Limiting SSO based on Applications / Roles or Navigation

I had a question regarding SSO authentication in the Portal. Is it possible to have the Portal use SSO, but to force an authentication later when the user tries to open up a certain link or application.

For example, all users will have SSO, but when they select "ESS/MSS" in the top-level navigation bar in the portal they get a login window before they can proceed.

Is this possible and what would be the best way of implementing it?