How to disable using local credentials

Joel21
Tera Contributor

We are setting up an Azure AD IdP for SSO, and want to be able to disable using the password stored in the sys_user table once the migration is complete. What is the recommended way to do this? We will still have some users that will need to authenticate against the sys_user table: API users and admin accounts.


Giles Lewis
Giga Guru

The recommended solution is to run a fix script which clears the sys_user password field for any user that is not authorized to use local authentication. You cannot locally authenticate unless you have a non-blank password. Make sure that you do not clear the password for service accounts such as "admin" which require local authentication.
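The fix script described above, as an added example that is not code from this thread or from ServiceNow: it blanks user_password for every active sys_user who is not on an explicit local-authentication allowlist, and runs in report-only mode first. The allowlist names, the sample sys_user rows and the FakeGlideRecord stand-in (there only so the logic can run outside an instance; on an instance the real GlideRecord is picked up) are all constructed for this example.

```javascript
// Added example (not from the thread or ServiceNow): fix script that blanks user_password
// on sys_user for every active user NOT on the local-auth allowlist (constructed names).
var LOCAL_AUTH_ALLOWLIST = ['admin', 'api.integration']; // accounts that keep local login
var DRY_RUN = true; // first run reports only; set false to apply
function clearLocalPasswords(allowlist, dryRun, GlideRecordCtor) {
  var allowed = {};
  allowlist.forEach(function (u) { allowed[u] = true; });
  var result = { cleared: [], skipped: [] };
  var gr = new GlideRecordCtor('sys_user');
  gr.addActiveQuery();
  gr.addNotNullQuery('user_password'); // only users who can still log in locally
  gr.query();
  while (gr.next()) {
    var name = String(gr.getValue('user_name'));
    if (allowed[name]) { result.skipped.push(name); continue; }
    if (!dryRun) {
      gr.setValue('user_password', ''); // blank password disables local authentication
      gr.setWorkflow(false);            // do not fire business rules or notifications
      gr.update();
    }
    result.cleared.push(name);
  }
  return result;
}
// Constructed stand-in for GlideRecord over a sample sys_user table so the logic
// runs offline; on an instance the real GlideRecord is used instead (see bottom).
function FakeGlideRecord(table) { this.rows = FakeGlideRecord.data[table]; this.i = -1; this.filters = []; }
FakeGlideRecord.data = { sys_user: [
  { user_name: 'admin', active: true, user_password: 'h1' },
  { user_name: 'jdoe', active: true, user_password: 'h2' },           // migrated to SSO
  { user_name: 'api.integration', active: true, user_password: 'h3' },
  { user_name: 'asmith', active: true, user_password: '' },           // already cleared
  { user_name: 'old.user', active: false, user_password: 'h4' }       // inactive, untouched
] };
FakeGlideRecord.prototype.addActiveQuery = function () { this.filters.push(function (r) { return r.active; }); };
FakeGlideRecord.prototype.addNotNullQuery = function (f) { this.filters.push(function (r) { return r[f] !== ''; }); };
FakeGlideRecord.prototype.query = function () {
  var fs = this.filters;
  this.rows = this.rows.filter(function (r) { return fs.every(function (g) { return g(r); }); });
};
FakeGlideRecord.prototype.next = function () { return ++this.i < this.rows.length; };
FakeGlideRecord.prototype.getValue = function (f) { return this.rows[this.i][f]; };
FakeGlideRecord.prototype.setValue = function (f, v) { this.rows[this.i][f] = v; };
FakeGlideRecord.prototype.setWorkflow = function () {};
FakeGlideRecord.prototype.update = function () {};
var GR = (typeof GlideRecord !== 'undefined') ? GlideRecord : FakeGlideRecord;
var log = (typeof gs !== 'undefined') ? function (m) { gs.info(m); } : console.log;
log(JSON.stringify(clearLocalPasswords(LOCAL_AUTH_ALLOWLIST, DRY_RUN, GR)));
```

Review the DRY_RUN report against the list of service and integration accounts before applying; anything missing from the allowlist loses local login the moment its password is blanked.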

Aman Kumar S
Kilo Patron

Hey,

Since you are on Quebec and will soon be upgrading to Rome:

One interesting finding for the Rome release regarding local login:

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0997746

Feel free to mark as correct if I answered your query.

It will be helpful for future visitors looking for similar questions 🙂

Best Regards
Aman Kumar

ConradJ
Tera Contributor

I have a scenario where there is a mix of username and password with SAML SSO on different URLs. Clearing the users' password stops them from logging in but causes issues with the SSO source for the users and/or locks accounts. This could be because we have not set up ACR for legacy reasons and we are on San Diego.

@Joel21 I have tested Adaptive Authentication on San Diego, which looks to be the best solution to this issue. The module was already activated in our instances. In my case I have configured a Deny Post Authentication Policy Context for those groups that were migrated from local username and password to SSO. This looks to prevent the users from logging in and/or locking their accounts. I used "DEMO POLICY - Restrict Username and Password based Authentication for specific users" as a guide for setting the conditions.

There is some configuration required and I recommend thorough testing on a Test instance. See the ServiceNow docs and tutorial for more information:

Activate adaptive authentication (servicenow.com)

Tutorial: Configure adaptive authentication (servicenow.com)

Randheer Singh
ServiceNow Employee

Hi @Joel21, as @ConradJ suggested, you can leverage the adaptive authentication feature to deny local logins for all users or a specific set of users.

You can add a deny policy in the post-authentication context record. In the deny policy you can use authentication scheme filter criteria.