Hi Esther,
If the end users access SAP backend with SSO, you can disable the [change password] popup by add a parameter (login/password_change_for_SSO=0).
==============
then he arrives at IDM authentication page. Now, he needs to change his password (expiration after n days). then he changes he password in IDM homepage.
================
For this scenario, you can connect IDM AS JAVA as a repository of IDM itself. So the end user changes the password via password self-service also changes his UME password. You can setup a periodical job to warning the user that the password is going to expire.
Cheers,
Chenyang Xiong