If you enable the generic SSO in PPM by using an external web server and configuring the sso.conf file and server.conf, is it still possible to connect to PPM directly by using the URL of the app server?
Is there a possibility to disable/enable the SSO for specific users like switching the authentication mode between PPM and LDAP for any user?
The official answer from HP support is no, a mixed-mode with SSO and non-SSO users is not supported. Nevertheless, it is possible to exclude cluster nodes from SSO.
PPM reads the server.conf sequentially, so a node that is accessible for users defined before the SINGLE_SIGN_ON_PLUGIN-parameter will not be affected by it. We are running such a setup because we have external resources who are not in our directory (AD in that case).
We use a hardware switch to direct users to a cluster instance and validation is done within PPM. Most users are configured to use their AD id and password via LDAP while some users not in AD are configured to use PPM authentication. I have not tried doing this with a web server as the front end. The tradeoffs may make a similar solution unacceptable in your environment.
That's right, one front end IIS for the SSO-enabled nodes with one DNS-alias and another DNS-alias for the single non-SSO-enabled node. There is only one node without SSO because SSO is the preferred way by both the users and us.