Using Html.AntiForgeryToken in MVC 4 has changed slightly from the previous version if you’re building a claims-aware application. In prior versions User.Identity.Name was included in the anti-forgery token as a way to validate the <form> being submitted, but in MVC 4 if the identity is IClaimsIdentity (WIF) or ClaimsIdentity (.NET 4.5) then the anti-forgery token attempts to put one or more claim values into the anti-forgery token.
The problem is which claim(s) should it use? The value needs to uniquely identifier the user, so by default MVC expects the nameidentifier (“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier” from OASIS) and the identityprovider (“http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider” from Windows Azure ACS). So if you’re using ACS as your STS then you’re all set. If you’re not using ACS then you’ll see this error:
A claim of type ‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier’ or ‘http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider’ was not present on the provided ClaimsIdentity. To enable anti-forgery token support with claims-based authentication, please verify that the…
View original post 151 more words