diff --git a/docs/simplesamlphp-artifact-idp.md b/docs/simplesamlphp-artifact-idp.md
index 6d993fa9e6f374eac9b8599f09d1dca4a236ea0a..bb08461ea4dc9777e08573cc19636a9ee6dfaa38 100644
--- a/docs/simplesamlphp-artifact-idp.md
+++ b/docs/simplesamlphp-artifact-idp.md
@@ -35,7 +35,7 @@ Enabling artifact on the IdP
 
 To enable the IdP to send artifacts, you must add the `saml20.sendartifact` option to the `saml20-idp-hosted` metadata file:
 
-    $metadata['urn:x-simplesamlphp:example-idp'] = [
+    $metadata['https://example.org/saml-idp'] = [
         [....]
         'auth' => 'example-userpass',
         'saml20.sendartifact' => TRUE,
@@ -89,7 +89,7 @@ You may therefore have to add the webserver certificate to the metadata that you
 To do this, you need to set the `https.certificate` option in the `saml20-idp-hosted` metadata file.
 That option should refer to a file containing the webserver certificate.
 
-    $metadata['urn:x-simplesamlphp:example-idp'] = [
+    $metadata['https://example.org/saml-idp'] = [
         [....]
         'auth' => 'example-userpass',
         'saml20.sendartifact' => TRUE,
diff --git a/docs/simplesamlphp-authproc.md b/docs/simplesamlphp-authproc.md
index a8ab604b702e70fc4064d528c7ef51eff36bbfc8..3d0bad674c22c1e72ddf4e1e33b4f99f0b9d3190 100644
--- a/docs/simplesamlphp-authproc.md
+++ b/docs/simplesamlphp-authproc.md
@@ -99,7 +99,7 @@ The filters in `authproc.sp` will be executed at the SP side regardless of which
 Filters can be added both in `hosted` and `remote` metadata. Here is an example of a filter added in a metadata file:
 
 ```php
-'urn:x-simplesamlphp:example-idp' => [
+'https://example.org/saml-idp' => [
     'host' => '__DEFAULT_',
     'privatekey' => 'example.org.pem',
     'certificate' => 'example.org.crt',
diff --git a/docs/simplesamlphp-customauth.md b/docs/simplesamlphp-customauth.md
index cb3fe97739167c30ea7f2e80e45c9af937792acf..2e48d002a7bd1dbf87ba2409ef340b2b92fba909 100644
--- a/docs/simplesamlphp-customauth.md
+++ b/docs/simplesamlphp-customauth.md
@@ -120,7 +120,7 @@ In that file you should locate the `auth`-option for your IdP, and change it to
 
     <?php
     /* ... */
-    $metadata['urn:x-simplesamlphp:example-idp'] = [
+    $metadata['https://example.org/saml-idp'] = [
         /* ... */
         /*
          * Authentication source to use. Must be one that is configured in
diff --git a/docs/simplesamlphp-ecp-idp.md b/docs/simplesamlphp-ecp-idp.md
index c61818dcc437672139091ec900ba4bf3b4736bbc..54e291971ad613e7b996967a04343f9f4170f5dc 100644
--- a/docs/simplesamlphp-ecp-idp.md
+++ b/docs/simplesamlphp-ecp-idp.md
@@ -19,7 +19,7 @@ Enabling ECP Profile on the IdP
 
 To enable the IdP to send ECP assertions you must add the `saml20.ecp` option to the `saml20-idp-hosted` metadata file:
 
-    $metadata['urn:x-simplesamlphp:example-idp'] = [
+    $metadata['https://example.org/saml-idp'] = [
         [....]
         'auth' => 'example-userpass',
         'saml20.ecp' => true,
diff --git a/docs/simplesamlphp-googleapps.md b/docs/simplesamlphp-googleapps.md
index 3058d97b38926a6ec4e98d154d1e6ff237fd7714..1eedd439affe0ab71c651fe0ae208fbdd82512f3 100644
--- a/docs/simplesamlphp-googleapps.md
+++ b/docs/simplesamlphp-googleapps.md
@@ -132,7 +132,7 @@ This is the configuration of the IdP itself. Here is some example config:
 
 ```php
 // The SAML entity ID is the index of this config.
-$metadata['urn:x-simplesamlphp:example-idp'] => [
+$metadata['https://example.org/saml-idp'] => [
 
     // The hostname of the server (VHOST) that this SAML entity will use.
     'host' => '__DEFAULT__',
diff --git a/docs/simplesamlphp-hok-idp.md b/docs/simplesamlphp-hok-idp.md
index 872fc05bfa7b1effb697a926a3226d953279a9f6..ae055188405597feb0c07496368178b586f6c167 100644
--- a/docs/simplesamlphp-hok-idp.md
+++ b/docs/simplesamlphp-hok-idp.md
@@ -29,7 +29,7 @@ Enabling HoK SSO Profile on the IdP
 
