SSO through Service Portal Login Page

sumana1707
Mega Contributor

Dear Team,

We have 3 types of users in our organization.

1. Users in the company domain who have an account in AD

2. Users outside the company domain who have an account in AD

3. Local users who have an account only in ServiceNow, NOT in AD

As per the requirement, we want the type 3 and type 2 users to validate through our customized service portal page when logging in to ServiceNow, whereas the type 1 users will validate automatically without any login credentials.

Currently we have SSO enabled in our DEV instance and all the users are directed to the ADFS page, which is not desired; we want the service portal login page for local users instead of the ADFS login page.

Is this a feasible solution? Please assist.

Regards,

Sumana

1 REPLY

mukulgupta
ServiceNow Employee

Hi Sumana,

As per my understanding, Type 1 and Type 2 together is difficult, but you can test the following:

Considering users use a URL similar to the following to access ServiceNow:

https://<instance>.service-now.com/<custom_service_portal_page>

1) Set your <custom_service_portal_page> (e.g. $sp) to "true" under the sys_public table.

2) Empty the value of the glide.authenticate.sso.redirect.idp sys_property if it already exists. (DO NOT DELETE THE PROPERTY)

---- This will help Type 3 users to land on the ServiceNow local login page and not automatically get redirected to the ADFS login page, thus getting authenticated via ServiceNow and not AD.

3) For the Type 1 users to log in without entering SSO login credentials, you will need to set up Windows-based authentication for SSO, and your IDP should also support the same.

Please see the Doc for setting up the same: (Workaround) Support Kerberos authentication

NOTE: These users will still need to successfully log in at least for the FIRST time by landing on the local login landing page and clicking "Use external login" for SSO authentication; this will save the sys_id of the identity provider record as a cookie (glide_sso_id cookie) in their browser. Once they have successfully logged in for the first time and then try to access the instance again, from then on they will be successfully logged in via SSO without entering credentials for authentication.

4) Similarly with Type 2 users: once they have successfully logged in for the first time, the cookie will be set in their browser and from then on they will start getting redirected to the ADFS login page.

Please let us know if these steps help in achieving what you are looking for.

Best Regards,

Mukul Gupta