Error messages in web browser - nordvall/WifExamples GitHub Wiki

A potentially dangerous Request.Form value was detected from the client

The main problem here is that ASP.NET detects the token service XML response as a hacking attempt. There are a few ways of dealing with it:

### .NET 4.5

Verify that the following line is present under system.web in web.config:

<httpRuntime targetFramework="4.5" />

### .NET 4.0

There are a couple of possible solutions:

Use a custom request validator

This is the most secure option, because it takes another look at the request and accepts correct STS responses. Take a look at the NET40 projects here for examples. They contain a WsFederationRequstValidator class and a system.web/httpRuntime section in web.config.
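A sketch of such a validator, added here as an illustration and not taken from the WifExamples projects. It assumes the WIF runtime for .NET 4.0 (Microsoft.IdentityModel); the namespace `Example.Web` and the class name `StsResponseRequestValidator` are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation; // WIF runtime used on .NET 4.0

namespace Example.Web // hypothetical namespace
{
    // Hypothetical class name. Register it under system.web in web.config:
    //   <httpRuntime requestValidationType="Example.Web.StsResponseRequestValidator" />
    public class StsResponseRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context, string value,
            RequestValidationSource requestValidationSource,
            string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Only the "wresult" form field is a candidate for the exemption.
            // Every other field, query string value, cookie and header still
            // goes through the default ASP.NET check below.
            if (requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, WSFederationConstants.Parameters.Result,
                              StringComparison.Ordinal))
            {
                // Parse the POST as a WS-Federation message. Anything that is not
                // a sign-in response falls through to normal validation.
                var message = WSFederationMessage.CreateFromFormPost(context.Request)
                              as SignInResponseMessage;
                if (message != null)
                {
                    // Passing here only skips ASP.NET's markup check. It does not
                    // verify the token's signature or issuer; that remains the job
                    // of the WIF sign-in processing that runs afterwards.
                    return true;
                }
            }

            return base.IsValidRequestString(context, value, requestValidationSource,
                                             collectionKey, out validationFailureIndex);
        }
    }
}
```

Unlike the legacy mode, this keeps request validation active for every other POST to the application.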

Use legacy RequestValidationMode

This is less secure because it accepts all sorts of POSTs to your page. There are two parts of this solution:

Insert the following line under system.web in web.config:

<httpRuntime requestValidationMode="2.0" />

On the page that receives the STS responses (usually your default.aspx), add the following attribute to the Page directive at the top of the page:

ValidateRequest="false"

A way to improve the security of this solution would be to create a separate page just to receive STS responses, use ValidateRequest="false" on that page and register it as your response page in the STS.