WIF, ASP.NET 4.0 and Request Validation

Since the response of a WS-Federation sign-in request contains XML, the ASP.NET built-in request validation will trigger an exception. To solve this, request validation needs to be turned off for pages receiving such a response message.

Starting with ASP.NET 4.0 you can plug in your own request validation logic. This allows letting WS-Federation messages through, while applying all standard request validation to all other requests. The WIF SDK (v4) contains a sample validator that does exactly that:

public class WSFedRequestValidator : RequestValidator
{

    protected override bool IsValidRequestString(
      HttpContext context,
      string value,
      RequestValidationSource requestValidationSource,
      string collectionKey,
      out int validationFailureIndex)
    {
        validationFailureIndex = 0;


        if ( requestValidationSource == RequestValidationSource.Form &&
             collectionKey.Equals(
               WSFederationConstants.Parameters.Result,
               StringComparison.Ordinal ) )
        {
            SignInResponseMessage message =
              WSFederationMessage.CreateFromFormPost(context.Request)
               as SignInResponseMessage;

            if (message != null)
            {
                return true;
            }
        }

        return base.IsValidRequestString(
          context,
          value,
          requestValidationSource,
          collectionKey,
          out validationFailureIndex );
    }
}

Register this validator via web.config:

<httpRuntime requestValidationType=WSFedRequestValidator />

This entry was posted in IdentityModel. Bookmark the permalink.

5 Responses to WIF, ASP.NET 4.0 and Request Validation

  1. Eric Berens says:

    I haven’t dug into the source of 4.5 to see what exactly they are doing, but it seems like something changed so that this is no longer needed. I’ve taken the requestValidationType attribute out of the httpRuntime config and I don’t get the “potential dangerous request” error anymore. Just curious if you knew if this is still needed with all the changes from .NET4.0/WIF to .NET4.5…

  2. Venkat says:

    I too had same issue while using the WIF old sample (from MS lab exercise) into .NET 4.5 environment.
    So I don’t need to use the “WsFederationRequestValidator.cs” if I am doing this in .NET 4.5?

    I wish MS could have given the Hands on lab for claims in the .NET 4.5 environment.

  3. Venkat says:

    Thanks for the info. I too had the same issue, and i was wondering why MS made WSFederationConstants as private in .NET 4.5
    Is there any Hands on lab for claims with .NET 4.5 environment?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s