I've had a few people ask whether the WCF subset in Silverlight supports message-level security. The answer currently is: not very much. Security support is essentially limited to the facilities you'd expect any other browser-based application to have, primarily HTTPS and the common browser HTTP authentication modes.
Dominick Baier, though, has put together a set of workarounds to enable basic support for federation from a Silverlight client. The method has two parts: some customization of the token service, to simplify the required protocol and pick one of the supported authentication types, and some customization of the client application, to manually insert the security headers into messages. This gives you a simple form of bearer tokens in messages for a service implemented across two different security domains.