diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 20b8e486c742bfc41dce99553e30486e12b408be..ebeea693de0a71aa39c79688448244d1e73bce64 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -252,6 +252,9 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$ar->setExtensions($state['saml:Extensions']);
 		}
 
+		// save IdP entity ID as part of the state
+		$state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
+
 		$id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE);
 		$ar->setId($id);
 
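Review bot: The new state key `'ExpectedIssuer'` is unprefixed, while the other keys visible around it (`'saml:Extensions'` here, `'saml:sp:AuthId'` in saml2-acs.php) carry a `saml:` namespace. The state array is presumably shared with other code that stores its own entries, so a bare name is easier to overwrite or misread than a namespaced one. Consider `$state['saml:sp:ExpectedIssuer'] = $idpMetadata->getString('entityid');`, with the same key used for the check in saml2-acs.php. The enclosing method starts and ends outside the hunk, so any other code paths that save state without this key cannot be seen from here.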
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index b3e73cf5c26acfa8dee9d8b989381d33d9f89ffe..4dccbf489828b17bff480802d71859a4b444d040 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -58,6 +58,12 @@ if (!empty($stateId)) {
 	if ($state['saml:sp:AuthId'] !== $sourceId) {
 		throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
 	}
+
+	/* Check that the issuer is the one we are expecting. */
+	assert('array_key_exists("ExpectedIssuer", $state)');
+	if ($state['ExpectedIssuer'] !== $idp) {
+		throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
+	}
 } else {
 	/* This is an unsolicited response. */
 	$state = array(
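Review bot: The `assert('array_key_exists("ExpectedIssuer", $state)')` line is not a dependable guard for a security check: assertions can be switched off at runtime, and the string form is deprecated since PHP 7.2 and no longer evaluated in PHP 8. With assertions off, a state without the key (for instance one saved before this change was deployed) reaches the comparison, reads an undefined index, and is rejected only because null is never identical to a string. Make the missing-key case an explicit rejection: `if (!isset($state['ExpectedIssuer']) || $state['ExpectedIssuer'] !== $idp) {`. Where `$idp` is assigned lies outside the hunk; it should be confirmed that it holds the issuer taken from the received response and not a value derived from the saved state.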