 To enable the IdP to send HoK assertions you must add the `saml20.hok.assertion` option to the `saml20-idp-hosted` metadata file:
 
-    $metadata['urn:x-simplesamlphp:example-idp'] = [
+    $metadata['https://example.org/saml-idp'] = [
         [....]
         'auth' => 'example-userpass',
         'saml20.hok.assertion' => TRUE,
diff --git a/docs/simplesamlphp-idp.md b/docs/simplesamlphp-idp.md
index 2ba329a11222b7cadfcbd13fcc2e508dc59d6427..b52ea0d5e39df87b4caf81675b596b786c797974 100644
--- a/docs/simplesamlphp-idp.md
+++ b/docs/simplesamlphp-idp.md
@@ -142,7 +142,7 @@ The SAML 2.0 IdP is configured by the metadata stored in
 This is a minimal configuration:
 
     <?php
-    $metadata['urn:x-simplesamlphp:example-idp'] = [
+    $metadata['https://example.org/saml-idp'] = [
         /*
          * The hostname for this IdP. This makes it possible to run multiple
          * IdPs from the same configuration. '__DEFAULT__' means that this one
diff --git a/docs/simplesamlphp-metadata-extensions-attributes.md b/docs/simplesamlphp-metadata-extensions-attributes.md
index e9374011693793bb02d2b47b18db6c0e17d1b113..0eb03e096e2d074131341d669c95b403df8cdf1e 100644
--- a/docs/simplesamlphp-metadata-extensions-attributes.md
+++ b/docs/simplesamlphp-metadata-extensions-attributes.md
@@ -1,12 +1,6 @@
 SAML V2.0 Metadata Attribute Extensions
 =======================================
 
-<!--
-	This file is written in Markdown syntax.
-	For more information about how to use the Markdown syntax, read here:
-	http://daringfireball.net/projects/markdown/syntax
--->
-
 [TOC]
 
 This is a reference for the SimpleSAMLphp implementation of the [SAML
@@ -76,7 +70,7 @@ Examples
 
 If given the following configuration...
 
-    $metadata['https://www.example.com/saml/saml2/idp/metadata.php'] = [
+    $metadata['https://example.com/saml-idp'] = [
         'host' => 'www.example.com',
         'certificate' => 'example.com.crt',
         'privatekey' => 'example.com.pem',
@@ -91,7 +85,7 @@ If given the following configuration...
 ... will generate the following XML metadata:
 
 	<?xml version="1.0"?>
-	<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.example.com/saml/saml2/idp/metadata.php">
+	<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.com/saml-idp">
 	  <md:Extensions>
 		<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
 		  <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:simplesamlphp:v1:simplesamlphp" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
diff --git a/docs/simplesamlphp-metadata-extensions-rpi.md b/docs/simplesamlphp-metadata-extensions-rpi.md
index 9371cd89c2e71e0352ca8852b128aa58d888ed1e..896105109cea13bdb5234fc90da4ac3f2780591e 100644
--- a/docs/simplesamlphp-metadata-extensions-rpi.md
+++ b/docs/simplesamlphp-metadata-extensions-rpi.md
@@ -72,7 +72,7 @@ Service Provider:
 
 Identity Provider:
 
-    $metadata['urn:x-simplesamlphp:example-idp'] = [
+    $metadata['https://example.org/saml-idp'] = [
         'host' => '__DEFAULT__',
         ...
         'RegistrationInfo' => [
diff --git a/docs/simplesamlphp-metadata-extensions-ui.md b/docs/simplesamlphp-metadata-extensions-ui.md
index 4791bd730ed12f94b1ebfe755802614131870a18..2d131609e6609bc66cffad096667d0690c2f8817 100644
--- a/docs/simplesamlphp-metadata-extensions-ui.md
+++ b/docs/simplesamlphp-metadata-extensions-ui.md
@@ -1,14 +1,6 @@
 SAML V2.0 Metadata Extensions for Login and Discovery User Interface
 =============================
 
-<!--
-    This file is written in Markdown syntax.
-    For more information about how to use the Markdown syntax, read here:
-    http://daringfireball.net/projects/markdown/syntax
--->
-
-  * Author: Timothy Ace [tace@synacor.com](mailto:tace@synacor.com)
-
 [TOC]
 
 This is a reference for the SimpleSAMLphp implementation of the [SAML
@@ -209,7 +201,7 @@ Generated XML Metadata Examples
 
 If given the following configuration...
 
