN_LEEWAY)
@ -151,7 +153,7 @@ public abstract class AbstractJavascriptTest extends AbstractAuthTest {

    protected abstract RealmRepresentation updateRealm(RealmBuilder builder);

-    protected void assertSuccessfullyLoggedIn(WebDriver driver1, Object output, WebElement events) {
+    protected void assertInitAuth(WebDriver driver1, Object output, WebElement events) {
        buildFunction(this::assertOutputContains, "Init Success (Authenticated)").validate(driver1, output, events);
        waitUntilElement(events).text().contains("Auth Success");
    }
@ -193,6 +195,10 @@ public abstract class AbstractJavascriptTest extends AbstractAuthTest {
        waitUntilElement(events).text().contains(value);
    }

+    public void assertEventsWebElementDoesntContain(String value, WebDriver driver1, Object output, WebElement events) {
+        waitUntilElement(events).text().not().contains(value);
+    }
+
    public ResponseValidator assertResponseStatus(long status) {
        return output -> Assert.assertThat(output, hasEntry("status", status));
    }
@ -204,4 +210,8 @@ public abstract class AbstractJavascriptTest extends AbstractAuthTest {
    public JavascriptStateValidator assertEventsContains(String text) {
        return buildFunction(this::assertEventsWebElementContains, text);
    }
+
+    public JavascriptStateValidator assertEventsDoesntContain(String text) {
+        return buildFunction(this::assertEventsWebElementDoesntContain, text);
+    }
 }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/javascript/JavascriptAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/javascript/JavascriptAdapterTest.java
@ -16,7 +16,6 @@ import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testsuite.Assert;
 import org.keycloak.testsuite.AssertEvents;
-import org.keycloak.testsuite.ProfileAssume;
 import org.keycloak.testsuite.admin.ApiUtil;
 import org.keycloak.testsuite.auth.page.account.Applications;
 import org.keycloak.testsuite.auth.page.login.OAuthGrant;
@ -35,8 +34,6 @@ import org.openqa.selenium.WebElement;

 import java.util.List;
 import java.util.Map;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;

 import static java.lang.Math.toIntExact;
 import static org.hamcrest.CoreMatchers.anyOf;
@ -52,10 +49,13 @@ import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
+
+import static org.junit.Assume.assumeFalse;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlDoesntStartWith;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith;
 import static org.keycloak.testsuite.util.WaitUtils.waitForPageToLoad;
 import static org.keycloak.testsuite.util.WaitUtils.waitUntilElement;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_HOST;

 /**
 * @author mhajas
@ -89,7 +89,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {

    @Before
    public void setDefaultEnvironment() {
-        testAppUrl = authServerContextRootPage.toString().replace("localhost", NIP_IO_URL) + JAVASCRIPT_URL + "/index.html";
+        testAppUrl = authServerContextRootPage.toString().replace(AUTH_SERVER_HOST, JS_APP_HOST) + JAVASCRIPT_URL + "/index.html";

        jsDriverTestRealmLoginPage.setAuthRealm(REALM_NAME);
        oAuthGrantPage.setAuthRealm(REALM_NAME);
@ -133,7 +133,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                .loginForm(UserBuilder.create().username("invalid-user").password("password").build(),
                        (driver1, output, events) -> assertCurrentUrlDoesntStartWith(testAppUrl, driver1))
                .loginForm(testUser, this::assertOnTestAppUrl)
-                .init(defaultArguments(), this::assertSuccessfullyLoggedIn)
+                .init(defaultArguments(), this::assertInitAuth)
                .logout(this::assertOnTestAppUrl)
                .init(defaultArguments(), this::assertInitNotAuth);
    }
@ -144,61 +144,101 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
        testExecutor.init(pkceS256, this::assertInitNotAuth)
                .login(this::assertOnLoginPage)
                .loginForm(testUser, this::assertOnTestAppUrl)
-                .init(pkceS256, this::assertSuccessfullyLoggedIn)
+                .init(pkceS256, this::assertInitAuth)
                .logout(this::assertOnTestAppUrl)
                .init(pkceS256, this::assertInitNotAuth);
    }

    @Test
    public void testSilentCheckSso() {
-        JSObjectBuilder checkSSO = defaultArguments().checkSSOOnLoad();
-        testExecutor.init(checkSSO, this::assertInitNotAuth)
+        JSObjectBuilder checkSSO = defaultArguments().checkSSOOnLoad()
+                .add("silentCheckSsoRedirectUri", authServerContextRootPage.toString().replace(AUTH_SERVER_HOST, JS_APP_HOST) + JAVASCRIPT_URL + "/silent-check-sso.html");
+
+        // when 3rd party cookies are disabled, the adapter has to do a full redirect to KC to check whether the user
+        // is logged in or not – it can't rely on silent check-sso iframe
+        testExecutor.init(checkSSO, this::assertInitNotAuth, suiteContext.hasBrowserStrictCookies())
                .login(this::assertOnLoginPage)
                .loginForm(testUser, this::assertOnTestAppUrl)
-                .init(checkSSO, this::assertSuccessfullyLoggedIn)
+                .init(checkSSO, this::assertInitAuth, false)
                .refresh()
                .init(checkSSO
-                        .add("silentCheckSsoRedirectUri", authServerContextRootPage.toString().replace("localhost", NIP_IO_URL) + JAVASCRIPT_URL + "/silent-check-sso.html")
-                        , this::assertSuccessfullyLoggedIn);
+                        , this::assertInitAuth, suiteContext.hasBrowserStrictCookies());
    }

    @Test
    public void testSilentCheckSsoLoginWithLoginIframeDisabled() {
-        JSObjectBuilder checkSSO = defaultArguments().checkSSOOnLoad();
-        testExecutor.init(checkSSO, this::assertInitNotAuth)
+        JSObjectBuilder checkSSO = defaultArguments().checkSSOOnLoad()
+                .add("silentCheckSsoRedirectUri", authServerContextRootPage.toString().replace(AUTH_SERVER_HOST, JS_APP_HOST) + JAVASCRIPT_URL + "/silent-check-sso.html");
+
+        testExecutor.init(checkSSO, this::assertInitNotAuth, suiteContext.hasBrowserStrictCookies())
                .login(this::assertOnLoginPage)
                .loginForm(testUser, this::assertOnTestAppUrl)
-                .init(checkSSO, this::assertSuccessfullyLoggedIn)
+                .init(checkSSO, this::assertInitAuth, false)
                .refresh()
                .init(checkSSO
                        .disableCheckLoginIframe()
-                        .add("silentCheckSsoRedirectUri", authServerContextRootPage.toString().replace("localhost", NIP_IO_URL) + JAVASCRIPT_URL + "/silent-check-sso.html")
-                        , this::assertSuccessfullyLoggedIn);
+                        , this::assertInitAuth, suiteContext.hasBrowserStrictCookies());
    }

