diff --git a/docs/simplesamlphp-reference-idp-hosted.txt b/docs/simplesamlphp-reference-idp-hosted.txt
index e0b9a21bb3583af473f2d0b91c2a9c27997a1769..b2d14bab0a3f78b8fe2ce6740e386503e6ed8139 100644
--- a/docs/simplesamlphp-reference-idp-hosted.txt
+++ b/docs/simplesamlphp-reference-idp-hosted.txt
@@ -165,6 +165,11 @@ The following SAML 2.0 options are available:
 
 :   (This option was previously named `AttributeNameFormat`.)
 
+`encryption.blacklisted-algorithms`
+:   Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
+
+:   Note that this option can be set for each SP in the [SP-remote metadata](./simplesamlphp-reference-sp-remote).
+
 `https.certificate`
 :   The certificate used by the webserver when handling connections.
     This certificate will be added to the generated metadata of the IdP,
diff --git a/docs/simplesamlphp-reference-idp-remote.txt b/docs/simplesamlphp-reference-idp-remote.txt
index d39812cce1023f855d93c71634c442896f30d741..e8af4109a7246f7ea12e72955062c9480f0f82eb 100644
--- a/docs/simplesamlphp-reference-idp-remote.txt
+++ b/docs/simplesamlphp-reference-idp-remote.txt
@@ -98,6 +98,13 @@ SAML 2.0 options
 
 The following SAML 2.0 options are available:
 
+`encryption.blacklisted-algorithms`
+:   Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
+
+:   Note that this option also exists in the SP configuration. This
+    entry in the IdP-remote metadata overrides the option in the
+    [SP configuration](./saml:sp).
+
 `nameid.encryption`
 :   Whether NameIDs sent to this IdP should be encrypted. The default
     value is `FALSE`.
diff --git a/docs/simplesamlphp-reference-sp-remote.txt b/docs/simplesamlphp-reference-sp-remote.txt
index 16b54b3583d664f89f764e15e8f6dcb13242518f..73eca20c8bd7ec699dd3ba16caa65392bad8a756 100644
--- a/docs/simplesamlphp-reference-sp-remote.txt
+++ b/docs/simplesamlphp-reference-sp-remote.txt
@@ -155,6 +155,13 @@ The following SAML 2.0 options are available:
 
 :   (This option was previously named `AttributeNameFormat`.)
 
+`encryption.blacklisted-algorithms`
+:   Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
+
+:   Note that this option also exists in the IdP-hosted metadata. This
+    entry in the SP-remote metadata overrides the option in the
+    [IdP-hosted metadata](./simplesamlphp-reference-idp-hosted).
+
 `ForceAuthn`
 :   Set this `TRUE` to force the user to reauthenticate when the IdP
     receives authentication requests from this SP. The default is
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 673d69ca9e021dce7d9418e768b4974e66efc093..e536aac293aaf15200e0b020b51c5033f2d66818 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -227,6 +227,12 @@ Options
     If this is unset, the IdP discovery service specified in the global option `idpdisco.url.{saml20|shib13}` in `config/config.php` will be used.
     If that one is also unset, the builtin default discovery service will be used.
 
+`encryption.blacklisted-algorithms`
+:   Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
+
+:   Note that this option can be set for each IdP in the [IdP-remote metadata](./simplesamlphp-reference-idp-remote).
+
+:   *Note*: SAML 2 specific.
 
 `entityID`
 :   The entity ID this SP should use.
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index c5ad1b5b1991eb6c678ff9c7f7365a66a8fc8ae2..02eca94cc62ce328e0976a9ac38078b686d5155d 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -287,6 +287,26 @@ class sspmod_saml_Message {
 	}
 
 
+	/**
+	 * Retrieve blacklisted algorithms.
+	 *
+	 * Remote configuration overrides local configuration.
+	 *
+	 * @param SimpleSAML_Configuration $srcMetadata  The metadata of the sender.
+	 * @param SimpleSAML_Configuration $dstMetadata  The metadata of the recipient.
+	 * @return array  Array of blacklisted algorithms.
+	 */
+	public static function getBlacklistedAlgorithms(SimpleSAML_Configuration $srcMetadata,
+		SimpleSAML_Configuration $dstMetadata) {
+
+		$blacklist = $srcMetadata->getArray('encryption.blacklisted-algorithms', NULL);
+		if ($blacklist === NULL) {
+			$blacklist = $dstMetadata->getArray('encryption.blacklisted-algorithms', array());
+		}
+		return $blacklist;
+	}
+
+
 	/**
 	 * Decrypt an assertion.
 	 *
@@ -322,10 +342,12 @@ class sspmod_saml_Message {
 			throw new SimpleSAML_Error_Exception('Error decrypting assertion: ' . $e->getMessage());
 		}
 
+		$blacklist = self::getBlacklistedAlgorithms($srcMetadata, $dstMetadata);
+
 		$lastException = NULL;
 		foreach ($keys as $i => $key) {
 			try {
-				$ret = $assertion->getAssertion($key);
+				$ret = $assertion->getAssertion($key, $blacklist);
 				SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
 				return $ret;
 			} catch (Exception $e) {
@@ -695,10 +717,12 @@ class sspmod_saml_Message {
 				throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
 			}
 
+			$blacklist = self::getBlacklistedAlgorithms($idpMetadata, $spMetadata);
+
 			$lastException = NULL;
 			foreach ($keys as $i => $key) {
 				try {
-					$assertion->decryptNameId($key);
+					$assertion->decryptNameId($key, $blacklist);
 					SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
 					$lastException = NULL;
 					break;
diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php
index c2e17b0f9cc4e1f49adb6f9080702fc38fd15d7c..caf09b046fa5fabeab4badbf143841b714dd698e 100644
--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -70,10 +70,12 @@ if ($message instanceof SAML2_LogoutResponse) {
 			throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
 		}
 
+		$blacklist = sspmod_saml_Message::getBlacklistedAlgorithms($idpMetadata, $spMetadata);
+
 		$lastException = NULL;
 		foreach ($keys as $i => $key) {
 			try {
-				$message->decryptNameId($key);
+				$message->decryptNameId($key, $blacklist);
 				SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
 				$lastException = NULL;
 				break;