diff --git a/modules/core/distribution/identity_config_change.xml b/modules/core/distribution/identity_config_change.xml
new file mode 100644
index 00000000..2b56094e
--- /dev/null
+++ b/modules/core/distribution/identity_config_change.xml
@@ -0,0 +1,32 @@
+<processor>
+	<!-- Remove the scope validator from the identity.xml if it exists. Otherwise running the build several times
+	   causes several scope validator elements to be added-->
+	<remove>
+		<name>//s:Server/s:OAuth/s:OAuthScopeValidator</name>
+	</remove>
+	<!-- Add the scope validator config element -->
+	<add>
+		<after>//s:Server/s:OAuth/s:OAuthCallbackHandlers</after>
+		<value><![CDATA[<OAuthScopeValidator class="org.wso2.carbon.device.mgt.oauth.extensions.validators.ExtendedJDBCScopeValidator"/>]]></value>
+	</add>
+	<!-- Add the ntlm grant type validator config element -->
+	<add>
+		<after>//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm']/s:GrantTypeName</after>
+		<value>
+			<![CDATA[<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth.common.NTLMAuthenticationValidator</GrantTypeValidatorImplClass>]]></value>
+	</add>
+	<add>
+		<after>//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm']/s:GrantTypeName</after>
+		<value>
+			<![CDATA[<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth.common.NTLMAuthenticationValidator</GrantTypeValidatorImplClass>]]></value>
+	</add>
+	<add>
+		<after>//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm']</after>
+		<value>
+			<![CDATA[<SupportedGrantType>
+		<GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
+		<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
+		<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
+	</SupportedGrantType>]]></value>
+	</add>
+</processor>
\ No newline at end of file
diff --git a/modules/core/distribution/pom.xml b/modules/core/distribution/pom.xml
index 4e8d95c3..ced1d3c1 100644
--- a/modules/core/distribution/pom.xml
+++ b/modules/core/distribution/pom.xml
@@ -90,6 +90,83 @@
 				</executions>
 			</plugin>
 
+			<plugin>
+				<groupId>com.google.code.maven-replacer-plugin</groupId>
+				<artifactId>replacer</artifactId>
+				<version>1.5.2</version>
+				<executions>
+					<!-- Replace Datasource, Scope mpl classes and OAuth callback class in identity.xml -->
+					<execution>
+						<id>replace-for-identity</id>
+						<phase>prepare-package</phase>
+						<goals>
+							<goal>replace</goal>
+						</goals>
+						<configuration>
+							<file>${basedir}/../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/identity/identity.xml</file>
+							<replacements>
+								<replacement>
+									<xpath>/Server/JDBCPersistenceManager/DataSource/Name</xpath>
+									<token>(jdbc/WSO2CarbonDB)</token>
+									<value>jdbc/WSO2AM_DB</value>
+								</replacement>
+								<replacement>
+									<xpath>/Server/OAuth/SupportedGrantTypes/SupportedGrantType</xpath>
+									<token>(org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler)</token>
+									<value>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedAuthorizationCodeGrantHandler</value>
+								</replacement>
+								<replacement>
+									<xpath>/Server/OAuth/SupportedGrantTypes/SupportedGrantType</xpath>
+									<token>(org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler)</token>
+									<value>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler</value>
+								</replacement>
+								<replacement>
+									<xpath>/Server/OAuth/SupportedGrantTypes/SupportedGrantType</xpath>
+									<token>(org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler)</token>
+									<value>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedClientCredentialsGrantHandler</value>
+								</replacement>
+								<replacement>
+									<xpath>/Server/OAuth/SupportedGrantTypes/SupportedGrantType</xpath>
+									<token>(org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler)</token>
+									<value>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedSAML2BearerGrantHandler</value>
+								</replacement>
+								<replacement>
+									<xpath>/Server/OAuth/SupportedGrantTypes/SupportedGrantType</xpath>
+									<token>(org.wso2.carbon.identity.oauth2.token.handlers.grant.iwa.ntlm.NTLMAuthenticationGrantHandler)</token>
+									<value>org.wso2.carbon.identity.oauth2.token.handlers.grant.iwa.ntlm.NTLMAuthenticationGrantHandlerWithHandshake</value>
+								</replacement>
+								<replacement>
+									<xpath>/Server/OAuth/OAuthCallbackHandlers</xpath>
+									<token>(org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler)</token>
+									<value>org.wso2.carbon.apimgt.keymgt.util.APIManagerOAuthCallbackHandler</value>
+								</replacement>
+
+							</replacements>
+						</configuration>
+					</execution>
+					<!-- Replace Datasource, Scope mpl classes and OAuth callback class in identity.xml -->
+
+					<!-- Replace the Datasource in the thrift-authentication.xml file -->
+					<execution>
+						<id>replace-for-thrift</id>
+						<phase>prepare-package</phase>
+						<goals>
+							<goal>replace</goal>
+						</goals>
+						<configuration>
+							<file>${basedir}/../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/identity/thrift-authentication.xml</file>
+							<replacements>
+								<replacement>
+									<xpath>/Server/JDBCPersistenceManager/DataSource/Name</xpath>
+									<token>(jdbc/WSO2CarbonDB)</token>
+									<value>jdbc/WSO2AM_DB</value>
+								</replacement>
+							</replacements>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+
 			<!-- Add the input and output adapter configs to the file -->
 			<plugin>
 				<groupId>com.google.code.maven-config-processor-plugin</groupId>
@@ -130,6 +207,43 @@
 							</transformations>
 						</configuration>
 					</execution>
+					<execution>
+						<id>add-scope-validator</id>
+						<phase>prepare-package</phase>
+						<goals>
+							<goal>process</goal>
+						</goals>
+						<configuration>
+							<failOnMissingXpath>false</failOnMissingXpath>
+							<transformations>
+								<transformation>
+									<input>${basedir}/../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/identity/identity.xml</input>
+									<output>../../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/identity/identity.xml</output>
+									<config>identity_config_change.xml</config>
+								</transformation>
+							</transformations>
+							<namespaceContexts>
+								<s>http://wso2.org/projects/carbon/carbon.xml</s>
