Using HTTP vs HTTPS - nordvall/WifExamples GitHub Wiki

Windows Identity Foundation mostly supports both HTTP and HTTPS. HTTP may seem easier to use; however:

  • WCF refuses to use unencrypted security tokens. If you don't use HTTPS for your site, then WCF will require you to use an encryption certificate for the tokens. In other words, you will need a certificate anyway.
  • The DummySTS in the code samples accepts web sign-in without HTTPS, but when you move to production, ADFS will require an HTTPS address to redirect users back to after authentication.

So in summary: Use HTTPS when working with WIF.
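
One way to enforce this in the relying party's configuration, as an added example that is not taken from the WifExamples code. It assumes WIF 4.5 (`System.IdentityModel.Services`) and passive web sign-in; the issuer and realm URLs are placeholders.

```xml
<!-- Added example: web.config fragment. All URLs below are placeholders. -->
<system.identityModel.services>
  <federationConfiguration>

    <!-- Weak, development-only variant (left commented out):
         the session cookie may travel over plain HTTP and the
         module will redirect to a non-HTTPS issuer.
    <cookieHandler requireSsl="false" />
    <wsFederation passiveRedirectEnabled="true"
                  issuer="http://localhost/DummySTS/"
                  realm="http://localhost/MyApp/"
                  requireHttps="false" />
    -->

    <!-- Corrected variant:
         requireSsl="true" marks the session cookie Secure, so the
         browser only returns it over HTTPS.
         requireHttps="true" makes the module redirect only to an
         HTTPS issuer address. -->
    <cookieHandler requireSsl="true" />
    <wsFederation passiveRedirectEnabled="true"
                  issuer="https://sts.example.test/adfs/ls/"
                  realm="https://app.example.test/"
                  requireHttps="true" />

  </federationConfiguration>
</system.identityModel.services>
```

The fragment goes inside `<configuration>` and needs the matching `system.identityModel.services` section declared under `<configSections>`.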