    @Test
-    public void testSilentCheckSsoWithoutRedirectUri() {
+    public void testSilentCheckSsoWithFallbackDisabled() {
+        JSObjectBuilder checkSSO = defaultArguments().checkSSOOnLoad().disableSilentCheckSSOFallback()
+                .add("silentCheckSsoRedirectUri", authServerContextRootPage.toString().replace(AUTH_SERVER_HOST, JS_APP_HOST) + JAVASCRIPT_URL + "/silent-check-sso.html");
+
+        testExecutor.init(checkSSO, this::assertInitNotAuth)
+                .login(this::assertOnLoginPage)
+                .loginForm(testUser, this::assertOnTestAppUrl)
+                .init(checkSSO, this::assertInitAuth)
+                .refresh()
+                .init(checkSSO
+                        // with the fall back disabled, the adapter won't do full redirect to KC
+                        , suiteContext.hasBrowserStrictCookies() ? this::assertInitNotAuth : this::assertInitAuth);
+    }
+
+    @Test
+    public void testCheckSso() {
        JSObjectBuilder checkSSO = defaultArguments().checkSSOOnLoad();
-        try {
-            testExecutor.init(checkSSO, this::assertInitNotAuth)
-                    .login(this::assertOnLoginPage)
-                    .loginForm(testUser, this::assertOnTestAppUrl)
-                    .init(checkSSO, this::assertSuccessfullyLoggedIn)
-                    .refresh()
-                    .init(checkSSO);
-            fail();
-        } catch (WebDriverException e) {
-            // should happen
-        }
+
+        // when 3rd party cookies are disabled, the adapter has to do a full redirect to KC to check whether the user
+        // is logged in or not – it can't rely on the login iframe
+        testExecutor.init(checkSSO, this::assertInitNotAuth, suiteContext.hasBrowserStrictCookies())
+                .login(this::assertOnLoginPage)
+                .loginForm(testUser, this::assertOnTestAppUrl)
+                .init(checkSSO, this::assertInitAuth, false)
+                .refresh()
+                .init(checkSSO, this::assertInitAuth, true);
    }

    @Test
    public void testSilentCheckSsoNotAuthenticated() {
-        JSObjectBuilder checkSSO = defaultArguments().checkSSOOnLoad();
-        testExecutor.init(checkSSO
+        JSObjectBuilder checkSSO = defaultArguments().checkSSOOnLoad()
                .add("checkLoginIframe", false)
-                .add("silentCheckSsoRedirectUri", authServerContextRootPage.toString().replace("localhost", NIP_IO_URL) + JAVASCRIPT_URL + "/silent-check-sso.html")
-                , this::assertInitNotAuth);
+                .add("silentCheckSsoRedirectUri", authServerContextRootPage.toString().replace(AUTH_SERVER_HOST, JS_APP_HOST) + JAVASCRIPT_URL + "/silent-check-sso.html");
+
+        testExecutor.init(checkSSO
+                , this::assertInitNotAuth, suiteContext.hasBrowserStrictCookies());
+    }
+
+    @Test
+    // KEYCLOAK-13206
+    public void testIframeInit() {
+        JSObjectBuilder iframeInterval = defaultArguments().setCheckLoginIframeIntervalTo1(); // to speed up the test a bit
+        testExecutor.init(iframeInterval)
+                .login()
+                .loginForm(testUser)
+                .init(iframeInterval)
+                .wait(2000, (driver1, output, events) -> { // iframe is initialized after ~1 second, 2 seconds is just to be sure
+                    assertAdapterIsLoggedIn(driver1, output, events);
+                    final String logMsg = "3rd party cookies aren't supported by this browser.";
+                    if (suiteContext.hasBrowserStrictCookies()) {
+                        // this is here not really to test the log but also to make sure the browser is configured properly
+                        // and cookies were blocked
+                        assertEventsWebElementContains(logMsg, driver1, output, events);
+                    }
+                    else {
+                        assertEventsWebElementDoesntContain(logMsg, driver1, output, events);
+                    }
+                });
    }

    @Test
@ -207,7 +247,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                .refreshToken(9999, assertOutputContains("Failed to refresh token"))
                .login(this::assertOnLoginPage)
                .loginForm(testUser, this::assertOnTestAppUrl)
-                .init(defaultArguments(), this::assertSuccessfullyLoggedIn)
+                .init(defaultArguments(), this::assertInitAuth)
                .refreshToken(9999, assertEventsContains("Auth Refresh Success"));
    }

@ -216,7 +256,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
        testExecutor.init(defaultArguments(), this::assertInitNotAuth)
                .login(this::assertOnLoginPage)
                .loginForm(testUser, this::assertOnTestAppUrl)
-                .init(defaultArguments(), this::assertSuccessfullyLoggedIn)
+                .init(defaultArguments(), this::assertInitAuth)
                .refreshToken(30, assertOutputContains("Token not refreshed, valid for"))
                .addTimeSkew(-5) // instead of wait move in time
                .refreshToken(30, assertEventsContains("Auth Refresh Success"));
@ -228,7 +268,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                .getProfile(assertOutputContains("Failed to load profile"))
                .login(this::assertOnLoginPage)
                .loginForm(testUser, this::assertOnTestAppUrl)
-                .init(defaultArguments(), this::assertSuccessfullyLoggedIn)
+                .init(defaultArguments(), this::assertInitAuth)
                .getProfile((driver1, output, events) -> Assert.assertThat((Map<String, String>) output, hasEntry("username", testUser.getUsername())));
    }

@ -258,7 +298,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                  .assertEvent();
            String codeId = loginEvent.getDetails().get(Details.CODE_ID);