+							</namespaceContexts>
+						</configuration>
+					</execution>
+					<execution>
+						<id>init-claim-manager</id>
+						<phase>prepare-package</phase>
+						<goals>
+							<goal>process</goal>
+						</goals>
+						<configuration>
+							<failOnMissingXpath>false</failOnMissingXpath>
+							<transformations>
+								<transformation>
+									<input>${basedir}/../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/user-mgt.xml</input>
+									<output>../../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/user-mgt.xml</output>
+									<config>user_mgt_config_change.xml</config>
+								</transformation>
+							</transformations>
+						</configuration>
+					</execution>
 				</executions>
 			</plugin>
 
@@ -444,6 +558,7 @@
 					</execution>
 				</executions>
 			</plugin>
+
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-deploy-plugin</artifactId>
@@ -451,52 +566,6 @@
 					<skip>true</skip>
 				</configuration>
 			</plugin>
-			<plugin>
-				<groupId>com.google.code.maven-replacer-plugin</groupId>
-				<artifactId>replacer</artifactId>
-				<version>1.5.2</version>
-				<executions>
-					<!-- Replace Datasource, Scope mpl classes and OAuth callback class in identity.xml -->
-					<execution>
-						<id>replace-for-api-manager</id>
-						<phase>prepare-package</phase>
-						<goals>
-							<goal>replace</goal>
-						</goals>
-						<configuration>
-							<file>
-								${basedir}/../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/conf/api-manager.xml
-							</file>
-							<replacements>
-								<replacement>
-									<xpath>/APIManager/GatewayType</xpath>
-									<token>Synapse</token>
-									<value>None</value>
-								</replacement>
-							</replacements>
-						</configuration>
-					</execution>
-					<execution>
-						<id>replace-for-api-store</id>
-						<phase>prepare-package</phase>
-						<goals>
-							<goal>replace</goal>
-						</goals>
-						<configuration>
-							<file>
-								${basedir}/../p2-profile-gen/target/wso2carbon-core-${carbon.kernel.version}/repository/deployment/server/jaggeryapps/api-store/site/conf/site.json
-							</file>
-							<replacements>
-								<replacement>
-									<token>(/store)</token>
-									<value>/api-store</value>
-								</replacement>
-							</replacements>
-						</configuration>
-					</execution>
-
-				</executions>
-			</plugin>
 		</plugins>
 	</build>
 
diff --git a/modules/core/distribution/src/assembly/bin.xml b/modules/core/distribution/src/assembly/bin.xml
index 233f1d0c..f6e54c1a 100644
--- a/modules/core/distribution/src/assembly/bin.xml
+++ b/modules/core/distribution/src/assembly/bin.xml
@@ -74,6 +74,7 @@
                 <exclude>**/lib/encoder*</exclude>
                 <exclude>**/plugins/jaxb*</exclude>
                 <exclude>**/security/authenticators.xml</exclude>
+				<exclude>**/user-mgt.xml</exclude>
 
                 <exclude>**/plugins/org.wso2.carbon.localentry.ui*</exclude>
                 <exclude>**/plugins/org.wso2.carbon.mediation.security.ui*</exclude>
@@ -224,6 +225,7 @@
                 <include>**/log4j.properties</include>
                 <include>**/nhttp.properties</include>
                 <include>**/passthru-http.properties</include>
+				<include>**/user-mgt.xml</include>
             </includes>
         </fileSet>
         <fileSet>
@@ -594,6 +596,8 @@
                 <include>**/msg-mgt.properties</include>
                 <include>**/entitlement.properties</include>
                 <include>**/EndpointConfig.properties</include>
+				<include>**/identity.xml</include>
+				<include>**/thrift-authentication.xml</include>
             </includes>
         </fileSet>
         <fileSet>
@@ -850,24 +854,12 @@
             <filtered>true</filtered>
             <fileMode>644</fileMode>
         </file>
-        <file>
-            <source>src/repository/conf/identity/identity.xml</source>
-            <outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/identity
-            </outputDirectory>
-            <fileMode>644</fileMode>
-        </file>
         <file>
             <source>src/repository/conf/identity/application-authentication.xml</source>
             <outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/identity
             </outputDirectory>
             <fileMode>644</fileMode>
         </file>
-        <file>
-            <source>src/repository/conf/identity/thrift-authentication.xml</source>
-            <outputDirectory>${pom.artifactId}-${pom.version}/repository/conf/identity</outputDirectory>
-            <filtered>true</filtered>
-            <fileMode>644</fileMode>
-        </file>
         <file>
             <source>
                 src/repository/conf/identity/identity-providers/iot_default.xml
diff --git a/modules/core/distribution/src/repository/conf/carbon.xml b/modules/core/distribution/src/repository/conf/carbon.xml
index 9e856b84..40345945 100644
--- a/modules/core/distribution/src/repository/conf/carbon.xml
+++ b/modules/core/distribution/src/repository/conf/carbon.xml
@@ -47,12 +47,13 @@
 	   This is will become part of the End Point Reference of the
 	   services deployed on this server instance.
 	-->
-	<!--<HostName>localhost</HostName>-->
+
+	<HostName>localhost</HostName>
 
 	<!--
 	Host name to be used for the Carbon management console
 	-->
-	<!--<MgtHostName>localhost</MgtHostName>-->
+	<MgtHostName>localhost</MgtHostName>
 
 	<!--
 		The URL of the back end server. This is where the admin services are hosted and
diff --git a/modules/core/distribution/src/repository/conf/identity/identity.xml b/modules/core/distribution/src/repository/conf/identity/identity.xml
deleted file mode 100644
index 0f825650..00000000
--- a/modules/core/distribution/src/repository/conf/identity/identity.xml
+++ /dev/null
@@ -1,286 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!--
-  ~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-  ~
-  ~ WSO2 Inc. licenses this file to you under the Apache License,
-  ~ Version 2.0 (the "License"); you may not use this file except
-  ~ in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~ http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing,
-  ~ software distributed under the License is distributed on an
-  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  ~ KIND, either express or implied. See the License for the
-  ~ specific language governing permissions and limitations
-  ~ under the License.
