Please check if the agent who is logging in is using their email address which is part of the AD. Also, if they are a user on the AD, you would have to make sure if their user profile on the AD has permissions to use SSO. The email address from AD profile is the parameter that freshservice checks while authenticating, to locate their profile on freshservice. If there’s no email address they would not be able to login to the system.