This is effectively just a "retweet", but I wanted to call this out because it was very helpful recently in solving a problem in what I think is an important scenario - using ACS for federated identity management with an application hosted in the new Azure web sites. Vittorio Bertocci posted on the relatively easy change you need to make in order to have this work when using .NET 4.5. You typically see the problem manifest itself with an error message like this: "The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context". Most solutions you will find on the net talk about writing a custom SessionSecurityTokenHandler, but that method doesn't work with .NET 4.5, where WIF is basically absorbed into the core framework.
In any case, for more details please see Vittorio's post on this topic here: http://blogs.msdn.com/b/vbertocci/archive/2013/01/28/running-wif-based-apps-in-windows-azure-web-sites.aspx?wa=wsignin1.0.
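For reference, the web.config change usually applied for this error under .NET 4.5, shown as an added example that is not copied from the original post: it swaps the default DPAPI-backed session token handler for the machineKey-backed one. The assembly versions and public key tokens are those of the stock .NET 4.5 framework assemblies and are assumed here.

```xml
<!-- Added example: fragment of web.config for a WIF (.NET 4.5) relying party. -->
<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <!-- The default handler protects the session cookie with DPAPI, which
           needs the user profile loaded for the worker process identity.
           When the profile is not loaded, the "data protection operation
           was unsuccessful" error is raised. -->
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <!-- This handler ships with .NET 4.5 and protects the session cookie
           with the ASP.NET machineKey instead of DPAPI, so no user profile
           is required. -->
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>
```

Because the session cookie is then protected with the machineKey, every instance that serves the application must use the same key.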
For those of you wondering how/why I came across this, I built a web app for a demo with SharePoint 2013, and am using a combination of the new app model, the new Microsoft.SharePoint.Client.SharePointOnlineCredentials class for authentication, and now ACS and Azure web sites. It is part of a simple little poll application, but is mostly interesting in tying all these pieces together.