-            testExecutor.init(defaultArguments(), this::assertSuccessfullyLoggedIn);
+            testExecutor.init(defaultArguments(), this::assertInitAuth);

            applicationsPage.navigateTo();
            events.expectCodeToToken(codeId, loginEvent.getSessionId()).client(CLIENT_ID).assertEvent();
@ -297,13 +337,13 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
        testExecutor.init(defaultArguments().implicitFlow(), this::assertInitNotAuth)
                .login(this::assertOnLoginPage)
                .loginForm(testUser, this::assertOnTestAppUrl)
-                .init(defaultArguments().implicitFlow(), this::assertSuccessfullyLoggedIn);
+                .init(defaultArguments().implicitFlow(), this::assertInitAuth);

    }

    @Test
    public void testCertEndpoint() {
-        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertSuccessfullyLoggedIn)
+        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertInitAuth)
                .sendXMLHttpRequest(XMLHttpRequest.create()
                                .url(authServerContextRootPage + "/auth/realms/" + REALM_NAME + "/protocol/openid-connect/certs")
                                .method("GET")
@ -325,7 +365,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
    @Test
    public void implicitFlowRefreshTokenTest() {
        setImplicitFlowForClient();
-        testExecutor.logInAndInit(defaultArguments().implicitFlow(), testUser, this::assertSuccessfullyLoggedIn)
+        testExecutor.logInAndInit(defaultArguments().implicitFlow(), testUser, this::assertInitAuth)
            .refreshToken(9999, assertOutputContains("Failed to refresh token"));
    }

@ -338,7 +378,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
            adminClient.realms().realm(REALM_NAME).update(realm);

            setImplicitFlowForClient();
-            testExecutor.logInAndInit(defaultArguments().implicitFlow(), testUser, this::assertSuccessfullyLoggedIn)
+            testExecutor.logInAndInit(defaultArguments().implicitFlow(), testUser, this::assertInitAuth)
                  .addTimeSkew(-5); // Move in time instead of wait

            waitUntilElement(eventsArea).text().contains("Access token expired");
@ -352,7 +392,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
    @Test
    public void implicitFlowCertEndpoint() {
        setImplicitFlowForClient();
-        testExecutor.logInAndInit(defaultArguments().implicitFlow(), testUser, this::assertSuccessfullyLoggedIn)
+        testExecutor.logInAndInit(defaultArguments().implicitFlow(), testUser, this::assertInitAuth)
                .sendXMLHttpRequest(XMLHttpRequest.create()
                                .url(authServerContextRootPage + "/auth/realms/" + REALM_NAME + "/protocol/openid-connect/certs")
                                .method("GET")
@ -375,12 +415,12 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                .refresh();
        if (!"phantomjs".equals(System.getProperty("js.browser"))) {
            // I have no idea why, but this request doesn't work with phantomjs, it works in chrome
-            testExecutor.logInAndInit(defaultArguments(), unauthorizedUser, this::assertSuccessfullyLoggedIn)
+            testExecutor.logInAndInit(defaultArguments(), unauthorizedUser, this::assertInitAuth)
                    .sendXMLHttpRequest(request, output -> Assert.assertThat(output, hasEntry("status", 403L)))
                    .logout(this::assertOnTestAppUrl)
                    .refresh();
        }
-        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertSuccessfullyLoggedIn)
+        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertInitAuth)
                .sendXMLHttpRequest(request, assertResponseStatus(200));
    }

@ -397,7 +437,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
        }

        testExecutor.loginForm(testUser, this::assertOnTestAppUrl)
-                .init(defaultArguments(), this::assertSuccessfullyLoggedIn);
+                .init(defaultArguments(), this::assertInitAuth);
    }

    @Test
@ -408,7 +448,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                .addHeader("Accept", "application/json")
                .addHeader("Authorization", "Bearer ' + keycloak.token + '");

-        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertSuccessfullyLoggedIn)
+        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertInitAuth)
                .addTimeSkew(-33);
        setTimeOffset(33);
        testExecutor.refreshToken(5, assertEventsContains("Auth Refresh Success"));
@ -423,7 +463,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {

    @Test
    public void timeSkewTest() {
-        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertSuccessfullyLoggedIn)
+        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertInitAuth)
                .checkTimeSkew((driver1, output, events) -> assertThat(toIntExact((long) output),
                        is(
                            both(greaterThan(0 - TIME_SKEW_TOLERANCE))
@ -446,7 +486,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
    public void testOneSecondTimeSkewTokenUpdate() {
        setTimeOffset(1);

-        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertSuccessfullyLoggedIn)
+        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertInitAuth)
                .refreshToken(9999, assertEventsContains("Auth Refresh Success"));

        try {
@ -470,7 +510,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                .addHeader("Authorization", "Bearer ' + keycloak.token + '")
                .addHeader("Content-Type", "application/json; charset=UTF-8");

-        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertSuccessfullyLoggedIn)
+        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertInitAuth)
                .sendXMLHttpRequest(request, response -> {
                            List<UserRepresentation> users = adminClient.realm(REALM_NAME).users().search("mhajas", 0, 1);
                            assertEquals("There should be created user mhajas", 1, users.size());
@ -481,7 +521,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {

    @Test
    public void equalsSignInRedirectUrl() {
-        testAppUrl = authServerContextRootPage.toString().replace("localhost", NIP_IO_URL) + JAVASCRIPT_URL + "/index.html?test=bla=bla&super=man";
+        testAppUrl = authServerContextRootPage.toString().replace(AUTH_SERVER_HOST, JS_APP_HOST) + JAVASCRIPT_URL + "/index.html?test=bla=bla&super=man";
        jsDriver.navigate().to(testAppUrl);

        JSObjectBuilder arguments = defaultArguments();
@ -491,7 +531,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                .loginForm(testUser, this::assertOnTestAppUrl)
                .init(arguments, (driver1, output1, events2) -> {
                    assertTrue(driver1.getCurrentUrl().contains("bla=bla"));
-                    assertSuccessfullyLoggedIn(driver1, output1, events2);
+                    assertInitAuth(driver1, output1, events2);
                });
    }

