Invoking a ACL protected RFC Adapter service programmatically

We have an in-house developed workflow tool that generates an XML payload and has a capability of doing HTTP POST & HTTPS POST to the Web service on webMethods. This web service will in turn invoke an RFC adapter service and post the data from the XML payload to SAP.
Option 1:
We tried posting using HTTP POST from the HTTP version of workflow tool; however the workflow tool is not able to authenticate itself using the BASIC ACCESS AUTHENTICATION with Web service.
Option 2:
We tried posting using HTTPS POST from the HTTPS version of workflow tool, in which the authentication is supposed to be using HTTPS certificates, but due to some reason the workflow is not able to authenticate itself using exchange of certificates.
Option 3:
We are now trying an option of making the Web service as HTTPS + anonymous so that the request can reach the Web service and then to RFC Adapter service. Here comes the security issue, so to circumvent the security issue we are planning to make the RFC Adapter service secured. So, we can set the ACL for the RFC Adapter service.

The UserID and password cannot be sent separately other than the XML payload in the POST. So the question is, whether the webMethods can programmatically parse the XML payload and take the UserID and password from the XML payload and authenticate with the RFC adapter service by passing the UserID and password parameters to access the RFC adapter service?