diff --git a/APPL/Shared/loginTry.asp b/APPL/Shared/loginTry.asp
index 38efaa17a7..d4ed86723e 100644
--- a/APPL/Shared/loginTry.asp
+++ b/APPL/Shared/loginTry.asp
@@ -220,7 +220,7 @@ if (user_key < 0 && sso && sso != "0") // "0" is een hardcoded special case
 {
     var sql = "SELECT *"
             + "  FROM fac_idp"
-            + " WHERE fac_idp_code = " + safe.quoted_sql(sso);
+            + " WHERE fac_idp_code = " + safe.quoted_sql_upper(sso); // een trigger zorg dat fac_idp_code uppercase is
     var oRs = Oracle.Execute(sql);
     if (oRs.Eof)
         shared.internal_error("Identity provider '{0}' is not configured for {1}".format(sso, customerId));
@@ -247,7 +247,7 @@ if (user_key < 0 && sso && sso != "0") // "0" is een hardcoded special case
     if (!ip_ok)
         shared.internal_error("IP {0} not allowed for this IDP".format(ip)); // TODO of 400 code forbidden?
 
-    if (oRs("fac_idp_type").Value == 3) // die doet het verder zelf
+    if (oRs("fac_idp_type").Value == 3) // Oldstyle SecureSSO, die doet het verder zelf
     {
         SecureSSO({ strSharedKey: oRs("fac_idp_secret").Value,
                     Timeout: oRs("fac_idp_clockskew").Value,