@ -518,7 +558,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                  .login(this::assertOnLoginPage)
                  .loginForm(testUser, this::assertOnTestAppUrl)
                  .configure(configuration)
-                  .init(defaultArguments(), this::assertSuccessfullyLoggedIn);
+                  .init(defaultArguments(), this::assertInitAuth);
        } finally {
            adminClient.realm(SPACE_REALM_NAME).update(RealmBuilder.edit(adminClient.realm(SPACE_REALM_NAME).toRepresentation()).name(REALM_NAME).build());
            jsDriverTestRealmLoginPage.setAuthRealm(REALM_NAME);
@ -542,7 +582,16 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
        testExecutor.init(JSObjectBuilder.create()
                    .add("token", token)
                    .add("refreshToken", refreshToken)
-                , this::assertSuccessfullyLoggedIn)
+                , (driver1, output, events) -> {
+                    assertInitAuth(driver1, output, events);
+                    if (suiteContext.hasBrowserStrictCookies()) {
+                        // iframe is unsupported so a token refresh had to be performed
+                        assertEventsContains("Auth Refresh Success").validate(driver1, output, events);
+                    }
+                    else {
+                        assertEventsDoesntContain("Auth Refresh Success").validate(driver1, output, events);
+                    }
+                })
                .refreshToken(9999, assertEventsContains("Auth Refresh Success"));
    }

@ -567,7 +616,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                        .add("token", token)
                        .add("refreshToken", refreshToken)
                        .add("timeSkew", -600)
-                , this::assertSuccessfullyLoggedIn)
+                , this::assertInitAuth)
                .checkTimeSkew((driver1, output, events) -> assertThat((Long) output, is(
                                both(greaterThan(-600L - TIME_SKEW_TOLERANCE))
                                .and(lessThan(-600L + TIME_SKEW_TOLERANCE))
@ -605,7 +654,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {

    @Test
    public void reentrancyCallbackTest() {
-        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertSuccessfullyLoggedIn)
+        testExecutor.logInAndInit(defaultArguments(), testUser, this::assertInitAuth)
            .executeAsyncScript(
                "var callback = arguments[arguments.length - 1];" +
                "keycloak.updateToken(60).then(function () {" +
@ -631,7 +680,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                .login(this::assertOnLoginPage)
                .loginForm(testUser, this::assertOnTestAppUrl)
                .init(defaultArguments(), (driver1, output, events1) -> {
-                    assertSuccessfullyLoggedIn(driver1, output, events1);
+                    assertInitAuth(driver1, output, events1);
                    assertThat(driver1.getCurrentUrl(), containsString("#fragmentPart"));
                });
    }
@ -644,7 +693,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
                        .build(), this::assertOnLoginPage)
                .loginForm(testUser, this::assertOnTestAppUrl)
                .init(defaultArguments(), (driver1, output, events1) -> {
-                    assertSuccessfullyLoggedIn(driver1, output, events1);
+                    assertInitAuth(driver1, output, events1);
                    assertThat(driver1.getCurrentUrl(), containsString("#fragmentPart"));
                });
    }
@ -654,15 +703,15 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
        String refreshWithDeprecatedHandles = "var callback = arguments[arguments.length - 1];" +
                "   window.keycloak.updateToken(9999).success(function (refreshed) {" +
            "            callback('Success handle');" +
-                "   }).catch(function () {" +
-                "       callback('Catch handle');" +
+                "   }).error(function () {" +
+                "       callback('Error handle');" +
                "   });";

        testExecutor.init(defaultArguments(), this::assertInitNotAuth)
-                .executeAsyncScript(refreshWithDeprecatedHandles, assertOutputContains("Catch handle"))
+                .executeAsyncScript(refreshWithDeprecatedHandles, assertOutputContains("Error handle"))
                .login(this::assertOnLoginPage)
                .loginForm(testUser, this::assertOnTestAppUrl)
-                .init(defaultArguments(), this::assertSuccessfullyLoggedIn)
+                .init(defaultArguments(), this::assertInitAuth)
                .executeAsyncScript(refreshWithDeprecatedHandles, assertOutputContains("Success handle"));
    }

@ -677,7 +726,7 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
        updatePasswordPage.updatePasswords(USER_PASSWORD, USER_PASSWORD);

        testExecutor.init(defaultArguments(), (driver1, output, events1) -> {
-            assertSuccessfullyLoggedIn(driver1, output, events1);
+            assertInitAuth(driver1, output, events1);
            waitUntilElement(events1).text().contains("AIA status: success");
        });
    }
@ -693,8 +742,12 @@ public class JavascriptAdapterTest extends AbstractJavascriptTest {
        updatePasswordPage.cancel();

        testExecutor.init(defaultArguments(), (driver1, output, events1) -> {
-            assertSuccessfullyLoggedIn(driver1, output, events1);
+            assertInitAuth(driver1, output, events1);
            waitUntilElement(events1).text().contains("AIA status: cancelled");
        });
    }
+
+    protected void assertAdapterIsLoggedIn(WebDriver driver1, Object output, WebElement events) {
+        assertTrue(testExecutor.isLoggedIn());
+    }
 }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenDuplicateEmailsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenDuplicateEmailsTest.java
@ -30,7 +30,8 @@ import java.util.List;
 import static org.junit.Assert.assertEquals;
 import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
 import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
+
 import org.openqa.selenium.By;

 /**
@ -62,7 +63,7 @@ public class AccessTokenDuplicateEmailsTest extends AbstractKeycloakTest {
    @Test
    public void loginFormUsernameLabel() throws Exception {
        oauth.openLoginForm();
-        oauth.redirectUri(AuthServerTestEnricher.getAuthServerContextRoot() + "/does/not/matter/");
+        oauth.redirectUri(getAuthServerContextRoot() + "/does/not/matter/");
        
        assertEquals("Username", driver.findElement(By.xpath("//label[@for='username']")).getText());
    }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java
@ -45,7 +45,6 @@ import org.keycloak.events.Errors;
 import org.keycloak.jose.jws.JWSHeader;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.JWSInputException;
-import org.keycloak.models.Constants;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
@ -66,7 +65,6 @@ import org.keycloak.testsuite.AbstractKeycloakTest;
 import org.keycloak.testsuite.ActionURIUtils;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.admin.ApiUtil;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.util.ClientBuilder;
 import org.keycloak.testsuite.util.ClientManager;
 import org.keycloak.testsuite.util.OAuthClient;
@ -106,7 +104,7 @@ import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
 import static org.keycloak.testsuite.admin.ApiUtil.findClientByClientId;
 import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername;
 import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsernameId;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.util.OAuthClient.AUTH_SERVER_ROOT;
 import static org.keycloak.testsuite.util.ProtocolMapperUtil.createRoleNameMapper;
 import static org.keycloak.testsuite.Assert.assertExpiration;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2OnlyTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OAuth2OnlyTest.java
@ -17,7 +17,6 @@

 package org.keycloak.testsuite.oauth;

