diff --git a/main/auth/openid/login.php b/main/auth/openid/login.php
index 2f0af0ac423..3fa13593796 100755
--- a/main/auth/openid/login.php
+++ b/main/auth/openid/login.php
@@ -461,3 +461,30 @@ function openid_http_request($url, $headers = array(), $method = 'GET', $data =
     $result->code = $code;
     return $result;
 }
+
+function openid_is_allowed_provider($identityUrl): bool
+{
+    $allowedProviders = api_get_configuration_value('auth_openid_allowed_providers');
+
+    if (false === $allowedProviders) {
+        return true;
+    }
+
+    $host = parse_url($identityUrl, PHP_URL_HOST) ?: $identityUrl;
+
+    foreach ($allowedProviders as $provider) {
+        if (strpos($provider, '*') !== false) {
+            $regex = '/^' . str_replace('\*', '.*', preg_quote($provider, '/')) . '$/';
+
+            if (preg_match($regex, $host)) {
+                return true;
+            }
+        } else {
+            if ($host === $provider) {
+                return true;
+            }
+        }
+    }
+
+    return false;
+}
diff --git a/main/inc/local.inc.php b/main/inc/local.inc.php
index dd24e183d67..9119fee0e91 100755
--- a/main/inc/local.inc.php
+++ b/main/inc/local.inc.php
@@ -975,9 +975,14 @@ $openidForm = openid_form();
         if ($openidForm->validate() && $openidForm->isSubmitted()) {
             $openidUrl = $openidForm->exportValue('openid_url');
-            openid_begin($openidUrl, api_get_path(WEB_PATH).'index.php');
-            //this last function should trigger a redirect, so we can die here safely
-            exit('Openid login redirection should be in progress');
+
+            if (openid_is_allowed_provider($openidUrl)) {
+                openid_begin($openidUrl, api_get_path(WEB_PATH).'index.php');
+                //this last function should trigger a redirect, so we can die here safely
+                exit('Openid login redirection should be in progress');
+            } else {
+                $loginFailed = true;
+            }
         } elseif (!empty($_GET['openid_identity'])) {
             //it's usual for PHP to replace '.' (dot) by '_' (underscore) in URL parameters
             $res = openid_complete($_GET);
             if ($res['status'] == 'success') {
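Review bot: The fallback `?: $identityUrl` on the `$host` line compares the whole submitted string against the allow-list whenever parse_url finds no host (any identifier typed without a scheme), so the string being matched is not the host that discovery will contact once the URL is normalised, and a wildcard entry such as `*.example.com` can be satisfied by a trailing path component rather than by the host. The check should fail closed when no host can be parsed — or parse the URL only after the same normalisation openid_begin presumably applies — and compare case-insensitively, since hostnames are; the regex anchor is also better written `\z` than `$` so a trailing newline cannot satisfy it. If api_get_configuration_value can return a non-array value for this key, `foreach` will emit a warning and reject everything, so an explicit `is_array` guard before the loop would make that failure visible rather than accidental. A short docblock would also help callers: `/** True when the host of $identityUrl matches an entry of auth_openid_allowed_providers (exact, or '*' wildcard); unrestricted when the setting is absent. */`.
```php
    $host = parse_url($identityUrl, PHP_URL_HOST);
    // Fail closed: without a parseable host the allow-list cannot be applied.
    if (!is_string($host) || '' === $host) {
        return false;
    }
    $host = strtolower($host);

    foreach ($allowedProviders as $provider) {
        $provider = strtolower($provider);
        if (strpos($provider, '*') !== false) {
            $regex = '/^' . str_replace('\*', '.*', preg_quote($provider, '/')) . '\z/';
            // … unchanged: preg_match branch and exact-match branch …
```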
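Review bot: The new `else` branch that sets `$loginFailed = true;` records a rejected provider exactly like a wrong credential, so neither the user nor the server log can distinguish an allow-list rejection from an ordinary failed login. A log line before the assignment, e.g. `error_log('OpenID provider rejected by auth_openid_allowed_providers: '.parse_url($openidUrl, PHP_URL_HOST));`, would let an administrator spot a misconfigured list without exposing the raw input to the log. How $loginFailed is surfaced lies outside this hunk, as do the start and end of the enclosing conditional.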
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
index 767d99f1687..87a4409f4cc 100644
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@@ -2260,6 +2260,12 @@
 // Salt to use for admin ldap password decryption
 //$_configuration['ldap_admin_password_salt'] = 'salt';
 
+// Limit providers for OpenID (classic) authentication
+/*$_configuration['auth_openid_allowed_providers'] = [
+    'example.com',
+    '*.example.com',
+];*/
+
 // Option to hide the teachers info on courses about info page.
 //$_configuration['course_about_teacher_name_hide'] = false;
 