diff --git a/simplesamlphp_auth.admin.inc b/simplesamlphp_auth.admin.inc
index 3694716..a12b881 100644
--- a/simplesamlphp_auth.admin.inc
+++ b/simplesamlphp_auth.admin.inc
@@ -129,6 +129,15 @@ function simplesamlphp_auth_settings_local() {
     '#default_value' => variable_get('simplesamlphp_auth_logoutgotourl', ''),
     '#description' => t('Example: @base_url', array('@base_url' => $GLOBALS['base_url'])),
   );
+  $form['simplesamlphp_auth_grp_auth']['simplesamlphp_auth_keeproles'] = array(
+    '#type' => 'select',
+    '#size' => 3,
+    '#options' => $roles,
+    '#multiple' => TRUE,
+    '#title' => t('Which ROLES should be kept after logging in with SAML?'),
+    '#default_value' => variable_get('simplesamlphp_auth_keeproles', array()),
+    '#description' => t('Roles that should be remain assigned to the users that login with simpleSAMLphp even if those roles are not in the SAML response.'),
+  );  
 
   return system_settings_form($form);
 }
diff --git a/simplesamlphp_auth.inc b/simplesamlphp_auth.inc
index 9a27796..97dc785 100644
--- a/simplesamlphp_auth.inc
+++ b/simplesamlphp_auth.inc
@@ -207,6 +207,16 @@ function _simplesaml_auth_user_login($ext_user) {
       watchdog('simplesamlphp_auth', 'User already registered [%authname] updating roles.', array('%authname' => $ext_user->name), WATCHDOG_DEBUG);
     }
     $roles = _simplesamlphp_auth_rolepopulation(variable_get('simplesamlphp_auth_rolepopulation', ''));
+
+    // If we have configured some roles to keep when the user logs in, re add them to the roles array.
+    if ($roles_to_keep = variable_get('simplesamlphp_auth_keeproles', array())) {
+      // Get unique identifier from saml attributes.
+      $authname = _simplesamlphp_auth_get_authname();
+      if ($local_user = user_load_by_name($authname)) {
+        $roles += array_intersect_key($local_user->roles, $roles_to_keep);
+      }
+    }
+
     $userinfo = array('roles' => $roles);
 
     // Save the updated roles and populate the user object.
diff --git a/simplesamlphp_auth.install b/simplesamlphp_auth.install
index 19c8832..a96fe4e 100644
--- a/simplesamlphp_auth.install
+++ b/simplesamlphp_auth.install
@@ -47,6 +47,7 @@ function simplesamlphp_auth_uninstall() {
   variable_del('simplesamlphp_auth_login_link_display_name');
   variable_del('simplesamlphp_auth_logoutgotourl');
   variable_del('simplesamlphp_auth_autoenablesaml');
+  variable_del('simplesamlphp_auth_keeproles');
 }
 
 /**