Hi David,
the answer depends on the system (ABAP/Java) to log on to, the release of that system and the requirements you have.
Let's assume you are talking about ABAP and password logon shall be disabled for users using SSO. For release before 7.31, you can only set the profile parameter mentioned by Julio already. This profile parameter is then valid for all users. Details and side effects can be found in the docs. This way you can not disable password logon for users except by deleting their password in the system.
Starting with 7.31, the ABAP system allows to define security policies for users. This way, you can also create different policies for the different user types. For instance it would be possible to have one policy for users with SSO, where you can disable the logon via password completly and a second one for non-SSO users. Please see the docs on security policies in ABAP for more details.
Kind regards,
Patrick