-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.stream.Collectors;
@ -47,7 +46,7 @@ import org.keycloak.testsuite.util.ClientManager;
 import org.keycloak.testsuite.util.OAuthClient;

 import static org.junit.Assert.assertEquals;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;

 /**
 * Test for scenarios when 'scope=openid' is missing. Which means we have pure OAuth2 request (not OpenID Connect)
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java
@ -51,7 +51,6 @@ import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testsuite.AbstractKeycloakTest;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.admin.ApiUtil;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.auth.page.AuthRealm;
 import org.keycloak.testsuite.pages.AccountApplicationsPage;
 import org.keycloak.testsuite.pages.LoginPage;
@ -85,6 +84,7 @@ import static org.keycloak.testsuite.admin.ApiUtil.findRealmRoleByName;
 import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername;
 import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsernameId;
 import static org.keycloak.testsuite.util.OAuthClient.APP_ROOT;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
@ -500,7 +500,7 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
        tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "secret1");

        // Use accessToken to admin REST request
-        try (Keycloak offlineTokenAdmin = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
+        try (Keycloak offlineTokenAdmin = Keycloak.getInstance(getAuthServerContextRoot() + "/auth",
                AuthRealm.MASTER, Constants.ADMIN_CLI_CLIENT_ID, tokenResponse.getAccessToken(), TLSUtils.initializeTLS())) {
            RealmRepresentation testRealm = offlineTokenAdmin.realm("test").toRepresentation();
            Assert.assertNotNull(testRealm);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/RefreshTokenTest.java
@ -83,7 +83,7 @@ import static org.junit.Assert.assertTrue;
 import static org.keycloak.testsuite.Assert.assertExpiration;
 import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
 import static org.keycloak.testsuite.admin.ApiUtil.findUserByUsername;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.util.OAuthClient.AUTH_SERVER_ROOT;

 /**
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/openshift/OpenShiftTokenReviewEndpointTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/openshift/OpenShiftTokenReviewEndpointTest.java
@ -31,12 +31,9 @@ import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.admin.ApiUtil;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
-import org.keycloak.testsuite.arquillian.annotation.RestartContainer;
 import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
-import org.keycloak.testsuite.util.ContainerAssume;
 import org.keycloak.testsuite.util.OAuthClient;
 import org.keycloak.testsuite.util.UserBuilder;
 import org.keycloak.util.JsonSerialization;
@ -53,7 +50,8 @@ import java.util.Map;
 import static org.hamcrest.collection.IsIterableContainingInAnyOrder.containsInAnyOrder;
 import static org.junit.Assert.*;
 import static org.keycloak.common.Profile.Feature.OPENSHIFT_INTEGRATION;
-import static org.keycloak.testsuite.ProfileAssume.assumeFeatureEnabled;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
+
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;

@AuthServerContainerExclude({AuthServer.REMOTE, AuthServer.QUARKUS})
@ -377,7 +375,7 @@ public class OpenShiftTokenReviewEndpointTest extends AbstractTestRealmKeycloakT
                }

                try (CloseableHttpClient client = HttpClientBuilder.create().build()) {
-                    String url = AuthServerTestEnricher.getAuthServerContextRoot() + "/auth/realms/" + realm + "/protocol/openid-connect/ext/openshift-token-review/" + clientId;
+                    String url = getAuthServerContextRoot() + "/auth/realms/" + realm + "/protocol/openid-connect/ext/openshift-token-review/" + clientId;

                    OpenShiftTokenReviewRequestRepresentation request = new OpenShiftTokenReviewRequestRepresentation();
                    OpenShiftTokenReviewRequestRepresentation.Spec spec = new OpenShiftTokenReviewRequestRepresentation.Spec();
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AbstractSamlTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AbstractSamlTest.java
@ -18,7 +18,7 @@ import java.security.spec.X509EncodedKeySpec;
 import java.util.Base64;
 import java.util.List;

-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.getAuthServerContextRoot;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
 import static org.keycloak.testsuite.utils.io.IOUtil.loadRealm;

 /**
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AudienceProtocolMappersTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AudienceProtocolMappersTest.java
@ -36,11 +36,9 @@ import org.keycloak.representations.idm.RoleRepresentation;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
 import org.keycloak.testsuite.admin.ApiUtil;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_PORT;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SCHEME;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
-import static org.keycloak.testsuite.saml.AbstractSamlTest.REALM_NAME;
-import static org.keycloak.testsuite.saml.AbstractSamlTest.SAML_CLIENT_ID_EMPLOYEE_2;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SCHEME;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.saml.RoleMapperTest.createSamlProtocolMapper;
 import org.keycloak.testsuite.updaters.ClientAttributeUpdater;
 import org.keycloak.testsuite.updaters.ProtocolMappersUpdater;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BasicSamlTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/BasicSamlTest.java
@ -44,8 +44,7 @@ import org.w3c.dom.Document;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.Matchers.containsString;
 import static org.junit.Assert.assertThat;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_PORT;
-import static org.keycloak.testsuite.saml.AbstractSamlTest.REALM_NAME;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT;
 import static org.keycloak.testsuite.utils.io.IOUtil.documentToString;
 import static org.keycloak.testsuite.utils.io.IOUtil.setDocElementAttributeValue;
 import static org.keycloak.testsuite.util.Matchers.statusCodeIsHC;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/RoleMapperTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/RoleMapperTest.java
@ -47,10 +47,9 @@ import org.junit.Test;

 import static org.hamcrest.Matchers.containsInAnyOrder;
 import static org.junit.Assert.assertThat;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_PORT;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SCHEME;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
-import static org.keycloak.testsuite.saml.AbstractSamlTest.REALM_NAME;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SCHEME;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.util.SamlStreams.assertionsUnencrypted;
 import static org.keycloak.testsuite.util.SamlStreams.attributesUnecrypted;
 import static org.keycloak.testsuite.util.SamlStreams.attributeStatements;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/ssl/TLSTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/ssl/TLSTest.java
@ -1,6 +1,6 @@
 package org.keycloak.testsuite.ssl;

