diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 000000000..be53d99d1
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.18.0
+  hooks:
+  - id: terraform_fmt
\ No newline at end of file
diff --git a/build.gradle b/build.gradle
index 361ba7cea..494b770a8 100644
--- a/build.gradle
+++ b/build.gradle
@@ -4,9 +4,9 @@ plugins {
   id 'java'
   id 'jacoco'
   id 'io.spring.dependency-management' version '1.0.9.RELEASE' apply false
-  id 'org.owasp.dependencycheck' version '5.1.1'
+  id 'org.owasp.dependencycheck' version '5.3.2.1'
   id 'org.sonarqube' version '2.6.2'
-  id 'org.springframework.boot' version '2.2.8.RELEASE' apply false
+  id 'org.springframework.boot' version '2.2.10.RELEASE' apply false
   id 'com.gorylenko.gradle-git-properties' version '1.4.21'
   id "info.solidsoft.pitest" version "1.4.6"
   id 'pmd'
@@ -35,6 +35,7 @@ allprojects {
   //TODO: Remove once spring boot have updated versions to match
   ext['tomcat.version'] = '9.0.37'
   ext['log4j2.version'] = '2.13.3'
+  ext['spring.boot.version'] = '2.2.10.RELEASE'
 
   dependencyManagement {
     imports {
@@ -59,6 +60,10 @@ allprojects {
     analyzers {
       // Disable scanning of .NET related binaries
       assemblyEnabled = false
+      nodeEnabled = false
+      nodeAudit {
+        enabled = false
+      }
     }
   }
 
@@ -74,12 +79,12 @@ allprojects {
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-client'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-oauth2-resource-server'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis-reactive'
-    implementation group: 'org.springframework.session', name: 'spring-session-data-redis', version: '2.2.3.RELEASE'
+    implementation group: 'org.springframework.session', name: 'spring-session-data-redis', version: '2.2.4.RELEASE'
 
     implementation group: 'io.github.openfeign', name: 'feign-jackson', version: '10.11'
     implementation group: 'io.github.openfeign', name: 'feign-okhttp', version: '10.11'
-    implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign', version: '2.2.3.RELEASE'
-    implementation(group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-zuul', version: '2.2.3.RELEASE') {
+    implementation group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign', version: '2.2.5.RELEASE'
+    implementation(group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-zuul', version: '2.2.5.RELEASE') {
       exclude(module: 'rxnetty-contexts')
       exclude(module: 'rxnetty-servo')
       exclude(module: 'rxnetty')
diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml
index 958c22806..cf57f11f5 100644
--- a/dependency-check-suppressions.xml
+++ b/dependency-check-suppressions.xml
@@ -193,7 +193,7 @@
         <cve>CVE-2014-0119</cve>
         <cve>CVE-2016-5388</cve>
     </suppress>
-    
+
     <!--
     This vulnerability can only be exploited if polymorphic typing is enabled on the default
     object mapper, hence not relevant to us.
@@ -214,7 +214,7 @@
     ONLY UNTIL 2019-10-01. No invulnerable package currently
     -->
     <suppress>
-        <notes> 
+        <notes>
         https://www.cvedetails.com/cve/CVE-2019-12384/
         FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
         </notes>
@@ -280,6 +280,60 @@
         <cve>CVE-2019-16370</cve>
     </suppress>
 
+    <suppress>
+        <notes>
+            TODO: fix these: suppress some netflix CVEs to deploy a hotfix
+        </notes>
+        <gav regex="true">^com\.netflix\.servo:servo-core:0\.10\.1$</gav>
+        <cve>CVE-2014-0047</cve>
+        <cve>CVE-2014-0048</cve>
+        <cve>CVE-2014-5277</cve>
+        <cve>CVE-2014-5278</cve>
+        <cve>CVE-2014-5282</cve>
+        <cve>CVE-2014-6407</cve>
+        <cve>CVE-2014-8178</cve>
+        <cve>CVE-2014-8179</cve>
+        <cve>CVE-2014-9356</cve>
+        <cve>CVE-2014-9358</cve>
+        <cve>CVE-2015-3627</cve>
+        <cve>CVE-2015-3630</cve>
+        <cve>CVE-2015-3631</cve>
+        <cve>CVE-2016-3697</cve>
+        <cve>CVE-2017-14992</cve>
+        <cve>CVE-2019-13139</cve>
+        <cve>CVE-2019-13509</cve>
+        <cve>CVE-2019-15752</cve>
+        <cve>CVE-2019-16884</cve>
+        <cve>CVE-2019-5736</cve>
+    </suppress>
+
+    <suppress>
+        <notes>
+            TODO: fix these: suppress some netflix CVEs to deploy a hotfix
+        </notes>
+        <gav regex="true">^com\.netflix\.servo:servo-internal:0\.10\.1$</gav>
+        <cve>CVE-2014-0047</cve>
+        <cve>CVE-2014-0048</cve>
+        <cve>CVE-2014-5277</cve>
+        <cve>CVE-2014-5278</cve>
+        <cve>CVE-2014-5282</cve>
+        <cve>CVE-2014-6407</cve>
+        <cve>CVE-2014-8178</cve>
+        <cve>CVE-2014-8179</cve>
+        <cve>CVE-2014-9356</cve>
+        <cve>CVE-2014-9358</cve>
+        <cve>CVE-2015-3627</cve>
+        <cve>CVE-2015-3630</cve>
+        <cve>CVE-2015-3631</cve>
+        <cve>CVE-2016-3697</cve>
+        <cve>CVE-2017-14992</cve>
+        <cve>CVE-2019-13139</cve>
+        <cve>CVE-2019-13509</cve>
+        <cve>CVE-2019-15752</cve>
+        <cve>CVE-2019-16884</cve>
+        <cve>CVE-2019-5736</cve>
+    </suppress>
+
     <!--
     This dependency is a transitional dependency of spring-security-oauth2-client,
     as such could only be exploited by developers.
diff --git a/src/main/java/uk/gov/hmcts/reform/idam/web/AppController.java b/src/main/java/uk/gov/hmcts/reform/idam/web/AppController.java
index 05f0efee1..3e4a56793 100644
--- a/src/main/java/uk/gov/hmcts/reform/idam/web/AppController.java
+++ b/src/main/java/uk/gov/hmcts/reform/idam/web/AppController.java
@@ -29,7 +29,6 @@
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.HttpServerErrorException;
 import org.springframework.web.servlet.ModelAndView;
-import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 import org.springframework.web.servlet.view.RedirectView;
 import uk.gov.hmcts.reform.idam.api.internal.model.ErrorResponse;
 import uk.gov.hmcts.reform.idam.api.internal.model.Service;
@@ -74,6 +73,12 @@
 @Controller
 public class AppController {
 