-    $metadata['https://www.example.com/saml/saml2/idp/metadata.php'] = [
+    $metadata['https://example.com/saml-idp'] = [
         'host' => 'www.example.com',
         'certificate' => 'example.com.crt',
         'privatekey' => 'example.com.pem',
@@ -259,7 +251,7 @@ If given the following configuration...
 ... will generate the following XML metadata:
 
     <?xml version="1.0"?>
-    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://www.example.com/saml/saml2/idp/metadata.php">
+    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.com/saml-idp">
       <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
         <md:Extensions>
           <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
diff --git a/docs/simplesamlphp-modules.md b/docs/simplesamlphp-modules.md
index 15fcdf08dd12ba7280c7c126a5818b99f3f3d185..3b38eb0fc072f1fd194aa161c607e006d09c6748 100644
--- a/docs/simplesamlphp-modules.md
+++ b/docs/simplesamlphp-modules.md
@@ -154,7 +154,7 @@ this:
 To use this authentication source in a SAML 2.0 IdP, set the
 `auth`-option of the IdP to `'example-static'`:
 
-    'urn:x-simplesamlphp:example-idp' => [
+    'https://example.org/saml-idp' => [
       'host' => '__DEFAULT__',
       'privatekey' => 'example.org.pem',
       'certificate' => 'example.org.crt',
diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md
index 7b7740961a1830d7834dcbb86c4ae577b444f860..6a3f11ef752cfc52d838c4b393b2b879e80ceb77 100644
--- a/docs/simplesamlphp-reference-idp-hosted.md
+++ b/docs/simplesamlphp-reference-idp-hosted.md
@@ -18,7 +18,17 @@ Both files have the following format:
     ];
     /* ... */
 
-The entity ID must be a URI.
+The entity ID must be a URI, that is unlikely to change for technical or
+political reasons. We recommend it to be a domain name you own.
+The URL does not have to resolve to actual content, it's
+just an identifier. If your organization's domain is `example.org`:
+
+    https://example.org/saml-idp
+
+For guidance in picking an entityID, see
+[InCommon's best practice](https://spaces.at.internet2.edu/display/federation/saml-metadata-entityid)
+on the matter.
+
 
 The `host` option is the hostname of the IdP, and will be used to
 select the correct configuration. One entry in the metadata-list can
@@ -391,7 +401,7 @@ These are some examples of IdP metadata
 
     <?php
 
-    $metadata['urn:x-simplesamlphp:example-idp'] = [
+    $metadata['https://example.org/saml-idp'] = [
         /*
          * We use '__DEFAULT__' as the hostname so we won't have to
          * enter a hostname.
@@ -420,7 +430,7 @@ $republishTarget = $dom->createElementNS('http://eduid.cz/schema/metadata/1.0',
 $republishRequest->appendChild($republishTarget);
 $ext = [new \SAML2\XML\Chunk($republishRequest)];
 
-$metadata['urn:x-simplesamlphp:example-idp'] = [
+$metadata['https://example.org/saml-idp'] = [
     'host' => '__DEFAULT__',
     'certificate' => 'example.org.crt',
     'privatekey' => 'example.org.pem',
diff --git a/docs/simplesamlphp-sp.md b/docs/simplesamlphp-sp.md
index 6aade7b6350ee66c99b1c7f39166af6e3d41a521..5df29f4a3b27fb7607732710448c2fb49fca4079 100644
--- a/docs/simplesamlphp-sp.md
+++ b/docs/simplesamlphp-sp.md
@@ -22,10 +22,20 @@ $config = [
     /* This is the name of this authentication source, and will be used to access it later. */
     'default-sp' => [
         'saml:SP',
-        'entityID' => 'https://sp1.example.org/',
+        'entityID' => 'https://myapp.example.org/',
     ],
 ];
 ```
+The entity ID must be a URI, that is unlikely to change for technical or
+political reasons. We recommend it to be a domain name that you own.
+Like above, if your organization's main domain is `example.org` and this SP is
+for the application `myapp`.  The URL does not have to resolve to actual
+content, it's just an identifier. Hence you don't need to and should not change
+it if the actual domain of your application changes.
+
+For guidance in picking an entityID, see
+[InCommon's best practice](https://spaces.at.internet2.edu/display/federation/saml-metadata-entityid)
+on the matter.
 
 For more information about additional options available for the SP,
 see the [`saml:SP` reference](./saml:sp).
@@ -37,11 +47,11 @@ remember to set the EntityID explicitly. Here is an example:
 ```php
     'sp1' => [
         'saml:SP',
-        'entityID' => 'https://sp1.example.org/',
+        'entityID' => 'https://myapp.example.org/',
     ],
     'sp2' => [
         'saml:SP',
-        'entityID' => 'https://sp2.example.org/',
+        'entityID' => 'https://myotherapp.example.org/',
     ],
 ```
 
@@ -64,6 +74,7 @@ Then edit your `authsources.php` entry, and add references to your certificate:
 ```php
     'default-sp' => [
         'saml:SP',
+        'entityID' => 'https://myapp.example.org/',
         'privatekey' => 'saml.pem',
         'certificate' => 'saml.crt',
     ],
@@ -81,9 +92,9 @@ metadata file:
 
 ```php
 <?php
-$metadata['https://example.com'] = [
-    'SingleSignOnService'  => 'https://example.com/simplesaml/saml2/idp/SSOService.php',
-    'SingleLogoutService'  => 'https://example.com/simplesaml/saml2/idp/SingleLogoutService.php',
+$metadata['https://example.org/saml-idp'] = [
+    'SingleSignOnService'  => 'https://example.org/simplesaml/saml2/idp/SSOService.php',
+    'SingleLogoutService'  => 'https://example.org/simplesaml/saml2/idp/SingleLogoutService.php',
     'certificate'          => 'example.pem',
 ];
 ```
@@ -120,7 +131,7 @@ $config = [
          * The entity ID of the IdP this should SP should contact.
          * Can be NULL/unset, in which case the user will be shown a list of available IdPs.
          */
-        'idp' => 'https://idp.example.com',
+        'idp' => 'https://example.org/saml-idp',
     ],
 ];
 ```
@@ -217,7 +228,7 @@ We can also request authentication with a specific IdP:
 
