I'm sure everybody appreciated how WSE2 makes exceptionally easy to use WS-SecureConversation: you turn autoIssueSecurityContextToken on, you lay out two matching policy caches and voilà. Your endpoint has a double life: by day it answers WSDL-legitimate requests, by night it gives away SCTs to the worthy clients :-)
What is less known is that you can apply exactly the same model even if you lay out your own SecurityContextTokenService heir: you have just to add a classical type attribute to autoIssueSecurityContextToken, where you describe your issuer class:

<autoIssueSecurityContextToken enabled="true" type="MyAssembly.CustomSecurityContextTokenService, MyAssembly" />

your custom SCT issuer will be automagically associated with the endpoint, exactly like the WSE one. Coool, isn't it?