Hi guys,
our Keycloak currently uses AD as the main user storage provider for
passwords. We need to bind a legacy User Storage Provider and locally
import the users into Keycloak.
I have used the strategy described in the Import Implementation Strategy
section
(https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/...),
and was able to either:
1. keep the password and username in legacy system and take care of
synchronizations
2. remove the federation and update the password in Keycloak DB in the
overridden *CredentialInputValidator.isValid* method with code stolen
from Keycloak's own *PasswordCredentialProvider*
For now I am in favour of the second option, but then it means there are
still *two* user password storages (AD and Keycloak DB)...
My question is whether the second approach sounds reasonable, or is there a
*third* way to "migrate" the password to Active Directory when the
validation is checked?
Cheers,
Adrian
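Added illustration of the second option described in the post, written for this thread and not taken from the post or from Keycloak's own sources: the credential-validation half of a User Storage Provider that checks the presented password against the legacy system once, and on success hands the password to Keycloak's credential manager (which hashes it under the realm's password policy) and removes the federation link, so later logins never touch the legacy store. It is written against the Keycloak 3.x / RH-SSO 7.1 API the linked documentation covers (`UserCredentialModel`, `session.userCredentialManager()`); later Keycloak releases moved these calls. `LegacyUserStore`, `LegacyImportingProvider` and `checkPassword` are hypothetical names, and the lookup/import side of the provider (the `UserLookupProvider` methods that create the local user with the federation link) is left out.

```java
package example.legacy; // hypothetical package name

import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageProvider;

/** Hypothetical client for the legacy system; it must never return the stored secret, only a verdict. */
interface LegacyUserStore {
    boolean checkPassword(String username, String presentedPassword);
    void close();
}

/**
 * Validates passwords against the legacy store and migrates them into Keycloak's
 * credential store on the first successful login (the "import" strategy).
 */
public class LegacyImportingProvider implements UserStorageProvider, CredentialInputValidator {

    private final KeycloakSession session;
    private final ComponentModel model;   // this provider's component; its id is the federation link
    private final LegacyUserStore legacy;

    public LegacyImportingProvider(KeycloakSession session, ComponentModel model, LegacyUserStore legacy) {
        this.session = session;
        this.model = model;
        this.legacy = legacy;
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return UserCredentialModel.PASSWORD.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        // Only claim the password while the user is still linked to this provider.
        // After the link is removed, Keycloak's built-in PasswordCredentialProvider
        // validates against the locally stored hash, so none of its code needs copying.
        return supportsCredentialType(credentialType)
                && model.getId().equals(user.getFederationLink());
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) {
            return false;
        }
        String presented = ((UserCredentialModel) input).getValue();

        // Ask the legacy system for a yes/no verdict; the plaintext exists only for this request.
        if (!legacy.checkPassword(user.getUsername(), presented)) {
            return false;
        }

        // Legacy check passed: persist the password locally. Keycloak hashes it with the
        // realm's configured hash algorithm and iteration count; nothing is stored in clear.
        session.userCredentialManager().updateCredential(realm, user,
                UserCredentialModel.password(presented));

        // Unlink so this user is handled by the local store from now on.
        user.setFederationLink(null);
        return true;
    }

    @Override
    public void close() {
        legacy.close();
    }
}
```

The migration happens inside the same request that proved the password, so there is no window in which Keycloak holds a credential it has not verified. Because `isConfiguredFor` stops answering once the link is cleared, the legacy store drops out of the authentication path per user as each one logs in, which is the point at which the legacy backend can be audited for remaining unmigrated accounts.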