Since the response of a WS-Federation sign-in request contains XML, the ASP.NET built-in
request validation will trigger an exception. To solve this, request validation needs
to be turned off for pages receiving such a response message.

Starting with ASP.NET 4.0, you can plug in your own request validation logic. This
lets WS-Federation messages through while still applying standard request
validation to all other requests. The WIF SDK (v4) contains a sample validator that
does exactly that:

using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

public class WSFedRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString(
        HttpContext context,
        string value,
        RequestValidationSource requestValidationSource,
        string collectionKey,
        out int validationFailureIndex)
    {
        validationFailureIndex = 0;

        // Only the form field that carries the sign-in response (wresult) is exempted.
        if (requestValidationSource == RequestValidationSource.Form &&
            collectionKey.Equals(
                WSFederationConstants.Parameters.Result,
                StringComparison.Ordinal))
        {
            // Let the value through only if the post parses as a sign-in response message.
            SignInResponseMessage message =
                WSFederationMessage.CreateFromFormPost(context.Request)
                as SignInResponseMessage;

            if (message != null)
            {
                return true;
            }
        }

        // Everything else goes through the standard request validation.
        return base.IsValidRequestString(
            context,
            value,
            requestValidationSource,
            collectionKey,
            out validationFailureIndex);
    }
}

Register this validator via web.config:
<httpRuntime requestValidationType="WSFedRequestValidator" />
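
For context, an added web.config sketch (not from the original post or the WIF SDK) that places the registration inside `system.web` and, commented out, shows the broader opt-out it replaces. The namespace `MyApp.Security` and assembly `MyApp` are placeholders; a validator class in App_Code without a namespace can be referenced by its bare name as above.

```xml
<configuration>
  <system.web>

    <!--
      Broad alternative, shown for comparison only: switching request
      validation off for the page that receives the sign-in response.
      ASP.NET 4.0 honors the page-level setting only in 2.0 mode, and
      every other field posted to that page then goes unvalidated as well.

      <httpRuntime requestValidationMode="2.0" />
      <pages validateRequest="false" />
    -->

    <!--
      Narrow alternative: request validation stays on everywhere and the
      custom validator exempts only a form field named wresult that parses
      as a WS-Federation sign-in response.
      Type name format: "Namespace.Class, Assembly" (placeholder names).
    -->
    <httpRuntime
      requestValidationType="MyApp.Security.WSFedRequestValidator, MyApp" />

  </system.web>
</configuration>
```

The exemption only skips the markup check on the posted field. The security token inside the response is still validated later by the WS-Federation processing pipeline, not by this validator.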