diff --git a/modules/aselect/docs/aselect.txt b/modules/aselect/docs/aselect.txt
index c43421920605cf4f7f5ea5812055178f2534fbeb..c411cf245d3afab8e4525f602844daf39a108128 100644
--- a/modules/aselect/docs/aselect.txt
+++ b/modules/aselect/docs/aselect.txt
@@ -21,7 +21,8 @@ named 'aselect':
         'app_id' => 'simplesamlphp',
         'server_id' => 'sso.example.com',
         'server_url' => 'https://test.sso.example.com/server',
-        'private_key' => 'file:///etc/ssl/private/aselect.key'
+        'private_key' => 'file:///etc/ssl/private/aselect.key',
+        'add_default_attributes' => FALSE
     ),
 
 The parameters:
@@ -34,6 +35,10 @@ The parameters:
 - private_key: the key you want to use for signing requests.
   If you're really sure you do not want request signing, you
   can set this option to a null value.
+- add_default_attributes: true to add default attributes
+  (uid and organization) to resulting attributes, false
+  to never do this, and null to do this only when no
+  attributes are returned.
 Options 'serverurl' and 'serverid' (without underscore) are
 supported for backwards compatibility.
 
diff --git a/modules/aselect/lib/Auth/Source/aselect.php b/modules/aselect/lib/Auth/Source/aselect.php
index f4fd0f601b8dcdc015fcc1f62c7afb59b19d9523..b8e115edf36b824d7d861c480cd6024110ca8a0a 100644
--- a/modules/aselect/lib/Auth/Source/aselect.php
+++ b/modules/aselect/lib/Auth/Source/aselect.php
@@ -10,6 +10,7 @@ class sspmod_aselect_Auth_Source_aselect extends SimpleSAML_Auth_Source {
 	private $server_id;
 	private $server_url;
 	private $private_key;
+	private $add_default_attributes;
 
 	/**
 	 * Constructor for this authentication source.
@@ -37,6 +38,8 @@ class sspmod_aselect_Auth_Source_aselect extends SimpleSAML_Auth_Source {
 		$this->server_url = $cfg->getString('serverurl', null);
 		if($this->server_url === null)
 			$this->server_url = $cfg->getString('server_url');
+
+		$this->add_default_attributes = $cfg->getBoolean('add_default_attributes', null);
 	}
 
 	/**
@@ -46,6 +49,7 @@ class sspmod_aselect_Auth_Source_aselect extends SimpleSAML_Auth_Source {
 	 */
 	public function authenticate(&$state) {
 		$state['aselect::authid'] = $this->authId;
+		$state['aselect::add_default_attributes'] = $this->add_default_attributes;
 		$id = SimpleSAML_Auth_State::saveState($state, 'aselect:login', true);
 
 		try {
diff --git a/modules/aselect/www/credentials.php b/modules/aselect/www/credentials.php
index a1bb0043434e800ff02a2e9b3c65823ba63590f8..6271a48c6a44c44d67cdbb0d5e3683c3f1903237 100644
--- a/modules/aselect/www/credentials.php
+++ b/modules/aselect/www/credentials.php
@@ -38,10 +38,26 @@ try {
     }
     $creds = $aselect->verify_credentials($server_id, $credentials, $rid);
 
-    if (array_key_exists('attributes', $creds)) {
-        $state['Attributes'] = $creds['attributes'];
-    } else {
+    if ($state['aselect::add_default_attributes'] === true) {
+        // Add default attributes
         $state['Attributes'] = array('uid' => array($creds['uid']), 'organization' => array($creds['organization']));
+        if (array_key_exists('attributes', $creds)) {
+            $state['Attributes'] = array_merge($state['Attributes'], $creds['attributes']);
+        }
+    } elseif ($state['aselect::add_default_attributes'] === false) {
+        // Do not add default attributes
+        if (array_key_exists('attributes', $creds)) {
+            $state['Attributes'] = $creds['attributes'];
+        } else {
+            $state['Attributes'] = array();
+        }
+    } else {
+        // Legacy behaviour: add default attributes if no attributes are returned
+        if (array_key_exists('attributes', $creds)) {
+            $state['Attributes'] = $creds['attributes'];
+        } else {
+            $state['Attributes'] = array('uid' => array($creds['uid']), 'organization' => array($creds['organization']));
+        }
     }
 } catch (Exception $e) {
     SimpleSAML_Auth_State::throwException($state, $e);