Currently there is only one web server and one web console. A split web server is under development to allow running the administrator web console from a different port then the web console used for single sign-on.
You can use Nginx to restrict access to different paths. The configuration below should work for single sign-on.
location ~ /
location ~ ^\/sso\/[a-z0-9\/]+$
location ~ ^\/k\/[a-z0-9\/]+$
location ~ ^\/ku\/[a-z0-9\/]+$
location ~ ^\/key\/[a-z0-9\/]+$