This usually means one of the following:
USERS.IS_ACTIVE = 0 for that user USRO.IS_ACTIVE = 0 for all the user's USROs ROLE.IS_ACTIVE = 0 for the roles referenced by the user's USROs
If none of these are true, it could be something related to failed replication from PLT to SSO.
Another reason for this can be that the email extension is not supported. For example, there may be a setting that only allows ".org" email addresses, but this particular user's email address ends in ".com". This would show up in the server log similar to the following error message:
<Message>"DeactivatedUser@email.com" is not a supported email extension. Allowed email extensions are: ".org,.us"</Message>