IdP failover from Entra SSO to AD?

Our gateways are set up to use Active Directory for the IdP.

I'd like to get our gateways set up to use SAML but can't risk locking users out if there's no internet connection. Is there a way to set an IdP failover from a SAML user source (Entra SSO) to AD?

There is no failover in IdPs themselves. Ignition's native IdP can point at a user source that can have failover.

Am I able to make a SAML user source that fails over to AD?

No. SAML is a type of IdP, not a user source.

How could one use a SAML IdP, like Azure Active Directory, but have a backup plan for if the on-prem gateway lost internet connection? How would the users log in?

I think the best you can do is have two projects, with the different login types. You'd want to make the "real" project inheritable, and only have the usable leaf projects set the login type and source.

You simply cannot point at an IdP outside your site and have it work when the internet is down. Don't make critical operations rely on the internet. :man_shrugging:
