Error messages in web browser - nordvall/WifExamples GitHub Wiki
A potentially dangerous Request.Form value was detected from the client
The main problem here is that ASP.NET detects the token service XML response as a hacking attempt. There are a few ways of dealing with it:
###.NET 4.5: Verify that the following line is present under system.web in web.config:
<httpRuntime targetFramework="4.5" />
###.NET 4.0 There are a couple of possible solutions:
Use a custom request validator
This is the most secure option, because it takes another look at the request and accepts correct STS responses. Take a look at the NET40 projects here for examples. There are a WsFederationRequstValidator class and a system.web/httpRuntime section of the web.config.
Use legacy RequestValidationMode
This is less secure beacuse it accept all sorts of POST:s to your page. There are two parts of this solution:
Insert the following line under system.web in web.config:
<httpRuntime requestValidationMode="2.0" />
On the page that receives the STS responses (usually your default.aspx), add the following attribute to the Page directive in the top of the page:
ValidateRequest="false"
A way to improve the security of this solution would be to create a separate page just to receive STS responses, use ValidateRequest="false" on that page and register it as your response page in the STS.