-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;

 import org.junit.Assume;
 import org.junit.BeforeClass;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/url/DefaultHostnameTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/url/DefaultHostnameTest.java
@ -6,7 +6,6 @@ import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.jboss.arquillian.container.test.api.ContainerController;
 import org.jboss.arquillian.test.api.ArquillianResource;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.keycloak.admin.client.Keycloak;
 import org.keycloak.admin.client.resource.RealmResource;
@ -25,11 +24,9 @@ import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
 import org.keycloak.representations.idm.ClientInitialAccessPresentation;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.util.AdminClientUtil;
 import org.keycloak.testsuite.util.ClientBuilder;
-import org.keycloak.testsuite.util.ContainerAssume;
 import org.keycloak.testsuite.util.OAuthClient;
 import org.keycloak.testsuite.util.RealmBuilder;
 import org.keycloak.testsuite.util.UserBuilder;
@ -44,6 +41,7 @@ import static org.junit.Assert.assertTrue;
 import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.QUARKUS;
 import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE;
 import static org.keycloak.testsuite.util.OAuthClient.AUTH_SERVER_ROOT;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;

@AuthServerContainerExclude({REMOTE, QUARKUS})
 public class DefaultHostnameTest extends AbstractHostnameTest {
@ -79,7 +77,7 @@ public class DefaultHostnameTest extends AbstractHostnameTest {

        oauth.clientId("direct-grant");

-        try (Keycloak testAdminClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), AuthServerTestEnricher.getAuthServerContextRoot())) {
+        try (Keycloak testAdminClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), getAuthServerContextRoot())) {
            assertWellKnown("test", expectedBackendUrl);

            configureDefault(globalFrontEndUrl, false, null);
@ -150,7 +148,7 @@ public class DefaultHostnameTest extends AbstractHostnameTest {

        oauth.clientId("direct-grant");

-        try (Keycloak testAdminClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), AuthServerTestEnricher.getAuthServerContextRoot())) {
+        try (Keycloak testAdminClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), getAuthServerContextRoot())) {
            assertWellKnown("test", expectedBackendUrl);

            configureDefault(globalFrontEndUrl, true, null);
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/url/FixedHostnameTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/url/FixedHostnameTest.java
@ -30,7 +30,6 @@ import org.keycloak.saml.common.constants.GeneralConstants;
 import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
 import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
-import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
 import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
 import org.keycloak.testsuite.updaters.Creator;
 import org.keycloak.testsuite.util.AdminClientUtil;
@ -59,13 +58,12 @@ import static org.hamcrest.Matchers.notNullValue;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_PORT;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SCHEME;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SCHEME;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
 import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.QUARKUS;
 import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE;

-import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
-
@AuthServerContainerExclude({REMOTE, QUARKUS})
 public class FixedHostnameTest extends AbstractHostnameTest {

@ -96,7 +94,7 @@ public class FixedHostnameTest extends AbstractHostnameTest {

        oauth.clientId("direct-grant");

-        try (Keycloak testAdminClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), AuthServerTestEnricher.getAuthServerContextRoot())) {
+        try (Keycloak testAdminClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), getAuthServerContextRoot())) {
            assertWellKnown("test", AUTH_SERVER_SCHEME + "://localhost:" + AUTH_SERVER_PORT);
            assertSamlIdPDescriptor("test", AUTH_SERVER_SCHEME + "://localhost:" + AUTH_SERVER_PORT);

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/ReverseProxy.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/ReverseProxy.java
@ -1,8 +1,8 @@
 package org.keycloak.testsuite.util;

-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.getHttpAuthServerContextRoot;
-import static org.keycloak.testsuite.util.URLUtils.removeDefaultPorts;
+import static org.keycloak.testsuite.util.ServerURLs.removeDefaultPorts;

 import org.junit.rules.TestRule;
 import org.junit.runner.Description;
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/URLAssert.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/URLAssert.java
@ -41,7 +41,7 @@ import static org.junit.Assert.assertTrue;
 import static org.keycloak.testsuite.util.URLUtils.currentUrlDoesntStartWith;
 import static org.keycloak.testsuite.util.URLUtils.currentUrlEquals;
 import static org.keycloak.testsuite.util.URLUtils.currentUrlStartsWith;
-import static org.keycloak.testsuite.util.URLUtils.removeDefaultPorts;
+import static org.keycloak.testsuite.util.ServerURLs.removeDefaultPorts;

 /**
 *
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/WebAuthnFeatureTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/WebAuthnFeatureTest.java
@ -18,7 +18,6 @@

 package org.keycloak.testsuite.webauthn;

-import java.util.List;
 import java.util.Set;

 import org.junit.Assert;
@ -34,7 +33,7 @@ import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
 import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;

-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;

@EnableFeature(value = Profile.Feature.WEB_AUTHN, skipRestart = true, onlyForProduct = true)
 public class WebAuthnFeatureTest extends AbstractTestRealmKeycloakTest {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/WebAuthnRegisterAndLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/webauthn/WebAuthnRegisterAndLoginTest.java
@ -22,8 +22,6 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.keycloak.WebAuthnConstants;
-import org.keycloak.authentication.AuthenticatorSpi;
-import org.keycloak.authentication.authenticators.browser.WebAuthnAuthenticatorFactory;
 import org.keycloak.authentication.requiredactions.WebAuthnRegisterFactory;
 import org.keycloak.authentication.requiredactions.WebAuthnPasswordlessRegisterFactory;
 import org.keycloak.common.Profile;
@ -36,13 +34,10 @@ import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.representations.idm.EventRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
-import org.keycloak.representations.info.ServerInfoRepresentation;
 import org.keycloak.testsuite.AssertEvents;
-import org.keycloak.testsuite.ProfileAssume;
 import org.keycloak.testsuite.admin.AbstractAdminTest;
 import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
 import org.keycloak.testsuite.admin.ApiUtil;
-import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
 import org.keycloak.testsuite.pages.LoginPage;
 import org.keycloak.testsuite.pages.RegisterPage;
@ -58,11 +53,10 @@ import static org.junit.Assert.assertEquals;
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.List;
-import java.util.Set;

 import org.junit.Assume;
 import org.junit.BeforeClass;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;

