diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md
index 5c1c8d00ee17b36313a86b12b682c30ba0dad15d..c33e3ad15ff793741c1de0d9b29ba954e71bff39 100644
--- a/docs/simplesamlphp-changelog.md
+++ b/docs/simplesamlphp-changelog.md
@@ -16,7 +16,7 @@ See the upgrade notes for specific information about upgrading.
     to comply with SAML2INT
   * core:PairwiseID and core:SubjectID authprocs no longer support the 'scope' config-setting.
     Use 'scopeAttribute' instead to identify the attribute holding the scope.
-  * Unsolicited responses can denied by disabling it by setting `disable_unsolicited` to `true` in the SP authsource.
+  * Unsolicited responses can denied by disabling it by setting `enable_unsolicited` to `true` in the SP authsource.
 
 ## Version 1.19.1
 
diff --git a/modules/saml/docs/sp.md b/modules/saml/docs/sp.md
index 1e3c864ff8b0de660a5319a3865f714c6f6e9bfe..8d21c409f2617f5d071a2abae274280549278cb3 100644
--- a/modules/saml/docs/sp.md
+++ b/modules/saml/docs/sp.md
@@ -219,8 +219,8 @@ Options
     in the IdP-remote metadata overrides this the option in the SP
     configuration.
 
-`disable_unsolicited`
-:    Whether this SP will refuse to process unsolicited responses. The default value is `false`.
+`enable_unsolicited`
+:    Whether this SP is willing to process unsolicited responses. The default value is `true`.
 
 `discoURL`
 :   Set which IdP discovery service this SP should use.
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index a0b3829aed8232494a2296026097f7d049a3dbd6..263c4bd3bae1943150b376973e57d655729f5d58 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -1139,10 +1139,6 @@ class SP extends \SimpleSAML\Auth\Source
 
         if (isset($state['saml:sp:isUnsolicited']) && (bool) $state['saml:sp:isUnsolicited']) {
             $spMetadata = $source->getMetadata();
-            $disableUnsolicited = $spMetadata->getBoolean('disable_unsolicited', false);
-            if ($disableUnsolicited === true) {
-                throw new Error\BadRequest('Unsolicited responses are denied by configuration.');
-            }
 
             if (!empty($state['saml:sp:RelayState'])) {
                 $redirectTo = $state['saml:sp:RelayState'];
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 7b943c988e2d8bfd2cde9e9be33cb5337f5bd608..3da83aa49567b33b6132e80e5e222e61f68a53ce 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -101,8 +101,8 @@ if (!empty($stateId)) {
     }
 }
 
-$disableUnsolicited = $spMetadata->getBoolean('disable_unsolicited', false);
-if ($state === null && $disableUnsolicited === true) {
+$enableUnsolicited = $spMetadata->getBoolean('enable_unsolicited', true);
+if ($state === null && $enableUnsolicited === false) {
     throw new Error\BadRequest('Unsolicited responses are denied by configuration.');
 }
 
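Review bot: Deployments that already set `disable_unsolicited` to `true` will silently start accepting unsolicited responses after this change, because the old key is no longer read here and the new `enable_unsolicited` defaults to `true`. Consider honouring the legacy key as the fallback default, e.g. `$enableUnsolicited = $spMetadata->getBoolean('enable_unsolicited', !$spMetadata->getBoolean('disable_unsolicited', false));`, or rejecting a configuration that still carries the old key. The same commit removes the equivalent check from SP.php, so this condition appears to be the only remaining gate (worth confirming against the rest of the file, which is outside the hunk). The changelog entry in this commit also says to set `enable_unsolicited` to `true` to deny unsolicited responses, which is the opposite of this condition; it should say `false`.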
@@ -158,13 +158,13 @@ $expire = null;
 $attributes = [];
 $foundAuthnStatement = false;
 
-// check for duplicate assertion (replay attack)
 $config = Configuration::getInstance();
 $storeType = $config->getString('store.type', 'phpsession');
 
 $store = StoreFactory::getInstance($storeType);
 
 foreach ($assertions as $assertion) {
+    // check for duplicate assertion (replay attack)
     if ($store !== false) {
         $aID = $assertion->getId();
         if ($store->get('saml.AssertionReceived', $aID) !== null) {