+    private static final String REDIRECT_RESET_INACTIVE_USER = "redirect:/reset/inactive-user";
+    public static final String LOGIN_FAILURE_ERROR_CODE = "Login failure";
+    public static final String REDIRECT_PREFIX = "redirect:";
+    public static final String IDAM_AUTH_ID_COOKIE_PREFIX = "Idam.AuthId=";
+    public static final String ERROR_TITLE = "Error";
+
     @Autowired
     private SPIService spiService;
 
@@ -204,7 +209,7 @@ public ModelAndView upliftRegister(@ModelAttribute("registerUserCommand") @Valid
                     model.put("client_id", request.getClient_id());
                     model.put("redirect_uri", request.getRedirect_uri());
                     model.put("state", request.getState());
-                    return new ModelAndView("redirect:/reset/inactive-user", model);
+                    return new ModelAndView(REDIRECT_RESET_INACTIVE_USER, model);
                 }
 
                 msg = "PIN user not longer valid";
@@ -318,6 +323,8 @@ public String loginView(@ModelAttribute("authorizeCommand") AuthorizeRequest req
 
         model.addAttribute(RESPONSE_TYPE, request.getResponse_type());
         model.addAttribute(STATE, request.getState());
+        model.addAttribute(NONCE, request.getNonce());
+        model.addAttribute(PROMPT, request.getPrompt());
         model.addAttribute(CLIENT_ID, request.getClient_id());
         model.addAttribute(REDIRECT_URI, request.getRedirect_uri());
         model.addAttribute(SCOPE, request.getScope());
@@ -387,7 +394,7 @@ public ModelAndView login(@ModelAttribute("authorizeCommand") @Validated Authori
                 if (cookies == null) {
                     log.info("/login: Authenticate returned no cookies for user - {}", obfuscateEmailAddress(request.getUsername()));
                     model.addAttribute(HAS_LOGIN_FAILED, true);
-                    bindingResult.reject("Login failure");
+                    bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
                     return new ModelAndView(LOGIN_VIEW, model.asMap());
                 }
 
