Groups missing, and get lowest permission
We have plugin v0.9.4 on our WP 4.7.2, under Apache 2.4.
We also have ADFS 2.0 server on Windows 2012.
We are configured according to Keith’s post in https://www.ads-software.com/support/topic/use-with-adfs, and our users can log in!
We have a few challenges:
– Some users don’t have their group attributes sent through to simplesaml. Our Claim rules include Token-Groups – Unqualified Names as Group. All AD users have primary Group of Domain Users, in one domain. Some users only see “groups” in their attributes, containing users and members. My account also has my Windows groups with attribute https://schemas.xmlsoap.org/claims/Group
What about AD user accounts might be different?
– The permissions are being applied to the lowest level, instead of highest. If in Service Providers I set plugin to have my group as Administrator (leave other roles empty), and log in, then I am a WP Admin. If I put a second group as Subscribers that I am also part of, then my account is demoted to Subscriber on next login.
– Seems related, but if we check the box in Service Provider to “allow unlisted as Subscriber”, unlisted users will be added with “None” permission, not Subscriber.
Anyone else observe, and hopefully fix this? As I recall, in plugin v0.9.2, the permissions hierarchy was working for us.