-  -->
-<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
-    <JDBCPersistenceManager>
-        <DataSource>
-            <!-- Include a data source name (jndiConfigName) from the set of data
-                sources defined in master-datasources.xml -->
-            <Name>jdbc/WSO2AM_DB</Name>
-        </DataSource>
-        <!-- If the identity database is created from another place and if it is
-            required to skip schema initialization during the server start up, set the
-            following property to "true". -->
-        <!-- <SkipDBSchemaCreation>false</SkipDBSchemaCreation> -->
-        <SessionDataPersist>
-            <Enable>false</Enable>
-            <!--RememberMePeriod>20160</RememberMePeriod-->
-            <!--CleanUp>
-                <Enable>true</Enable>
-                    <Period>1</Period>
-                    <TimeOut>20160</TimeOut-->
-            <!--/CleanUp>
-            <Temporary>false</Temporary-->
-        </SessionDataPersist>
-    </JDBCPersistenceManager>
-
-    <!-- Security configurations -->
-    <Security>
-        <UserTrustedRPStore>
-            <Location>${carbon.home}/repository/resources/security/userRP.jks
-            </Location>
-            <!-- Keystore type (JKS/PKCS12 etc.) -->
-            <Type>JKS</Type>
-            <!-- Keystore password -->
-            <Password>wso2carbon</Password>
-            <!-- Private Key password -->
-            <KeyPassword>wso2carbon</KeyPassword>
-        </UserTrustedRPStore>
-
-        <!-- The directory under which all other KeyStore files will be stored -->
-        <KeyStoresDir>${carbon.home}/conf/keystores</KeyStoresDir>
-    </Security>
-
-    <Identity>
-        <IssuerPolicy>SelfAndManaged</IssuerPolicy>
-        <TokenValidationPolicy>CertValidate</TokenValidationPolicy>
-        <BlackList/>
-        <WhiteList/>
-        <System>
-            <KeyStore/>
-            <StorePass/>
-        </System>
-    </Identity>
-
-    <OpenID>
-        <OpenIDServerUrl>https://localhost:9443/openidserver</OpenIDServerUrl>
-        <OpenIDUserPattern>https://localhost:9443/openid/</OpenIDUserPattern>
-        <!-- If the users must be prompted for approval -->
-        <OpenIDSkipUserConsent>false</OpenIDSkipUserConsent>
-        <!-- Expiry time of the OpenID RememberMe token in minutes -->
-        <OpenIDRememberMeExpiry>7200</OpenIDRememberMeExpiry>
-        <!-- Multifactor Authentication configuration -->
-        <UseMultifactorAuthentication>false</UseMultifactorAuthentication>
-        <!-- To enable or disable openid dumb mode -->
-        <DisableOpenIDDumbMode>false</DisableOpenIDDumbMode>
-        <!-- remember me session timeout in seconds -->
-        <SessionTimeout>36000</SessionTimeout>
-        <!-- skips authentication if valid SAML2 Web SSO browser session available -->
-        <AcceptSAMLSSOLogin>false</AcceptSAMLSSOLogin>
-        <ClaimsRetrieverImplClass>org.wso2.carbon.identity.provider.openid.claims.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
-    </OpenID>
-
-    <OAuth>
-        <RequestTokenUrl>https://localhost:9443/oauth/request-token</RequestTokenUrl>
-        <AccessTokenUrl>https://localhost:9443/oauth/access-token</AccessTokenUrl>
-        <AuthorizeUrl>https://localhost:9443/oauth/authorize-url</AuthorizeUrl>
-        <OAuth2TokenEPUrl>https://localhost:${mgt.transport.https.port}/oauth2/token</OAuth2TokenEPUrl>
-        <!-- Default validity period for Authorization Code in seconds -->
-        <AuthorizationCodeDefaultValidityPeriod>300</AuthorizationCodeDefaultValidityPeriod>
-        <!-- Default validity period for user access tokens in seconds -->
-        <AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod>
-        <!-- Default validity period for application access tokens in seconds -->
-        <UserAccessTokenDefaultValidityPeriod>3600</UserAccessTokenDefaultValidityPeriod>
-        <!-- Validity period for refresh token -->
-        <RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>
-        <!-- Timestamp skew in seconds -->
-        <TimestampSkew>300</TimestampSkew>
-        <!-- Enable OAuth caching -->
-        <EnableOAuthCache>true</EnableOAuthCache>
-        <!-- Enable renewal of refresh token for refresh_token grant -->
-        <RenewRefreshTokenForRefreshGrant>true</RenewRefreshTokenForRefreshGrant>
-        <!-- Process the token before storing it in database, e.g. encrypting -->
-        <TokenPersistenceProcessor>org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor</TokenPersistenceProcessor>
-        <!-- Supported Client Autnetication Methods -->
-        <ClientAuthHandlers>
-            <ClientAuthHandler Class="org.wso2.carbon.identity.oauth2.token.handlers.clientauth.BasicAuthClientAuthHandler">
-                <Property Name="StrictClientCredentialValidation">false</Property>
-            </ClientAuthHandler>
-        </ClientAuthHandlers>
-        <!-- Supported Response Types -->
-        <SupportedResponseTypes>
-            <SupportedResponseType>
-                <ResponseTypeName>token</ResponseTypeName>
-                <ResponseTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler</ResponseTypeHandlerImplClass>
-            </SupportedResponseType>
-            <SupportedResponseType>
-                <ResponseTypeName>code</ResponseTypeName>
-                <ResponseTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler</ResponseTypeHandlerImplClass>
-            </SupportedResponseType>
-        </SupportedResponseTypes>
-        <!-- Supported Grant Types -->
-        <SupportedGrantTypes>
-            <SupportedGrantType>
-                <GrantTypeName>authorization_code</GrantTypeName>
-                <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
-            </SupportedGrantType>
-
-            <SupportedGrantType>
-                <GrantTypeName>password</GrantTypeName>
-                <GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler</GrantTypeHandlerImplClass>
-            </SupportedGrantType>
-            <SupportedGrantType>
-                <GrantTypeName>refresh_token</GrantTypeName>
-                <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
-            </SupportedGrantType>
-            <SupportedGrantType>
-                <GrantTypeName>client_credentials</GrantTypeName>
-                <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
-            </SupportedGrantType>
-            <SupportedGrantType>
-                <GrantTypeName>urn:ietf:params:oauth:grant-type:saml2-bearer</GrantTypeName>
-                <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler</GrantTypeHandlerImplClass>
-            </SupportedGrantType>
-            <SupportedGrantType>
-                <GrantTypeName>iwa:ntlm</GrantTypeName>
-                <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.iwa.ntlm.NTLMAuthenticationGrantHandler</GrantTypeHandlerImplClass>
-            </SupportedGrantType>
-			<SupportedGrantType>
-				<GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
-				<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
-				<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
-			</SupportedGrantType>
-        </SupportedGrantTypes>
-        <OAuthCallbackHandlers>
-            <OAuthCallbackHandler Class="org.wso2.carbon.device.mgt.oauth.extensions.handlers.DeviceMgtOAuthCallbackHandler"/>
-        </OAuthCallbackHandlers>
-        <OAuthScopeValidator class="org.wso2.carbon.device.mgt.oauth.extensions.validators.ExtendedJDBCScopeValidator"/>
-        <TokenValidators>
-            <TokenValidator type="bearer" class="org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator"/>
-        </TokenValidators>
