diff --git a/iam-common/src/main/java/it/infn/mw/iam/service/aup/AUPSignatureCheckService.java b/iam-common/src/main/java/it/infn/mw/iam/service/aup/AUPSignatureCheckService.java
index ea0766fe3..e4a79ebcb 100644
--- a/iam-common/src/main/java/it/infn/mw/iam/service/aup/AUPSignatureCheckService.java
+++ b/iam-common/src/main/java/it/infn/mw/iam/service/aup/AUPSignatureCheckService.java
@@ -20,5 +20,5 @@
 @FunctionalInterface
 public interface AUPSignatureCheckService {
- boolean needsAupSignature(IamAccount account);
+ int getRemainingDaysSignatureExpiration(IamAccount account);
 }
diff --git a/iam-common/src/main/java/it/infn/mw/iam/service/aup/DefaultAupSignatureCheckService.java b/iam-common/src/main/java/it/infn/mw/iam/service/aup/DefaultAupSignatureCheckService.java
index b36360d77..2beaa5f8a 100644
--- a/iam-common/src/main/java/it/infn/mw/iam/service/aup/DefaultAupSignatureCheckService.java
+++ b/iam-common/src/main/java/it/infn/mw/iam/service/aup/DefaultAupSignatureCheckService.java
@@ -29,6 +29,7 @@
 import it.infn.mw.iam.core.time.TimeProvider;
 import it.infn.mw.iam.persistence.model.IamAccount;
 import it.infn.mw.iam.persistence.model.IamAup;
+import it.infn.mw.iam.persistence.model.IamAupSignature;
 import it.infn.mw.iam.persistence.repository.IamAupRepository;
 import it.infn.mw.iam.persistence.repository.IamAupSignatureRepository;
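Review bot: The new `int` contract of `getRemainingDaysSignatureExpiration` is undocumented, yet every caller in this diff relies on the same conventions: the sentinels `Integer.MAX_VALUE` (no AUP defined) and `-Integer.MAX_VALUE` (no signature record), and the rule that a value `<= 0` means the user must sign. Each call site re-derives the `<= 0` comparison, and one of them (VOMSController) calls a differently named method, which is exactly the drift a shared predicate prevents. I would add Javadoc stating the sentinel values and the threshold, and keep the old name as a default method so the policy lives in one place: `default boolean needsAupSignature(IamAccount account) { return getRemainingDaysSignatureExpiration(account) <= 0; }`. A default method does not conflict with `@FunctionalInterface`, which still has a single abstract method.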
@@ -50,28 +51,28 @@ public DefaultAupSignatureCheckService(IamAupRepository aupRepo,
 }
 @Override
- public boolean needsAupSignature(IamAccount account) {
+ public int getRemainingDaysSignatureExpiration(IamAccount account) {
 Optional aup = aupRepo.findDefaultAup();
- Date now = new Date(timeProvider.currentTimeMillis());
-
 if (!aup.isPresent()) {
 LOG.debug("AUP signature not needed for account '{}': AUP is not defined", account.getUsername());
- return false;
+ return Integer.MAX_VALUE;
 }
 if (isNull(account.getAupSignature())) {
 LOG.debug("AUP signature needed for account '{}': no signature record found for user", account.getUsername());
- return true;
+ return -Integer.MAX_VALUE;
 }
 Date signatureTime = account.getAupSignature().getSignatureTime();
 Date aupLastModifiedTime = aup.get().getLastUpdateTime();
 Long signatureValidityInDays = aup.get().getSignatureValidityInDays();
- if (signatureTime.compareTo(aupLastModifiedTime) > 0) {
+ int daysLeftBeforeSignAup = calculateDaysLeft(aup.get(), account);
+
+ if (daysLeftBeforeSignAup > 0) {
 if (signatureValidityInDays > 0) {
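Review bot: The removed condition `signatureTime.compareTo(aupLastModifiedTime) > 0` is replaced by `daysLeftBeforeSignAup > 0`, and nothing in the new code compares the signature time with the AUP's last update time any more; `aupLastModifiedTime` survives only as a log argument. `calculateDaysLeft`, as added in the next hunk, only measures the time until `signatureTime + signatureValidityInDays`, so a user whose signature predates the latest AUP revision is no longer forced to re-accept it as long as that validity window has not elapsed, which is the enforcement this service exists for. I would keep the original check as a guard before computing the days left, `if (signatureTime.compareTo(aupLastModifiedTime) <= 0) { return -Integer.MAX_VALUE; }`, together with the existing "AUP last modified time" debug log. The method body continues past this hunk.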
@@ -79,23 +80,33 @@ public boolean needsAupSignature(IamAccount account) {
 new Date(signatureTime.getTime() + TimeUnit.DAYS.toMillis(signatureValidityInDays));
 // The signature was on the last version of the AUP
+ Date now = new Date(timeProvider.currentTimeMillis());
 boolean signatureNeeded = now.compareTo(signatureValidTime) > 0;
 String signatureNeededString = (signatureNeeded ? "needed" : "not needed");
 LOG.debug(
 "AUP signature {} for account '{}': Now '{}' AUP signature time '{}', AUP signature end of validity '{}'", signatureNeededString, account.getUsername(), now, signatureTime, signatureValidTime);
- return signatureNeeded;
 }
- return false;
- }
-
- // The signature is needed anyway since it was done before the last changes to the AUP
- LOG.debug(
+ return daysLeftBeforeSignAup;
+ } else {
+ LOG.debug(
 "AUP signature needed for account '{}': AUP signature time '{}', AUP last modified time '{}'", account.getUsername(), signatureTime, aupLastModifiedTime);
- return true;
+ return daysLeftBeforeSignAup;
+ }
 }
+ private int calculateDaysLeft(IamAup aup, IamAccount account) {
+ Long signatureValidityInDays = aup.getSignatureValidityInDays();
+ Optional signature = signatureRepo.findByAupAndAccount(aup, account);
+
+ Date expirationDateSignature = new Date(signature.get().getSignatureTime().getTime() + TimeUnit.DAYS.toMillis(signatureValidityInDays));
+ Date now = new Date(timeProvider.currentTimeMillis());
+ Long delta = expirationDateSignature.getTime() - now.getTime();
+ int resultDaysLeft = Long.valueOf(TimeUnit.DAYS.convert(delta, TimeUnit.MILLISECONDS)).intValue();
+
+ return resultDaysLeft;
+ }
 }
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/authn/EnforceAupSignatureSuccessHandler.java b/iam-login-service/src/main/java/it/infn/mw/iam/authn/EnforceAupSignatureSuccessHandler.java
index a8a5257ed..69fa5fa79 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/authn/EnforceAupSignatureSuccessHandler.java
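Review bot: `calculateDaysLeft` does not preserve the `signatureValidityInDays > 0` guard that the caller still carries: with a validity of 0 (which the surviving `> 0` branch suggests is the "never expires" setting) the expiration date equals the signature time, `delta` is zero or negative for any existing signature, the result is `<= 0` and the user is sent to sign the AUP, and because a fresh signature again yields 0 days the user can never get past the check. `signature.get()` is also called without a presence check; `findByAupAndAccount` is a different lookup from the `account.getAupSignature()` null-check in the caller, so an empty Optional would surface as a `NoSuchElementException` at login instead of a clean "signature needed". Separately, `TimeUnit.DAYS.convert` truncates toward zero, so a signature with less than a full day left already reads as expired; if that early cut-off is unintended, compare milliseconds rather than days. The `now`/`signatureNeeded` computation in the `signatureValidityInDays > 0` branch is now only logged and never returned, and the else-branch message still cites the AUP last-modified time although the condition no longer involves it. I would rewrite the helper to return the no-expiry and no-signature sentinels explicitly:

```java
private int calculateDaysLeft(IamAup aup, IamAccount account) {
  Long signatureValidityInDays = aup.getSignatureValidityInDays();
  // A non-positive validity keeps the meaning of the caller's "> 0" guard: the signature never expires.
  if (signatureValidityInDays == null || signatureValidityInDays <= 0) {
    return Integer.MAX_VALUE;
  }
  Optional<IamAupSignature> signature = signatureRepo.findByAupAndAccount(aup, account);
  if (!signature.isPresent()) {
    return -Integer.MAX_VALUE;
  }
  long expirationMillis =
      signature.get().getSignatureTime().getTime() + TimeUnit.DAYS.toMillis(signatureValidityInDays);
  long deltaMillis = expirationMillis - timeProvider.currentTimeMillis();
  // Truncates toward zero: less than a full day left reads as 0, i.e. expired.
  return (int) TimeUnit.MILLISECONDS.toDays(deltaMillis);
}
```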
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/authn/EnforceAupSignatureSuccessHandler.java
@@ -100,7 +100,7 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
 Optional authenticatedAccount = lookupAuthenticatedUser(auth);
 if (!authenticatedAccount.isPresent()
- || !service.needsAupSignature(authenticatedAccount.get())) {
+ || !(service.getRemainingDaysSignatureExpiration(authenticatedAccount.get()) <= 0)) {
 delegate.onAuthenticationSuccess(request, response, auth);
 } else {
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/IamRefreshTokenGranter.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/IamRefreshTokenGranter.java
index e529a42b2..64fc4ed71 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/IamRefreshTokenGranter.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/IamRefreshTokenGranter.java
@@ -59,7 +59,7 @@ protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest to
 throw new DisabledException(format("User %s is not active.", user.get().getUsername()));
 }
- if (user.isPresent() && signatureCheckService.needsAupSignature(user.get())) {
+ if (user.isPresent() && (signatureCheckService.getRemainingDaysSignatureExpiration(user.get()) <= 0)) {
 throw new InvalidGrantException(
 format("User %s needs to sign AUP for this organization in order to proceed.", user.get().getUsername()));
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/IamResourceOwnerPasswordTokenGranter.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/IamResourceOwnerPasswordTokenGranter.java
index c5abed00c..23af78a47 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/IamResourceOwnerPasswordTokenGranter.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/IamResourceOwnerPasswordTokenGranter.java
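Review bot: `!(service.getRemainingDaysSignatureExpiration(...) <= 0)` is a double negation; the same condition reads directly as `|| service.getRemainingDaysSignatureExpiration(authenticatedAccount.get()) > 0) {`. The threshold of 0 is the policy that decides whether a successful login is diverted to the AUP page, so it deserves a comment at this site, e.g. `// <= 0 days left (including the no-signature sentinel) means the user must (re)sign the AUP`, or better a single predicate on the service shared by the four call sites this diff touches. onAuthenticationSuccess continues outside the hunk.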
@@ -58,7 +58,7 @@ protected OAuth2Authentication getOAuth2Authentication(ClientDetails client,
 OAuth2Authentication auth = super.getOAuth2Authentication(client, tokenRequest);
 Optional user = accountUtils.getAuthenticatedUserAccount(auth);
- if (user.isPresent() && signatureCheckService.needsAupSignature(user.get())) {
+ if (user.isPresent() && (signatureCheckService.getRemainingDaysSignatureExpiration(user.get()) <= 0)) {
 throw new InvalidGrantException(
 format("User %s needs to sign AUP for this organization in order to proceed.", user.get().getUsername()));
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/TokenExchangeTokenGranter.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/TokenExchangeTokenGranter.java
index dc32a6b9b..beb42ee6c 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/TokenExchangeTokenGranter.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/granters/TokenExchangeTokenGranter.java
@@ -159,7 +159,7 @@ protected OAuth2Authentication getOAuth2Authentication(final ClientDetails actor
 Optional account = accountUtils
 .getAuthenticatedUserAccount(subjectToken.getAuthenticationHolder().getUserAuth());
- if (account.isPresent() && signatureCheckService.needsAupSignature(account.get())) {
+ if (account.isPresent() && (signatureCheckService.getRemainingDaysSignatureExpiration(account.get()) <= 0)) {
 throw new InvalidGrantException(
 format("User %s needs to sign AUP for this organization " + "in order to proceed.", account.get().getUsername()));
diff --git a/iam-voms-aa/src/main/java/it/infn/mw/voms/api/VOMSController.java b/iam-voms-aa/src/main/java/it/infn/mw/voms/api/VOMSController.java
index 6ab5a5354..5cd019221 100644
--- a/iam-voms-aa/src/main/java/it/infn/mw/voms/api/VOMSController.java
+++ b/iam-voms-aa/src/main/java/it/infn/mw/voms/api/VOMSController.java
@@ -114,7 +114,7 @@ public String generateAC(@RequestHeader(name = "User-Agent", required = false) S
 }
 } else {
 IamAccount user = context.getIamAccount();
- if (signatureCheckService.needsAupSignature(user)) {
+ if (signatureCheckService.getRemainingDays(user) <= 0) {
 VOMSErrorMessage em = VOMSErrorMessage.faildToSignAup(user.getUsername());
 return responseBuilder.createErrorResponse(em);
 }
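Review bot: `signatureCheckService.getRemainingDays(user)` does not match the method this diff introduces on `AUPSignatureCheckService`, `getRemainingDaysSignatureExpiration(IamAccount)`, which is that interface's only abstract method; unless `signatureCheckService` in VOMSController is typed differently from the interface shown here, this does not compile, and if it is, the other method's threshold semantics need to match the `<= 0` rule used by the login-service callers. The line should read `if (signatureCheckService.getRemainingDaysSignatureExpiration(user) <= 0) {`. generateAC starts outside the hunk.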