Business Process Outsourcing (BPO) enables the delegation of entire business processes to third party providers. Such scenarios involve communication between federated and heterogenous workflow engines. However, state-of-the-art workflow engines fall short of a distributed authorisation mechanism for this heterogenous, federated BPO setting. In a cross-organisational context, the security requirements involve (i) delegation and verification of privileges in a confidential manner, (ii) secure asynchronous operations during the long-term workflows even when the users are logged-off, and (iii) controlling access to interfaces of the different workflow engines involved. To address these challenges, we present a voucher-based authorisation architecture and middleware. We extended the WF-Interop [ ] middleware with a security module to support this authorisation architecture. We further validated our contributions by prototyping a billing workflow case study on top of the extended WF-Interop middleware and evaluated the performance overhead of the security extensions to the middleware.