This section provides detailed instructions for configuring the Google Identity Provider (IdP) for use with Google Workspace Client-Side Encryption (CSE), including the following tasks:
  1. Configure Google Cloud Console.
  2. Configure CryptoHub for Google IdP.
  3. Configure Google Admin Console.
  4. Review the setup for users, licenses, and organizational units.

Before you start

To set up and manage Google Workspace CSE with Google IdP, you must have the following services and access:
  • Google Admin Rights to access:
    • Google Admin Console
    • Google Cloud Console
  • Google Workspace Access with the necessary licenses to use Client-Side Encryption (CSE)
  • CryptoHub Access to deploy the Google CSE service

Configure Google Cloud Console

Perform the following steps to configure Google Cloud Console:
1. Go to https://console.cloud.google.com/ to access the Google Cloud Console.
2. To create a new project, select [ Create Project ] and configure the following settings:
  • Project Name: Choose a meaningful name for your project.
  • Organization: Select the domain under which this project will be created.
  • Location: Use your domain name (such as futurex.com).
3. After you create the project, go to the Google section in the left-hand menu and select APIs & Services.
4. To create an OAuth 2.0 client, select [ Create Credentials ] and then OAuth Client ID. Configure the following settings:
  • Application Type: Select Web Application.
  • Name: Choose an appropriate name for the OAuth client.
5. In the Authorized Redirect URIs field, enter all of the following URIs:
  • https://client-side-encryption.google.com/callback
  • https://client-side-encryption.google.com/oidc/cse/callback
  • https://client-side-encryption.google.com/oidc/drive/callback
  • https://client-side-encryption.google.com/oidc/gmail/callback
  • https://client-side-encryption.google.com/oidc/meet/callback
  • https://client-side-encryption.google.com/oidc/calendar/callback
  • https://client-side-encryption.google.com/oidc/docs/callback
  • https://client-side-encryption.google.com/oidc/sheets/callback
  • https://client-side-encryption.google.com/oidc/slides/callback
  • https://krahsc.google.com/callback
6. (Optional) If required, perform the following steps to complete the OAuth consent screen:
  1. Under Application Home Page, enter: https://workspace.google.com/cse
  2. Under Application Privacy Policy, enter: https://policies.google.com/privacy
  3. Under Application Terms of Service, enter: https://policies.google.com/terms
  4. Under Authorized Domains, add:
    • google.com
    • Your organization’s domain (such as futurex.com)
  5. For Developer Contact Information, enter your email address.
  6. Under the Audience tab, set the User Type to Internal.
7. After you finish the setup, the system generates a Client ID that looks similar to the following sample:
   147413232810-0o2adc04gmh9rusgluls475ii955j4o8.apps.googleusercontent.com
   Save this Client ID for use in the Admin Console configuration.

Configure CryptoHub for Google IdP

Perform the following steps to configure CryptoHub for Google IdP:
1. Log in to CryptoHub as an Admin.
2. Search for the Google CSE service and deploy it.
3. During deployment, configure the following details under Service Info:
  • New Users: Enabled by default.
  • Email Domain: Your domain (such as futurex.com).
  • Issuance Policy: Configure as needed (this can also be done later).
  • KACLS URL: Populated automatically.
  • Identity Provider Type: Select OpenID Connect.
  • OpenID Connect URL: https://accounts.google.com/o/oauth2/v2/auth
4. Leave the remaining fields empty and deploy the service.

Configure Google Admin Console

Perform the following steps to configure Google Admin Console:
1. Go to the Google Admin Console at https://admin.google.com/.
2. Go to Data > Compliance > Client-Side Encryption.
3. Perform the following steps to configure the external key service:
  1. Select [ Add ].
  2. Enter a name for your key service.
  3. Enter the URL from CryptoHub (such as https://exampleuser.useast1-cryptohub-uat.virtucrypt.com/v0/key-encrypt/client).
  4. Test the connection to verify that it works.
4. Under Identity provider configuration, select [ Configure IdP fallback ] and provide the following information:
  1. Name: A descriptive name (such as Google IdP).
  2. Client ID: The Client ID obtained from the Google Cloud Console.
  3. Discovery URL: https://accounts.google.com/.well-known/openid-configuration
  4. Grant Type: Set to Implicit for Google as the IdP.
  5. Test the connection to verify that it works.
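The three consoles above each take a value that must agree with the others: the redirect URIs on the OAuth client, the OpenID Connect URL in CryptoHub, and the Discovery URL plus Implicit grant in the Admin Console. The following pre-flight check, added here as an example and not code from Futurex or Google, compares those values against an IdP discovery document; the document embedded below is a constructed sample with the shape of Google's real one, and in practice you would feed in the live document fetched from the Discovery URL.

```python
import json
from urllib.parse import urlparse

# Constructed stand-in for the document served at the Discovery URL
# https://accounts.google.com/.well-known/openid-configuration, trimmed to
# the fields the checks use; in practice, feed in the live document.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token", "code token",
                                 "code id_token", "token id_token"],
})

# Value entered as the OpenID Connect URL in the CryptoHub Google CSE service.
CRYPTOHUB_OIDC_URL = "https://accounts.google.com/o/oauth2/v2/auth"

# Redirect URIs the CSE apps need on the OAuth client (Cloud Console step).
CSE_BASE = "https://client-side-encryption.google.com"
REQUIRED_REDIRECT_URIS = {CSE_BASE + "/callback", "https://krahsc.google.com/callback"} | {
    CSE_BASE + "/oidc/" + app + "/callback"
    for app in ("cse", "drive", "gmail", "meet", "calendar", "docs", "sheets", "slides")
}

def check_discovery(doc_json, oidc_url, grant_type="implicit"):
    """Return the mismatches between the IdP discovery document and the values
    entered in CryptoHub / Admin Console; an empty list means consistent."""
    doc = json.loads(doc_json)
    problems = []
    for field in ("issuer", "authorization_endpoint", "jwks_uri"):
        if urlparse(doc.get(field, "")).scheme != "https":
            problems.append(field + " is missing or not served over https")
    if doc.get("authorization_endpoint") != oidc_url:
        problems.append("CryptoHub OpenID Connect URL != authorization_endpoint")
    # With the Implicit grant the ID token comes straight back from the
    # authorization endpoint, so the IdP must advertise id_token.
    if grant_type == "implicit" and "id_token" not in doc.get("response_types_supported", []):
        problems.append("IdP does not advertise the id_token response type")
    return problems

def missing_redirect_uris(configured):
    """Return required CSE callback URIs absent from the OAuth client's list.
    Matching is exact: scheme, host, path and any trailing slash all count."""
    return sorted(REQUIRED_REDIRECT_URIS - set(configured))

def client_id_looks_valid(client_id):
    """Sanity check on the Client ID copied from Cloud Console; the sample on
    this page ends in .apps.googleusercontent.com."""
    return client_id.endswith(".apps.googleusercontent.com")
```

Run `check_discovery` and `missing_redirect_uris` before testing the connection in the Admin Console; a trailing slash or an http scheme in any of these values is the usual reason the test fails.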

Review the setup for users, licenses, and organizational units

When setting up CSE with Google IdP, ensure that you perform the following tasks:
1. Create all users who will use CSE in Google Workspace with appropriate licenses.
2. Ensure users have the necessary Google Workspace licenses to access CSE functionality.
3. Properly set up Organizational Units (OUs) to define groups for different encryption policies.
4. Assign the correct key services to each OU in the Google Admin Console.
5. Enable CSE for the appropriate OUs with the correct key service selected.

Conclusion

After completing all of these steps, your Google CSE with Google IdP integration should be operational. You can test it by creating an encrypted document in Google Drive.