Onegini Security Proxy

An introduction

The Security Proxy is essentially a reverse proxy. Within the Onegini Mobile Platform it serves as the gateway for all traffic between the enterprise and the mobile device. It handles both requests that must be processed by the Token Server and data requests (also called resource requests) that bring enterprise data safely to the mobile device.

The picture below shows how the Security Proxy is positioned within the Onegini Mobile Platform.

The most important role of the Security Proxy is to form a secure bridge between the enterprise and the mobile application. It does so by adding an additional layer of encryption at the application layer of the TCP/IP stack. This is what Onegini calls payload encryption. This additional encryption is applied on top of the SSL/TLS security layer, which operates at the transport layer of the TCP/IP stack. Hence, SSL/TLS and payload encryption can be used in conjunction with each other to further protect the mobile device from leaking information.

The picture below shows a high-level schematic overview of the message flow for payload encryption.

  +-----+                             +----------------+                               +------------------+
  | SDK | ---- encrypted request ---> | Security Proxy |  ---- plaintext request --->  |   Token Server   |
  |     |                             |                |                               |        or        |
  |     | <--- encrypted response --- |                |  <--- plaintext response ---  | Resource Gateway |
  +-----+                             +----------------+                               +------------------+

Apart from the payload encryption feature, the Security Proxy is mostly a normal reverse proxy. The Security Proxy is an additional product next to the Token Server and therefore requires the Token Server in order to function.
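The following Go program is an added illustration of the message flow in the diagram above; it is not Onegini's code and does not describe the actual payload encryption format. The page does not state which algorithm the Security Proxy uses, so AES-256-GCM with a pre-shared session key is assumed here purely to show the shape of the flow (how the SDK and proxy agree on a key is left out). The upstream function, `SecurityProxy`, `SDKRoundTrip` and `TamperedRequestRejected` are all hypothetical names introduced for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Assumption: the page does not name the payload-encryption algorithm; AES-256-GCM with a
// pre-shared session key stands in for it. The key below is a constructed demo value.
var sessionKey = []byte("0123456789abcdef0123456789abcdef")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates a payload; the 12-byte nonce is prepended to the ciphertext.
func seal(key, payload []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, nil), nil
}

// open verifies and decrypts a message produced by seal. Any change to the nonce or
// ciphertext makes the authentication-tag check fail.
func open(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Upstream stands in for the Token Server or Resource Gateway: it only ever sees plaintext.
type Upstream func(plainRequest []byte) []byte

// SecurityProxy models the middle hop of the diagram: decrypt the request payload, forward
// plaintext to the upstream, encrypt the plaintext response for the SDK. A request that
// fails authentication is rejected before anything reaches the upstream.
func SecurityProxy(key []byte, upstream Upstream, encryptedRequest []byte) ([]byte, error) {
	plainReq, err := open(key, encryptedRequest)
	if err != nil {
		return nil, fmt.Errorf("rejecting request: %w", err)
	}
	return seal(key, upstream(plainReq))
}

// SDKRoundTrip plays the mobile SDK side: encrypt the request, send it through the proxy,
// decrypt the response, and return the plaintext the app would see.
func SDKRoundTrip(key []byte, upstream Upstream, request []byte) ([]byte, error) {
	encReq, err := seal(key, request)
	if err != nil {
		return nil, err
	}
	encResp, err := SecurityProxy(key, upstream, encReq)
	if err != nil {
		return nil, err
	}
	return open(key, encResp)
}

// TamperedRequestRejected shows the integrity property: flipping one ciphertext bit makes
// the proxy refuse the request, so the upstream is never called.
func TamperedRequestRejected(key []byte) bool {
	encReq, err := seal(key, []byte("GET /resources/balance"))
	if err != nil {
		return false
	}
	encReq[len(encReq)-1] ^= 0x01
	called := false
	_, err = SecurityProxy(key, func(b []byte) []byte { called = true; return b }, encReq)
	return err != nil && !called
}

func main() {
	// constructed sample upstream: echoes the request behind a status prefix
	upstream := func(req []byte) []byte { return append([]byte("200 OK: "), req...) }
	resp, err := SDKRoundTrip(sessionKey, upstream, []byte("GET /resources/balance"))
	fmt.Println(string(resp), err)
	fmt.Println("tampered request rejected:", TamperedRequestRejected(sessionKey))
}
```

The point the example makes is the one in the diagram: the enterprise side (Token Server or Resource Gateway) never handles the encrypted form, and the proxy is the only component that holds both the payload-encryption key and the plaintext, so it is also where a damaged or forged payload is stopped.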

The next sections explain how to install and configure the Security Proxy.