@@ -416,11 +423,11 @@ public ModelAndView login(@ModelAttribute("authorizeCommand") @Validated Authori
                         log.info("/login: Successful login - {}", obfuscateEmailAddress(request.getUsername()));
                         List<String> secureCookies = authHelper.makeCookiesSecure(cookies);
                         secureCookies.forEach(cookie -> response.addHeader(HttpHeaders.SET_COOKIE, cookie));
-                        return new ModelAndView("redirect:" + responseUrl);
+                        return new ModelAndView(REDIRECT_PREFIX + responseUrl);
                     } else {
                         log.info("/login: There is a problem while logging in  user - {}", obfuscateEmailAddress(request.getUsername()));
                         model.addAttribute(HAS_LOGIN_FAILED, true);
-                        bindingResult.reject("Login failure");
+                        bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
                         return new ModelAndView(LOGIN_VIEW, model.asMap());
                     }
                 }
@@ -430,9 +437,11 @@ public ModelAndView login(@ModelAttribute("authorizeCommand") @Validated Authori
                     case ACCOUNT_LOCKED:
                         model.addAttribute(IS_ACCOUNT_LOCKED, true);
                         bindingResult.reject("Account locked");
+                        return new ModelAndView(LOGIN_VIEW, model.asMap());
                     case ACCOUNT_SUSPENDED:
                         model.addAttribute(IS_ACCOUNT_SUSPENDED, true);
                         bindingResult.reject("Account suspended");
+                        return new ModelAndView(LOGIN_VIEW, model.asMap());
                     case POLICIES_FAIL:
                         log.info("/login: User failed policy checks - {}", obfuscateEmailAddress(request.getUsername()));
                         model.addAttribute(HAS_POLICY_CHECK_FAILED, true);
@@ -443,19 +452,19 @@ public ModelAndView login(@ModelAttribute("authorizeCommand") @Validated Authori
                         staleUserResetPasswordParams.remove(USERNAME);
                         staleUserResetPasswordParams.remove(PASSWORD);
                         staleUserResetPasswordParams.remove(SELF_REGISTRATION_ENABLED);
-                        return new ModelAndView("redirect:/reset/inactive-user", staleUserResetPasswordParams);
+                        return new ModelAndView(REDIRECT_RESET_INACTIVE_USER, staleUserResetPasswordParams);
                     default:
                         model.addAttribute(HAS_LOGIN_FAILED, true);
-                        bindingResult.reject("Login failure");
+                        bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
                 }
             } else {
                 model.addAttribute(HAS_LOGIN_FAILED, true);
-                bindingResult.reject("Login failure");
+                bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
             }
         } catch (HttpClientErrorException | HttpServerErrorException | JsonProcessingException he) {
             log.info("/login: Login failed for user - {}", obfuscateEmailAddress(request.getUsername()));
             model.addAttribute(HAS_LOGIN_FAILED, true);
-            bindingResult.reject("Login failure");
+            bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
         }
         return new ModelAndView(LOGIN_VIEW, model.asMap());
     }
@@ -555,10 +564,10 @@ public ModelAndView verification(@ModelAttribute("authorizeCommand") @Validated
         try {
             final String authId = StringUtils.substringAfter(
                 cookies.stream()
-                    .filter(cookie -> cookie.startsWith("Idam.AuthId="))
+                    .filter(cookie -> cookie.startsWith(IDAM_AUTH_ID_COOKIE_PREFIX))
                     .findFirst()
                     .orElseThrow(),
-                "Idam.AuthId=");
+                IDAM_AUTH_ID_COOKIE_PREFIX);
             final List<String> responseCookies = spiService.submitOtpeAuthentication(authId, ipAddress, request.getCode());
             log.info("/verification: Successful OTP submission request");
 
@@ -568,7 +577,7 @@ public ModelAndView verification(@ModelAttribute("authorizeCommand") @Validated
                 log.info("/verification: Successful login");
                 List<String> secureCookies = authHelper.makeCookiesSecure(responseCookies);
                 secureCookies.forEach(cookie -> response.addHeader(HttpHeaders.SET_COOKIE, cookie));
-                return new ModelAndView("redirect:" + responseUrl);
+                return new ModelAndView(REDIRECT_PREFIX + responseUrl);
             } else {
                 log.info("/verification: There is a problem while logging in user");
                 return redirectToLoginOnFailedOtpVerification(request, bindingResult, model);
@@ -594,8 +603,8 @@ public ModelAndView verification(@ModelAttribute("authorizeCommand") @Validated
                             .get(HttpHeaders.SET_COOKIE))
                         .orElse(new ArrayList<>())
                         .stream()
-                        .filter(cookie -> cookie.startsWith("Idam.AuthId="))
-                        .map(cookie -> StringUtils.substringAfter(cookie, "Idam.AuthId="))
+                        .filter(cookie -> cookie.startsWith(IDAM_AUTH_ID_COOKIE_PREFIX))
+                        .map(cookie -> StringUtils.substringAfter(cookie, IDAM_AUTH_ID_COOKIE_PREFIX))
                         .findFirst()
                         .ifPresent(authId -> response.addCookie(new Cookie("Idam.AuthId", authId)));
                     return new ModelAndView(VERIFICATION_VIEW, model.asMap());
@@ -620,7 +629,7 @@ private ModelAndView redirectToLoginOnFailedOtpVerification(VerificationRequest
                                                                 BindingResult bindingResult,
                                                                 Model model) {
         model.addAttribute("hasOtpCheckFailed", true);
-        bindingResult.reject("Login failure");
+        bindingResult.reject(LOGIN_FAILURE_ERROR_CODE);
         model.addAttribute("authorizeCommand", request);
         model.addAttribute(USERNAME, null);
         return new ModelAndView("redirect:/" + LOGIN_VIEW, model.asMap());
@@ -651,7 +660,7 @@ public ModelAndView upliftLogin(@Validated UpliftRequest request, BindingResult
             return new ModelAndView(UPLIFT_LOGIN_VIEW, modelMap);
         }
 
-        String redirectUrl = "redirect:";
+        String redirectUrl = REDIRECT_PREFIX;
         try {
             final String jsonResponse = spiService.uplift(request.getUsername(), request.getPassword(), request.getJwt(),
                 request.getRedirect_uri(), request.getClient_id(), request.getState(), request.getScope());
@@ -666,7 +675,7 @@ public ModelAndView upliftLogin(@Validated UpliftRequest request, BindingResult
                 model.put("redirect_uri", request.getRedirect_uri());
                 model.put("state", request.getState());
                 model.put("scope", request.getScope());
-                return new ModelAndView("redirect:/reset/inactive-user", model);
+                return new ModelAndView(REDIRECT_RESET_INACTIVE_USER, model);
             } else {
                 log.error("Uplift process exception: {}", ex.getMessage(), ex);
 
@@ -709,7 +718,7 @@ public String loginWithPin(@RequestParam(value = "pin", required = false) String
 
         try {
 
-            return "redirect:" + spiService.loginWithPin(pin, redirectUri, state, clientId); //NOSONAR
+            return REDIRECT_PREFIX + spiService.loginWithPin(pin, redirectUri, state, clientId); //NOSONAR
 
