We set up OSP 4.51 HF2 with SSPR 3.2.03 (Latest patch I could find)
doing SAML via Shibboleth.

Have the Helpdesk set to use the proxy account.

When I go to change a password, it works, but reports a 699 bad
password, and then proceeds to Intruder lock my account.

It looks like the password change failed, but it works.

My theory is that when in proxy mode it is connecting as me first, I
find the user, then go to change its password, it connects as the Proxy
user. Then when complete tries to reconnect to as me again, but however
it is connecting via SSO via SAML, it is trying username/password this
time, probably with a null password. (Though that should really succeed
as a anon bind in hindsight).

Anyone else seen this?

I can work around it by setting the needed permissions on the Helpdesk
group object. I would prefer to use the proxy here.