diff --git a/config/services.yaml b/config/services.yaml
index 7f782716..ad885408 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -48,3 +48,9 @@ services:
 
   Surfnet\StepupRa\RaBundle\Security\Authentication\AuthenticatedSessionStateHandler:
     alias: ra.security.authentication.session.session_storage
+
+  Surfnet\SamlBundle\Security\Authentication\Handler\FailureHandler:
+    class: Surfnet\StepupRa\RaBundle\Security\Authentication\Handler\FailureHandler
+    public: false
+    arguments:
+      $exceptionController: '@Surfnet\StepupRa\RaBundle\Controller\ExceptionController'
diff --git a/src/Surfnet/StepupRa/RaBundle/Security/Authentication/Handler/FailureHandler.php b/src/Surfnet/StepupRa/RaBundle/Security/Authentication/Handler/FailureHandler.php
new file mode 100644
index 00000000..0765a80d
--- /dev/null
+++ b/src/Surfnet/StepupRa/RaBundle/Security/Authentication/Handler/FailureHandler.php
@@ -0,0 +1,59 @@
+<?php declare(strict_types=1);
+
+/**
+ * Copyright 2023 SURFnet B.V.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+namespace Surfnet\StepupRa\RaBundle\Security\Authentication\Handler;
+
+use Psr\Log\LoggerInterface;
+use Surfnet\StepupRa\RaBundle\Controller\ExceptionController;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
+use Symfony\Component\Security\Http\HttpUtils;
+
+class FailureHandler extends DefaultAuthenticationFailureHandler
+{
+    private ExceptionController $exceptionController;
+
+    /**
+     * @param array<string, mixed> $options
+     */
+    public function __construct(
+        HttpKernelInterface $httpKernel,
+        HttpUtils $httpUtils,
+        ExceptionController $exceptionController,
+        array $options = [],
+        ?LoggerInterface $logger = null,
+    ) {
+        parent::__construct($httpKernel, $httpUtils, $options, $logger);
+        $this->exceptionController = $exceptionController;
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
+    {
+        $message = sprintf(
+            'Authentication failure: %s: "%s"',
+            $exception->getMessageKey(),
+            $exception->getMessage(),
+        );
+        $this->logger->notice($message);
+        // The exception controller is used to show the failed authentication
+        return $this->exceptionController->show($request, $exception);
+    }
+}