         } catch (HttpClientErrorException | BadCredentialsException e) {
             log.error("Problem with pin: {}", e.getMessage());
@@ -797,14 +806,14 @@ public String resetPassword(final String action, final String password1, final S
         } catch (HttpClientErrorException e) {
             log.error("Error resetting password: {}", e.getResponseBodyAsString(), e);
             if (e.getStatusCode() == HttpStatus.PRECONDITION_FAILED) {
-                ErrorHelper.showError("Error", "public.common.error.invalid.password", "public.common.error.invalid.password", "", model);
+                ErrorHelper.showError(ERROR_TITLE, "public.common.error.invalid.password", "public.common.error.invalid.password", "", model);
             } else if (e.getStatusCode() == HttpStatus.BAD_REQUEST) {
                 if (validationService.isErrorInResponse(e.getResponseBodyAsString(), ErrorResponse.CodeEnum.PASSWORD_BLACKLISTED)) {
-                    ErrorHelper.showError("Error", "public.common.error.blacklisted.password", "public.common.error.blacklisted.password", "public.common.error.enter.password", model);
+                    ErrorHelper.showError(ERROR_TITLE, "public.common.error.blacklisted.password", "public.common.error.blacklisted.password", "public.common.error.enter.password", model);
                 } else if (validationService.isErrorInResponse(e.getResponseBodyAsString(), ErrorResponse.CodeEnum.PASSWORD_CONTAINS_PERSONAL_INFO)) {
-                    ErrorHelper.showError("Error", "public.common.error.containspersonalinfo.password", "public.common.error.containspersonalinfo.password", "public.common.error.enter.password", model);
+                    ErrorHelper.showError(ERROR_TITLE, "public.common.error.containspersonalinfo.password", "public.common.error.containspersonalinfo.password", "public.common.error.enter.password", model);
                 } else if (validationService.isErrorInResponse(e.getResponseBodyAsString(), ErrorResponse.CodeEnum.ACCOUNT_LOCKED)) {
-                    ErrorHelper.showError("Error", "public.common.error.previously.used.password", "public.common.error.password.details", "public.common.error.enter.password", model);
+                    ErrorHelper.showError(ERROR_TITLE, "public.common.error.previously.used.password", "public.common.error.password.details", "public.common.error.enter.password", model);
                 }
             } else if (e.getStatusCode() == HttpStatus.NOT_FOUND) {
                 return "redirect:expiredtoken";
diff --git a/src/main/java/uk/gov/hmcts/reform/idam/web/config/AppConfiguration.java b/src/main/java/uk/gov/hmcts/reform/idam/web/config/AppConfiguration.java
index 02e66e4fe..9dbcc6827 100644
--- a/src/main/java/uk/gov/hmcts/reform/idam/web/config/AppConfiguration.java
+++ b/src/main/java/uk/gov/hmcts/reform/idam/web/config/AppConfiguration.java
@@ -29,4 +29,4 @@ protected void configure(HttpSecurity http) throws Exception {
         // @formatter:on
     }
 
-}
\ No newline at end of file
+}
diff --git a/src/main/java/uk/gov/hmcts/reform/idam/web/config/FeignConfiguration.java b/src/main/java/uk/gov/hmcts/reform/idam/web/config/FeignConfiguration.java
index cac2bdb15..6cde71f4b 100644
--- a/src/main/java/uk/gov/hmcts/reform/idam/web/config/FeignConfiguration.java
+++ b/src/main/java/uk/gov/hmcts/reform/idam/web/config/FeignConfiguration.java
@@ -84,13 +84,13 @@ public Client client() {
         Dispatcher dispatcher = new Dispatcher();
         dispatcher.setMaxRequests(200);
         dispatcher.setMaxRequestsPerHost(200);
-        OkHttpClient httpClient = new OkHttpClient.Builder()
+        OkHttpClient newHttpClient = new OkHttpClient.Builder()
             .dispatcher(dispatcher)
             .readTimeout(20000, TimeUnit.MILLISECONDS)
             .followRedirects(false)
             .followSslRedirects(false)
             .build();
-        return new feign.okhttp.OkHttpClient(httpClient);
+        return new feign.okhttp.OkHttpClient(newHttpClient);
     }
 
