You have define a login/* parameter - for example login/password_change_for_SSO = <desired value> in the DEFAULT profile. The parameter effect is not happening.
You possibly make use of Security Policies (or would like to know if you are using it).
The transaction RZ11 shows that the current value is the expected for such parameter, and the source is shown either as a Dynamic Switching or the Default/Instance Profiles.
On transaction SECPOL, security policies may be found.
Users showing such symptoms, on SU01 "Logon Data" tab have their "Security Policy" field not empty - it points to one of the Security Policies defined in SECPOL.
SECPOL, Security Policy, PASSWORD_CHANGE_FOR_SSO, login/*, login, profile parameter, login parameter, login profile parameter, login restrictions, profile groups, password policies , KBA , BC-SEC-POL , Security Policies for ABAP , BC-SEC-LGN , Authentication , Problem
About this pageThis is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).
Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.