diff --git a/modules/saml2/lib/Auth/Source/SP.php b/modules/saml2/lib/Auth/Source/SP.php
index 6d711c42922cda55332ea5bd59b235b990e732fd..5b0d8f6f4a3fc4413b3fdce3c9d39c75de787cc4 100644
--- a/modules/saml2/lib/Auth/Source/SP.php
+++ b/modules/saml2/lib/Auth/Source/SP.php
@@ -104,6 +104,28 @@ class sspmod_saml2_Auth_Source_SP extends SimpleSAML_Auth_Source {
 		return $this->entityId;
 	}
 
+
+	/**
+	 * Check if the IdP entity id is allowed to authenticate users for this authentication source.
+	 *
+	 * @param string $idpEntityId  The entity id of the IdP.
+	 * @return boolean  TRUE if it is valid, FALSE if not.
+	 */
+	public function isIdPValid($idpEntityId) {
+		assert('is_string($idpEntityId)');
+
+		if ($this->idp === NULL) {
+			/* No IdP configured - all are allowed. */
+			return TRUE;
+		}
+
+		if ($this->idp === $idpEntityId) {
+			return TRUE;
+		}
+
+		return FALSE;
+	}
+
 }
 
 ?>
\ No newline at end of file
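Review bot: `isIdPValid()` has no runtime guard on its argument, because `assert('is_string($idpEntityId)')` is a string assertion that is only evaluated when assertions are enabled. With assertions off, and with `$this->idp === NULL`, the method returns TRUE for any value, including a missing or non-string issuer. The acs.php hunk passes the result of `$authnResponse->getIssuer()` straight in, so I would add `if (!is_string($idpEntityId)) { return FALSE; }` ahead of the NULL check. The docblock should also state that an unset `$this->idp` means every issuer is accepted, so a deployment that relies on this check knows it must configure the IdP. The comparison only carries weight if the response's signature has already been verified against that IdP's key; that step is presumably done before this point but is not visible in these hunks.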
diff --git a/modules/saml2/www/sp/acs.php b/modules/saml2/www/sp/acs.php
index 8cf9f622e5600d42ae11dd015b4059e308f67d21..6c0ba0e0c268c5b47d15623ff0ebaf3e250f71cd 100644
--- a/modules/saml2/www/sp/acs.php
+++ b/modules/saml2/www/sp/acs.php
@@ -41,7 +41,11 @@ if($result === FALSE) {
 /* The response should include the entity id of the IdP. */
 $idp = $authnResponse->getIssuer();
 
-/* TODO: Check that IdP is the correct IdP. */
+/* Check if the IdP is allowed to authenticate users for this authentication source. */
+if (!$source->isIdPValid($idp)) {
+	throw new Exception('Invalid IdP responded for authentication source with id ' . $sourceId .
+		'. The IdP was ' . var_export($idp, TRUE));
+}
 
 /* TODO: Save NameID & SessionIndex for logout. */