diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 0f023943e4dbd77df13a24885ef4671901b8d08f..c8bfaf5251a0eabffccabe692c3b9162b0d98355 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -141,6 +141,8 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 
 		$idpEntityId = $idpMetadata->getString('entityid');
 
+		$state['saml:idp'] = $idpEntityId;
+
 		$ar = new SimpleSAML_XML_Shib13_AuthnRequest();
 		$ar->setIssuer($this->entityId);
 
diff --git a/modules/saml/www/sp/saml1-acs.php b/modules/saml/www/sp/saml1-acs.php
index 84cabd711c14fadebb97836f363b7e4fdd86e0f0..06cdf4ee2a5aca2ceebf0f381c2fa97e75058dc1 100644
--- a/modules/saml/www/sp/saml1-acs.php
+++ b/modules/saml/www/sp/saml1-acs.php
@@ -23,6 +23,8 @@ if (!($source instanceof sspmod_saml_Auth_Source_SP)) {
 	throw new SimpleSAML_Error_Exception('Source type changed?');
 }
 
+$idpEntityId = $state['saml:idp'];
+$idpMetadata = $source->getIdPMetadata($idpEntityId);
 
 $responseXML = $_REQUEST['SAMLResponse'];
 $responseXML = base64_decode($responseXML);
@@ -32,15 +34,19 @@ $response->setXML($responseXML);
 
 $response->validate();
 
-$idp = $response->getIssuer();
+$responseIssuer = $response->getIssuer();
 $attributes = $response->getAttributes();
 
+if ($responseIssuer !== $idpEntityId) {
+	throw new SimpleSAML_Error_Exception('The issuer of the response wasn\'t the destination of the request.');
+}
+
 $logoutState = array(
 	'saml:logout:Type' => 'saml1'
 	);
 $state['LogoutState'] = $logoutState;
 
-$source->handleResponse($state, $idp, $attributes);
+$source->handleResponse($state, $idpEntityId, $attributes);
 assert('FALSE');
 
 ?>
\ No newline at end of file