I have been scouring the docs and community and think I know the answers to these questions, but could use some verification:
1) Am I understanding this correctly? If you have both a production and sandbox instance of Marketo, assuming you set up SSO on both production and sandbox, SSO will only allow the user to log in to the instance where the email address in the authentication directory and the email of the user in the Marketo instance match.
2) Am I correct in understanding that a user can still log in to Marketo directly without going through SSO (assuming of course that the user has a valid Marketo account)?
This all makes sense to me; however, Marketo should confirm that, as I did not see anything specific to these questions in the docs.
Below are answers to your questions:
1. Yes, your understanding is right. The username (email address) should match.
2. All users with 'Admin Role' can bypass SSO, which means those users can also log in to Marketo directly.
Is point #2 correct in that only users with an Admin role can bypass SSO by using login.marketo.com directly? I've been testing this out and what I'm seeing is that any user in Marketo can log in directly even though single sign-on has been enabled.
This is an optional restriction that you need to enable in the Admin section. I believe either in Login Settings or Single Sign-on but I'm not sure off the top of my head.