Users can log in with all 3. CloudExtend Applications use NetSuite's native login API to create connections with NetSuite. This API will sense if SAML is enabled in the account and if so, will log the user in via their IDP as long as they have the User Access Tokens permission enabled for their role.
In all cases, CloudExtend will attempt to create a token and secret upon the first login taking the load off of the NetSuite Administrator. This will be used for future interactions between the App and NetSuite. If this connection fails non-SSO end users will then be prompted to enter their basic credentials again. Typical reasons for failure are the end user's role not having User Access Tokens permission.