diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/AbstractInitiateLogin.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/AbstractInitiateLogin.java
index d1e6664028..248f4c30eb 100755
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/AbstractInitiateLogin.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/AbstractInitiateLogin.java
@@ -101,7 +101,9 @@ public abstract class AbstractInitiateLogin implements AuthChallenge {
                 .destination(sso.getRequestBindingUrl())
                 .issuer(issuerURL)
                 .forceAuthn(deployment.isForceAuthentication()).isPassive(deployment.isIsPassive())
-                .nameIdPolicy(SAML2NameIDPolicyBuilder.format(nameIDPolicyFormat));
+                .nameIdPolicy(SAML2NameIDPolicyBuilder
+                        .format(nameIDPolicyFormat)
+                        .setAllowCreate(Boolean.TRUE));
         if (sso.getResponseBinding() != null) {
             String protocolBinding = JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get();
             if (sso.getResponseBinding() == SamlDeployment.Binding.POST) {
diff --git a/saml-core/src/main/java/org/keycloak/saml/SAML2NameIDPolicyBuilder.java b/saml-core/src/main/java/org/keycloak/saml/SAML2NameIDPolicyBuilder.java
index 4cd847bec6..00d15518a9 100755
--- a/saml-core/src/main/java/org/keycloak/saml/SAML2NameIDPolicyBuilder.java
+++ b/saml-core/src/main/java/org/keycloak/saml/SAML2NameIDPolicyBuilder.java
@@ -24,8 +24,9 @@ import java.net.URI;
  * @author pedroigor
  */
 public class SAML2NameIDPolicyBuilder {
-
     private final NameIDPolicyType policyType;
+    private Boolean allowCreate;
+    private String spNameQualifier;
 
     private SAML2NameIDPolicyBuilder(String format) {
         this.policyType = new NameIDPolicyType();
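Review bot: The explicit `.setAllowCreate(Boolean.TRUE)` is the only thing keeping this AuthnRequest identical to the previous output, because `SAML2NameIDPolicyBuilder.build()` no longer sets AllowCreate by itself, yet nothing at the call site says so and a later reader could drop it as redundant. A one-line comment such as `// AllowCreate used to be implied by the builder; keep it explicit so the IdP may create a federated identifier for this SP` would pin the intent. If the adapter's deployment descriptor is meant to govern this later, the value should come from `deployment` rather than a constant here. The enclosing method continues outside the hunk.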
@@ -36,8 +37,23 @@ public class SAML2NameIDPolicyBuilder {
         return new SAML2NameIDPolicyBuilder(format);
     }
 
+    public SAML2NameIDPolicyBuilder setAllowCreate(Boolean allowCreate) {
+        this.allowCreate = allowCreate;
+        return this;
+    }
+
+    public SAML2NameIDPolicyBuilder setSPNameQualifier(String spNameQualifier) {
+        this.spNameQualifier = spNameQualifier;
+        return this;
+    }
+
     public NameIDPolicyType build() {
-        this.policyType.setAllowCreate(Boolean.TRUE);
+        if (this.allowCreate != null)
+            this.policyType.setAllowCreate(this.allowCreate);
+
+        if (this.spNameQualifier != null)
+            this.policyType.setSPNameQualifier(this.spNameQualifier);
+
         return this.policyType;
     }
 }
\ No newline at end of file
diff --git a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
index c82b072f3c..f711d987a5 100755
--- a/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
@@ -104,8 +104,11 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider
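Review bot: `build()` now omits the AllowCreate attribute unless `setAllowCreate` was called, and SAML 2.0 Core treats an absent AllowCreate as false, so any caller of `SAML2NameIDPolicyBuilder.format(...)` that this commit does not update silently stops asking the IdP to create identifiers; the only updated callers visible here are the adapter's AbstractInitiateLogin and the SAMLIdentityProvider hunk that is cut off below, so other callers should be checked. The two new setters are public API without Javadoc and take a boxed `Boolean`/`String` whose `null` means "emit no attribute" — that tri-state should be stated, e.g. `/** Sets the AllowCreate attribute; when {@code null} (the default) the attribute is omitted, which SAML 2.0 treats as {@code false}. */` on `setAllowCreate`, and the same pattern on `setSPNameQualifier`. The two unbraced `if` bodies in `build()` should be braced, as the rest of the visible code is. Note also that `build()` still hands back the single shared `policyType` instance, so a second call returns the same mutable object — unchanged from before, but worth a sentence in the class Javadoc.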