If you enable SSO for your domain with Infoblox Portal it will apply to Infoblox Portal and SSO Portal and Support Portal. So long as it is configured correctly, you will not need to create local users on the Infoblox Portal as they can be created automatically if the correct group mapping is done.

If SSO fails, it is possible to send an email to an admin account with a OTP for access.

https://docs.infoblox.com/space/BloxOneCloud/35397677/One+Time+Passcode+(OTP)+Access

It is possible to enable SSO for a single test user. However, that test user must be created locally on CSP and you can't test the group mapping/auto create function with that test user. Group mapping only works when the full domain is enabled for SSO.

https://docs.infoblox.com/space/BloxOneCloud/35367251/Testing+3rd+Party+IdP+Authentication

Group mapping only works on Infoblox Portal (formally CSP Portal) and does not work on Support Portal nor on SSO Portal.

If users are mapped to “td.admin” group, they will have admin access in both Production and in child Sandboxes.