When users log out using CAS SSO, ASP.NET MVC triggers a HttpRequestValidationException

Question

We're using the Jasig .NET CAS Client to interface with our organization's CAS SSO server.

However, we've noticed that in ASP.NET MVC 3 (and I would assume this affects ASP.NET WebForms as well) applications, when users log out, we see the following error in our error log:

System.Web.HttpRequestValidationException (0x80004005):
A potentially dangerous Request.Form value was detected from the client
(logoutRequest="<samlp:LogoutRequest...").
  at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
  at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
  at System.Web.HttpRequest.get_Form()
  at System.Web.HttpRequest.FillInParamsCollection()
  at System.Web.HttpRequest.GetParams()
  at DotNetCasClient.Utils.RequestEvaluator.GetRequestIsCasSingleSignOut() in C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\Utils\RequestEvaluator.cs:line 292
  at DotNetCasClient.CasAuthenticationModule.OnBeginRequest(Object sender, EventArgs e) in C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\CasAuthenticationModule.cs:line 93
  at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

I don't believe this is an error message users are receiving -- it seems to only be seen by the server. As far as the users are concerned, log out is successful.

Is there any way I can get ASP.NET MVC to stop trying to validate these types of requests? I know I can disable request validation completely, but that's out of the question. The site with a hyphen has a good question on this, but not really an acceptable answer:

add the following setting to the web.config:

<httpRuntime requestValidationMode="2.0" />

After setting this value, U can disable request validation by setting validateRequest="false"

So, is there any way to disable ASP.NET validation for this request without turning it off completely?

Edit: This is also tricky to debug because this request is coming from the CAS server, NOT from the user's browser. I think this is the CAS server attempting to notify all running applications that the user has signed out (single sign out). So we're only receiving this error in production, not when testing locally.

Answer 1

The dotnetcas client gets access to the request before it gets to an MVC controller action, so it is not possible to simply set the validation attribute on an MVC controller or action.

The target of this request seems to be the last URL that was validated, so it is not possible to disable validation for a specific path in your application by using this method either: http://erikbra.wordpress.com/2012/04/17/wif-saml-token-post-and-requestvalidationmode2-0/

From what I see you have a couple of options:

Disable this validation:

<system.web>
  <httpRuntime  requestValidationMode="2.0" />
</system.web>

or

.Net 4.5 allows you to access a request before it goes through validation. If you have access to this you can re-compile the client from source, fixing the relevant issue.

Answer 2

I am not familar with Jasig .NET CAS but ASP.NET MVC allows you to disable request validation at the page level.

Add the following attribute to your controller action:

[ValidateInput(false)]