-        <!-- Assertions can be used to embedd parameters into access token. -->
-        <EnableAssertions>
-            <UserName>false</UserName>
-        </EnableAssertions>
-
-        <!-- This should be set to true when using multiple user stores and keys
-            should saved into different tables according to the user store. By default
-            all the application keys are saved in to the same table. UserName Assertion
-            should be 'true' to use this. -->
-        <EnableAccessTokenPartitioning>false</EnableAccessTokenPartitioning>
-        <!-- user store domain names and mapping to new table name. eg: if you
-            provide 'A:foo.com', foo.com should be the user store domain name and 'A'
-            represent the relavant mapping of token store table, i.e. tokens will be
-            added to a table called IDN_OAUTH2_ACCESS_TOKEN_A. -->
-        <AccessTokenPartitioningDomains><!-- A:foo.com, B:bar.com -->
-        </AccessTokenPartitioningDomains>
-        <AuthorizationContextTokenGeneration>
-            <Enabled>false</Enabled>
-            <TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>
-            <ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
-            <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
-            <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
-            <AuthorizationContextTTL>15</AuthorizationContextTTL>
-        </AuthorizationContextTokenGeneration>
-        <SAML2Grant>
-            <!--SAML2TokenHandler></SAML2TokenHandler-->
-        </SAML2Grant>
-        <OpenIDConnect>
-            <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
-            <IDTokenIssuerID>https://localhost:9443/oauth2endpoints/token</IDTokenIssuerID>
-            <IDTokenSubjectClaim>http://wso2.org/claims/givenname</IDTokenSubjectClaim>
-            <IDTokenCustomClaimsCallBackHandler>org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback</IDTokenCustomClaimsCallBackHandler>
-            <IDTokenExpiration>3600</IDTokenExpiration>
-            <UserInfoEndpointClaimDialect>http://wso2.org/claims</UserInfoEndpointClaimDialect>
-            <UserInfoEndpointClaimRetriever>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever</UserInfoEndpointClaimRetriever>
-            <UserInfoEndpointRequestValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator</UserInfoEndpointRequestValidator>
-            <UserInfoEndpointAccessTokenValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator</UserInfoEndpointAccessTokenValidator>
-            <UserInfoEndpointResponseBuilder>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder</UserInfoEndpointResponseBuilder>
-            <SkipUserConsent>false</SkipUserConsent>
-        </OpenIDConnect>
-    </OAuth>
-
-    <MultifactorAuthentication>
-        <XMPPSettings>
-            <XMPPConfig>
-                <XMPPProvider>gtalk</XMPPProvider>
-                <XMPPServer>talk.google.com</XMPPServer>
-                <XMPPPort>5222</XMPPPort>
-                <XMPPExt>gmail.com</XMPPExt>
-                <XMPPUserName>multifactor1@gmail.com</XMPPUserName>
-                <XMPPPassword>wso2carbon</XMPPPassword>
-            </XMPPConfig>
-        </XMPPSettings>
-    </MultifactorAuthentication>
-
-    <SSOService>
-        <EntityId>localhost</EntityId>
-        <IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL>
-        <SingleLogoutRetryCount>5</SingleLogoutRetryCount>
-        <SingleLogoutRetryInterval>60000</SingleLogoutRetryInterval> <!-- in milli seconds -->
-        <TenantPartitioningEnabled>false</TenantPartitioningEnabled>
-        <PersistanceCacheTimeout>157680000</PersistanceCacheTimeout>
-        <SessionIndexCacheTimeout>157680000</SessionIndexCacheTimeout>
-        <SessionTimeout>36000</SessionTimeout> <!-- remember me session timeout in seconds -->
-        <!-- skips authentication if valid SAML2 Web SSO browser session available -->
-        <AttributeStatementBuilder>org.wso2.carbon.identity.sso.saml.attributes.UserAttributeStatementBuilder</AttributeStatementBuilder>
-        <AttributesClaimDialect>http://wso2.org/claims</AttributesClaimDialect>
-        <AcceptOpenIDLogin>false</AcceptOpenIDLogin>
-        <ClaimsRetrieverImplClass>org.wso2.carbon.identity.sso.saml.builders.claims.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
-        <SAMLSSOAssertionBuilder>org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder</SAMLSSOAssertionBuilder>
-        <SAMLSSOEncrypter>org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter</SAMLSSOEncrypter>
-        <SAMLSSOSigner>org.wso2.carbon.identity.sso.saml.builders.signature.DefaultSSOSigner</SAMLSSOSigner>
-        <SAML2HTTPRedirectSignatureValidator>org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator</SAML2HTTPRedirectSignatureValidator>
-        <!--SAMLSSOResponseBuilder>org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder</SAMLSSOResponseBuilder-->
-
-        <!-- SAML Token validity period in minutes -->
-        <SAMLResponseValidityPeriod>5</SAMLResponseValidityPeriod>
-        <UseAuthenticatedUserDomainCrypto>false</UseAuthenticatedUserDomainCrypto>
-    </SSOService>
-
-    <EntitlementSettings>
-        <!-- Uncomment this to enable on-demand policy loading -->
-        <!--OnDemandPolicyLoading> <Enable>true</Enable> <MaxInMemoryPolicies>100</MaxInMemoryPolicies>
-            </OnDemandPolicyLoading -->
-        <DecisionCaching>
-            <Enable>true</Enable>
-            <CachingInterval>36000</CachingInterval>
-        </DecisionCaching>
-        <AttributeCaching>
-            <Enable>true</Enable>
-        </AttributeCaching>
-        <ThirftBasedEntitlementConfig>
-            <EnableThriftService>true</EnableThriftService>
-            <ReceivePort>${Ports.ThriftEntitlementReceivePort}</ReceivePort>
-            <ClientTimeout>10000</ClientTimeout>
-            <KeyStore>
-                <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
-                <Password>wso2carbon</Password>
-            </KeyStore>
-            <!-- Enable this element to mention the host-name of your IS machine -->
-            <ThriftHostName>localhost</ThriftHostName>
-        </ThirftBasedEntitlementConfig>
-    </EntitlementSettings>
-
-    <SCIMAuthenticators>
-        <Authenticator class="org.wso2.carbon.identity.scim.provider.auth.BasicAuthHandler">
-            <Property name="Priority">5</Property>
-        </Authenticator>
-        <Authenticator class="org.wso2.carbon.identity.scim.provider.auth.OAuthHandler">
-            <Property name="Priority">10</Property>
-            <Property name="AuthorizationServer">local://services</Property>
-            <!--Property name="AuthorizationServer">https://localhost:9443/services</Property>
-            <Property name="UserName">admin</Property>
-            <Property name="Password">admin</Property-->
-        </Authenticator>
-    </SCIMAuthenticators>
-    <!--SessionContextCache>
-        <Enable>true</Enable>
-        <Capacity>100000</Capacity>
-    </SessionContextCache-->
-</Server>
\ No newline at end of file
diff --git a/modules/core/distribution/src/repository/conf/identity/thrift-authentication.xml b/modules/core/distribution/src/repository/conf/identity/thrift-authentication.xml
deleted file mode 100644
index 646da0b1..00000000
--- a/modules/core/distribution/src/repository/conf/identity/thrift-authentication.xml
+++ /dev/null
@@ -1,44 +0,0 @@
-<?xml version="1.0" encoding="ISO-8859-1"?>
-<!--
-  ~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
-  ~
-  ~ WSO2 Inc. licenses this file to you under the Apache License,
-  ~ Version 2.0 (the "License"); you may not use this file except
-  ~ in compliance with the License.
