Yes you can. In the case of the LDAP module, it has a setting to choose specific user roles that will not be part of LDAP authentication, and instead will authenticate locally. In this case, both types of users will use the same login page.
If you decide to use SAML for true SSO, you can have a default sign-on page for your external users with a link at the bottom to the SSO process for internal users.
Thanks Eric.
Since during login we dont know the role yet, so it will actually check LDAP first then local?
Shannon