After enabling SSO, existing users can bypass SAML authentication and keep logging in with their password locally.
Since version 2.1.0, this can be disabled (see Disable password login with nosso-parameter v2.1.0), but this still does not disable password authentication completely.

In order to accomplish this, some configuration in Jira, Confluence or Bamboo is required.

Bitbucket Server

In Bitbucket Server, just enable deny password login on the plugin configuration page.
After that, only users with System Administrator privileges or members of a group named allow-password-login can use a password for authentication.
You need to create that group, if it is not existing yet.

Passwords will work again as soon as the SAML SSO app is disabled or uninstalled.

Jira, Confluence and Bamboo

In Jira, Confluence and Bamboo, password authentication can be blocked by installing a special authenticator in the system:
Download the authenticator from http://builds.resolution.de/denypasswordauthenticator-1.0.2.jar

Copy denypasswordauthenticator-<version>.jar into the applications lib folder, e.g.
Jira         /opt/atlassian/jira/jira/WEB-INF/lib
Confluence   /opt/atlassian/confluence/confluence/WEB-INF/lib
Bamboo       /opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/lib

Please ensure that only one version of the file is in that directory.

Jira

Edit seraph-config.xml in the classes-folder, e.g.
/opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml 
Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator

<!-- <authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.JiraDenyPasswordAuthenticator" />

Confluence

Edit seraph-config.xml in the classes-folder, e.g. 
/opt/atlassian/confluence/confluence/WEB-INF/classes/seraph-config.xml
Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator

<!-- <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.ConfluenceDenyPasswordAuthenticator" />

If you install a custom authenticator in Confluence, some functionality that relies on password authentication is automatically disabled:

  • web sudo
  • captcha
  • password confirmation on email change

To overwrite this behaviour use the password.confirmation.disabled flag.
Please refer to this ticket for more information.

Bamboo

Edit seraph-config.xml in the classes-folder, e.g. 
/opt/atlassian/bamboo/atlassian-bamboo/WEB-INF/classes/seraph-config.xml
Comment out the existing authenticator definition and replace it with de.resolution.samlsso.authenticator.BambooDenyPasswordAuthenticator

<!-- <authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/>  -->
<authenticator class="de.resolution.samlsso.authenticator.BambooDenyPasswordAuthenticator" />


Restart Jira, Confluence or Bamboo after changing the seraph configuration file.
After that, only users with System Administrator privileges or members of the group named allow-password-login 
can bypass SSO and use a local password for authentication. You need to create that group, if it is not existing yet.