diff --git a/lib/SimpleSAML/IdP.php b/lib/SimpleSAML/IdP.php
index 2beffb6d4175021aecc322efd2bde27e858fb086..e324e09af0b36d2403ac8e2faa2281703df5bc6f 100644
--- a/lib/SimpleSAML/IdP.php
+++ b/lib/SimpleSAML/IdP.php
@@ -329,6 +329,7 @@ class SimpleSAML_IdP {
 		$auth = $this->config->getString('auth');
 		$authSource = SimpleSAML_Auth_Source::getById($auth);
 		if ($authSource === NULL) {
+			$session = SimpleSAML_Session::getInstance();
 			$config = SimpleSAML_Configuration::getInstance();
 			$authurl = '/' . $config->getBaseURL() . $auth;
 
@@ -336,6 +337,7 @@ class SimpleSAML_IdP {
 				'IsPassive' => isset($state['isPassive']) ? $state['isPassive'] : FALSE,
 				'ForceAuthn' => isset($state['ForceAuthn']) ? $state['ForceAuthn'] : FALSE,
 				'State' => $state,
+				'core:prevSession' => $session->getAuthnInstant(),
 			);
 
 			if (isset($state['saml:RequestId'])) {
@@ -352,7 +354,6 @@ class SimpleSAML_IdP {
 			}
 
 			$authId = SimpleSAML_Utilities::generateID();
-			$session = SimpleSAML_Session::getInstance();
 			$session->setAuthnRequest('saml2', $authId, $authnRequest);
 
 			$relayState = SimpleSAML_Module::getModuleURL('core/idp/resumeauth.php', array('RequestID' => $authId));
diff --git a/modules/core/www/idp/resumeauth.php b/modules/core/www/idp/resumeauth.php
index ba2803e4e0dab07ddaea3b6affcfb561c6ad9dc0..e33bb99acfa7cef17cb86355cf5ee20dfba1117d 100644
--- a/modules/core/www/idp/resumeauth.php
+++ b/modules/core/www/idp/resumeauth.php
@@ -10,5 +10,10 @@ $requestcache = $session->getAuthnRequest('saml2', (string)$_REQUEST['RequestID'
 if (!$requestcache) {
 	throw new Exception('Could not retrieve cached RequestID = ' . $authId);
 }
+
+if ($requestcache['ForceAuthn'] && $requestcache['core:prevSession'] === $session->getAuthnInstant()) {
+	throw new Exception('ForceAuthn set, but timestamp not updated.');
+}
+
 $state = $requestcache['State'];
 SimpleSAML_IdP::postAuth($state);