Workarounds to use Windows Identity Foundation SDK with Visual Studio 2010 RC

There’re some known issues with using Windows Identity Foundation SDK on Visual Studio 2010 RC that don’t exist with VS 2008. When VS 2010 is released, we expect to refresh SDK to resolve these problems, in the meantime, we’ve some simple guidance for using SDK with VS 2010. “Request Validation: difference in behavior stems from […]

There’re some known issues with using Windows Identity Foundation SDK on Visual Studio 2010 RC that don’t exist with VS 2008. When VS 2010 is released, we expect to refresh SDK to resolve these problems, in the meantime, we’ve some simple guidance for using SDK with VS 2010. “Request Validation: difference in behavior stems from changes made to .NET 4.0 runtime with respect to validating user input received by ASP.NET web forms. In VS2008, any form field or cookie coming from browser was checked for potentially dangerous content unless validateRequest=false was set (either in web.config or a specific .aspx file). In a passive federated authentication scenario, response token from an STS (represented in XML) is posted back to ASP.NET site in a form field, and thus will be flagged as dangerous by default. With ASP.NET 4.0 a web site must declare a class which’ll be responsible for validating all input. Value of validateRequest is ignored by default. If no such class is declared, suspicious input (including token XML) will be rejected,” explained Microsoft. There’re several simple workarounds to this problem.