@EnableFeature(value = Profile.Feature.WEB_AUTHN, skipRestart = true, onlyForProduct = true)
 public class WebAuthnRegisterAndLoginTest extends AbstractTestRealmKeycloakTest {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/x509/AbstractX509AuthenticationTest.java
@ -18,7 +18,6 @@

 package org.keycloak.testsuite.x509;

-import org.hamcrest.CoreMatchers;
 import org.hamcrest.Matchers;
 import org.jboss.arquillian.graphene.page.Page;
 import org.jboss.logging.Logger;
@ -82,11 +81,9 @@ import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorC
 import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN;
 import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_CN;
 import static org.keycloak.authentication.authenticators.x509.X509AuthenticatorConfigModel.MappingSourceType.SUBJECTDN_EMAIL;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer.REMOTE;

-import org.keycloak.testsuite.util.ContainerAssume;
-
 /**
 * @author <a href="mailto:brat000012001@gmail.com">Peter Nalyvayko</a>
 * @version $Revision: 1 $
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml
@ -134,7 +134,10 @@
            <property name="jbossArguments">
                -Djboss.as.management.blocking.timeout=${auth.server.jboss.startup.timeout}
                -Djboss.socket.binding.port-offset=${auth.server.port.offset}
-                -Djboss.bind.address=0.0.0.0 
+                -Djboss.bind.address=0.0.0.0
+                -Dauth.server.host=${auth.server.host}
+                -Dauth.server.host2=${auth.server.host2}
+                -Dauth.server.ssl.required=${auth.server.ssl.required}
                -Dauth.server.http.port=${auth.server.http.port}
                -Dauth.server.https.port=${auth.server.https.port}
                -Dkeycloak.password.blacklists.path=${keycloak.password.blacklists.path}
--- a/testsuite/integration-arquillian/tests/base/src/test/resources/firefox-cookies-prefs.js
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/firefox-cookies-prefs.js
@ -1,4 +1,5 @@
+// DO NOT USE ANY COMMENTS THAT ARE PLACED ON THE SAME LINE AS user_pref !!!
 user_pref("network.cookie.sameSite.laxByDefault", true);
 user_pref("network.cookie.sameSite.laxPlusPOST.timeout", 0);
 user_pref("network.cookie.sameSite.noneRequiresSecure", true);
-user_pref("network.cookie.cookieBehavior", 1); // only accept from the originating site (block third party cookies)
+user_pref("network.cookie.cookieBehavior", 1);
--- a/testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/realm/LoginSettingsTest.java
+++ b/testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/realm/LoginSettingsTest.java
@ -41,8 +41,8 @@ import static org.junit.Assert.assertTrue;
 import static org.keycloak.representations.idm.CredentialRepresentation.PASSWORD;
 import static org.keycloak.testsuite.admin.ApiUtil.createUserAndResetPasswordWithAdminClient;
 import static org.keycloak.testsuite.admin.Users.setPasswordFor;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_PORT;
-import static org.keycloak.testsuite.arquillian.AuthServerTestEnricher.AUTH_SERVER_SSL_REQUIRED;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT;
+import static org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED;
 import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith;
 import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWithLoginUrlOf;
--- a/testsuite/integration-arquillian/tests/other/springboot-tests/src/test/java/org/keycloak/testsuite/springboot/AccountLinkSpringBootTest.java
+++ b/testsuite/integration-arquillian/tests/other/springboot-tests/src/test/java/org/keycloak/testsuite/springboot/AccountLinkSpringBootTest.java
@ -184,7 +184,7 @@ public class AccountLinkSpringBootTest extends AbstractSpringBootTest {

        UriBuilder redirectUri = UriBuilder.fromUri(LINKING_URL).queryParam("response", "true");

-        UriBuilder directLinking = UriBuilder.fromUri(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth")
+        UriBuilder directLinking = UriBuilder.fromUri(getAuthServerContextRoot() + "/auth")
                .path("realms/{child-realm}/broker/{provider}/link")
                .queryParam("client_id", CLIENT_ID)
                .queryParam("redirect_uri", redirectUri.build())
@ -470,7 +470,7 @@ public class AccountLinkSpringBootTest extends AbstractSpringBootTest {

            String uri = "/auth/realms/" + REALM_NAME + "/broker/" + PARENT_REALM + "/login";

-            uri = UriBuilder.fromUri(AuthServerTestEnricher.getAuthServerContextRoot())
+            uri = UriBuilder.fromUri(getAuthServerContextRoot())
                    .path(uri)
                    .queryParam(LoginActionsService.SESSION_CODE, queryParams.get(LoginActionsService.SESSION_CODE))
                    .queryParam(Constants.CLIENT_ID, queryParams.get(Constants.CLIENT_ID))
--- a/testsuite/integration-arquillian/tests/pom.xml
+++ b/testsuite/integration-arquillian/tests/pom.xml
@ -172,6 +172,7 @@
        <skip.copy.example.wars>false</skip.copy.example.wars>

        <browser>htmlUnit</browser>
+        <browser.strict.cookies>false</browser.strict.cookies>
        <webdriverDownloadBinaries>true</webdriverDownloadBinaries>
        <droneInstantiationTimeoutInSeconds>60</droneInstantiationTimeoutInSeconds>
        <github.username/>
@ -559,6 +560,7 @@
                            <dependency.keystore.password>${dependency.keystore.password}</dependency.keystore.password>

                            <browser>${browser}</browser>
+                            <browser.strict.cookies>${browser.strict.cookies}</browser.strict.cookies>
                            <js.browser>${js.browser}</js.browser>
                            <js.chromeArguments>${js.chromeArguments}</js.chromeArguments>
                            <htmlUnitBrowserVersion>${htmlUnitBrowserVersion}</htmlUnitBrowserVersion>
@ -1976,8 +1978,10 @@
            <id>firefox-strict-cookies</id>
            <properties>
                <browser>firefox</browser>
+                <js.browser>firefox</js.browser>
                <firefoxUserPreferences>${project.build.directory}/dependency/firefox-cookies-prefs.js</firefoxUserPreferences>
                <firefoxHeadless>true</firefoxHeadless>
+                <browser.strict.cookies>true</browser.strict.cookies>
            </properties>
        </profile>

