Has anyone else experienced an issue where only administrators can login to sandbox after refresh? I made sure the setting was checked to "All Users" having access after refresh. This was also a refresh that changed the sandbox to the new architecture. Client uses SSO but have the same result when logging in directly.

You have to change the SSO setting of the sandbox because after refresh it inherits the SSO setting of the production, that is why SSO breaks for sandbox after refresh. Note that Administrator can not use SSO.

Shouldn't the user still be able to log in directly from Netsuite.com , even if SSO is broken? We're still working on fixing the SSO settings. The strange thing is that if I remove the "SAML Single Sign On" permission entry under Permissions --> Setup in the role, they are then able to see the role; even if "Single Sign-On Only" isn't checked.

it is due to the setup permission on the ROLE - SAML/SSO works only if the role is configured for it ie. setup permission "SAML Single Sign-on" is set to full. When this permission is active that role cannot login directly, only SSO. I hope this make sense.