Prevent direct login for SSO-provisioned users

Has anyone used the SAML module to allow both manual and SSO login, but prevent SSO provisioned users from using manual login? We have 2 types of users.  SSO and non-SSO. For SSO users, we would like the ability to rely on the IDP to set which users are allowed to access the app through SSO.  The thing is, any SSO provisioned user, if they manage to reset their password, could log in manually.  Even if blocked by the IDP.  We can restrict provisioned users from accessing any password-reset flow, but as extra security, we're looking at how to disallow them from using manual login altogether. At the same time, we still have non-SSO users.  So we can't completely remove that option from the login page. One potential solution is a scheduled task that "resets" SSO user passwords to a random string every so often, but this feels like a hacky workaround. Is there some sort of “before-login” or even “after-login” flow we can hook into, run a check, and reject login? I expected to see a microflow within the Administration or System modules, but no such luck.
1 answers

I still not see the point on why you want to do this because if you never hand out the password they can never log in to the system through that way. But for the sake of argument I would use the option to use the after signin microflow to attach the SAML request (based on the user principle to the user session with a non persistent object. Then make your home a microflow instead of a page if you have not already done so to check if the user is a SSO or NonSSO user. That boolean must be stored somewhere so you can divede the two. For SSO users you then only have to check if the current session has that NP object because that is only there if the user has succesfully loged in with SSO. And for the NonSSO user you can skip that check.