Why doesn't https://mydomain.my.salesforce.com/?login work when single sign on is enabled?
The Best Practices and Tips for Implementing Single Sign-On
System admins must always be able to log in to Salesforce, even if SSO is enabled for their accounts. For example, you need a fallback in case your third-party authentication provider has an outage. You can always log in to Salesforce using the standard login page, which prompts for username and password. Access the standard login page by modifying the Salesforce URL. You can add login as a query string parameter, for example, https://northerntrailoutfitters-dev-ed.my.salesforce.com/?login. Or you can append login=true to the URL, for example, https://northerntrailoutfitters-dev-ed.my.salesforce.com/?login=true.
Yet when I use https://mydomain.my.salesforce.com/?login
The standard SFDC login form appears
Entering username/pw results in error: We can't log you in because you're only allowed to use single sign-on. For help, contact your Salesforce administrator.
My SAML identity provider is down. I can't login. Help!
There can be two answers for SDFC login:
While attempting https://mydomain.my.salesforce.com/?login, the user's profile (or permission set) has Is Single Sign On Enabled = true
If you have somehow done this to Profile System Administrator and
no other profile/user has Customize Application privileges or no other user w/ Customize Application privileges is logged in to undo (in Setup) the Is Single Sign On Enabled=true
and your IdP is offline
You'll be making a phone call to SFDC Support!
The doc also states...
We recommend that you don’t enable SSO for Salesforce admins. If your Salesforce admins are SSO users and your SSO server has an outage, they have no way to log in to Salesforce. Ensure that the Salesforce admins can log in to Salesforce so that they can disable SSO if problems occur.
This is a bit misleading. You should not enable the Is Single Signon = true for Sysads but you certainly can enable a SAML SSO for system admins by configuring My Domain as shown below
If you enter https://mydomain.my.salesforce.com/?login=true in the browser, you will see:
and, assuming you remember your password, you can login and bypass the IdP.
So - you can:
Set Is Single Sign On Enabled = true for all users except Sysads (this prevents them from using the ?login=true URL param)
Disable the Login Form in My Domain so no one worries about the username/pw anymore (the whole point of SSO/IdP)
Still allow Sysads to login with http://mydomain.my.salesforce.com/?login=true` to provide access to Setup in case an IdP is down or misconfigured.
Hope this helps!!