diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py
index a713d76..d73e34b 100644
--- a/powerdnsadmin/models/setting.py
+++ b/powerdnsadmin/models/setting.py
@@ -111,7 +111,7 @@ class Setting(db.Model):
         'oidc_oauth_account_name_property': '',
         'oidc_oauth_account_description_property': '',
         'saml_autoprovisioning': False,
-        'saml_urn_value': '',
+        'saml_urn_prefix': '',
         'saml_autoprovisioning_attribute': '',
         'saml_purge': False,
         'forward_records_allow_edit': {
diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py
index 2fb3b4b..9586966 100644
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@@ -1035,9 +1035,9 @@ def saml_authorized():
                                     created_by='SAML Assertion')
                     history.add()
         elif Setting().get('saml_autoprovisioning'):
-            urn_value = Setting().get('saml_urn_value')  # urn_value for
-            key = Setting().get('saml_autoprovisioning_attribute')
-            Entitlements = read_saml_entitlements(urn_value, session['samlUserdata'])
+            urn_prefix = Setting().get('saml_urn_prefix') 
+            autoprovisioning_attribute = Setting().get('saml_autoprovisioning_attribute')
+            Entitlements = read_saml_entitlements(urn_prefix, autoprovisioning_attribute, session['samlUserdata'])
             if len(Entitlements)==0 and Setting().get('saml_purge'):
                 if user.role.name != 'User':
                     user.role_id = Role.query.filter_by(name='User').first().id
@@ -1046,8 +1046,8 @@ def saml_authorized():
                                     created_by='SAML Autoprovision')
                     history.add()
             elif len(Entitlements)!=0:
-                if checkForPDAEntries(Entitlements, urn_value):
-                    user.updateUser(Entitlements, urn_value)
+                if checkForPDAEntries(Entitlements, autoprovisioning_attribute):
+                    user.updateUser(Entitlements, autoprovisioning_attribute)
                 else:
                     current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix')
                     if Setting().get('saml_purge'):
@@ -1068,11 +1068,13 @@ def saml_authorized():
     else:
         return render_template('errors/SAML.html', errors=errors)
 
-def read_saml_entitlements(urn_value, saml_userdata):
+def read_saml_entitlements(urn_prefix, autoprovisioning_attribute, saml_userdata):
     Entitlements = []
-    if urn_value in saml_userdata:
-        for k in saml_userdata[urn_value]:
-            Entitlements.append(k)
+    if autoprovisioning_attribute in saml_userdata:
+        for k in saml_userdata[autoprovisioning_attribute]:
+            pref = k.split(":powerdns-admin:")[0]
+            if pref == urn_prefix:
+                Entitlements.append(k)
     return Entitlements
 
 def create_group_to_account_mapping():