--- a/testsuite/integration-arquillian/util/pom.xml
+++ b/testsuite/integration-arquillian/util/pom.xml
@ -42,6 +42,11 @@
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-servlet-filter-adapter</artifactId>
        </dependency>
+        <dependency>
+            <groupId>org.keycloak.testsuite</groupId>
+            <artifactId>integration-arquillian-testsuite-providers</artifactId>
+            <version>${project.version}</version>
+        </dependency>
        <dependency>
            <groupId>org.jboss.shrinkwrap.resolver</groupId>
            <artifactId>shrinkwrap-resolver-api-maven</artifactId>
--- a/testsuite/integration-arquillian/util/src/main/java/org/keycloak/testsuite/utils/arquillian/DeploymentArchiveProcessorUtils.java
+++ b/testsuite/integration-arquillian/util/src/main/java/org/keycloak/testsuite/utils/arquillian/DeploymentArchiveProcessorUtils.java
@ -40,6 +40,10 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;

+import static org.keycloak.testsuite.utils.io.IOUtil.modifyDocElementAttribute;
+import static org.keycloak.testsuite.util.ServerURLs.getAppServerContextRoot;
+import static org.keycloak.testsuite.util.ServerURLs.getAuthServerContextRoot;
+
 /**
 *
 * @author <a href="mailto:vramik@redhat.com">Vlasta Ramik</a>
@ -51,6 +55,10 @@ public class DeploymentArchiveProcessorUtils {
    private static final boolean AUTH_SERVER_SSL_REQUIRED = Boolean.parseBoolean(System.getProperty("auth.server.ssl.required"));
    private static final boolean APP_SERVER_SSL_REQUIRED = Boolean.parseBoolean(System.getProperty("app.server.ssl.required"));

+    private static final String APP_SERVER_SCHEMA = APP_SERVER_SSL_REQUIRED ? "https" : "http";
+    private static final String APP_SERVER_PORT_PROPERTY = "auth.server." + APP_SERVER_SCHEMA + ".port";
+    private static final String AUTH_SERVER_REPLACED_URL = "http://localhost:8080";
+
    public static final String WEBXML_PATH = "/WEB-INF/web.xml";
    public static final String ADAPTER_CONFIG_PATH = "/WEB-INF/keycloak.json";
    public static final String ADAPTER_CONFIG_PATH_TENANT1 = "/WEB-INF/classes/tenant1-keycloak.json";
@ -223,28 +231,12 @@ public class DeploymentArchiveProcessorUtils {
    public static void modifySAMLAdapterConfig(Archive<?> archive, String adapterConfigPath) {
        Document doc = IOUtil.loadXML(archive.get(adapterConfigPath).getAsset().openStream());

-        if (AUTH_SERVER_SSL_REQUIRED) {
-            IOUtil.modifyDocElementAttribute(doc, "SingleSignOnService", "bindingUrl", "8080", System.getProperty("auth.server.https.port"));
-            IOUtil.modifyDocElementAttribute(doc, "SingleSignOnService", "bindingUrl", "http", "https");
-            IOUtil.modifyDocElementAttribute(doc, "SingleLogoutService", "postBindingUrl", "8080", System.getProperty("auth.server.https.port"));
-            IOUtil.modifyDocElementAttribute(doc, "SingleLogoutService", "postBindingUrl", "http", "https");
-            IOUtil.modifyDocElementAttribute(doc, "SingleLogoutService", "redirectBindingUrl", "8080", System.getProperty("auth.server.https.port"));
-            IOUtil.modifyDocElementAttribute(doc, "SingleLogoutService", "redirectBindingUrl", "http", "https");
-        } else {
-            IOUtil.modifyDocElementAttribute(doc, "SingleSignOnService", "bindingUrl", "8080", System.getProperty("auth.server.http.port"));
-            IOUtil.modifyDocElementAttribute(doc, "SingleLogoutService", "postBindingUrl", "8080", System.getProperty("auth.server.http.port"));
-            IOUtil.modifyDocElementAttribute(doc, "SingleLogoutService", "redirectBindingUrl", "8080", System.getProperty("auth.server.http.port"));
-        }
+        modifyDocElementAttribute(doc, "SingleSignOnService", "bindingUrl", AUTH_SERVER_REPLACED_URL, getAuthServerContextRoot());
+        modifyDocElementAttribute(doc, "SingleLogoutService", "postBindingUrl", AUTH_SERVER_REPLACED_URL, getAuthServerContextRoot());
+        modifyDocElementAttribute(doc, "SingleLogoutService", "redirectBindingUrl", AUTH_SERVER_REPLACED_URL, getAuthServerContextRoot());

-        if (APP_SERVER_SSL_REQUIRED) {
-            IOUtil.modifyDocElementAttribute(doc, "SP", "logoutPage", "8080", System.getProperty("app.server.https.port"));
-            IOUtil.modifyDocElementAttribute(doc, "SP", "logoutPage", "http", "https");
-            IOUtil.modifyDocElementAttribute(doc, "SingleSignOnService", "assertionConsumerServiceUrl", "8080", System.getProperty("app.server.https.port"));
-            IOUtil.modifyDocElementAttribute(doc, "SingleSignOnService", "assertionConsumerServiceUrl", "http", "https");
-        } else {
-            IOUtil.modifyDocElementAttribute(doc, "SP", "logoutPage", "8080", System.getProperty("app.server.http.port"));
-            IOUtil.modifyDocElementAttribute(doc, "SingleSignOnService", "assertionConsumerServiceUrl", "8080", System.getProperty("app.server.http.port"));
-        }
+        modifyDocElementAttribute(doc, "SingleSignOnService", "assertionConsumerServiceUrl", AUTH_SERVER_REPLACED_URL, getAppServerContextRoot());
+        modifyDocElementAttribute(doc, "SP", "logoutPage", AUTH_SERVER_REPLACED_URL, getAppServerContextRoot());

        archive.add(new StringAsset(IOUtil.documentToString(doc)), adapterConfigPath);