Sometimes we face the problem, that after putting a service user into a new rights group, this is not updated after the user tries to log in via API. If someone logs in via the GUI, the user rights are updated.
If for example, we check the behaviour with our own service user to be sure, how the Artifactory behaves in the case.
This indicates to me that this is the desired behaviour at the moment. If I understand correctly, sometimes the new SSO users are able get their associate permissions and sometimes they are not getting permission. If this is your issue, what I could think of is, For SSO users after getting integrated with Artifactory, in order to get their associate permission, they need to login to WebUI at least once. If SAML users want to use REST API calls, they can make use of API token. This JIRA seems to be more relevant. If this is your issue, ask the new user to login to Artifactory and check the permissions. If this is not your query, elaborate more on your query.