This section helps you select the IdP that best fits your needs. It also outlines key considerations when choosing between configuring the IdP in Google Workspace by using a .well-known file or the Admin console. Before proceeding to the main integration guide, External Key Service Setup for Google Workspace CSE, choose and configure your preferred IdP. After configuring it, if you're not using VirtuCrypt, retain the following information, which is required for integrating the IdP with both CryptoHub and Google Workspace:
  • OpenID Connect Discovery URL
  • OpenID Connect Client ID
  • OpenID Connect PKI

Choose your IdP for CSE

If you don't already use a third-party IdP with Google Workspace, you can set up your IdP for use with your key service in any of the following ways:
  • Use VirtuCrypt IdP: This is detailed in the main document. Choose this if you want to use Futurex VirtuCrypt as your IdP.
    • If you're following this path, continue to the next paragraph.
  • Use Google identity: If your security model doesn't require additional isolation of your encrypted data from Google, you can use the default Google identity as your IdP.
    • Complete Google IdP integration before starting the main integration.
  • Use Okta IdP: Okta is a popular identity provider that integrates well with Google Workspace CSE.
    • Complete Okta integration before reading the main integration guide.
  • Use another third-party IdP: Use another third-party IdP that supports the OpenID Connect (OIDC) standard (openid.net/connect/). You can apply the general principles in the Google and Okta setups to most third-party IdPs.
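Before handing an OpenID Connect Discovery URL to the key service and Google Workspace, it helps to confirm that the document behind it is well formed. The following check is an added example, not part of the Futurex or Google documentation; it tests only what OpenID Connect Discovery 1.0 requires, and `idp.example.com` with its sample document is constructed for illustration.

```python
import json
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Metadata fields that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def check_discovery(discovery_url, document):
    """Return a list of problems found in an OIDC discovery document."""
    try:
        meta = json.loads(document)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(meta, dict):
        return ["discovery document is not a JSON object"]
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in meta]
    issuer = meta.get("issuer")
    # The issuer (minus any trailing "/") plus the suffix must reproduce the
    # URL the document was fetched from; otherwise tokens would be validated
    # against a different issuer than the one that was configured.
    if isinstance(issuer, str) and issuer.rstrip("/") + SUFFIX != discovery_url:
        problems.append("issuer does not match discovery URL")
    for key in ("issuer", "authorization_endpoint", "jwks_uri"):
        value = meta.get(key)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not an https URL")
    algs = meta.get("id_token_signing_alg_values_supported")
    if isinstance(algs, list) and "RS256" not in algs:
        problems.append("RS256 not listed for ID token signing")
    return problems


# Constructed sample input (idp.example.com is a placeholder, not a real IdP).
SAMPLE_URL = "https://idp.example.com" + SUFFIX
SAMPLE_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "jwks_uri": "https://idp.example.com/keys",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

if __name__ == "__main__":
    for line in check_discovery(SAMPLE_URL, SAMPLE_DOC) or ["no problems found"]:
        print(line)
```

In practice, pass the function the body returned by the discovery URL you recorded for your IdP.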

Choose how to connect to your IdP for CSE

You can set up your IdP by using either a .well-known file that you host on your organization website or the Admin console (which is your IdP fallback). The following table covers considerations for each method:
| Considerations | .well-known setup | Admin console setup (IdP fallback) |
| --- | --- | --- |
| Isolation from Google | IdP settings are stored on your server. | IdP settings are stored on Google servers. |
| Admin responsibilities | An IdP admin can manage your setup instead of a Google Workspace Super Admin. | Only a Google Workspace Super Admin can manage your IdP setup. |
| CSE availability | CSE availability (uptime) depends on the availability of the server that hosts your .well-known file. | CSE availability corresponds to the general availability of Google Workspace services. |
| Ease of setup | Requires changing DNS settings for your server, outside of the Admin console. | Configure settings in the Admin console. |
| Sharing outside your organization | Your collaborator's external key service can easily access your IdP settings. This access can be automated and ensures your collaborator's service has immediate access to any changes to your IdP settings. | Your collaborator's external key service can't access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator before you share encrypted files for the first time, as well as any time you change your IdP settings. |

Refer to the following Google Workspace knowledgebase article for further details on connecting Google Workspace to an identity provider (IdP): https://support.google.com/a/answer/10743588?hl=en#zippy=%2Coption-to-connect-to-your-idp-using-a-wellknown-file