Wash_out supports only WSSE (Web service security) authentication.
It looks something like this:
```xml
<soap:Header>
  <wsse:Security xmlns:wsse="http://schemas.xmlsoap.org/ws/2003/06/secext">
    <wsse:UsernameToken wsu:Id="sample"
        xmlns:wsu="http://schemas.xmlsoap.org/ws/2003/06/utility">
      <wsse:Username>sample</wsse:Username>
      <wsse:Password Type="wsse:PasswordText">oracle</wsse:Password>
      <wsu:Created>2004-05-19T08:44:51Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
```
I believe, if you are using wash_out, you can get headers with something like this (I didn't try this code, I am just looking at https://github.com/inossidabile/wash_out/blob/master/lib/wash_out/dispatcher.rb):
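```ruby
# wash_out keeps the parsed SOAP request in the Rack env; keys may be lower- or upper-case
envelope = request.env['wash_out.soap_data'].values_at(:envelope, :Envelope).compact.first
header = envelope.values_at(:header, :Header).compact.first
# Read the credential fields from the SOAP header
user_id = header.values_at(:userID, :UserID).compact.first
password = header.values_at(:password, :Password).compact.first
```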
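
An added example, not part of the original answer or of wash_out: checking a UsernameToken like the one above after it has been parsed into a nested Hash. The hash shape, the `dig_any`, `secure_equal?` and `check_username_token` helpers, and the 300-second freshness window are assumptions made for illustration.

```ruby
require 'digest'
require 'time'

# Constructed sample: the WSSE header from the post as a parsed Hash.
# Key names and nesting are assumptions, not wash_out's documented output.
SAMPLE_SOAP_DATA = {
  Envelope: { Header: { Security: { UsernameToken: {
    Username: 'sample', Password: 'oracle', Created: '2004-05-19T08:44:51Z'
  } } } }
}.freeze

# Walk a nested Hash, accepting any of the given key spellings at each level.
def dig_any(hash, *levels)
  levels.reduce(hash) do |node, names|
    return nil unless node.is_a?(Hash)
    node.values_at(*names).compact.first
  end
end

# Compare SHA-256 digests byte by byte so timing does not reveal
# the position of the first differing character.
def secure_equal?(a, b)
  x = Digest::SHA256.digest(a.to_s).bytes
  y = Digest::SHA256.digest(b.to_s).bytes
  x.zip(y).reduce(0) { |acc, (m, n)| acc | (m ^ n) }.zero?
end

# Returns :ok, or a symbol naming why the token was rejected.
def check_username_token(soap_data, user:, password:, now: Time.now.utc, max_age: 300)
  token = dig_any(soap_data, %i[envelope Envelope], %i[header Header],
                  %i[security Security], %i[username_token UsernameToken])
  return :missing_token unless token.is_a?(Hash)

  # Reject tokens without a parseable Created value or outside the window.
  created = Time.iso8601(dig_any(token, %i[created Created]).to_s) rescue nil
  return :bad_timestamp if created.nil?
  return :stale_token if (now - created).abs > max_age

  # Non-short-circuit & so both comparisons always run.
  good = secure_equal?(dig_any(token, %i[username Username]), user) &
         secure_equal?(dig_any(token, %i[password Password]), password)
  good ? :ok : :bad_credentials
end
```

With `Type="wsse:PasswordText"` the password travels in clear inside the envelope, so this check only protects the service when the request arrives over TLS.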