That is, is it possible for some users to authenticate against the user directory and others directly against Athento itself?
Authentication in Athento works through authentication chains. This means that the authentication mechanisms are consulted one after the other. The authentication against the platform is always the last authentication mechanism except for project particularities.
The answer is therefore that it is possible to use different authentication mechanisms at the same time.