Because of the way iViews are displayed in the Portal, the ITS server is directly visible to the client for ITS-enabled transactions (ESS transactions). Authentication to the ITS server is done via SAP SSO Ticket.
If users know their ITS credentials, they can go directly to the ITS server (logon screen), bypassing the Portal completely. This bypasses the role-based authentication that the Portal performs.
We want to force the users to go through the Portal to get to any and all ITS transactions. One thought is to potentially configure the ITS server to only accept logons via SSO Ticket, and not via the logon page. If there are better suggestions, I welcome them.
The ITS is only forwarding the information to an ABAP server. You can configure that ABAP system to accept only SAP logon tickets for user authentication; as of release 4.6C an ABAP system allows you to "deactivate" a user's password (see transaction SU01 - the symbol looks like a burnt-out match, not very intuitive).
You might also deactivate the ability of password-based user authentication by a general switch: setting profile parameter login/disable_password_logon = 1 (see SAP note 379081).
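A quick way to verify the general switch from the answer above is to read the instance profile off the host and check whether login/disable_password_logon is explicitly set to 1. The script below is an added example, not code from the original thread or from SAP: it assumes the usual "name = value" profile text format with "#" comment lines, uses two constructed sample profiles instead of real customer files, and only inspects the one parameter named in the answer (a missing parameter is treated as the SAP default of 0, i.e. password logon still allowed; the per-user SU01 deactivation is not visible in a profile and is not checked here).

```python
"""Audit an SAP ABAP instance profile for login/disable_password_logon.

Added example (not from the original thread). Assumptions: profile lines are
'name = value', lines starting with '#' are comments, later lines override
earlier ones, and an unset parameter means the default value 0.
"""

import re

PARAM = "login/disable_password_logon"

# Constructed sample profiles, not real customer files.
WEAK_PROFILE = """\
# Instance profile: password logon left at the default
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
login/min_password_lng = 8
"""

HARDENED_PROFILE = """\
# Instance profile: only SAP logon tickets are accepted
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
login/disable_password_logon = 1
"""

# name = value, with optional whitespace around '=' and at both ends
_LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return a {parameter: value} dict for one profile text; later lines win."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def password_logon_disabled(params):
    """True only when the parameter is explicitly set to 1.

    An absent parameter means the SAP default (0): password logon allowed,
    so the ITS logon screen can still be used to bypass the Portal.
    """
    return params.get(PARAM, "0").strip() == "1"


def audit(text):
    """Return (disabled, human-readable finding) for one profile text."""
    params = parse_profile(text)
    disabled = password_logon_disabled(params)
    value = params.get(PARAM, "<unset, default 0>")
    if disabled:
        verdict = "OK: password logon disabled, only SAP logon tickets accepted"
    else:
        verdict = "FINDING: password logon possible, ITS logon screen bypasses the Portal"
    return disabled, f"{PARAM} = {value} -> {verdict}"


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        _, message = audit(text)
        print(f"[{name}] {message}")
```

Run it against the real instance profile by reading the file and passing its contents to audit(); on a live system, also confirm the running value in RZ11, since a profile edit only takes effect after the instance is restarted.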