This is almost always due to a user being part of multiple user groups within their internal Active Directory.
The platform IDP configuration is very basic and has no hierarchy or precedence between groups. This means that whichever group our IDP sees first in the passed assertion is the group the user will be logged in as. For example, an assertion with multiple groups will look like this:
{
  "sessionIndex": "id123456789",
  "name": "Cloudhealth User",
  "email": "[email protected]",
  "roles": [
    "cloudhealth-standard",
    "cloudhealth-administrator"
  ]
}
The user will be signed in as a standard user (listed first) even though they also belong to the administrator group. To fix this, make sure the user is assigned only ONE role group within your Active Directory.
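The following is an added example, not CloudHealth's own code: it models the first-group-wins behaviour described above and audits assertion payloads for users who carry more than one role group, so the Active Directory fix can be applied before anyone logs in with the wrong role. The sample assertion and the `user@example.com` address are constructed for this example.

```python
import json


def effective_role(assertion):
    """Return the role the IDP will apply.

    Mirrors the behaviour described above: the first entry in "roles"
    wins, with no precedence between groups. Returns None when the
    assertion carries no role group at all.
    """
    roles = assertion.get("roles", [])
    return roles[0] if roles else None


def audit_assertion(assertion):
    """Report whether an assertion would log the user in with an
    unintended role because it lists more than one role group."""
    roles = assertion.get("roles", [])
    applied = effective_role(assertion)
    return {
        "email": assertion.get("email"),
        "applied": applied,
        "ignored": roles[1:],          # groups the IDP never looks at
        "needs_fix": len(roles) > 1,  # more than one group assigned in AD
    }


def users_needing_fix(assertions):
    """Return the audit reports for every assertion that lists multiple
    role groups, i.e. the users whose AD group membership must be
    reduced to a single role group."""
    return [r for r in map(audit_assertion, assertions) if r["needs_fix"]]


# Constructed sample assertion with the same shape as the one above.
SAMPLE_ASSERTION = json.loads("""
{
  "sessionIndex": "id123456789",
  "name": "Cloudhealth User",
  "email": "user@example.com",
  "roles": ["cloudhealth-standard", "cloudhealth-administrator"]
}
""")

if __name__ == "__main__":
    for report in users_needing_fix([SAMPLE_ASSERTION]):
        print(f"{report['email']}: logged in as {report['applied']}, "
              f"ignored {report['ignored']}")
```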