I'm working on setting up SAML single sign on with Azure AD. We've been able to successfully set it up with a few roles in prod but can't switch between sandbox/prod. Do I need to also have my IT systems admin set up the sandbox as a separate piece? Basically replicate all the prod setup but for the sandbox?

Probably. Our SAML roles only work in production. You can remove the SAML SSO permission, which is what I do for testing. We don't share direct login roles.

Sorry - just noticed this was over a week ago - have to keep up with the Slack 😞 Anytime we refresh sandbox, I have to delete the IDP metadata file from prod & sandbox, and then re-import the IDP file. Once I do that, users can switch between Sandbox and prod from role selection when the have logged in via SAML (provided they have been granted access to both). NS uses the same IDP file for both