The environment is an internal service-based application running in a Windows environment with WCF.
There are several “middle tiers” of ASP.NET web applications and web services that authenticate the end client using Windows authentication and use the ASP.NET roles to set Thread.CurrentPrincipal to a suitable RolePrincipal. These applications run under their own service account, which is a domain account, and are considered trusted subsystems.
There are some internal WCF web services that only these trusted mid-tier applications can access. They use Windows authentication to restrict access to the service accounts used by these applications.
We now have a requirement that internal services verify the identity of the end customer, whose call to a mid-tier application leads to a call to the internal service.
To avoid making any changes to the application, I was thinking of writing an endpoint behavior that inserts a SOAP header with an end-client identifier into a request sent to the backend. Note that mid-tier applications are trusted, so authentication of this SOAP header is not required.
It occurred to me that this requirement cannot be unique, so before I invent my own SOAP header for this purpose, I thought I would ask if there are any standards in this area that I could reuse?
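The endpoint-behavior approach described in the question, sketched as an added example that is not part of the original post: a client message inspector in the mid tier copies `Thread.CurrentPrincipal` into a SOAP header, and the internal service reads it only after confirming the Windows-authenticated caller is a trusted service account. The header name, namespace URI, class names and account names are hypothetical and do not come from any standard.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Threading;

// Mid tier: adds the authenticated end client's name to every outgoing request.
class EndClientInspector : IClientMessageInspector
{
    // Hypothetical header name and namespace (assumptions, not a standard).
    public const string Name = "EndClientIdentity", Ns = "urn:example:end-client";

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        string user = Thread.CurrentPrincipal.Identity.Name; // set by the ASP.NET role provider
        request.Headers.Add(MessageHeader.CreateHeader(Name, Ns, user));
        return null; // no correlation state needed
    }
    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}

// Attach to the client endpoint in code or through a BehaviorExtensionElement.
class EndClientBehavior : IEndpointBehavior
{
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime runtime)
    { runtime.MessageInspectors.Add(new EndClientInspector()); }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection p) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher d) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// Internal service: the header is unauthenticated, so it is honoured only when
// the transport-level caller is one of the trusted subsystem accounts.
static class EndClientReader
{
    // Constructed sample account names.
    static readonly HashSet<string> Trusted = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { @"EXAMPLE\svc-web1", @"EXAMPLE\svc-web2" };

    public static string GetEndClient()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || !Trusted.Contains(ctx.WindowsIdentity.Name))
            throw new FaultException("Caller is not a trusted subsystem.");
        MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
        if (headers.FindHeader(EndClientInspector.Name, EndClientInspector.Ns) < 0)
            throw new FaultException("End client identity header is missing.");
        return headers.GetHeader<string>(EndClientInspector.Name, EndClientInspector.Ns);
    }
}
```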