-  ~ You may obtain a copy of the License at
-  ~
-  ~ http://www.apache.org/licenses/LICENSE-2.0
-  ~
-  ~ Unless required by applicable law or agreed to in writing,
-  ~ software distributed under the License is distributed on an
-  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-  ~ KIND, either express or implied. See the License for the
-  ~ specific language governing permissions and limitations
-  ~ under the License.
-  -->
-
-<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
-
-
-	<JDBCPersistenceManager>
-		<DataSource>
-			<!-- Include a data source name (jndiConfigName) from the set of data sources defined in master-datasources.xml -->
-			<Name>jdbc/WSO2AM_DB</Name>
-		</DataSource>
-		<!-- If the identity database is created from another place and if it is required to skip schema initialization during the server start up, set the following
-		   property to "true". -->
-		<!--<SkipDBSchemaCreation>true</SkipDBSchemaCreation>-->
-	</JDBCPersistenceManager>
-
-	<ThriftSessionDAO>org.wso2.carbon.identity.thrift.authentication.dao.DBThriftSessionDAO</ThriftSessionDAO>
-	<!--<ThriftSessionDAO>org.wso2.carbon.identity.thrift.authentication.dao.InMemoryThriftSessionDAO</ThriftSessionDAO>-->
-
-	<ClientTimeout>30000</ClientTimeout>
-
-	<!--<Hostname>localhost</Hostname>-->
-	<Port>10711</Port>
-
-	<!--30 min-->
-	<ThriftSessionTimeout>1800000</ThriftSessionTimeout>
-
-</Server>
diff --git a/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
index 2b65f620..1dc9d20e 100644
--- a/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
+++ b/modules/core/distribution/src/repository/conf/security/Owasp.CsrfGuard.Carbon.properties
@@ -461,4 +461,12 @@ org.owasp.csrfguard.unprotected.publisherRestApi=%servletContext%/api/appm/publi
 org.owasp.csrfguard.unprotected.storeRestApi=%servletContext%/api/appm/store/*
 org.owasp.csrfguard.unprotected.certificateMgtRestApi=%servletContext%/api/certificate-mgt/*
 org.owasp.csrfguard.unprotected.deviceMgtRestApi=%servletContext%/api/device-mgt/*
-org.owasp.csrfguard.unprotected.dcrRestApi=%servletContext%/dynamic-client-web/*
\ No newline at end of file
+org.owasp.csrfguard.unprotected.dcrRestApi=%servletContext%/dynamic-client-web/*
+
+#carbon
+org.owasp.csrfguard.unprotected.Services=%servletContext%/services/*
+
+#identity
+org.owasp.csrfguard.unprotected.acs=%servletContext%/acs/*
+org.owasp.csrfguard.unprotected.iwa=%servletContext%/iwa/*
+org.owasp.csrfguard.unprotected.oauthiwa=%servletContext%/commonauth/iwa/*
\ No newline at end of file
diff --git a/modules/core/distribution/src/repository/conf/user-mgt.xml b/modules/core/distribution/src/repository/conf/user-mgt.xml
new file mode 100644
index 00000000..8a9afc53
--- /dev/null
+++ b/modules/core/distribution/src/repository/conf/user-mgt.xml
@@ -0,0 +1,260 @@
+<!--
+  ~ Copyright WSO2, Inc. (http://wso2.com)
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<UserManager>
+	<Realm>
+		<Configuration>
+			<AddAdmin>true</AddAdmin>
+			<AdminRole>admin</AdminRole>
+			<AdminUser>
+				<UserName>admin</UserName>
+				<Password>admin</Password>
+			</AdminUser>
+			<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
+			<Property name="isCascadeDeleteEnabled">true</Property>
+			<Property name="initializeNewClaimManager">true</Property>
+			<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
+		</Configuration>
+
+		<!-- Following is the configuration for internal JDBC user store. This user store manager is based on JDBC.
+			 In case if application needs to manage passwords externally set property
+			 <Property name="PasswordsExternallyManaged">true</Property>.
+			 In case if user core cache domain is needed to identify uniquely set property
+			 <Property name="UserCoreCacheIdentifier">domain</Property>.
+			 Furthermore properties, IsEmailUserName and DomainCalculation are readonly properties.
+			 Note: Do not comment within UserStoreManager tags. Cause, specific tag names are used as tokens
+			 when building configurations for products.
+		-->
+		<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
+			<Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
+			<Property name="ReadOnly">false</Property>
+			<Property name="ReadGroups">true</Property>
+			<Property name="WriteGroups">true</Property>
+			<Property name="UsernameJavaRegEx">^[\S]{3,30}$</Property>
+			<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
+			<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
+			<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
+			<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
+			<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
+			<Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property>
+			<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
+			<Property name="CaseInsensitiveUsername">true</Property>
+			<Property name="SCIMEnabled">false</Property>
+			<Property name="IsBulkImportSupported">true</Property>
+			<Property name="PasswordDigest">SHA-256</Property>
+			<Property name="StoreSaltedPassword">true</Property>
+			<Property name="MultiAttributeSeparator">,</Property>
+			<Property name="MaxUserNameListLength">100</Property>
+			<Property name="MaxRoleNameListLength">100</Property>
+			<Property name="UserRolesCacheEnabled">true</Property>
+			<Property name="UserNameUniqueAcrossTenants">false</Property>
+		</UserStoreManager>
+
+		<!-- If product is using an external LDAP as the user store in READ ONLY mode, use following user manager.
