I'm curious... what is your business need for the "backdoor" account? Sounds like you would like 2 identity providers... the SAML one for your corporate users and the 'built in' one for non-corporate users. For that model, I think you are going to need to retain the sign-in button.
We have a similar setup and have 2 major challenges with trying to run SAML only:
1. Automating tasks through custom tools/scripts
2. Offline field collection with Collector

Our corporate SAML service requires a client certificate on a smart card for authentication, but also supports single sign-on using Microsoft Integrated Windows Authentication (MS Negotiate - Kerberos).
For #1 - we have developed Python requests authentication handlers that technically work with our SAML service and Kerberos... you may find this useful - GitHub - DOI-BLM/requests-arcgis-auth: Authentication handler for using Esri ArcGIS for Server and P... ... we use this to authenticate to the portal/AGOL site using a "headless Windows AD service account"... the tool (or Windows service) runs as that account and does a single sign-on to the SAML service.
For #2 - we are working through providing that capability by using a 3rd party service to provide "2 factor authentication". This is the biggest reason we still have it enabled; that process is not fully fleshed out.