Hi Michael,
SAML is a single sign-on protocol, not an identity management one. These notions are
normally clearly separated in the IAM world.
So SAML definitely won't let you change passwords and manipulate other identity data,
since it wasn't designed for this. SCIM [1] would be a perfect solution;
unfortunately, it isn't implemented in Keycloak OOTB (however, there's an ongoing
effort for that [2], so stay tuned).
Currently, the recommended way to manipulate identity data (including changing passwords)
is to use the Keycloak Admin REST API [3].
[1] http://www.simplecloud.info/
[2] http://lists.jboss.org/pipermail/keycloak-dev/2018-August/011178.html
[3] https://www.keycloak.org/docs-api/4.5/rest-api/
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-10-10 at 09:59 -0500, Michael Meier wrote:
Hi all
Maybe it's a stupid question and that's maybe the reason I couldn't find
an answer for it on the internet.
But is it possible that a service provider (in my case Nextcloud) uses
the SAML protocol to update the current user's password on the IdP
(Keycloak)?
If yes, does Keycloak support that?
Thanks a lot for the information
Michael Meier
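
The Admin REST API route recommended in the reply above, sketched as an added example (not code from the thread or from the Keycloak project). The server URL, realm name and function names are assumptions, and the calling client is assumed to be a confidential client whose service account holds only the realm-management "manage-users" role.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://keycloak.example.test/auth"  # assumed server URL (4.x "/auth" context path)
REALM = "demo"                               # assumed realm name

def token_request(client_id, client_secret):
    """Client-credentials grant for a confidential client with a service account."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    url = f"{BASE}/realms/{REALM}/protocol/openid-connect/token"
    return urllib.request.Request(url, data=form, method="POST")

def find_user_request(token, username):
    """GET .../users?username=... ; the server matches substrings, not exact names."""
    query = urllib.parse.urlencode({"username": username})
    return urllib.request.Request(f"{BASE}/admin/realms/{REALM}/users?{query}",
                                  headers={"Authorization": f"Bearer {token}"})

def pick_exact(users, username):
    """Refuse to act unless exactly one returned user has the requested username."""
    hits = [u for u in users if u["username"].lower() == username.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected one user named {username!r}, got {len(hits)}")
    return hits[0]["id"]

def reset_password_request(token, user_id, new_password, temporary=False):
    """PUT a CredentialRepresentation to .../users/{id}/reset-password."""
    body = json.dumps({"type": "password", "value": new_password,
                       "temporary": temporary}).encode()
    url = (f"{BASE}/admin/realms/{REALM}/users/"
           f"{urllib.parse.quote(user_id, safe='')}/reset-password")
    return urllib.request.Request(url, data=body, method="PUT", headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})

def send(req):
    """Send one request over TLS and decode a JSON body if there is one."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def change_password(client_id, client_secret, username, new_password):
    token = send(token_request(client_id, client_secret))["access_token"]
    user_id = pick_exact(send(find_user_request(token, username)), username)
    send(reset_password_request(token, user_id, new_password))
```

Because the username search is a substring match, pick_exact keeps the reset from landing on a different account whose name merely contains the requested one.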