We are replacing an existing web service that supports both SOAP and POX endpoints for a large number of clients. SSL provides transport security but the messages contain credentials (username/password) embedded in the message bodies. All the WCF SOAP bindings that use message security require credentials to be in the message header, while the webHttpBinding only supports transport credentials.
Because of the application infrastructure, however, it is important that I properly set up WCF with our custom Principal and Identity objects. As far as I know the only way to do this is via an IAuthorizationPolicy.
We have added our custom ServiceAuthorizationManager and indicated we want to use PrincipalPermissionMode.Custom. I have created an IDispatchMessageInspector that examines the messages and can construct a ClaimSet to be used by our custom ServiceAuthorizationManager.
However, I cannot find a way to get that ClaimSet to the ServiceAuthorizationManager or set the Principal/Identity.
Since I need to configure WCF to not use any of its inbuilt authentication mechanisms, it appears any IAuthorizationPolicy objects I configure are simply not called because WCF believes we are using Anonymous authentication.
Is it possible to get WCF to evaluate an IAuthorizationPolicy if it believes the authentication is Anonymous? Is there a simpler way to extract the credentials from the message and integrate with the standard WCF processing pipeline?