No... something is not right. Even without local accounts, we would still have the ability to bypass SAML in a perfect world scenario (like Master accounts or whatever deemed necessary by you). The Okta article above is telling people to set "Reply to URL" to Kaseya (AuthAnvil) and then sync Okta to Active Directory. I am assuming the missing piece to this scenario is having accounts provisioned by Domain Watch. I suppose it could work... but that is not how we used to do it.
I really wish Kaseya would formally support other SSO solutions. Basically every modern product/service supports any SSO because it is the right thing to do.
Chris Amori We have it enabled and it (kinda) works. However, you can't change the 'Reply To URL' to a different provider. So like others are saying, you can technically use SSO with a third party vendor but it doesn't work as it should. You can still reach the VSA login page directly. It's a bummer.