diff --git a/src/Surfnet/StepupMiddleware/ManagementBundle/Controller/ConfigurationController.php b/src/Surfnet/StepupMiddleware/ManagementBundle/Controller/ConfigurationController.php
index 1b65368b7..21f34bc25 100644
--- a/src/Surfnet/StepupMiddleware/ManagementBundle/Controller/ConfigurationController.php
+++ b/src/Surfnet/StepupMiddleware/ManagementBundle/Controller/ConfigurationController.php
@@ -20,17 +20,22 @@
 use DateTime;
 use Ramsey\Uuid\Uuid;
+use Surfnet\Stepup\Helper\JsonHelper;
+use Surfnet\StepupMiddleware\ApiBundle\Exception\BadCommandRequestException;
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\AbstractCommand;
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Configuration\Command\UpdateConfigurationCommand;
 use Surfnet\StepupMiddleware\CommandHandlingBundle\Pipeline\TransactionAwarePipeline;
+use Surfnet\StepupMiddleware\ManagementBundle\Validator\Constraints\HasValidConfigurationStructure;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Validator\Validator\ValidatorInterface;
 class ConfigurationController extends AbstractController
 {
 public function __construct(
 private readonly TransactionAwarePipeline $pipeline,
+ private readonly ValidatorInterface $validator,
 ) {
 }
@@ -38,6 +43,11 @@ public function update(Request $request): JsonResponse
 {
 $this->denyAccessUnlessGranted('ROLE_MANAGEMENT');
+ $violations = $this->validator->validate($request->getContent(), new HasValidConfigurationStructure());
+ if ($violations->count() > 0) {
+ throw BadCommandRequestException::withViolations('Invalid configure institutions request', $violations);
+ }
+
 $command = new UpdateConfigurationCommand();
 $command->configuration = $request->getContent();
 $command->UUID = (string)Uuid::uuid4();
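Review bot: The added `use Surfnet\Stepup\Helper\JsonHelper;` is not referenced by any line this commit adds to ConfigurationController.php. Both hunks of the file are visible here and neither the constructor change nor the new guard in `update()` uses it. It looks like a leftover import and should be dropped, unless code outside the hunks depends on it.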
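Review bot: The exception message in the new guard in `update()` reads `'Invalid configure institutions request'`, but this endpoint builds an `UpdateConfigurationCommand`, so the text looks copied from the institution-configuration path and will mislead API clients and anyone triaging logs; `'Invalid configuration request'` would fit. It would also be clearer to read the body once, `$content = $request->getContent();`, and pass that variable to both `validate()` and `$command->configuration`, so the validated payload is visibly the one dispatched. The body of `update()` continues outside the hunk.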
diff --git a/src/Surfnet/StepupMiddleware/ManagementBundle/Tests/Validator/Fixtures/invalid_configuration/invalid_sps.php b/src/Surfnet/StepupMiddleware/ManagementBundle/Tests/Validator/Fixtures/invalid_configuration/invalid_sps.php
deleted file mode 100644
index ac2423f78..000000000
--- a/src/Surfnet/StepupMiddleware/ManagementBundle/Tests/Validator/Fixtures/invalid_configuration/invalid_sps.php
+++ /dev/null
@@ -1,37 +0,0 @@
- 'gateway.service_providers',
- 'configuration' => [
- 'gateway' => [
- 'identity_providers' => [],
- 'service_providers' => 9,
- ],
- 'sraa' => ['20394-4320423-439248324'],
- 'email_templates' => [
- 'confirm_email' => ['en_GB' => 'Verify {{ commonName }}'],
- 'registration_code_with_ras' => ['en_GB' => 'Code {{ commonName }}'],
- 'registration_code_with_ra_locations' => ['en_GB' => 'Code {{ commonName }}'],
- 'vetted' => ['en_GB' => 'Vetted {{ commonName }}'],
- 'second_factor_revoked' => ['en_GB' => 'Revoked token for {{ commonName }}'],
- 'second_factor_verification_reminder_with_ras' => ['en_GB' => 'Code {{ commonName }}'],
- 'second_factor_verification_reminder_with_ra_locations' => ['en_GB' => 'Code {{ commonName }}'],
- ],
- ],
-];
diff --git a/src/Surfnet/StepupMiddleware/ManagementBundle/Tests/Validator/Fixtures/invalid_reconfigure_institution_request/not_whitelisted_institution_use_raa.php b/src/Surfnet/StepupMiddleware/ManagementBundle/Tests/Validator/Fixtures/invalid_reconfigure_institution_request/not_whitelisted_institution_use_raa.php
index 4b13a20a9..641843703 100644
--- a/src/Surfnet/StepupMiddleware/ManagementBundle/Tests/Validator/Fixtures/invalid_reconfigure_institution_request/not_whitelisted_institution_use_raa.php
+++ b/src/Surfnet/StepupMiddleware/ManagementBundle/Tests/Validator/Fixtures/invalid_reconfigure_institution_request/not_whitelisted_institution_use_raa.php
@@ -18,7 +18,7 @@
 return [
 'expectedPropertyPath' => 'Institution(surfnet.nl)',
- 'expectErrorMessageToContain' => 'All values of option "use_raa" should be known institutions.',
+ 'expectErrorMessageToContain' => 'All values of option "use_raa" for "surfnet.nl" should be known institutions.',
 'reconfigureInstitutionRequest' => [
 'surfnet.nl' => [
 "use_ra_locations" => true,