Since the response of a WS-Federation sign-in request contains XML, the ASP.NET built-in request validation will trigger an exception. To solve this, request validation needs to be turned off for pages receiving such a response message.
Starting with ASP.NET 4.0 you can plug in your own request validation logic. This lets WS-Federation messages through while still applying standard request validation to all other requests. The WIF SDK (v4) contains a sample validator that does exactly that:
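    public class WSFedRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context, string value, RequestValidationSource requestValidationSource,
            string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;
            if ( requestValidationSource == RequestValidationSource.Form &&
                 collectionKey.Equals( WSFederationConstants.Parameters.Result, StringComparison.Ordinal ) )
            {
                // Skip validation only when the form post parses as a WS-Federation sign-in response.
                SignInResponseMessage message =
                    WSFederationMessage.CreateFromFormPost( context.Request ) as SignInResponseMessage;
                if (message != null) return true;
            }
            return base.IsValidRequestString( context, value, requestValidationSource, collectionKey, out validationFailureIndex );
        }
    }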
Register this validator via web.config:
    <httpRuntime requestValidationType="WSFedRequestValidator" />
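A narrower variant of the validator above, as an added example that is not from the WIF SDK or the original post: it skips validation only for POSTs to a single sign-in path, so every other page keeps full request validation. The class name, the `SignInPath` value and the `IsSignInEndpoint` helper are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

public class ScopedWSFedRequestValidator : RequestValidator
{
    // Assumption: app-relative path of the page that receives the sign-in
    // response; change it to match your relying party's reply URL.
    private const string SignInPath = "~/signin.aspx";

    protected override bool IsValidRequestString(
        HttpContext context, string value,
        RequestValidationSource requestValidationSource,
        string collectionKey, out int validationFailureIndex)
    {
        validationFailureIndex = 0;

        // Exempt only the wresult form field, and only on the sign-in endpoint.
        if (requestValidationSource == RequestValidationSource.Form &&
            string.Equals(collectionKey, WSFederationConstants.Parameters.Result,
                          StringComparison.Ordinal) &&
            IsSignInEndpoint(context.Request))
        {
            var message = WSFederationMessage.CreateFromFormPost(context.Request)
                          as SignInResponseMessage;
            if (message != null)
            {
                return true;
            }
        }

        // Everything else goes through the standard ASP.NET checks.
        return base.IsValidRequestString(context, value, requestValidationSource,
                                         collectionKey, out validationFailureIndex);
    }

    private static bool IsSignInEndpoint(HttpRequest request)
    {
        return string.Equals(request.HttpMethod, "POST",
                             StringComparison.OrdinalIgnoreCase) &&
               string.Equals(request.AppRelativeCurrentExecutionFilePath, SignInPath,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

It is registered the same way, with the class name in the `requestValidationType` attribute of `httpRuntime`.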
I haven’t dug into the source of 4.5 to see what exactly they are doing, but it seems like something changed so that this is no longer needed. I’ve taken the requestValidationType attribute out of the httpRuntime config and I don’t get the “potential dangerous request” error anymore. Just curious if you knew if this is still needed with all the changes from .NET4.0/WIF to .NET4.5…
In 4.5 the WS-Fed response check is built in. Just set the requestValidationMode to “4.5”.
Good to know. Thanks for the info.
I too had the same issue while using the old WIF sample (from the MS lab exercise) in a .NET 4.5 environment.
So I don’t need to use the “WsFederationRequestValidator.cs” if I am doing this in .NET 4.5?
I wish MS could have given the Hands on lab for claims in the .NET 4.5 environment.
Thanks for the info. I too had the same issue, and I was wondering why MS made WSFederationConstants private in .NET 4.5.
Is there any Hands on lab for claims with .NET 4.5 environment?