It should be possible offload the authentication of users to a web server acting as a reverse proxy in front of OpenNMS. In this configuration, the user name of the logged in user will be provided as some HTTP header, which the OpenNMS should trust.
In this configuration, it should also be possible to perform LDAP lookups to determine the roles associated with the particular user.
This should function similarly to what's described here:
The name of the header in which to retrieve the username must be configurable.