+			 In case if user core cache domain is needed to identify uniquely set property
+			 <Property name="UserCoreCacheIdentifier">domain</Property>
+		 -->
+		<!--UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
+			<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
+			<Property name="ConnectionURL">ldap://localhost:10389</Property>
+			<Property name="ConnectionName">uid=admin,ou=system</Property>
+			<Property name="ConnectionPassword">admin</Property>
+			<Property name="AnonymousBind">false</Property>
+			<Property name="UserSearchBase">ou=system</Property>
+			<Property name="UserNameAttribute">uid</Property>
+			<Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
+			<Property name="UserNameListFilter">(objectClass=person)</Property>
+			<Property name="DisplayNameAttribute"/>
+			<Property name="ReadGroups">true</Property>
+			<Property name="GroupSearchBase">ou=system</Property>
+			<Property name="GroupNameAttribute">cn</Property>
+			<Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
+			<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
+			<Property name="MembershipAttribute">member</Property>
+			<Property name="BackLinksEnabled">false</Property>
+			<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
+			<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
+			<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
+			<Property name="SCIMEnabled">false</Property>
+			<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
+			<Property name="MultiAttributeSeparator">,</Property>
+			<Property name="MaxUserNameListLength">100</Property>
+			<Property name="MaxRoleNameListLength">100</Property>
+			<Property name="UserRolesCacheEnabled">true</Property>
+			<Property name="ConnectionPoolingEnabled">true</Property>
+			<Property name="LDAPConnectionTimeout">5000</Property>
+			<Property name="ReadTimeout"/>
+			<Property name="RetryAttempts"/>
+			<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
+		</UserStoreManager-->
+
+		<!-- Active directory configuration is as follows.
+			 In case if user core cache domain is needed to identify uniquely set property
+			 <Property name="UserCoreCacheIdentifier">domain</Property>
+			 There are few special properties for "Active Directory".
+			 They are :
+			 1.Referral - (comment out this property if this feature is not reuired) This enables LDAP referral support.
+			 2.BackLinksEnabled - (Do not comment, set to true or false) In some cases LDAP works with BackLinksEnabled.
+			 In which role is stored at user level. Depending on this value we need to change the Search Base within code.
+			 isADLDSRole - (Do not comment) Set to true if connecting to an AD LDS instance else set to false.
+		-->
+		<!--UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
+			<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
+			<Property name="ConnectionURL">ldaps://10.100.1.100:636</Property>
+			<Property name="ConnectionName">CN=admin,CN=Users,DC=WSO2,DC=Com</Property>
+			<Property name="ConnectionPassword">A1b2c3d4</Property>
+			<Property name="AnonymousBind">false</Property>
+			<Property name="UserSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
+			<Property name="UserEntryObjectClass">user</Property>
+			<Property name="UserNameAttribute">cn</Property>
+			<Property name="UserNameSearchFilter">(&amp;(objectClass=user)(cn=?))</Property>
+			<Property name="UserNameListFilter">(objectClass=user)</Property>
+			<Property name="DisplayNameAttribute"/>
+			<Property name="ReadGroups">true</Property>
+			<Property name="WriteGroups">true</Property>
+			<Property name="GroupSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
+			<Property name="GroupEntryObjectClass">group</Property>
+			<Property name="GroupNameAttribute">cn</Property>
+			<Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
+			<Property name="GroupNameListFilter">(objectcategory=group)</Property>
+			<Property name="MembershipAttribute">member</Property>
+			<Property name="MemberOfAttribute">memberOf</Property>
+			<Property name="BackLinksEnabled">true</Property>
+			<Property name="Referral">follow</Property>
+			<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
+			<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
+			<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
+			<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
+			<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
+			<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
+			<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
+			<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
+			<Property name="SCIMEnabled">false</Property>
+			<Property name="IsBulkImportSupported">true</Property>
+			<Property name="EmptyRolesAllowed">true</Property>
+			<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
+			<Property name="MultiAttributeSeparator">,</Property>
+			<Property name="isADLDSRole">false</Property>
+			<Property name="userAccountControl">512</Property>
+			<Property name="MaxUserNameListLength">100</Property>
+			<Property name="MaxRoleNameListLength">100</Property>
+			<Property name="kdcEnabled">false</Property>
+			<Property name="defaultRealmName">WSO2.ORG</Property>
+			<Property name="UserRolesCacheEnabled">true</Property>
+			<Property name="ConnectionPoolingEnabled">false</Property>
+			<Property name="LDAPConnectionTimeout">5000</Property>
+			<Property name="ReadTimeout"/>
+			<Property name="RetryAttempts"/>
+		</UserStoreManager-->
+
+		<!-- Following user manager is used by Identity Server (IS) as its default user manager.
+			 IS will do token replacement when building the product. Therefore do not change the syntax.
+			 If "kdcEnabled" parameter is true, IS will allow service principle management.
