In this scenario we also have a security context between the client and the service, but the client doesn't have a X.509 certificate, so the context is established using a symmetric key.
All the communication in the security context is signed using the keys from the security context: