[SalesForce] Disabling Direct Login

For the past couple of months our team has been working to enforce SSO-only authentication via Okta. We've played around with a couple of ideas, from delegated authentication to federated authentication, etc.

We set up Okta via federated authentication but want to disable direct login via username and password. We would be doing this by removing the 'Login Form' from the 'Authentication Service' via Setup > My Domain. However, upon testing I realized that removing 'Login Form' prevents a user from going to the custom domain login screen unless you append /?login to the URL. I was under the assumption that it would just remove the username and password fields, forcing the user to select a different authentication service (Okta button). See screenshot:
[screenshot]

We want to give users the ability to see the custom 'Okta' button, but not be able to use their username and password, so would the next best option be re-adding 'Login Form' to 'Authentication Service', then checking 'Prevent login from https://login.salesforce.com'?

Best Answer

You can control this scenario by leveraging the Okta auth provider that you've already configured as well as enabling (but not needing to set up) Delegated Authentication.

Per the help article on the topic: https://help.salesforce.com/articleView?id=sso_tips.htm&type=5

SSO Login Settings Tips

When you configure users with an authentication provider for SSO, you can require them to log in only through the authentication provider. To prevent users from logging in with a Salesforce username and password, assign these users or a profile of these users the Is Single Sign-On Enabled user permission. If the Is Single Sign-On Enabled permission isn’t available, ask Salesforce Support to enable the delegated authentication feature. You’re not required to configure delegated authentication, but it must be enabled.

Related past question: https://salesforce.stackexchange.com/a/2002/660
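Once the "Is Single Sign-On Enabled" permission is the control that blocks password login, the check a practitioner wants is an audit of which active users still lack it, since one profile or permission set left out leaves a password-login path open. The SOQL below is an added example, not part of the original question or answer. It assumes the permission surfaces as the Boolean field `PermissionsIsSsoEnabled` on both the Profile and PermissionSet objects (the API name used here is an assumption; confirm it against your org's object describe before relying on it).

```sql
-- Added example (not from the original post). Assumes the user permission
-- "Is Single Sign-On Enabled" is exposed as PermissionsIsSsoEnabled.

-- 1. Active users whose profile does NOT grant the permission.
--    These are candidates for a password-login bypass unless a
--    permission set grants it instead (checked in query 2).
SELECT Id, Username, Profile.Name
FROM User
WHERE IsActive = true
  AND Profile.PermissionsIsSsoEnabled = false
ORDER BY Profile.Name, Username

-- 2. Users who receive the permission through a permission set rather
--    than their profile. Subtract this set from the result of query 1
--    to get the list of users who can still log in with a password.
SELECT Assignee.Username, PermissionSet.Name
FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsIsSsoEnabled = true
  AND Assignee.IsActive = true
ORDER BY Assignee.Username

-- 3. Sanity check on the policy itself: every profile that should be
--    SSO-only must show true here. Any false row for a non-admin,
--    non-integration profile is a gap in the enforcement.
SELECT Name, PermissionsIsSsoEnabled
FROM Profile
ORDER BY PermissionsIsSsoEnabled, Name
```

Run these in Developer Console or Workbench after enabling the permission. Keep at least one administrator profile or a dedicated break-glass user without the permission, or an Okta outage locks everyone out of the org; that exception is exactly what query 3 should show as the only false rows.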
