Netskope steering configurations were designed for this exact purpose.  If you only want to steer NPA traffic for a subset of users, create a new steering configuration and assign that to a new AD group, something like "NPA Users".  Make sure that new steering configuration is above the default tenant group and any other non-NPA steering group which those users might be a member of.  Steering configuration assignment happens from top down, so the user will be put in the config it matches first.  To me, it sounds like you want to both groups to have the same SWG experience.  I'd clone the configuration you're currently using for the new NPA config.  That way all users will have a similar SWG experience but only users in the "NPA users" group will have NPA.  We have a similar design, below is what we did. 

• Steering Configs:
  • NPA Users - Assigned to "NPA Users" AD Group.
    • This group was a copy of the default tenant group.  So it has all of the same exceptions and steering options. 
    • Options Set
      • Steering all traffic - we also use CFW
      • Steer private apps
  • Default Tenant - Assigned to All users, steers only web traffic, no private apps.

As for the SSO question, I think that's something that you would want to ask your Idp.  Netskope Supports SAML SSO as you've stated, you want to make sure your users are licensed for that within their IDP platform.