So yes! When SSO is enabled, all existing users are switched to a ‘pending’ state. They can’t log in at that point until they verify themselves via an email NR sends at the time SSO is enabled.
When SSO is enabled, the owner does need to also authenticate via SSO.
There are 3 steps to enabling SSO:
Configure > Test > Enable
The test phase allows the owner to validate that they can authenticate to the account via SSO. They cannot enable SSO if this fails.
So you are safeguarded from there being an issue, at least with the owner, after enablement.