CloudExtend Applications use NetSuite's API to create connections with Netsuite. This API will sense if SAML is enabled in the account and, if so, will log the user in via their IDP as long as they have the 'User Access Tokens' permission enabled for their role.
In all cases CloudExtend will attempt to create a token and secret upon first login. This will be used for future interactions between the App and NetSuite. If this connection fails non SSO end users will then be prompted to enter their basic credentials again.