Sometimes, in a particular scenario, you may run into an SSO issue that turns out to be related to user locking.
That is, when the user is locked, SSO does not work as usual and the user gets a logon page instead.
The main point in troubleshooting such an issue is to work out the complete scenario.
Make clear which system is the SSO entry point, which is the SSO credential issuer, and which SSO type is used between them.
Here, finally, the scenario is this:
1. The entry point is the corporate Portal for all business.
2. It has a link pointing to an iView of another Portal (the second Portal).
These two portals are federated portals, so the SSO type between them is Logon Ticket.
3. The second Portal uses an ABAP (BW) system as its UME data source.
The whole issue is this: when the user's password gets locked in the ABAP system (by many logon attempts with an invalid password), the user can no longer SSO from the entry portal to the second portal.
Even with the ABAP parameter login/failed_user_auto_unlock=1 set, the user still could not log on the next day.
Then, from the properties of the logon page, we found that it belongs to the second Portal, which confirms that the issue is on the Portal/Java side, not the ABAP side.
Finally, the reason turned out to be that when the user is locked (from the ABAP side), the Portal/Java system does not let the user log on via SSO.
There is a UME property that controls this: ume.logon.allow_password_locked_users_sso_login.
More information is in these Notes:
#1708850 – User is authenticated even though change password fails
#1900890 – Allow login of users whose password Is locked via SSO
After setting this property, the user can log on via SSO even when the user's password is locked.
(This applies whether the user is in the Java system's own data source or in an ABAP data source.)
(Note also that the user's lock status is not changed by a logon via SSO;
only a logon with the correct password changes it automatically.)
I hope this blog helps you troubleshoot similar issues.