How do I supply additional security tokens beyond those needed to sign and encrypt the message? How do I use those tokens on the service?
The additional security tokens are configured through the binding. The client binding needs to be configured with the list of tokens that should be sent to the service. The service binding needs to be configured with the list of tokens that it should expect to receive and authenticate.
The tokens are then scoped to either a single operation or all of the operations on an endpoint. This leads to multiple buckets of tokens on the security binding element.
The tokens are authenticated at the service, and once in your service code you can enumerate them from OperationContext.Current.SupportingTokens.
Next time: Request Queues