It's a bit convoluted, but setting OIDC_IGNORE_ROLES=true in the /app/data/env at least lets you persist role changes across restarts/re-auths when using SSO. Otherwise each SSO-login will reset the roles based on their OIDC groups based role assignment.
That way you could:
a) login via SSO
b) logout and re-login with the default admin
c) make your SSO logged in user an admin
d) deactivate the default admin
And have a usable system through Cloudron SSO. 