I have completed Mydomain set up and Single Sign-On set up in one of our Sandboxes and waiting for the IDP to complete their setup.
Questions:
Meanwhile how do I make sure the users are authenticated using their salesforce Username/Password rather than relying on the directory.
Once the setup is complete on both ends how do I make specific profile/users to bypass authentication via the directory. I want them (for example, API only User) to logon with their Salesforce User Name/Password.
I'm happy to say that this feature is now fully accessible to administrators. It has been possible to prevent users from using their Salesforce credentials when they were SSO-enabled but it required contacting Salesforce support.
As of Summer '20 (release notes), you can configure SSO in a way that it prevents users from using their internal credentials.
You can pass a session ID as an attribute in the SAML Assertion. In the Connected App configuration for your SP, set $Api.Session_ID as a Custom Attribute value. The recipient will be able to use the session ID with the REST API.
Best Answer
You can use both SAML SSO and normal SF username/password authentication at the same time, enabling SSO does not disable the usual authentication.
If you want to disable normal username/password login I believe you have to setup delegated authentication for a profile and point it's authentication url at a non existant url or one that always returns no.
Also, to answer a question in the comments, preventing login from login.salesforce.com won't help, this can be overridden with a url parameter.