 ```php
 $as->login([
-    'saml:idp' => 'https://idp.example.org/',
+    'saml:idp' => 'https://example.org/saml-idp',
 ]);
 ```
 
diff --git a/modules/multiauth/docs/multiauth.md b/modules/multiauth/docs/multiauth.md
index bd08dc8b6f67c5ec72bc11a95ec9fa38bf8a427d..4b68bdecbebce2e910c146e28be0c7d002271f56 100644
--- a/modules/multiauth/docs/multiauth.md
+++ b/modules/multiauth/docs/multiauth.md
@@ -50,7 +50,7 @@ authentication source:
 
     'example-saml' => [
         'saml:SP',
-        'entityId' => 'my-entity-id',
+        'entityId' => 'https://myapp.example.org',
         'idp' => 'my-idp',
     ],
 
diff --git a/modules/saml/docs/sp.md b/modules/saml/docs/sp.md
index 26f6c8b1270ae8fb23bce2048c338c2941c0e6be..ed133bc69cebaf731865e49084c94425fafdbbb7 100644
--- a/modules/saml/docs/sp.md
+++ b/modules/saml/docs/sp.md
@@ -239,8 +239,16 @@ Options
 `entityID`
 :   The entity ID this SP should use.
 
-:   If this option is unset, a default entity ID will be generated.
-    The generated entity ID will be a URL where the metadata of this SP can be downloaded.
+:   The entity ID must be a URI, that is unlikely to change for technical or political
+    reasons. We recommend it to be a domain name, like above, if your organization's main
+    domain is `example.org` and this SP is for the application `myapp`.
+    The URL does not have to resolve to actual content, it's
+    just an identifier. Hence you don't need to and should not change it if the actual domain
+    of your application changes.
+
+:   For guidance in picking an entityID, see
+    [InCommon's best practice](https://spaces.at.internet2.edu/display/federation/saml-metadata-entityid)
+    on the matter.
 
 `ForceAuthn`
 :   Force authentication allows you to force re-authentication of users even if the user has a SSO session at the IdP.
@@ -420,20 +428,15 @@ Here we will list some examples for this authentication source.
 
     'example-minimal' => [
         'saml:SP',
+        'entityID' => 'https://myapp.example.org',
     ],
 
 ### Connecting to a specific IdP
 
     'example' => [
         'saml:SP',
-        'idp' => 'https://idp.example.net/',
-    ],
-
-### Using a specific entity ID
-
-    'example' => [
-        'saml:SP',
-        'entityID' => 'https://sp.example.net',
+        'entityID' => 'https://myapp.example.org',
+        'idp' => 'https://example.net/saml-idp',
     ],
 
 ### Encryption and signing
@@ -442,6 +445,7 @@ Here we will list some examples for this authentication source.
 
     'example-enc' => [
         'saml:SP',
+        'entityID' => 'https://myapp.example.org',
 
         'certificate' => 'example.crt',
         'privatekey' => 'example.key',
@@ -457,6 +461,7 @@ Here we will list some examples for this authentication source.
 
     'example-attributes => [
         'saml:SP',
+        'entityID' => 'https://myapp.example.org',
         'name' => [ // Name required for AttributeConsumingService-element.
             'en' => 'Example service',
             'no' => 'Eksempeltjeneste',
@@ -479,6 +484,7 @@ Here we will list some examples for this authentication source.
 
     'example-acs-limit' => [
         'saml:SP',
+        'entityID' => 'https://myapp.example.org',
         'acs.Bindings' => [
             'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
         ],