Hi,
I suppose that your problem occurs because, if you are using simplesaml as an authsource, it needs a little more info about the user. You can send it by adding a new policy in privacyIDEA.
Please try to add a policy in the scope “authorization”, and in “Action” check:
setting actions → add_resolver_in_response
setting actions → add_user_in_response
and eventually:
miscellaneous → application_tokentype
I hope it will help!