Verviam User Guide     
  See Verviam Credentials Examples       
    Use Cases     Register Endpoints
    Credentials     Identity as a Service     Encryption
Verviam provides the following credentials forwarding options for each REST service:
- Secret ID/Secret Value pair e.g. UserID and Password
- Connection URL e.g. database or device connection string
- JWT URL e.g. signed JWT with access scopes
Verviam Presentation at Cloud Security Alliance APAC Summit 2020    Zero Trust, Identity as a Service and Software Defined Perimeter
Typical use cases
REST Services are generated with optional parameters, tags and scope, issued a JWT token that is validated at the Verviam Access Gateway.
Credentials and parameters can be encrypted or decrypted as required.
     - for a personal sign in, this can be user ID and password or signed JWT
     - for smart devices, this can be device ID and secret or signed JWT
     - For applications, this can be client ID and client secret.
     - when the endpoint is a complete connection string, the credentials can be embedded in the string
     - for all end user types, the secret value can be a token in the format expected by your endpoint
    1. Go to Create a Verviam Account.
    2. Provide a name, email, pin and password and mandatory details.
    3. Follow the on screen instructions to complete the account set up. Look for a welcome email for further instructions.
Endpoint Registration
     Register your destination endpoints (the URL in the form that your application expects) as follows:
    1. Enter your account number, plus the password and pin you provided when you set up the account.
    2. Look for an email with an MFA code.
    3. Enter the code into the browser MFA field.
    4. Enter a name for your endpoint REST service
    5. Select credentials type and encryption option for each REST service endpoint.
    6. Enter details for each endpoint, including optional parameters, tags and personal identity details.
    7. Press the "Send Request" button when the form is completed. You can access registration configuration to edit the values at any time.
    8. Connection details are returned to the browser as a JWS token, signed with your private key.
    9. Copy and use the connection details as a REST service from e.g. a browser application.
Credential Types.
A Verviam signed JWT token protect your data from browser origin to the Verviam Access Gateway.
Verviam recommends encrypting all secret data. For each destination endpoint request, the appropriate credentials type is selected:
     - Secret ID/Secret Value pair https://endpointURL?ID=yoursecretID&secretValue=yoursecretValue&tags=yourtags Secret ID/Value pair and tags are optionally encrypted
     - Connection string https://endpointURL?parameters=yourparameters&tags=yourtags Connection string parameters and tags are optionally encrypted
     - Signed JWT https://endpointURL?JWT=header.payload.signature&tags=yourtags Tokens are signed, tags are optionally encrypted
Each account is issued its own protected secret keys (endpoint public and private keypairs, and account secret key),
all data is encrypted in transit to and from your browser over the internet, stored field encrypted in an encrypted data store.
From the Verviam Access Gateway, credentials can be forwarded encrypted or decrypted, as required.
Identity as a Service:
Identity as a Service provides a signed JWT token for use with your application sign in. The token is exchanged for the application credentials at the Verviam access gateway. Configure your sign in details from the Registration module.
Enter connection details for each user, the URL of the endpoint, plus optional scope information, parameters and attribute tags that your endpoint can use to authorize access to particular applications.
An endpoint may also be a complete connection string including credentials (e.g. a server endpoint URL plus authentication, a database URL plus credentials).
You can access and edit your endpoint configuration details at any time.
Verviam tokens are exchanged for destination endpoint connection details:
For each destination endpoint, Verviam provides a REST service and a unique endpoint JWT token that is validated at the Verviam Access Gateway, where private endpoint credentials are exchanged for the token prior to forwarding to the configured destination endpoints, encrypted as required.
Account private endpoint details are only accessed at runtime:
Connections to Verviam gateway are signed JWT tokens. They are validated then forwarded as REST calls from the Verviam Access Gateway to the configured destination endpoint.
Tokens are signed with the account secret key, protected by encryption with the account public/private RSA keypair both in transit and at rest in the database. Endpoint secrets, parameters, scopes and tags
encrypted with the account secret key can be decrypted on the destination server using the Node.js RSA library. It can be decrypted by the same library or any equivalent e.g. a Java RSA library See Verviam Encryption Information
Parameters can be sent encrypted or decrypted .
Depending on your use case (e.g. database connection, REST service to backend system), the token can be unencrypted at the Verviam Access Gateway, or you can elect to forward the JWS token to your endpoint
and use your private key to decryption the payload prior prior to forwarding to your request endpoint destination system.
All account information is encrypted in process, in transit and at rest.
All account data is encrypted in the browser, transported across the internet encrypted, and stored encrypted. Not only private personal data, include name, email, pins and passwords, but also private technical technical data such as endpoints, parameters, connection URLs, tags and scopes.
The only person who ever sees the technical and personal private data (PII), is the person who entered the details in the browser. Multi-Factor Authentication (MFA) is required by default for updating account profile and configuration details.
    - For the encrypted credentials option, an account Secret Key is used to encrypt credential parameters and tags.
    - For security reasons it is only provided in encrypted format as part of the credentials forwarding REST service.
    - Use the account Private Key to decrypt and validate the account secret key, ensuring the integrity of your REST Service.
    - The secret key is an input field to the Crypto.AES algorithm used to encrypt account parameters. It also decrypts the parameters.
    - The account RSA Public Private keypair is used to protect your secret key.