---
title: Creating an encrypted embedded assertion
framework: authenticationservices
role: article
role_heading: Article
path: authenticationservices/creating-an-encrypted-embedded-assertion
---

# Creating an encrypted embedded assertion

Request an encrypted embedded assertion for login types that require password encryption.

## Overview

During authentication, if the SSO extension requests password encryption by setting the loginRequestEncryptionPublicKey in the login configuration, the system doesn't send the password in the login request. Instead, it creates an encrypted embedded assertion that contains the password.

The assertion is a JSON Web Encryption (JWE) object that's encrypted according to RFC 7516 Section 5.1 with JWE Compact Serialization. The supported key agreement algorithm is ECDH-ES per RFC 7518 Section 4.6. This algorithm is ECIES, a proven-secure algorithm with the public keys included. See the Configure concatenation key derivation function (Concat KDF) section below for input values. Key agreement uses the public key for the loginRequestEncryptionPublicKey that's supplied during registration. The supported encryption algorithm is A256GCM per RFC 7518 Section 5.3.

The following table specifies the header parameters that the system uses to create an encrypted embedded assertion:

The following table specifies the body parameters that the system uses to create an encrypted embedded assertion:

### Configure concatenation key derivation function (Concat KDF)

Configuration of Concat KDF for Platform SSO is per RFC 7518 Section 4.6.2 and NIST.800-56A sections 5.8.1 and 6.2.2.2. See the input definitions in the table below. The system concatenates these values per NIST.800-56A section 5.8.1 and then computes a SHA-256 hash to create the key. Then, it sends the PartyUInfo and PartyVInfo values to the server in the header.

The following code sample provides an example of an encrypted embedded assertion request:

```
{
  "enc" : "A256GCM",
  "apv" : "AAAADUFQUExFRU1CRURERUQAAABBBCX87eqonWyNUNz2JeH2wG68_WiPfQlJw6AiDvHSD08n5Hdn1oDUBxhL_TRarvhUUGDYsnBRk2HRH_ZoXGtpUncAAABuQXdBQkFBQUFBQUFEQU96X0JBRHZfeHRndV9TTTFNdm9xMDJQWXpfWWZYeHg1RkFnY0xITE5pa0g2Z2pyQld3Y3FuUldfaGF4cU85SkNpUGF0NUtma1RpbHkwNFM4RUgzQVF3VnNXQ3hIWVFnQUE",
  "alg" : "ECDH-ES",
  "epk" : {
    "y" : "1wfUpcnhOq7SPl77UBfkanXdQObiBXDIDLx0n1_zlJI",
    "x" : "NUnMKzz81Fl0SilEVYgWWjL_4lTAaXHeJ4uJGQ19AAk",
    "kty" : "EC",
    "crv" : "P-256"
  },
  "kid" : "7y1xXc4I6iAyldmVkIeGtQxo8NRq2FgKFb++Or13jxU=",
  "apu" : "AAAABUFQUExFAAAAQQQ1ScwrPPzUWXRKKURViBZaMv_iVMBpcd4ni4kZDX0ACdcH1KXJ4Tqu0j5e-1AX5Gp13UDm4gVwyAy8dJ9f85SS",
  "typ" : "platformsso-encrypted-login-assertion+jwt"
}.{
  "iat" : 1685732130,
  "password" : "bar",
  "iss" : "foo",
  "request_nonce" : "AwABAAAAAAADAOz_BADv_xtgu_SM1Mvoq02PYz_YfXxx5FAgcLHLNikH6gjrBWwcqnRW_haxqO9JCiPat5KfkTily04S8EH3AQwVsWCxHYQgAA",
  "sub" : "foo",
  "scope" : "openid offline_access urn:apple:platformsso",
  "exp" : 1685732430,
  "aud" : "060798FF-814E-4C38-97F8-28C954B7E058",
  "nonce" : "D1DEE607-0F44-43F5-8B3E-042E91F425A7"
}.[Signature]
```
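The following Python script is an added example (not Apple's code) that works through the ECDH-ES and Concat KDF description above using the sample assertion on this page. It decodes the apu and apv header values into their NIST.800-56A length-prefixed fields, checks that the ephemeral key in apu is the same key as epk, and derives the 256-bit A256GCM content-encryption key per RFC 7518 Section 4.6.2. The header and request_nonce values are copied from the sample; the shared secret Z is a constructed stand-in, because the private keys behind the sample are not available, and the interpretation of the second apv field as the loginRequestEncryptionPublicKey is an assumption drawn from its shape (a 65-byte uncompressed P-256 point).

```python
"""Concat KDF inputs of a Platform SSO encrypted embedded assertion.

Added example, not Apple's code. Header and request_nonce values are copied
from the sample assertion on the page; Z is constructed.
"""
import base64
import hashlib
import struct

# Protected header of the sample assertion (copied from the page).
SAMPLE_HEADER = {
    "enc": "A256GCM",
    "apv": "AAAADUFQUExFRU1CRURERUQAAABBBCX87eqonWyNUNz2JeH2wG68_WiPfQlJw6AiDvHSD08n5Hdn1oDUBxhL_TRarvhUUGDYsnBRk2HRH_ZoXGtpUncAAABuQXdBQkFBQUFBQUFEQU96X0JBRHZfeHRndV9TTTFNdm9xMDJQWXpfWWZYeHg1RkFnY0xITE5pa0g2Z2pyQld3Y3FuUldfaGF4cU85SkNpUGF0NUtma1RpbHkwNFM4RUgzQVF3VnNXQ3hIWVFnQUE",
    "alg": "ECDH-ES",
    "epk": {
        "y": "1wfUpcnhOq7SPl77UBfkanXdQObiBXDIDLx0n1_zlJI",
        "x": "NUnMKzz81Fl0SilEVYgWWjL_4lTAaXHeJ4uJGQ19AAk",
        "kty": "EC",
        "crv": "P-256",
    },
    "kid": "7y1xXc4I6iAyldmVkIeGtQxo8NRq2FgKFb++Or13jxU=",
    "apu": "AAAABUFQUExFAAAAQQQ1ScwrPPzUWXRKKURViBZaMv_iVMBpcd4ni4kZDX0ACdcH1KXJ4Tqu0j5e-1AX5Gp13UDm4gVwyAy8dJ9f85SS",
    "typ": "platformsso-encrypted-login-assertion+jwt",
}

# request_nonce from the sample body (copied from the page).
SAMPLE_REQUEST_NONCE = "AwABAAAAAAADAOz_BADv_xtgu_SM1Mvoq02PYz_YfXxx5FAgcLHLNikH6gjrBWwcqnRW_haxqO9JCiPat5KfkTily04S8EH3AQwVsWCxHYQgAA"


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, as used in JWE/JWS headers."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def length_prefixed(data: bytes) -> bytes:
    """NIST.800-56A Datalen || Data with a 32-bit big-endian length."""
    return struct.pack(">I", len(data)) + data


def split_party_info(blob: bytes) -> list:
    """Split a PartyUInfo/PartyVInfo blob into its length-prefixed fields.

    Rejects truncated length prefixes and fields that run past the end,
    so a malformed header fails loudly instead of yielding a wrong key.
    """
    fields, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        if i + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[i:i + n])
        i += n
    return fields


def uncompressed_p256_point(jwk: dict) -> bytes:
    """0x04 || X || Y for a P-256 EC JWK (65 bytes)."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("expected a P-256 EC JWK")
    x, y = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(x) != 32 or len(y) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes")
    return b"\x04" + x + y


def concat_kdf_other_info(enc: str, apu: bytes, apv: bytes, keydatalen: int) -> bytes:
    """OtherInfo per RFC 7518 4.6.2 for ECDH-ES direct key agreement:
    AlgorithmID (the "enc" value) || PartyUInfo || PartyVInfo ||
    SuppPubInfo (keydatalen in bits, 32-bit big-endian); SuppPrivInfo is empty."""
    return (length_prefixed(enc.encode("ascii"))
            + length_prefixed(apu)
            + length_prefixed(apv)
            + struct.pack(">I", keydatalen))


def concat_kdf(z: bytes, enc: str, apu: bytes, apv: bytes, keydatalen: int = 256) -> bytes:
    """Single-step KDF of NIST.800-56A 5.8.1 with SHA-256.

    K = SHA-256(counter || Z || OtherInfo) for counter = 1, 2, ... until
    keydatalen bits are available; one round suffices for a 256-bit key.
    """
    other_info = concat_kdf_other_info(enc, apu, apv, keydatalen)
    out, counter = b"", 1
    while len(out) < keydatalen // 8:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[:keydatalen // 8]


def derive_cek(header: dict, z: bytes) -> bytes:
    """Derive the A256GCM content-encryption key from a header and shared secret Z.

    Also checks that the ephemeral key carried in apu is the epk from the header,
    so a tampered apu cannot silently bind the key to a different party."""
    if header.get("alg") != "ECDH-ES" or header.get("enc") != "A256GCM":
        raise ValueError("unsupported alg/enc for this assertion type")
    apu, apv = b64url_decode(header["apu"]), b64url_decode(header["apv"])
    if split_party_info(apu)[1] != uncompressed_p256_point(header["epk"]):
        raise ValueError("apu public key does not match epk")
    return concat_kdf(z, header["enc"], apu, apv, 256)


if __name__ == "__main__":
    u = split_party_info(b64url_decode(SAMPLE_HEADER["apu"]))
    v = split_party_info(b64url_decode(SAMPLE_HEADER["apv"]))
    print("PartyUInfo:", u[0], "+", len(u[1]), "byte ephemeral point")
    # The 65-byte point in apv is presumably loginRequestEncryptionPublicKey (assumption).
    print("PartyVInfo:", v[0], "+", len(v[1]), "byte point +", len(v[2]), "byte request_nonce")
    z = bytes(range(32))  # constructed stand-in for the ECDH shared secret
    print("CEK:", derive_cek(SAMPLE_HEADER, z).hex())
```

Running the script shows that PartyUInfo is the label APPLE followed by the ephemeral public key, and that PartyVInfo is the label APPLEEMBEDDED, a second P-256 point, and the ASCII request_nonce from the body; binding the nonce into the KDF input means a replayed assertion derives a different key from the one the server expects for a fresh request.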

For more information, see Authentication process.

## See Also

### Login request

- [Performing a WS-Trust login request](authenticationservices/performing-a-ws-trust-login-request.md)
- [Creating an embedded assertion](authenticationservices/creating-an-embedded-assertion.md)
- [Creating and validating a login request](authenticationservices/creating-and-validating-a-login-request.md)
- [Creating a refresh request](authenticationservices/creating-a-refresh-request.md)
- [Supporting key requests and key exchange requests](authenticationservices/supporting-key-requests-and-key-exchange-requests.md)