+			 Thus "ServicePasswordJavaRegEx", "ServiceNameJavaRegEx" properties control the service name format and
+			 service password formats. In case if user core cache domain is needed to identify uniquely set property
+			 <Property name="UserCoreCacheIdentifier">domain</Property>
+		-->
+		<!--ISUserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
+			<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
+			<Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
+			<Property name="ConnectionName">uid=admin,ou=system</Property>
+			<Property name="ConnectionPassword">admin</Property>
+			<Property name="AnonymousBind">false</Property>
+			<Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
+			<Property name="UserEntryObjectClass">identityPerson</Property>
+			<Property name="UserNameAttribute">uid</Property>
+			<Property name="UserNameSearchFilter">(&amp;(objectClass=person)(uid=?))</Property>
+			<Property name="UserNameListFilter">(objectClass=person)</Property>
+			<Property name="DisplayNameAttribute"/>
+			<Property name="ReadGroups">true</Property>
+			<Property name="WriteGroups">true</Property>
+			<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
+			<Property name="GroupEntryObjectClass">groupOfNames</Property>
+			<Property name="GroupNameAttribute">cn</Property>
+			<Property name="GroupNameSearchFilter">(&amp;(objectClass=groupOfNames)(cn=?))</Property>
+			<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
+			<Property name="MembershipAttribute">member</Property>
+			<Property name="BackLinksEnabled">false</Property>
+			<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
+			<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
+			<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
+			<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
+			<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
+			<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
+			<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
+			<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
+			<Property name="SCIMEnabled">true</Property>
+			<Property name="IsBulkImportSupported">true</Property>
+			<Property name="EmptyRolesAllowed">true</Property>
+			<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
+			<Property name="MultiAttributeSeparator">,</Property>
+			<Property name="MaxUserNameListLength">100</Property>
+			<Property name="MaxRoleNameListLength">100</Property>
+			<Property name="kdcEnabled">false</Property>
+			<Property name="defaultRealmName">WSO2.ORG</Property>
+			<Property name="UserRolesCacheEnabled">true</Property>
+			<Property name="ConnectionPoolingEnabled">false</Property>
+			<Property name="LDAPConnectionTimeout">5000</Property>
+			<Property name="ReadTimeout"/>
+			<Property name="RetryAttempts"/>
+		</ISUserStoreManager-->
+
+		<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
+			<Property name="AdminRoleManagementPermissions">/permission</Property>
+			<Property name="AuthorizationCacheEnabled">true</Property>
+			<Property name="GetAllRolesOfUserEnabled">false</Property>
+		</AuthorizationManager>
+	</Realm>
+</UserManager>
+
+		<!--
+
+		************* Description of some of the configuration properties used in user-mgt.xml *********************************
+
+		DomainName -
+			This property must be used by all secondary user store managers in multiple user store configuration.
+			DomainName is a unique identifier given to the user store. Users must provide both the domain name and
+			username at log-in as "DomainName\Username"
+
+		UserRolesCacheEnabled -
+			This is to indicate whether to cache role list of a user. By default it is set to true.
+			You may need to disable it if user-roles are changed by external means and need to reflect
+			those changes in the carbon product immediately.
+
+		ReplaceEscapeCharactersAtUserLogin -
+			This is to configure whether escape characters in user name needs to be replaced at user login.
+			Currently the identified escape characters that needs to be replaced are '\' & '\\'
+
+		UserDNPattern -
+			This property will be used when authenticating users. During authentication we do a bind. But if the user is login
+			with email address or some other property we need to first lookup LDAP and retrieve DN for the user.
+			This involves an additional step.  If UserDNPattern is specified the DN will be constructed using the pattern
+			specified in this property. Performance of this is much better than looking up DN and binding user.
+
+		RoleDNPattern -
+			This property will be used when checking whether user has been assigned to a given role.
+			Rather than searching the role in search base, by using this property direct search can be done.
+
+		PasswordHashMethod -
+			This says how the password should be stored. Allowed values are as follows,
+				SHA - Uses SHA digest method
+				MD5 - Uses MD 5 digest method
+				PLAIN_TEXT - Plain text passwords
+				In addition to above this supports all digest methods supported by http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html.
+
+		DisplayNameAttribute -
+			This is to have a dedicated LDAP attribute to display an entity(User/Role) in UI, in addition to the UserNameAttribute which is used for IS-UserStore interactions.
+		-->
diff --git a/modules/core/distribution/user_mgt_config_change.xml b/modules/core/distribution/user_mgt_config_change.xml
new file mode 100644
index 00000000..ededb309
--- /dev/null
+++ b/modules/core/distribution/user_mgt_config_change.xml
@@ -0,0 +1,9 @@
+<processor>
+	<remove>
+		<name>//UserManager/Realm/Configuration/Property[@name='initializeNewClaimManager']</name>
+	</remove>
+	<add>
+		<after>//UserManager/Realm/Configuration/Property[@name='isCascadeDeleteEnabled']</after>
+		<value><![CDATA[<Property name="initializeNewClaimManager">true</Property>]]></value>
+	</add>
+</processor>
\ No newline at end of file
diff --git a/modules/core/p2-profile-gen/pom.xml b/modules/core/p2-profile-gen/pom.xml
index 73c5c237..271da5d0 100644
--- a/modules/core/p2-profile-gen/pom.xml
+++ b/modules/core/p2-profile-gen/pom.xml
@@ -221,6 +221,9 @@
                                 <featureArtifactDef>
                                     org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.gateway.feature:${carbon.api.mgt.version}
                                 </featureArtifactDef>
+								<featureArtifactDef>
+									org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.keymanager.feature:${carbon.api.mgt.version}
+								</featureArtifactDef>
                                 <featureArtifactDef>
                                     org.wso2.carbon.apimgt:org.wso2.carbon.forum.server.feature:${carbon.api.mgt.version}
                                 </featureArtifactDef>
@@ -1017,6 +1020,11 @@
                                 <!-- End of Dashboard Features -->
 
                                 <!-- API Management Features -->
+
+								<feature>
+									<id>org.wso2.carbon.apimgt.keymanager.feature.group</id>
+									<version>${carbon.api.mgt.version}</version>
+								</feature>
                                 <feature>
                                     <id>org.wso2.carbon.apimgt.core.feature.group</id>
                                     <version>${carbon.api.mgt.version}</version>
@@ -1614,6 +1622,11 @@
                                     <id>org.wso2.carbon.mediation.configadmin.feature.group</id>
                                     <version>${carbon.mediation.version}</version>
                                 </feature>
+
+								<feature>
+									<id>org.wso2.carbon.mediator.cache.feature.group</id>
+									<version>${carbon.mediation.version}</version>
+								</feature>
                                 <!--feature>
                                     <id>org.wso2.carbon.mediation.tracer.feature.group</id>
                                     <version>${carbon.mediation.version}</version>
@@ -1878,6 +1891,10 @@
                                     <id>org.wso2.carbon.device.mgt.analytics.dashboard.feature.group</id>
