Single sign on settings and sandbox refresh

Sandboxes created as a mirror of their production environment will have their SAML settings disabled after a sandbox refresh, due to the recipient URL being updated.

The recipient URL is updated to match your sandbox URL that Salesforce gives when the sandbox is refreshed, for example, http://cs1.salesforce.com. Other than the Recipient URL, all SSO config options, including certificates, will be mirrored in the sandbox SSO configs.

Keep in mind

• If you have SSO enabled in the Production environment with a custom profile with the SSO permission enabled, when the Sandbox refresh occurs, login will be blocked. You'll need to check the permissions.  This won't apply to a user(s) with a standard profile(s). (This is due to a sandbox refresh limitation)
• The org ID of the sandbox environment is changed every time you refresh the sandbox and will negate SSO settings, requiring that they be reconfigured. 
• Once the Recipient URL is updated, download the metadata, provide it to the IDP ( Identity Provider), and have it updated at the IDP end.
• After the Sandbox refresh, one of the system admin users of the Org may need to reach out to Salesforce support for a password reset email to bypass the security question prompt so that they can set up their password to access the Sandbox.

1. Enable SAML in the recently copied sandbox

1. Click on Setup.
2. In Lightning Experience, follow the click path: Setup | Identity | Single Sign-On Settings. In Classic, under "Administer," click Security Controls | then click Single Sign-On Settings. 
3. Click Edit, then check SAML Enabled.
4. Click Save.

 OR

2. Reset the password from the users' list page in the production 

1. Click on Setup.
2. In Lightning Experience, follow the click path: Setup | Users | Users list. 
3. Click the user and click the Reset Password button.

See also
Refresh Your Sandbox