Why am I getting the "A potentially dangerous Request.Form value was detected from the client" error?


You might try decorating the controller action you are posting to (and the one which throws this exception) with the [ValidateInput(false)] attribute (by leaving <httpRuntime requestValidationMode="2.0"/> in web.config).


I had the same problem.

Here is an example of my solution:

    [ValidateInput(false)]
    public ActionResult *YourMethodName*(FormCollection forms)
    {
        // Encoded string
        string EncodedValue = Server.HtmlEncode(forms[*name or index*]);
        // Normal string
        string value = forms[*name or index*];
        //....
    }

You don't need anything in your webconfig.


I wrote a small blog note on this here: http://erikbra.wordpress.com/2012/04/17/wif-saml-token-post-and-requestvalidationmode2-0/. It isn't necessary to turn off request validation, or set it to 2.0 for your entire site.

In short, you only need to alter the requestValidationMode to 2.0 mode on the specific URL that WIF posts back the SAML token to. This can be done with a <location> element (see location Element (ASP.NET Settings Schema) for details) in your web.config, like this:

    <location path="WIFHandler">
      <system.web>
        <httpRuntime requestValidationMode="2.0" />
      </system.web>
    </location>

The “WIFHandler” location does not need to exist in your app, as WIF will shortcut the pipeline before ASP.NET tries to handle the request, and redirect you to the return url (ru in the wctx parameter of the SAML token POST) instead.

In your WIF configuration section of the web.config file, be sure to match the “reply” parameter with the location where you set request validation mode to 2.0 mode:

    <microsoft.identityModel>
      <service>
        <federatedAuthentication>
          <wsFederation passiveRedirectEnabled="true"
                        issuer="https://localhost/STS/"
                        realm="https://localhost/MyApp/"
                        reply="https://localhost/MyApp/WIFHandler/" />
    (...)
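One way to check the scoping the last answer describes, as an added example that is not part of any answer above: a Python audit that flags site-wide 2.0 mode and verifies that the WIF `reply` URL maps to a `<location>` with 2.0 mode. The `audit` and `uses_mode_20` names and the sample config are constructed here, and the script assumes the `realm` path is the application root.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the two web.config fragments from the answer, combined.
SAMPLE = """<configuration>
  <location path="WIFHandler">
    <system.web><httpRuntime requestValidationMode="2.0" /></system.web>
  </location>
  <microsoft.identityModel><service><federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true"
                  issuer="https://localhost/STS/"
                  realm="https://localhost/MyApp/"
                  reply="https://localhost/MyApp/WIFHandler/" />
  </federatedAuthentication></service></microsoft.identityModel>
</configuration>"""

def uses_mode_20(parent):
    """True if parent holds system.web/httpRuntime with requestValidationMode="2.0"."""
    return any(rt.get("requestValidationMode") == "2.0"
               for sw in parent if sw.tag == "system.web"
               for rt in sw if rt.tag == "httpRuntime")

def audit(config_xml):
    """Return findings about where 2.0 request validation mode is enabled."""
    root = ET.fromstring(config_xml)
    findings = []
    if uses_mode_20(root):  # httpRuntime outside any <location>: whole site
        findings.append("site-wide requestValidationMode=2.0")
    # <location> paths that opt in to 2.0 mode (IIS paths are case-insensitive).
    scoped = {loc.get("path", "").strip("/").lower()
              for loc in root if loc.tag == "location" and uses_mode_20(loc)}
    for ws in root.iter("wsFederation"):
        realm = urlparse(ws.get("realm", "")).path
        reply = urlparse(ws.get("reply", "")).path
        # Assumption: the realm path is the application root, so the reply
        # path relative to it is what a <location path="..."> would name.
        if reply.lower().startswith(realm.lower()):
            reply = reply[len(realm):]
        rel = reply.strip("/").lower()
        if rel not in scoped:
            findings.append(f"reply path '{rel}' has no matching <location>")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "OK: 2.0 mode is scoped to the WIF reply path")
```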