                                     <version>${carbon.device.mgt.version}</version>
                                 </feature>
+								<feature>
+									<id>org.wso2.carbon.identity.jwt.client.extension.feature.group</id>
+									<version>${carbon.device.mgt.version}</version>
+								</feature>
                             </features>
                         </configuration>
                     </execution>
@@ -1953,6 +1970,10 @@
                                     <id>org.wso2.carbon.identity.thrift.authentication.feature.group</id>
                                     <version>${carbon.identity.framework.version.iotcore}</version>
                                 </feature>
+								<feature>
+									<id>org.wso2.carbon.identity.oauth2.grant.jwt.feature.group</id>
+									<version>${identity.jwt.extension.version}</version>
+								</feature>
                                 <feature>
                                     <id>org.wso2.carbon.tenant.common.feature.group</id>
                                     <version>${carbon.multitenancy.version}</version>
@@ -1990,6 +2011,11 @@
                                     <id>org.wso2.carbon.core.common.feature.group</id>
                                     <version>${carbon.kernel.version}</version>
                                 </feature>
+
+								<feature>
+									<id>org.wso2.carbon.um.ws.service.server.feature.group</id>
+									<version>${identity.user.ws.version}</version>
+								</feature>
                                 <feature>
                                     <id>org.wso2.carbon.identity.application.mgt.server.feature.group</id>
                                     <version>${carbon.identity.framework.version.iotcore}</version>
@@ -2042,6 +2068,10 @@
                                     <id>org.wso2.carbon.mediation.configadmin.feature.group</id>
                                     <version>${carbon.mediation.version}</version>
                                 </feature>
+								<feature>
+									<id>org.wso2.carbon.mediator.cache.feature.group</id>
+									<version>${carbon.mediation.version}</version>
+								</feature>
                                 <!--feature>
                                     <id>org.wso2.carbon.mediation.statistics.feature.group</id>
                                     <version>${carbon.mediation.version}</version>
@@ -2205,6 +2235,10 @@
                                     <id>org.wso2.carbon.apimgt.gateway.feature.group</id>
                                     <version>${carbon.api.mgt.version}</version>
                                 </feature>
+								<feature>
+									<id>org.wso2.carbon.apimgt.keymanager.feature.group</id>
+									<version>${carbon.api.mgt.version}</version>
+								</feature>
                                 <feature>
                                     <id>org.wso2.carbon.registry.extensions.feature.group</id>
                                     <version>${carbon.governance.version}</version>
@@ -2324,6 +2358,10 @@
                                     <id>org.wso2.carbon.device.mgt.analytics.dashboard.feature.group</id>
                                     <version>${carbon.device.mgt.version}</version>
                                 </feature>
+								<feature>
+									<id>org.wso2.carbon.identity.jwt.client.extension.feature.group</id>
+									<version>${carbon.device.mgt.version}</version>
+								</feature>
                             </features>
                         </configuration>
                     </execution>
@@ -2377,6 +2415,25 @@
                                 </feature>
                                 <!-- End of app management features-->
 
+								<!-- Dashboard Features -->
+								<feature>
+									<id>org.wso2.carbon.dashboards.shindig.feature.group</id>
+									<version>${carbon.dashboard.version}</version>
+								</feature>
+								<feature>
+									<id>org.wso2.carbon.dashboards.portal.feature.group</id>
+									<version>${carbon.dashboard.version}</version>
+								</feature>
+								<feature>
+									<id>org.wso2.carbon.dashboard.deployment.feature.group</id>
+									<version>${carbon.dashboard.version}</version>
+								</feature>
+								<feature>
+									<id>org.wso2.carbon.iot.device.statistics.dashboard.feature.group</id>
+									<version>${carbon.device.mgt.plugin.version}</version>
+								</feature>
+								<!-- End of Dashboard Features -->
+
 
                                 <!-- Device Management Features -->
                                 <feature>
@@ -2573,6 +2630,10 @@
                                     <id>org.wso2.carbon.mediation.configadmin.feature.group</id>
                                     <version>${carbon.mediation.version}</version>
                                 </feature>
+								<feature>
+									<id>org.wso2.carbon.mediator.cache.feature.group</id>
+									<version>${carbon.mediation.version}</version>
+								</feature>
                                 <!--feature>
                                     <id>org.wso2.carbon.mediation.statistics.feature.group</id>
                                     <version>${carbon.mediation.version}</version>
@@ -2928,6 +2989,17 @@
                                     <id>org.wso2.carbon.analytics.api.client.feature.group</id>
                                     <version>${carbon.analytics.version}</version>
                                 </feature>
+								<!-- SSO Features -->
+
+								<feature>
+									<id>org.wso2.carbon.identity.authenticator.saml2.sso.feature.group</id>
+									<version>${identity.carbon.auth.saml2.version.iotcore}</version>
+								</feature>
+								<feature>
+									<id>org.wso2.carbon.identity.sso.saml.feature.group</id>
+									<version>${identity.inbound.auth.saml.version.iotcore}</version>
+								</feature>
+								<!-- SSO Fix-->
                             </features>
                         </configuration>
                     </execution>
@@ -3499,6 +3571,21 @@
                                     <id>org.wso2.carbon.analytics.api.client.feature.group</id>
                                     <version>${carbon.analytics.version}</version>
                                 </feature>
+								<feature>
+									<id>org.wso2.carbon.mediator.cache.feature.group</id>
+									<version>${carbon.mediation.version}</version>
+								</feature>
+								<!-- SSO Features -->
+
+								<feature>
+									<id>org.wso2.carbon.identity.authenticator.saml2.sso.feature.group</id>
+									<version>${identity.carbon.auth.saml2.version.iotcore}</version>
+								</feature>
+								<feature>
+									<id>org.wso2.carbon.identity.sso.saml.feature.group</id>
+									<version>${identity.inbound.auth.saml.version.iotcore}</version>
+								</feature>
+								<!-- SSO Fix-->
                             </features>
                         </configuration>
                     </execution>
diff --git a/pom.xml b/pom.xml
index e4f73bf2..1be2a1e5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1507,9 +1507,9 @@
         <identity.carbon.auth.saml2.version>5.1.3</identity.carbon.auth.saml2.version>
         <identity.carbon.auth.saml2.version.iotcore>5.1.6</identity.carbon.auth.saml2.version.iotcore>
         <identity.inbound.auth.oauth.version>5.1.2</identity.inbound.auth.oauth.version>
-        <identity.inbound.auth.oauth.version.iotcore>5.3.1</identity.inbound.auth.oauth.version.iotcore>
+        <identity.inbound.auth.oauth.version.iotcore>5.3.4</identity.inbound.auth.oauth.version.iotcore>
         <identity.carbon.auth.mutual.ssl.version>5.1.1</identity.carbon.auth.mutual.ssl.version>
-        <identity.user.ws.version>5.1.3</identity.user.ws.version>
+        <identity.user.ws.version>5.1.4</identity.user.ws.version>
         <identity.outbound.auth.requestpath.basicauth.version>5.1.1</identity.outbound.auth.requestpath.basicauth.version>
         <identity.outbound.auth.requestpath.oauth.version>5.1.1</identity.outbound.auth.requestpath.oauth.version>
         <identity.outbound.auth.samlsso.version>5.1.4</identity.outbound.auth.samlsso.version>