In our project all WCF services are secured by wsHttpBinding (TransportWithMessageCredential, UserName) option.
It works fine but now we need to implement the security with one more parameter (ClientId).
When a WCF service gets a call it doesn't know what is the DB of the call (where to check user name and password), so at first it should go the "main" database of our company (where all the clients are stored) and get a connection string by ClientId.
How can we implement this?
I've implemented that in the past by using specially formatted Username strings to allow additional information to be sent. There are no rules around exactly how you send through the username and password in those string fields, so the content could actually be a serialized object, compressed string, or whatever you deem necessary.
I couldn't find any other way to send information along elegantly.
Just parse that information out in your AuthorizationPolicy implementation.