     public Encoder feignFormEncoder() {
diff --git a/src/main/java/uk/gov/hmcts/reform/idam/web/config/IdamWebMvcConfiguration.java b/src/main/java/uk/gov/hmcts/reform/idam/web/config/IdamWebMvcConfiguration.java
index e2bc8f847..289179b5a 100644
--- a/src/main/java/uk/gov/hmcts/reform/idam/web/config/IdamWebMvcConfiguration.java
+++ b/src/main/java/uk/gov/hmcts/reform/idam/web/config/IdamWebMvcConfiguration.java
@@ -5,7 +5,6 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.CacheControl;
 import org.springframework.http.MediaType;
-import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
diff --git a/src/main/java/uk/gov/hmcts/reform/idam/web/config/SessionConfiguration.java b/src/main/java/uk/gov/hmcts/reform/idam/web/config/SessionConfiguration.java
index 200fcbef8..97be91bf1 100644
--- a/src/main/java/uk/gov/hmcts/reform/idam/web/config/SessionConfiguration.java
+++ b/src/main/java/uk/gov/hmcts/reform/idam/web/config/SessionConfiguration.java
@@ -24,7 +24,7 @@ public CookieSerializer cookieSerializer() {
         DefaultCookieSerializer serializer = new DefaultCookieSerializer();
         serializer.setCookieName("Idam.SSOSession");
         serializer.setCookiePath("/");
-        serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");
+        // serializer.setDomainNamePattern("^.+?\\.(\\w+\\.[a-z]+)$");
         serializer.setCookieMaxAge(FIVE_DAYS_IN_SECONDS);
         serializer.setUseSecureCookie(useSecureCookie);
         return serializer;
diff --git a/src/main/java/uk/gov/hmcts/reform/idam/web/helper/ErrorHelper.java b/src/main/java/uk/gov/hmcts/reform/idam/web/helper/ErrorHelper.java
index 8cb4579af..62032c4d0 100644
--- a/src/main/java/uk/gov/hmcts/reform/idam/web/helper/ErrorHelper.java
+++ b/src/main/java/uk/gov/hmcts/reform/idam/web/helper/ErrorHelper.java
@@ -1,5 +1,6 @@
 package uk.gov.hmcts.reform.idam.web.helper;
 
+import lombok.experimental.UtilityClass;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.client.HttpClientErrorException;
@@ -11,6 +12,7 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 
+@UtilityClass
 public class ErrorHelper {
 
     private static final String ERROR = "error";
diff --git a/src/main/java/uk/gov/hmcts/reform/idam/web/helper/MvcKeys.java b/src/main/java/uk/gov/hmcts/reform/idam/web/helper/MvcKeys.java
index e19aa3830..b6931b659 100644
--- a/src/main/java/uk/gov/hmcts/reform/idam/web/helper/MvcKeys.java
+++ b/src/main/java/uk/gov/hmcts/reform/idam/web/helper/MvcKeys.java
@@ -24,6 +24,8 @@ public class MvcKeys {
     public static final String REDIRECT_URI = "redirect_uri";
     public static final String RESPONSE_TYPE = "response_type";
     public static final String STATE = "state";
+    public static final String NONCE = "nonce";
+    public static final String PROMPT = "prompt";
     public static final String SCOPE = "scope";
     public static final String USERNAME = "username";
     public static final String CODE = "code";
diff --git a/src/main/java/uk/gov/hmcts/reform/idam/web/model/AuthorizeRequest.java b/src/main/java/uk/gov/hmcts/reform/idam/web/model/AuthorizeRequest.java
index 331398b0b..a1f97f88d 100644
--- a/src/main/java/uk/gov/hmcts/reform/idam/web/model/AuthorizeRequest.java
+++ b/src/main/java/uk/gov/hmcts/reform/idam/web/model/AuthorizeRequest.java
@@ -15,6 +15,10 @@ public class AuthorizeRequest {
     @NotEmpty
     private String password;
 
+    private String nonce;
+
+    private String prompt;
+
     private String redirect_uri;
 
     private String state;
diff --git a/src/main/java/uk/gov/hmcts/reform/idam/web/sso/SSOAuthenticationSuccessHandler.java b/src/main/java/uk/gov/hmcts/reform/idam/web/sso/SSOAuthenticationSuccessHandler.java
index f45d39ef6..502acf074 100644
--- a/src/main/java/uk/gov/hmcts/reform/idam/web/sso/SSOAuthenticationSuccessHandler.java
+++ b/src/main/java/uk/gov/hmcts/reform/idam/web/sso/SSOAuthenticationSuccessHandler.java
@@ -148,6 +148,8 @@ private String authoriseUser(List<String> cookies, Map<String, String[]> paramMa
         );
 
         params.remove("login_hint");
+        // ignore prompt as we don't want a federated user that is successfully authenticated to land on the login page
+        params.remove("prompt");
 
         Response response = oidcApi.oauth2AuthorizePost(
             StringUtils.join(cookies, ";"),
@@ -163,4 +165,4 @@ private String authoriseUser(List<String> cookies, Map<String, String[]> paramMa
             .stream().findAny().orElseThrow(() -> restException(null, HttpStatus.FORBIDDEN, new HttpHeaders(),
             HttpStatus.FORBIDDEN.getReasonPhrase(), "Location header was empty."));
     }
-}
\ No newline at end of file
+}
diff --git a/src/main/java/uk/gov/hmcts/reform/idam/web/strategic/ValidationService.java b/src/main/java/uk/gov/hmcts/reform/idam/web/strategic/ValidationService.java
index 62148f2a6..a9f95431d 100644
--- a/src/main/java/uk/gov/hmcts/reform/idam/web/strategic/ValidationService.java
+++ b/src/main/java/uk/gov/hmcts/reform/idam/web/strategic/ValidationService.java
@@ -17,6 +17,7 @@
 @Component
 public class ValidationService {
 
+    public static final String ERROR_TITLE = "Error";
 
     private final ObjectMapper mapper;
 
