I am thinking of implementing Single Sign-On for a whole company.
PROBLEM: Some employees of that company need to be able to work offline, without having to switch user/environment.
Is there any trick to make both compatible?
While normally using SSO, is there any magic trick to continue working offline, at least for a few days or so?
If there is absolutely no way to ever achieve this, please post an answer saying so, thank you!
Allowing such employees to stay away from SSO is risky: they won't be able to use some company services, or alternatively some hard-to-maintain tricks will have to be implemented to allow both SSO and non-SSO.
Technologies: Latest Active Directory (others can be considered), Windows, Mac.
By default, Active Directory will allow users to sign into their Windows machines while the Domain Controller cannot be reached, with the last password known to the computer in question. Once the domain controller is contactable, the client machine will check to see if any passwords for its users have changed.
The only problem with this is that the client computer will only keep the passwords of users who have previously logged into the computer while the domain controller is available. It will not hold all passwords for the entire domain, just those of the users that it knows exist.
See Disable Logon to Windows Computers When Not Connected to a Domain for more info on how to disable this setting (it is enabled by default).
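To see how a given machine is configured for the offline logon behaviour described in the answer above, the following added example (not part of the original answer) reads the cached-logon setting and reports whether offline sign-in is enabled. It assumes the setting is stored as the `CachedLogonsCount` value under the Winlogon registry key; the function name `Get-CachedLogonPolicy` is hypothetical, and remote queries assume PowerShell remoting is enabled.

```powershell
# Added example: report whether cached (offline) domain logon is enabled.
# Get-CachedLogonPolicy is a hypothetical helper name, not a built-in cmdlet.
function Get-CachedLogonPolicy {
    [CmdletBinding()]
    param(
        # Machines to audit; remote names are queried over PowerShell remoting.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $probe = {
        # Assumed location of the "number of previous logons to cache" setting.
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount `
                    -ErrorAction SilentlyContinue).CachedLogonsCount

        # The value is stored as a string; treat missing or malformed data as "not set".
        $count  = $null
        $parsed = 0
        if ($null -ne $raw -and [int]::TryParse([string]$raw, [ref]$parsed)) {
            $count = $parsed
        }

        # 0 means no logons are cached, so sign-in fails without a domain controller.
        $state = if ($null -eq $count) { 'NotSet (OS default applies)' } elseif ($count -eq 0) { 'Disabled' } else { 'Enabled' }

        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            DomainJoined      = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
            CachedLogonsCount = $count
            OfflineLogon      = $state
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) {
            & $probe                                   # local machine: run in-process
        } else {
            Invoke-Command -ComputerName $name -ScriptBlock $probe
        }
    }
}

Get-CachedLogonPolicy | Format-Table -AutoSize
```

A laptop that reports `Disabled` will refuse domain sign-in whenever the domain controller is unreachable, so check this on the machines of employees who need to work offline before rolling out SSO.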