In an E-Business Suite 11i application, one can enable Password Expiration for users created locally using the DEFINE USER form. This value is stored in the PASSWORD_LIFESPAN_DAYS column. If the 11i application is integrated with Oracle Single Sign-On (SSO), the 11i SSO login mechanism ignores this column as expected because the password policy is defined in the LDAP Directory. However, this does not seem to be the case for Discoverer 10g SSO Login functionality. The Discoverer login code seems to be explicitly checking for 'PASSWORD_LIFESPAN_DAYS' column in the FND_USER table even though it is SSO enabled. This behavior is consistent in both Discoverer Plus and Viewer components.
For example, if FND_USER.PASSWORD_DATE is 22-NOV-08,FND_USER.PASSWORD_LIFESPAN_DAYS 30 and if SYSDATE is '22-JAN-09' for user JSMITH, the Discoverer Login will fail with the above error (whenever PASSWORD_LIFESPAN_DAYS is less than SYSDATE-PASSWORD_DATE) .
Update the PASSWORD_LIFESPAN_DAYS column to NULL for all rows in the FND_USER table after the 11i application is integrated with SSO.