@C Behan .... ya know, sometimes folks learn best the 'hard way'.
Help an entity that uses SAML2 authentication and it's been a hoot to watch. Sad really.
So let's say OP chooses suggested Number 1 ... direct link somewhere.
Does the server to which all would authenticate *know* if the moodle is in the maintenace mode or down for some other reason? Don't think that condition/senario is checked by the remote authentication system.
Number 2 .... hide everything with css .... is that done via Moodle setup via Moodle Admin? If that's true, then one has to edit a table in the DB. How about hacking code (never a good idea)? Then to get back the manual/admin login one has to access the server in some other fashion and comment out the code? Hmmmm having to 'work to work' there!
Besides that .... a changed file (hacked for css) must be documented ... depending upon how the OP does updates to Moodle and upgrades and how often the OP makes sure the Moodle is 'secure' and 'up to date', hacked files might be lost .... you then have to hack them again or re-create the alt login pages.
Number 3 ... same thing as #2 when OP updates or upgrades site.
Changing the Language is done by changing what's default in the DB. Not dependent upon any particular theme or file.
When one updates or upgrades, one backs up the DB .... hmmmm ... even if I had to 'rollback the site' (restore the site for some reason) this login situation hasn't changed. Don't have to do or remember to do anything special.
Left column title clearly says 'Admin Logins Only'. Right column title clearly says 'Students/Faculty - Your Login Below' - and the verbage of what's there in the right column might include who to contact and how if they can't login - or get a CloudFlare error, like what happens with these forums from time to time .... etc. If students/faculty get confused about that ... well, what can I tell ya. :|
2 cent advice ...
'spirit of sharing', Ken