diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 48e1b2459984f0e2d3dff320128462e9419b7d84..605b3c426b77e1a6d83b0eb82c76275a3f7e9a08 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -384,6 +384,12 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 		$source->addLogoutCallback($idp, $state);
 
 		$state['Attributes'] = $authProcState['Attributes'];
+
+		if (isset($state['saml:sp:isUnsoliced']) && (bool)$state['saml:sp:isUnsoliced']) {
+			$redirectTo = $source->getMetadata()->getString('RelayState', '/');
+			SimpleSAML_Auth_Default::handleUnsolicedAuth($sourceId, $state, $redirectTo);
+		}
+
 		SimpleSAML_Auth_Source::completeAuth($state);
 	}
 
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 3c9ae269d911640a24a85fbf95b6b2e7d0f65ec0..8b28d504c0d2cfe5702531d5a256b8ddc07b027f 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -14,16 +14,21 @@ if (!($response instanceof SAML2_Response)) {
 }
 
 $relayState = $response->getRelayState();
-if (empty($relayState)) {
-	throw new SimpleSAML_Error_BadRequest('Missing relaystate in message received on AssertionConsumerService endpoint.');
-}
-
-$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:sp:ssosent-saml2');
+if (!empty($relayState)) {
+	/* This is a response to a request we sent earlier. */
+	$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:sp:ssosent-saml2');
 
-/* Check that the authentication source is correct. */
-assert('array_key_exists("saml:sp:AuthId", $state)');
-if ($state['saml:sp:AuthId'] !== $sourceId) {
-	throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
+	/* Check that the authentication source is correct. */
+	assert('array_key_exists("saml:sp:AuthId", $state)');
+	if ($state['saml:sp:AuthId'] !== $sourceId) {
+		throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
+	}
+} else {
+	/* This is an unsoliced response. */
+	$state = array(
+		'saml:sp:isUnsoliced' => TRUE,
+		'saml:sp:AuthId' => $sourceId,
+	);
 }