We have observed that although we are set up to use SSO (single sign-on), users can log in to Rally (CA Agile Central) using any password (like ABCD.., anything that does not match the set password).
This compromises the data security for us and is seen as a security vulnerability.
Rally SaaS
SSO authentication (with or without exceptions)
When a user logs in to a subscription set to SSO authentication, Rally does not look at the password at all if the user enters a username and password on the login screen. This is not a security loophole: Rally recognizes that the username is associated with a subscription set to use SSO, so it simply passes the authentication over to the customer's IdP (identity provider). Rally then gets a SAML token from the IdP that says "this user is OK" and lets the user in to Rally.