@@ -45,34 +46,34 @@ public ValidationService(
     public boolean validatePassword(final String password1, final String password2, Map<String, Object> model) {
 
         if (StringUtils.isEmpty(password1) && StringUtils.isEmpty(password2)) {
-            ErrorHelper.showError("Error", "public.common.error.password.not.empty", "public.common.error.enter.password", "public.common.error.enter.password", model);
+            ErrorHelper.showError(ERROR_TITLE, "public.common.error.password.not.empty", "public.common.error.enter.password", "public.common.error.enter.password", model);
             return false;
         }
         if (StringUtils.isEmpty(password1)) {
-            ErrorHelper.showError("Error", "public.common.error.password.not.empty", "public.common.error.enter.password", "", model);
+            ErrorHelper.showError(ERROR_TITLE, "public.common.error.password.not.empty", "public.common.error.enter.password", "", model);
             model.put("password2", password2);
             return false;
         }
         if (StringUtils.isEmpty(password2)) {
-            ErrorHelper.showError("Error", "public.common.error.password.not.empty", "", "public.common.error.enter.password", model);
+            ErrorHelper.showError(ERROR_TITLE, "public.common.error.password.not.empty", "", "public.common.error.enter.password", model);
             model.put("password1", password1);
             return false;
         }
 
         if (!password1.equals(password2)) {
-            ErrorHelper.showError("Error", "public.common.error.password.not.same", "", "public.common.error.password.should.match", model);
+            ErrorHelper.showError(ERROR_TITLE, "public.common.error.password.not.same", "", "public.common.error.password.should.match", model);
             model.put("password1", password1);
             return false;
         }
 
         if (password1.length() < passwordMinLength || password1.length() > passwordMaxLength) {
-            ErrorHelper.showError("Error", "public.common.error.invalid.password", "public.common.error.password.details", "", model);
+            ErrorHelper.showError(ERROR_TITLE, "public.common.error.invalid.password", "public.common.error.password.details", "", model);
             model.put("password1", password1);
             return false;
         }
 
         if (containsIllegalCharacters(password1)) {
-            ErrorHelper.showError("Error", "public.common.error.invalid.password.illegal-characters", "public.common.error.password.details", "", model);
+            ErrorHelper.showError(ERROR_TITLE, "public.common.error.invalid.password.illegal-characters", "public.common.error.password.details", "", model);
             model.put("password1", password1);
             return false;
         }
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index cd82cac5d..371c9d62e 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -126,4 +126,6 @@ features:
   federated-s-s-o: ${federated.sso:true}
 
 ssoEmailDomains:
-  ejudiciary.net: ejudiciary-aad
+  dummy: dummy
+# re-enable only when SSO feature is enabled for everyone
+#  ejudiciary.net: ejudiciary-aad
diff --git a/src/main/webapp/WEB-INF/jsp/login.jsp b/src/main/webapp/WEB-INF/jsp/login.jsp
index e6fe9b49f..edaac3885 100644
--- a/src/main/webapp/WEB-INF/jsp/login.jsp
+++ b/src/main/webapp/WEB-INF/jsp/login.jsp
@@ -35,6 +35,8 @@
                     <spring:param name="redirect_uri" value="${redirect_uri}"/>
                     <spring:param name="client_id" value="${client_id}"/>
                     <spring:param name="state" value="${state}"/>
+                    <spring:param name="nonce" value="${nonce}"/>
+                    <spring:param name="prompt" value="${prompt}"/>
                     <spring:param name="scope" value="${scope}"/>
                     <spring:param name="response_type" value="code"/>
                     <spring:param name="login_hint" value="ejudiciary-aad"/>
diff --git a/src/test/java/uk/gov/hmcts/reform/idam/web/AppControllerTest.java b/src/test/java/uk/gov/hmcts/reform/idam/web/AppControllerTest.java
index 47fb35be4..6595a538e 100644
--- a/src/test/java/uk/gov/hmcts/reform/idam/web/AppControllerTest.java
+++ b/src/test/java/uk/gov/hmcts/reform/idam/web/AppControllerTest.java
@@ -283,7 +283,7 @@ public void loginView_shouldSetSelfRegistrationToFalseIfTheClientIdIsInvalid() t
      * @see AppController#loginView(AuthorizeRequest, BindingResult, Model)
      */
     @Test
-    public void loginView_shouldPutCorrectDataInModelAndReturnLoginView2() throws Exception {
+    public void loginView_shouldPutCorrectDataInModelAndReturnLoginViewWithAzureLoginEnabled() throws Exception {
 
         Service service = new Service();
         service.selfRegistrationAllowed(true);
@@ -440,6 +440,33 @@ public void upliftRegister_shouldPutRightErrorDataInModelIfRegisterUserServiceTh
 
