by vladvasiliu 669 days ago
I'm not sure always presenting the password field avoids that.

If you type in bob@sso.com for your SSO account, the password field will clearly be a throwaway, and you'll be redirected to your IDP.

Being presented with a "wrong password" error would mean the account is local.

1 comment

Weeellll… you’d hope so, but some users may try to autofill a password with the right username, which will inadvertently fill the password too. And now your vendor (Quip or whomever) can potentially see your employee’s passwords. You have to trust them to throw away any password they see for someone from your org.
Oh yeah, I'm pretty sure Atlassian used to do that, too. So I can understand the "making it easier for users" reason invoked by people implementing this "two step" login.

But I'd argue this is a different issue than the one of giving out what kind of authentication a given login has.
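To make the two points in the thread concrete, here is a toy model of both login flows. This is an added example and is not code from the thread or from any vendor mentioned in it; the SSO domain, the IdP URL, the local user and the password are all constructed sample data. It shows that the email-first flow and the always-show-password flow both give an attacker an observable difference between a federated and a local address, and that the second flow additionally hands the vendor whatever password the user (or their autofill) submits for a federated account.

```python
"""Toy model of the two login flows discussed above (added example, not the
thread's or any vendor's code). All identities, domains and URLs are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: one org federated to an IdP, one purely local user.
SSO_DOMAINS = {"sso.com": "https://idp.example.invalid/saml/login"}
_SALT = b"toy-fixed-salt"  # a real system uses a per-user random salt


def _hash(password: str) -> bytes:
    # Assumed scheme for the toy: PBKDF2-HMAC-SHA256 with a fixed salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


LOCAL_USERS = {"alice@example.com": _hash("correct horse battery staple")}


@dataclass(frozen=True)
class Response:
    status: int
    body: str
    redirect: Optional[str] = None


def _domain_of(email: str) -> str:
    return email.rpartition("@")[2].lower()


def two_step_login(email: str) -> Response:
    """Email-first ("two step") flow: the decision is made before any password
    is typed. The redirect alone tells the client the address is federated."""
    domain = _domain_of(email)
    if domain in SSO_DOMAINS:
        return Response(302, "", SSO_DOMAINS[domain])
    return Response(200, "Enter your password")


class VendorLoginService:
    """Flow where the password field is always shown. The vendor now receives
    the submitted password even for federated users; `received_passwords`
    models what it could have logged before deciding to throw it away."""

    def __init__(self) -> None:
        self.received_passwords: List[str] = []

    def login(self, email: str, password: str) -> Response:
        self.received_passwords.append(password)  # the point made in the reply above
        domain = _domain_of(email)
        if domain in SSO_DOMAINS:
            # Password is discarded here, but it has already reached the vendor.
            return Response(302, "", SSO_DOMAINS[domain])
        stored = LOCAL_USERS.get(email)
        if stored is not None and hmac.compare_digest(stored, _hash(password)):
            return Response(200, "Welcome")
        # "Wrong password" for any local-or-unknown address; still distinguishable
        # from the 302 a federated address produces.
        return Response(401, "Wrong password")


def distinguishable(r1: Response, r2: Response) -> bool:
    """An enumeration oracle exists if any observable differs between the two."""
    return (r1.status, r1.redirect) != (r2.status, r2.redirect)


if __name__ == "__main__":
    svc = VendorLoginService()
    a = svc.login("bob@sso.com", "hunter2")
    b = svc.login("alice@example.com", "guess")
    print("two-step oracle:", distinguishable(two_step_login("bob@sso.com"),
                                              two_step_login("alice@example.com")))
    print("always-password oracle:", distinguishable(a, b))
    print("passwords the vendor saw:", svc.received_passwords)
```

Both `distinguishable` checks come out true, which is the first commenter's claim: always presenting the password field does not close the oracle. The `received_passwords` list is the second commenter's concern: in the always-password variant the vendor has `"hunter2"` in hand before it decides to redirect `bob@sso.com` to the IdP.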