Redirect to AccessManager password management service URL does not occur if grace login count > 0

  • 3946337
  • 07-Jan-2008
  • 29-Apr-2013

Environment

Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Support Pack 1 applied

Situation

Users with expired passwords but with a grace login count above 0 are not being redirected to the configured password management service URL. The redirect only happens once the grace login count has decremented to 0. However, at 0 the user is no longer able to log in to the password management service and so cannot reset the expired password. The expected behaviour is that the redirect occurs as soon as a password is detected to be in an expired state, regardless of the number of grace logins remaining.

Resolution

Import the trusted root certificate for the IDP and password management servlet servers into the IE7 browser certificate store.

Turns out that the issue only occurs with IE7 and not with any other browser version, including earlier versions of IE. It appears that IE7 behaves differently than earlier versions of IE and any Firefox version when a certificate error is encountered: with IE7, if the user chooses to ignore the error, it can send a request to a previous URL again. This seemed the likely cause of this problem because my browsers do not have the CA certs for either the IDP or for the password management service.

I imported the CA cert of just the password management service into IE7's trusted root store so that no cert errors occur when browsing directly to it. Now, the expired password redirect works as expected for IE7 (and of course continues to work for the other browsers even without the CA cert in the browser's root store).