Yes, Vitally supports SAML just-in-time provisioning. When a user logs in for the first time using SAML, a user will created for them in Vitally. If you've added the vitallyRole attribute, that will determine the user's permission level in Vitally. Otherwise, they will default to being a 'restricted' user.
No, password login is disabled as soon as SAML 2.0 login is enabled.
Existing user sessions will be valid for up to 7 days. Ask each of your users to log out and log back into Vitally to force them to immediately start using SAML login.