     }
 
+
+    /**
+     * @verifies redirects to "reset/inactive-user" on registration 404 with STALE_USER_REGISTRATION_SENT error
+     * @see #upliftRegister(RegisterUserRequest, BindingResult, Map
+     */
+    @Test
+    public void upliftRegister_redirectToResetInactiveUserOnRegistration404WithStaleUserRegistrationSentError() throws Exception {
+        byte[] staleUserErrorBytes = ErrorResponse.CodeEnum.STALE_USER_REGISTRATION_SENT.toString().getBytes(StandardCharsets.UTF_8);
+
+        given(spiService.registerUser(eq(aRegisterUserRequest())))
+            .willThrow(new HttpClientErrorException(HttpStatus.NOT_FOUND,
+                HttpStatus.NOT_FOUND.getReasonPhrase(), staleUserErrorBytes, StandardCharsets.UTF_8));
+
+        mockMvc.perform(post(UPLIFT_REGISTER_ENDPOINT).with(csrf())
+            .param(JWT_PARAMETER, JWT)
+            .param(REDIRECT_URI, REDIRECT_URI)
+            .param(STATE_PARAMETER, STATE)
+            .param(CLIENT_ID_PARAMETER, CLIENT_ID)
+            .param(USERNAME_PARAMETER, USER_EMAIL)
+            .param(USER_FIRST_NAME_PARAMETER, USER_FIRST_NAME)
+            .param(USER_LAST_NAME_PARAMETER, USER_LAST_NAME)
+            .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED))
+            .andExpect(status().is3xxRedirection())
+            .andExpect(redirectedUrl("/reset/inactive-user?client_id=clientId&redirect_uri=redirect_uri&state=state+test"));
+
+    }
+
     /**
      * @verifies put generic error data in model if register user service throws HttpClientErrorException an http status code different from 404
      * @see #upliftRegister(RegisterUserRequest, BindingResult, Map
@@ -1504,6 +1531,13 @@ public void login_shouldPutInModelTheCorrectErrorDetailInCaseAuthorizeServiceThr
             .policiesAction(EvaluatePoliciesAction.ALLOW)
             .build();
 
+        ApiAuthResult authResultNullError = ApiAuthResult.builder()
+            .cookies(cookieList)
+            .httpStatus(HttpStatus.UNAUTHORIZED)
+            .errorCode(null)
+            .policiesAction(EvaluatePoliciesAction.ALLOW)
+            .build();
+
         given(spiService.authenticate(eq(USER_EMAIL), eq(USER_PASSWORD), eq(REDIRECT_URI), eq(USER_IP_ADDRESS)))
             .willReturn(authResult);
 
@@ -1616,6 +1650,23 @@ public void login_shouldPutInModelTheCorrectErrorDetailInCaseAuthorizeServiceThr
             .andExpect(model().attribute(IS_ACCOUNT_SUSPENDED, true))
             .andExpect(status().isOk())
 
+            .andExpect(view().name(LOGIN_VIEW));
+
+        given(spiService.authenticate(eq(USER_EMAIL), eq(USER_PASSWORD), eq(REDIRECT_URI), eq(USER_IP_ADDRESS)))
+            .willReturn(authResultNullError);
+
+        mockMvc.perform(post(LOGIN_ENDPOINT).with(csrf())
+            .header(X_FORWARDED_FOR, USER_IP_ADDRESS)
+            .param(USERNAME_PARAMETER, USER_EMAIL)
+            .param(PASSWORD_PARAMETER, USER_PASSWORD)
+            .param(REDIRECT_URI, REDIRECT_URI)
+            .param(STATE_PARAMETER, STATE)
+            .param(RESPONSE_TYPE_PARAMETER, RESPONSE_TYPE)
+            .param(CLIENT_ID_PARAMETER, CLIENT_ID)
+            .param(SCOPE_PARAMETER, CUSTOM_SCOPE))
+            .andExpect(model().attribute(HAS_LOGIN_FAILED, true))
+            .andExpect(status().isOk())
+
             .andExpect(view().name(LOGIN_VIEW));
     }
 
diff --git a/src/test/java/uk/gov/hmcts/reform/idam/web/ApplicationIntegrationTest.java b/src/test/java/uk/gov/hmcts/reform/idam/web/ApplicationIntegrationTest.java
index 1e8b2f17e..e748e139f 100644
--- a/src/test/java/uk/gov/hmcts/reform/idam/web/ApplicationIntegrationTest.java
+++ b/src/test/java/uk/gov/hmcts/reform/idam/web/ApplicationIntegrationTest.java
@@ -1,5 +1,6 @@
 package uk.gov.hmcts.reform.idam.web;
 
+import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.boot.test.context.SpringBootTest;
@@ -12,6 +13,7 @@ public class ApplicationIntegrationTest {
 
     @Test
     public void applicationContext_shouldLoad() {
+        Assert.assertTrue(true);
     }
 
