diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index b633c2e0dd3ff64095d896f9d3f48f9a68070b85..03357c4e128556ba0f678c48eb15f43305968563 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -486,15 +486,50 @@ class SimpleSAML_Utilities {
 	static function ipCIDRcheck($cidr, $ip = null) {
 		if ($ip == null) $ip = $_SERVER['REMOTE_ADDR'];
 		list ($net, $mask) = explode('/', $cidr);
-		
-		$ip_net = ip2long ($net);
-		$ip_mask = ~((1 << (32 - $mask)) - 1);
-		
-		$ip_ip = ip2long ($ip);
-		
-		$ip_ip_net = $ip_ip & $ip_mask;
-		
-		return ($ip_ip_net == $ip_net);
+
+		if (strstr($ip, ':') || strstr($net, ':')) {
+			// Validate IPv6 with inet_pton, convert to hex with bin2hex
+			// then store as a long with hexdec
+
+			$ip_pack = inet_pton($ip);
+			$net_pack = inet_pton($net);
+
+			if ($ip_pack === false || $net_pack === false) {
+				// not valid IPv6 address (warning already issued)
+				return false;
+			}
+
+			$ip_ip = str_split(bin2hex($ip_pack),8);
+			foreach ($ip_ip as &$value) {
+				$value = hexdec($value);
+			}
+
+			$ip_net = str_split(bin2hex($net_pack),8);
+			foreach ($ip_net as &$value) {
+				$value = hexdec($value);
+			}
+		} else {
+			$ip_ip[0] = ip2long ($ip);
+			$ip_net[0] = ip2long ($net);
+		}
+
+		for($i = 0; $mask > 0 && $i < sizeof($ip_ip); $i++) {
+			if ($mask > 32) {
+				$iteration_mask = 32;
+			} else {
+				$iteration_mask = $mask;
+			}
+			$mask -= 32;
+
+			$ip_mask = ~((1 << (32 - $iteration_mask)) - 1);
+
+			$ip_net_mask = $ip_net[$i] & $ip_mask;
+			$ip_ip_mask = $ip_ip[$i] & $ip_mask;
+
+			if ($ip_ip_mask != $ip_net_mask)
+				return false;
+		}
+		return true;
 	}