
So SSO is disabled here. You just use a local account. I.e., I go to https://192.168.27.1 to get to my UDMP, and the account used to auth is stored locally.


Hmm, I followed your steps and my ui.com account can still log into the device.

I have also created a local account that I can use to log in alongside my ui.com one, but I cannot disable my ui.com SSO from being able to sign into the device.


Let's make sure we are talking about the same thing.

You have a local and an SSO account.

You disable remote access in your local Cloud Key.

You open the local IP for the CK and are able to sign in using the SSO account, is what you are saying, so the auth token is coming from remote.

Question, if I got this correct: can you go to the ui.com portal, the UI cloud-based one, in a web browser and still see the controller? Can you log in and still manage it through the remote web portal? This is what turning off remote access does: you should not be able to manage the system remotely.

Disabling remote access is for the remote web-based UI site portal, and that should not work after you disable remote access (my understanding). It is possible that you can connect to the local controller and use SSO to authorize vs. the web and be passed a valid token to log in; however, that would be local only and not remote. I.e., the hacker would have to have your SSO AND be on your local network.

Have you tried / are you able to delete the SSO account in the local CK? I have not tried but will later.

Hope that makes sense.



