diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index b80391fbcacb69238857f4c75a02c6a17564056a..734a4067c187e901fb4dbbb82a7caa18d674cffe 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -435,28 +435,37 @@ class sspmod_saml_Message
         $ar = new \SAML2\AuthnRequest();
 
         // get the NameIDPolicy to apply. IdP metadata has precedence.
-        $nameIdPolicy = array();
+        $nameIdPolicy = null;
         if ($idpMetadata->hasValue('NameIDPolicy')) {
             $nameIdPolicy = $idpMetadata->getValue('NameIDPolicy');
         } elseif ($spMetadata->hasValue('NameIDPolicy')) {
             $nameIdPolicy = $spMetadata->getValue('NameIDPolicy');
         }
 
-        if (!is_array($nameIdPolicy)) {
+        $policy = null;
+        if (is_string($nameIdPolicy)) {
             // handle old configurations where 'NameIDPolicy' was used to specify just the format
-            $nameIdPolicy = array('Format' => $nameIdPolicy);
+            $policy = array('Format' => $nameIdPolicy);
+        } elseif (is_array($nameIdPolicy)) {
+            // handle current configurations specifying an array in the NameIDPolicy config option
+            $nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
+            $policy = array(
+                'Format'      => $nameIdPolicy_cf->getString('Format', \SAML2\Constants::NAMEID_TRANSIENT),
+                'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true),
+            );
+            $spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
+            if ($spNameQualifier !== false) {
+                $policy['SPNameQualifier'] = $spNameQualifier;
+            }
+        } elseif ($nameIdPolicy === null) {
+            // when NameIDPolicy is unset or set to null, default to transient as before
+            $policy = array('Format' => \SAML2\Constants::NAMEID_TRANSIENT);
         }
 
-        $nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
-        $policy = array(
-            'Format'      => $nameIdPolicy_cf->getString('Format', \SAML2\Constants::NAMEID_TRANSIENT),
-            'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true),
-        );
-        $spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
-        if ($spNameQualifier !== false) {
-            $policy['SPNameQualifier'] = $spNameQualifier;
+        if ($policy !== null) {
+            // either we have a policy set, or we used the transient default
+            $ar->setNameIdPolicy($policy);
         }
-        $ar->setNameIdPolicy($policy);
 
         $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', false));
         $ar->setIsPassive($spMetadata->getBoolean('IsPassive', false));