When a user accesses a resource protected by an SDK Custom Authentication Scheme, the Policy Server fails the authentication. This happens when the user's disable state is 16777216.

Policy Server 12.8SP3 on RedHat 7;
Openjdk 1.8.0_242;
SDK 12.8SP3 on RedHat 7;
User Store on Custom LDAP Directory 2.0.3;

This is expected behavior: if the user is required to change their password, the Policy Server does not fully authenticate the user until the password has been changed. This holds even when the Custom Authentication Scheme returns SMAUTH_ACCEPT to the Policy Server.
A defect fixed in Policy Server 12.7 describes the earlier behavior in 12.52 (1). The same problem was present in Policy Server 12.52SP1: even when the user's disable state was set to "16777216", the Policy Server overlooked it, logged the user in and granted access, which is a security problem.

Make the Custom Agent handle the smauthreason code 20 and redirect the user's browser to the change password page.
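The following is an added example, not code from the article or from the SiteMinder SDK, of how a custom agent written against the Java Agent API could honour that reason code. It assumes the `netegrity.siteminder.javaagent` classes, the `AgentAPI.YES` constant and the public `SessionDef.reason` field as shipped in the 12.8 SDK (verify against your SDK version), and a hypothetical Password Services URL for the deployment.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import netegrity.siteminder.javaagent.AgentAPI;
import netegrity.siteminder.javaagent.AttributeList;
import netegrity.siteminder.javaagent.RealmDef;
import netegrity.siteminder.javaagent.ResourceContextDef;
import netegrity.siteminder.javaagent.SessionDef;
import netegrity.siteminder.javaagent.UserCredentials;

public class PasswordChangeAwareLogin {

    // smauthreason value the article says the Custom Agent must handle.
    private static final int REASON_PASSWORD_CHANGE_REQUIRED = 20;

    // Hypothetical Password Services page for this deployment (assumption).
    private static final String PASSWORD_SERVICES_URL =
        "https://sso.example.com/siteminderagent/forms/smpwservices.fcc";

    public enum Outcome { GRANT, REDIRECT_TO_PASSWORD_CHANGE, DENY }

    public static final class Decision {
        public final Outcome outcome;
        public final String redirectUrl; // set only for REDIRECT_TO_PASSWORD_CHANGE
        Decision(Outcome outcome, String redirectUrl) {
            this.outcome = outcome;
            this.redirectUrl = redirectUrl;
        }
    }

    // Calls AgentAPI.login and maps the result to an agent decision. The point
    // of the article: SMAUTH_ACCEPT from the scheme is not enough on its own;
    // the reason code the Policy Server returns with the session is what decides.
    public static Decision login(AgentAPI api, String clientIp, ResourceContextDef resCtx,
                                 RealmDef realm, UserCredentials creds, String target) {
        SessionDef session = new SessionDef();
        AttributeList attrs = new AttributeList();
        int rc = api.login(clientIp, resCtx, realm, creds, session, attrs);

        // Password change pending: send the browser to Password Services instead
        // of the target, carrying the target so the user can be returned afterwards.
        if (session.reason == REASON_PASSWORD_CHANGE_REQUIRED) {
            return new Decision(Outcome.REDIRECT_TO_PASSWORD_CHANGE,
                PASSWORD_SERVICES_URL + "?TARGET=" + encode(target));
        }
        // Only a clean YES with no reason code grants access; anything else is denied.
        if (rc == AgentAPI.YES && session.reason == 0) {
            return new Decision(Outcome.GRANT, null);
        }
        return new Decision(Outcome.DENY, null);
    }

    private static String encode(String s) {
        try { return URLEncoder.encode(s, "UTF-8"); }
        catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); }
    }
}
```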

(1) Defects Fixed in 12.7.02, 00831103 / DE315869: "CA Single Sign-On fails to redirect inactive or disabled users to password services URL, and allows the users to access applications."
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-7/release-notes/service-packs/defects-fixed-in-12-7-02.html