The authentication token used to log into the client site should be passed through to the WCF service.
In this case you should be requesting an "ActAs" token from the STS:
- The WCF service should be configured as a Relying Party of the STS.
- The MVC site should call back to the STS and request an ActAs token specific to the WCF service.
- The MVC site uses the ActAs token to call the service.
The motivation for the complexity: Delegation, or traversing multilayer architectures
Since you mentioned WS standards: Requesting Delegation (ActAs) Tokens using WSTrustChannel (as opposed to Configuration Madness)
Not knowing your STS it's hard to say more, but Googling "ActAs token" will probably give you what you need.
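The three steps above, sketched with the WIF classes in .NET 4.5, as an added example that is not part of the original answer. The endpoint addresses, the `IOrderService` contract, Windows authentication of the MVC site to the STS, and bearer key type are all assumptions; adjust them to what your STS and service actually expose.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IOrderService { [OperationContract] string GetOrders(); } // hypothetical contract

public static class ActAsClient
{
    // Placeholder addresses (assumptions); substitute your STS and service endpoints.
    const string StsEndpoint = "https://sts.example.test/trust/13/issue";
    const string ServiceEndpoint = "https://services.example.test/OrderService.svc";

    public static string CallServiceAs(ClaimsIdentity user)
    {
        // Token the user signed in with; needs saveBootstrapContext="true" in <identityConfiguration>.
        var bootstrap = user.BootstrapContext as BootstrapContext;
        if (bootstrap == null || bootstrap.SecurityToken == null)
            throw new InvalidOperationException("No bootstrap token for the signed-in user.");

        // The MVC site authenticates to the STS as itself (Windows credentials assumed).
        var stsBinding = new WS2007HttpBinding(SecurityMode.Transport);
        stsBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        var sts = new WSTrustChannelFactory(stsBinding, new EndpointAddress(StsEndpoint));
        sts.TrustVersion = TrustVersion.WSTrust13;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            AppliesTo = new EndpointReference(ServiceEndpoint),       // audience: the WCF relying party only
            ActAs = new SecurityTokenElement(bootstrap.SecurityToken) // the user being delegated
        };
        RequestSecurityTokenResponse rstr;
        SecurityToken actAsToken = sts.CreateChannel().Issue(rst, out rstr);

        // Present the delegated token to the service instead of the site's own identity.
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        binding.Security.Message.EstablishSecurityContext = false;
        var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(ServiceEndpoint));
        factory.Credentials.SupportInteractive = false;
        factory.Credentials.UseIdentityConfiguration = true;
        return factory.CreateChannelWithIssuedToken(actAsToken).GetOrders();
    }
}
```

Setting `AppliesTo` to the service address scopes the issued token to that relying party, so the service can reject tokens minted for any other audience.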