Thanks again, both ways work like a charm now!
But when would I choose which way? I probably haven’t understood the difference in total…
In privacyIDEA as authproc filter in simpleSAMLphp Micha writes authproc filter is “much more flexible”. So I take that for example the enrollment of a new token during login is only possible with the authproc filter variant. Is it that in the authproc filter way the plugin in SimpleSAMLphp “works on its own” whereas in the authsource way the credentials are “only” sent to PrivacyIDEA which then can only respond with “correct” or “incorrect”?