diff --git a/bin/probe_saml_idp.sh b/bin/probe_saml_idp.sh
index 53e0916..ce21f23 100755
--- a/bin/probe_saml_idp.sh
+++ b/bin/probe_saml_idp.sh
@@ -357,6 +357,12 @@ if [ "$exit_status" -ne 0 ]; then
 exit 3
 fi
 
+# short-circuit if this is not an IdP
+if ! echo "$entityDescriptor" | $_GREP -Fq 'IDPSSODescriptor '; then
+ echo "ERROR: $script_name: entity is not an IdP: $entityID" >&2
+ exit 3
+fi
+
 # extract the registrar ID from the entity descriptor
 registrarID=$( echo "$entityDescriptor" \
 | $_GREP -F -m 1 ' registrationAuthority=' \
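Review bot: The role check in the added `if` is a fixed-substring match for `IDPSSODescriptor ` (with a trailing space) over the raw metadata, so it can misclassify in both directions: a start tag with a newline or tab after the element name is rejected as "not an IdP", and a comment or text node that merely contains the string lets a non-IdP entity through. I would anchor the match on the start tag, for example `if ! printf '%s\n' "$entityDescriptor" | $_GREP -Eq '<([A-Za-z_][A-Za-z0-9_.-]*:)?IDPSSODescriptor([[:space:]>]|$)'; then`, noting that this is still a text heuristic and not a parse. How `entityDescriptor` is fetched and whether it is normalised beforehand lies outside the hunk, so confirm that before relying on the trailing-space form. The new branch also reuses `exit 3` from the preceding failure check, so a caller cannot tell "not an IdP" apart from that earlier error; either use a distinct code or document the shared one in the comment above the `if`.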