 }
diff --git a/src/test/java/uk/gov/hmcts/reform/idam/web/config/AppConfigurationTest.java b/src/test/java/uk/gov/hmcts/reform/idam/web/config/AppConfigurationTest.java
new file mode 100644
index 000000000..07b9dc1af
--- /dev/null
+++ b/src/test/java/uk/gov/hmcts/reform/idam/web/config/AppConfigurationTest.java
@@ -0,0 +1,42 @@
+package uk.gov.hmcts.reform.idam.web.config;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.http.MediaType;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import uk.gov.hmcts.reform.idam.web.AppController;
+
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@WebMvcTest(AppController.class)
+@RunWith(SpringRunner.class)
+@TestPropertySource(properties = {"testing=true", "features.federated-s-s-o=false"})
+public class AppConfigurationTest {
+    @Autowired
+    private MockMvc mvc;
+
+    @Test
+    @WithMockUser(value = "spring")
+    public void assets_shouldNotThrow401() throws Exception {
+        MockHttpServletRequestBuilder req = MockMvcRequestBuilders.get("/assets/test")
+            .contentType(MediaType.APPLICATION_JSON);
+        mvc.perform(req)
+            .andExpect(status().isNotFound());
+    }
+
+    @Test
+    @WithMockUser(value = "spring")
+    public void register_shouldRequireCsrf() throws Exception {
+        MockHttpServletRequestBuilder req = MockMvcRequestBuilders.get("/users/register")
+            .contentType(MediaType.APPLICATION_JSON);
+        mvc.perform(req)
+            .andExpect(status().isBadRequest());
+    }
+}
\ No newline at end of file
diff --git a/src/test/java/uk/gov/hmcts/reform/idam/web/config/OIDCLocaleChangeInterceptorTest.java b/src/test/java/uk/gov/hmcts/reform/idam/web/config/OIDCLocaleChangeInterceptorTest.java
index a782445ef..e63fdd9c2 100644
--- a/src/test/java/uk/gov/hmcts/reform/idam/web/config/OIDCLocaleChangeInterceptorTest.java
+++ b/src/test/java/uk/gov/hmcts/reform/idam/web/config/OIDCLocaleChangeInterceptorTest.java
@@ -123,7 +123,7 @@ public void handleException_shouldThrowIfIgnoreInvalidLocaleIsTrue() {
      * @verifies not throw if ignore invalid locale is false
      * @see OIDCLocaleChangeInterceptor#handleException(String, IllegalArgumentException)
      */
-    @Test
+    @Test(expected = Test.None.class /* no exception expected */)
     public void handleException_shouldNotThrowIfIgnoreInvalidLocaleIsFalse() {
         final OIDCLocaleChangeInterceptor interceptor = new OIDCLocaleChangeInterceptor(AVAILABLE_LOCALES);
         interceptor.setIgnoreInvalidLocale(true);
diff --git a/src/test/java/uk/gov/hmcts/reform/idam/web/sso/SSOZuulFilterTest.java b/src/test/java/uk/gov/hmcts/reform/idam/web/sso/SSOZuulFilterTest.java
index 07da61072..ab7149d33 100644
--- a/src/test/java/uk/gov/hmcts/reform/idam/web/sso/SSOZuulFilterTest.java
+++ b/src/test/java/uk/gov/hmcts/reform/idam/web/sso/SSOZuulFilterTest.java
@@ -70,12 +70,12 @@ public void increment(String name) {
 
     @Test
     public void filterType() {
-        assertEquals(underTest.filterType(), PRE_TYPE);
+        assertEquals(PRE_TYPE, underTest.filterType());
     }
 
     @Test
     public void filterOrder() {
-        assertEquals(underTest.filterOrder(), 0);
+        assertEquals(0, underTest.filterOrder());
     }
 
     @Test
diff --git a/src/test/java/uk/gov/hmcts/reform/idam/web/strategic/SPIServiceTest.java b/src/test/java/uk/gov/hmcts/reform/idam/web/strategic/SPIServiceTest.java
index 04e56bcab..9068b57b1 100644
--- a/src/test/java/uk/gov/hmcts/reform/idam/web/strategic/SPIServiceTest.java
+++ b/src/test/java/uk/gov/hmcts/reform/idam/web/strategic/SPIServiceTest.java
@@ -19,7 +19,6 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
-import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
@@ -39,14 +38,11 @@
 import java.util.Map;
 import java.util.Optional;
 
-import static com.google.common.net.HttpHeaders.X_FORWARDED_FOR;
-import static java.util.Collections.singletonList;
 import static junit.framework.TestCase.assertTrue;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.nullValue;
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
@@ -208,8 +204,8 @@ public void validateActivationToken_shouldCallIDMWithTheRightBody() throws Excep
 
         HttpEntity<ValidateRequest> entity = (HttpEntity<ValidateRequest>) captor.getAllValues().get(0);
 
-        Assert.assertEquals(entity.getBody().getToken(), USER_ACTIVATION_TOKEN);
-        Assert.assertEquals(entity.getBody().getCode(), USER_ACTIVATION_CODE);
+        Assert.assertEquals(USER_ACTIVATION_TOKEN,entity.getBody().getToken() );
+        Assert.assertEquals(USER_ACTIVATION_CODE,entity.getBody().getCode() );
     }
 
     /**
@@ -288,7 +284,8 @@ public void resetPassword_shouldReturnWhatAPICallReturns() throws Exception {
     @Test
     public void forgetPassword_shouldCallApiWithTheCorrectParameters() throws Exception {
         spiService.forgetPassword(USER_EMAIL, SERVICE_OAUTH2_REDIRECT_URI, CLIENT_ID);
-        Thread.sleep(1000); // hack to get around CompletableFuture.supplyAsync()
+        // hack to get around CompletableFuture.supplyAsync()
+        Thread.sleep(1000);//NOSONAR
 
         ArgumentCaptor<HttpEntity<ForgotPasswordDetails>> captor = ArgumentCaptor.forClass(HttpEntity.class);
         verify(restTemplate).exchange(eq(FORGOT_PASSWORD_URI), eq(HttpMethod.POST), captor.capture(), eq(String.class));
diff --git a/src/test/js/uplift_user_test.js b/src/test/js/uplift_user_test.js
index bd9afb707..01f36746f 100644
--- a/src/test/js/uplift_user_test.js
+++ b/src/test/js/uplift_user_test.js
@@ -287,4 +287,4 @@ Scenario('@functional @uplift @staleUserUpliftLogin Send stale user registration
     expect(oidcUserInfo.family_name).to.equal('User');
 
     I.resetRequestInterception();
-});
\ No newline at end of file
+});