diff --git a/lib/SimpleSAML/Metadata/Signer.php b/lib/SimpleSAML/Metadata/Signer.php
index 98806d56211f41baa0de73066681e07c8623549b..ecb95441f6479a93f2d0f7cd602eabb45fd4821a 100644
--- a/lib/SimpleSAML/Metadata/Signer.php
+++ b/lib/SimpleSAML/Metadata/Signer.php
@@ -262,6 +262,7 @@ class Signer
 
         // get the EntityDescriptor node we should sign
         $rootNode = $xml->firstChild;
+        $rootNode->setAttribute('ID', '_'.hash('sha256', $metadataString));
 
         // sign the metadata with our private key
         $objXMLSecDSig = new XMLSecurityDSig();
@@ -272,7 +273,7 @@ class Signer
             [$rootNode],
             $signature_cf['digest'],
             ['http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N],
-            ['id_name' => 'ID']
+            ['id_name' => 'ID', 'overwrite' => false]
         );
 
         $objXMLSecDSig->sign($objKey);