WIF, ASP.NET 4.0 and Request Validation

Since the response of a WS-Federation sign-in request contains XML, the ASP.NET built-in request validation will trigger an exception. To solve this, request validation needs to be turned off for pages receiving such a response message.

Starting with ASP.NET 4.0 you can plug in your own request validation logic. This lets WS-Federation messages through while still applying standard request validation to all other requests. The WIF SDK (v4) contains a sample validator that does exactly that:

using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

public class WSFedRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString(
      HttpContext context,
      string value,
      RequestValidationSource requestValidationSource,
      string collectionKey,
      out int validationFailureIndex)
    {
        validationFailureIndex = 0;

        // Exempt only the WS-Federation result form field, and only when the
        // form post as a whole parses as a sign-in response message.
        if ( requestValidationSource == RequestValidationSource.Form &&
             collectionKey.Equals(
               WSFederationConstants.Parameters.Result,
               StringComparison.Ordinal ) )
        {
            SignInResponseMessage message =
              WSFederationMessage.CreateFromFormPost(context.Request)
               as SignInResponseMessage;

            if (message != null)
            {
                return true;
            }
        }

        // Everything else goes through the standard request validation.
        return base.IsValidRequestString(
          context,
          value,
          requestValidationSource,
          collectionKey,
          out validationFailureIndex );
    }
}

Register this validator via web.config:

<httpRuntime requestValidationType="WSFedRequestValidator" />
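The two approaches described above, side by side in web.config, as an added example that is not taken from the WIF SDK. The page name SignIn.aspx and the MyApp namespace and assembly names are placeholders.

```xml
<!-- Approach 1: turn request validation off for the page that receives the
     sign-in response. In ASP.NET 4.0 the page-level validateRequest setting is
     only honored when requestValidationMode is set back to "2.0", which also
     returns the whole application to the older, page-only validation behavior. -->
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
  <!-- SignIn.aspx is a placeholder for the page receiving the response -->
  <location path="SignIn.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>

<!-- Approach 2: keep ASP.NET 4.0 request validation on for every request and
     register the custom validator, which lets only a parsed WS-Federation
     sign-in response through. The attribute value is a type name; when the
     class lives in a namespace or a separate assembly, qualify it accordingly
     (MyApp.Security and MyApp are placeholders). -->
<configuration>
  <system.web>
    <httpRuntime
      requestValidationType="MyApp.Security.WSFedRequestValidator, MyApp" />
  </system.web>
</configuration>
```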

5 Responses to WIF, ASP.NET 4.0 and Request Validation

  1. Eric Berens says:

    I haven’t dug into the source of 4.5 to see what exactly they are doing, but it seems like something changed so that this is no longer needed. I’ve taken the requestValidationType attribute out of the httpRuntime config and I don’t get the “potential dangerous request” error anymore. Just curious if you knew if this is still needed with all the changes from .NET4.0/WIF to .NET4.5…

  2. Venkat says:

    I too had the same issue while using the WIF old sample (from MS lab exercise) into .NET 4.5 environment.
    So I don’t need to use the “WsFederationRequestValidator.cs” if I am doing this in .NET 4.5?

    I wish MS could have given the Hands on lab for claims in the .NET 4.5 environment.

  3. Venkat says:

    Thanks for the info. I too had the same issue, and I was wondering why MS made WSFederationConstants as private in .NET 4.5
    Is there any Hands on lab for claims with .NET 4.5 environment?
