diff --git a/auth_saml/models/auth_saml_provider.py b/auth_saml/models/auth_saml_provider.py
index 94c45de06e..a35f0c2371 100644
--- a/auth_saml/models/auth_saml_provider.py
+++ b/auth_saml/models/auth_saml_provider.py
@@ -308,6 +308,14 @@ def _validate_auth_response(self, token: str, base_url: str = None):
 except SignatureError:
 # we have a metadata url: try to refresh the metadata document
 if self.idp_metadata_url:
+ self.env.cr.execute(
+ """
+ SELECT id, idp_metadata
+ FROM auth_saml_provider
+ WHERE id=%s FOR NO KEY UPDATE NOWAIT
+ """,
+ (self.id,),
+ )
 self.action_refresh_metadata_from_url()
 # retry: if it fails again, we let the exception flow
 client = self._get_client_for_provider(base_url)
@@ -424,11 +432,6 @@ def action_refresh_metadata_from_url(self):
 # lock the records we might update, so that multiple simultaneous login
 # attempts will not cause concurrent updates
- provider_ids = tuple(providers_to_update.keys())
- self.env.cr.execute(
- "SELECT id FROM auth_saml_provider WHERE id in %s FOR UPDATE",
- (tuple(provider_ids),),
- )
 updated = False
 for provider in providers:
 if provider.id in providers_to_update:
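Review bot: The `FOR NO KEY UPDATE NOWAIT` query added under `if self.idp_metadata_url:` fails immediately with a lock-not-available error (SQLSTATE 55P03) whenever another login already holds the row, and nothing visible in the hunk catches it, so the failed statement would leave the transaction aborted and the login would end in a database error rather than the retried validation below. Consider running the query inside `with self.env.cr.savepoint():` and treating the lock failure as "a refresh is already in progress" before retrying with the stored metadata. This branch appears to be reached by any response whose signature does not verify, so the row lock and the metadata fetch can be triggered without a valid assertion; a minimum interval between refreshes would bound that. The second hunk removes the `FOR UPDATE` from `action_refresh_metadata_from_url` but keeps the comment `# lock the records we might update`, which no longer describes the code, and any other caller of that method presumably now writes without a lock. Both function bodies continue outside the hunks, so handling may exist that is not visible here.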