diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthWebID.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthWebID.pm
index 2776c8de6..4a4cdef0d 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthWebID.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthWebID.pm
@@ -12,15 +12,19 @@ package Lemonldap::NG::Portal::AuthWebID;
 use strict;
 use Lemonldap::NG::Portal::Simple;
 use Lemonldap::NG::Portal::AuthSSL;
+use Lemonldap::NG::Common::Regexp;
+use Regexp::Assemble;
 our $VERSION = '1.3.0';
 our @ISA = qw(Lemonldap::NG::Portal::AuthSSL);
 our $initDone;
+our $reWebIDWhitelist;
 BEGIN {
 eval {
 require threads::shared;
 threads::shared::share($initDone);
+ threads::shared::share($reWebIDWhitelist);
 };
 }
@@ -34,19 +38,53 @@ sub authInit {
 eval "use Web::ID";
 $self->abort( 'Unable to load Web::ID', $@ ) if ($@);
 $initDone++;
+
+ # Now examine white list and compile it
+ my @hosts = split /\s+/, $self->{webIDWhitelist};
+ $self->abort( 'WebID white list is empty',
+ 'Set it in manager, use * to accept all FOAF providers' )
+ unless (@hosts);
+ my $re = Regexp::Assemble->new();
+ foreach my $h (@hosts) {
+ $self->lmLog( "Add $h in WebID whitelist", 'debug' );
+ $h = quotemeta($h);
+ $h =~ s/\\\*/\.\*\?/g;
+ $re->add($h);
+ }
+ $reWebIDWhitelist = '^https?://' . $re->as_string . '(?:/.*|)$';
+ }
 PE_OK;
 }
 sub extractFormInfo {
 my $self = shift;
- my $tmp = $self->SUPER::extractFormInfo(@_);
+
+ # 1. Verify SSL exchange using AuthSSL::extractFormInfo()
+ my $tmp = $self->SUPER::extractFormInfo(@_);
 return $tmp unless ( $tmp eq PE_OK );
- return PE_CERTIFICATEREQUIRED
- unless ( $ENV{SSL_CLIENT_CERT}
- and $self->{webid} =
+
+ # 2. Return an error if SSL_CLIENT_CERT is not set
+ $self->abort( 'SSL configuration error',
+ 'Unable to get client certificate, SSL_CLIENT_CERT is not set' )
+ unless ( $ENV{SSL_CLIENT_CERT} );
+
+ # 3. Verify that certificate is WebID compliant
+ return PE_BADCREDENTIALS
+ unless ( $self->{webid} =
 Web::ID->new( certificate => $ENV{SSL_CLIENT_CERT} ) );
- return ( $self->{webid}->valid() ? PE_OK : PE_BADCREDENTIALS );
+
+ # WebID URI is used as user field
+ $self->{user} = $self->{webid}->uri;
+
+ # 4. Verify that FOAF host is in white list
+ return PE_BADPARTNER unless ( $self->{user} =~ $reWebIDWhitelist );
+
+ # 5. Verify FOAF document
+ return PE_BADCREDENTIALS unless ( $self->{webid}->valid() );
+
+ # 6. OK, access granted
+ return PE_OK;
 }
 1;
 __END__
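Review bot: The wildcard expansion in authInit's foreach loop, `$h =~ s/\\\*/\.\*\?/g;`, turns `*` into `.*?`, which also matches `/`, `@` and `:`, so with an entry such as `*.example.com` the step-4 check in extractFormInfo (`$self->{user} =~ $reWebIDWhitelist`) accepts any URI whose path contains the whitelisted suffix, not only URIs whose host ends with it. Keeping the wildcard inside the authority component closes this: `$h =~ s{\\\*}{[^/]*}g;`, with the surrounding `'^https?://' . $re->as_string . '(?:/.*|)$'` left as is. Two smaller points in the same hunk: `split /\s+/, $self->{webIDWhitelist}` yields an empty first host when the setting has leading whitespace, which presumably becomes an empty alternative in the assembled pattern, and `split ' ', $self->{webIDWhitelist}` avoids that; and `$self->{user}` is assigned from the certificate's URI before both the whitelist and `valid()` checks, so after a PE_BADPARTNER or PE_BADCREDENTIALS return it still holds an unverified value — likely harmless, but worth confirming how the portal logs or reuses `{user}` on a failed attempt. authInit begins outside the hunk.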