WCF Authentication -- Authenticate user/pass one time, then authenticate some other way afterwards?

Basically, I have the following scenario and information:

  • We're using HTTPS.
  • We want to authenticate a user by user/pass when they first log in.
  • After they are authenticated, I want any future calls to OTHER services (not the login service) to use the username and some sort of session (in case the password changes in the middle of a session).
  • I want to make sure my sessions can timeout and control them in a way that if a user tries to call a service and they don't have a session they get an error (cause they haven't logged in). Not sure if there's a WCF built-in way to do sessions this way or if I'll have to do something customized with a database.
  • I think we want to use WSHttpBinding (not BasicHttpBinding), 90% sure on this.

I just can't seem to figure out how to do this. Oftentimes I'll find information on the client code doing client.ClientCredentials.UserName.UserName = username and client.ClientCredentials.UserName.Password = password. But, that just doesn't work because what is my server checking against? I'm trying to grab that info and validate it against a database of user/passes. I'm not looking to use Windows Authentication or that sort (because I don't care who is logged into the computer, just who is logging into the app).


You want to use a Secure Token Service (STS) to authenticate and get a Security Token (maybe SAML) back that identifies the user which can then be passed to your other services and they can just use the identity information to identify and authorize because they trust the STS has verified the user's identity up front.

This is a large subject to discuss, so I suggest searching for WCF STS and doing some more research, but that's definitely the direction I'd recommend going. If you're going to build your own STS implementation, I also recommend looking into using the Windows Identity Foundation (WIF) components to ease your development efforts.

Here's the download link for WIF v1.0 which is the latest version at the time of this answer.
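
The flow the answer describes (authenticate once, receive a token, present it to the other services) can be sketched as follows. This is an added example, not part of the original answer and not WIF or SAML code: the `SessionToken` class, its key, and the token layout are hypothetical, and an HMAC-signed string stands in for the signed security token a real STS would issue. WCF bindings and message headers are omitted.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: simplified stand-in for an STS-issued token (not SAML, not WIF).
public static class SessionToken
{
    // Constructed demo key; in practice a secret held only by the issuer and the relying services.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-0123456789abcdef");

    static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Login service: call only after the user/pass check against the user database succeeded.
    public static string Issue(string userName, TimeSpan lifetime, DateTime nowUtc)
    {
        string user = Convert.ToBase64String(Encoding.UTF8.GetBytes(userName));
        string payload = user + "." + nowUtc.Add(lifetime).Ticks;
        return payload + "." + Sign(payload);   // base64 never contains '.', so '.' is a safe separator
    }

    // Every other service: returns the user name, or null if malformed, forged or expired.
    public static string Validate(string token, DateTime nowUtc)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3) return null;
        byte[] expected = Encoding.UTF8.GetBytes(Sign(parts[0] + "." + parts[1]));
        if (!FixedTimeEquals(expected, Encoding.UTF8.GetBytes(parts[2]))) return null;
        long expiryTicks;
        if (!long.TryParse(parts[1], out expiryTicks) || nowUtc.Ticks >= expiryTicks) return null;
        return Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
    }

    // Constant-time comparison so a forged signature cannot be guessed byte by byte via timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string token = Issue("alice", TimeSpan.FromMinutes(20), now);
        Console.WriteLine(Validate(token, now.AddMinutes(5)) ?? "rejected");   // inside lifetime
        Console.WriteLine(Validate(token, now.AddMinutes(21)) ?? "rejected");  // past expiry
        Console.WriteLine(Validate(token + "x", now) ?? "rejected");           // tampered signature
    }
}
```

A self-contained token like this cannot be revoked before it expires; ending a session early (for example on a password change) requires a server-side session or revocation record that the services check as well.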
