Skip to main content
This section provides detailed instructions for configuring Okta as the Identity Provider (IdP) for Google Workspace Client-Side Encryption (CSE). The following overview details the basic workflow for using Okta with Google Workspace:
  1. Create an encrypted document in Google Docs
    • When you open Google Docs and create a new document, you can trigger encryption through the Google Workspace encryption add-on or integration.
  2. Authenticate in Okta
    • An Okta sign-in screen appears when Google Workspace requires authentication for encryption.
    • Okta authenticates you and issues a JWT token after you complete the sign-in (including MFA if configured).
  3. Google Workspace Communicates with Futurex HSM
    • After Okta authenticates you, Google Workspace passes the JWT token to the Futurex HSM, such as CryptoHub.
    • The Futurex HSM verifies the JWT token and performs the requested encryption or decryption operations.

Set Up Okta for Google CSE

Perform the following tasks to set up Okta for Google CSE:
  1. Create an Okta application integration.
  2. Assign Users to the Okta Application.
  3. Obtain the Okta OpenID configuration URL.

Create an Okta application integration

Perform the following steps to create an Okta application integration:
1
Go to the Okta Admin console and log in.
2
Go to Applications > Applications > Create App integration and configure the following settings:
  • Integration Type: select OIDC - OpenID Connect
  • Application Type: select Single-Page Application
3
To configure OIDC Web Integration, configure the following settings:
  1. Name: Give your application a name (such as Futurex CSE)
  2. Proof of possession: Leave unchecked
  3. Grant type: Select the Authorization Code checkbox (leave others unchecked)
4
To configure URIs, perform the following steps:
  1. For Sign-in Redirect URIs, enter all the following URIs:
    • https://workspace.google.com/cse/auth/callback
    • https://client-side-encryption.google.com/callback
    • https://client-side-encryption.google.com/oidc/cse/callback
    • https://client-side-encryption.google.com/oidc/drive/callback
    • https://client-side-encryption.google.com/oidc/gmail/callback
    • https://client-side-encryption.google.com/oidc/meet/callback
    • https://client-side-encryption.google.com/oidc/calendar/callback
    • https://client-side-encryption.google.com/oidc/docs/callback
    • https://client-side-encryption.google.com/oidc/sheets/callback
    • https://client-side-encryption.google.com/oidc/slides/callback
  2. Leave Sign-out redirect URLs and BaseURI empty
5
Save the application.
After creation, Okta provides the Client ID and other configuration details.

Assign users to the Okta application

Perform the following steps to assign users to the Okta application:
1
Go to the Assignments tab in the application.
2
Assign users who should have access to CSE functionality to the application.
3
Select [ Done ] to save the assignments.

Obtain the Okta OpenID configuration URL

Perform the following steps to obtain the Okta OpenID configuration URL:
1
While logged into your Okta environment as an Admin, note your Admin homepage URL.
2
Append /.well-known/openid-configuration to the Admin homepage URL.For example: https://trial-8715115-admin.okta.com/.well-known/openid-configuration
Remove -admin from the URL if you use it in the Google Admin console.
3
Optionally, you can append ?client_id=YOUR_CLIENT_ID to see information specific to your application integration

Configure CryptoHub for Okta IdP

To configure the Google CSE service in CryptoHub, configure the following settings:
  • Auto enrollment: Enable for users authenticated with Okta.
  • Set the rotation period for CSE keys.
  • Email domain: Enter your organization’s email domain.
  • Issuance policy: Select a policy for the public/private key pair (for Gmail users).
  • Identity provider type: Select OpenID Connect.
  • OpenID Connect URL: Enter your Okta well-known OpenID Connect URL
    • For example: https://trial-8715115.okta.com/.well-known/openid-configuration
    • Do not include -admin in this URL

Configure Google Admin Console

Perform the following steps to configure Google Admin Console:
1
Go to Data > Compliance > Client-side Encryption and add your CryptoHub external key service URL, making it the default key service.
2
Go to Data > Compliance > CSE > IdP configuration and configure the following settings:
  • Name: Okta
  • Client ID: The Client ID from your Okta application
  • Discovery URL: Your Okta OpenID discovery URL (without -admin)
  • Grant type: Authorization code with PKCE
Test the connection to ensure it works.

(Optional) Configure Gmail

If you need to use CSE with Gmail, perform the following steps to complete the additional configuration:
1
To create a Service Account in Google Cloud Console, perform the following steps:
  1. Go to IAM & Admin > Service accounts.
  2. Create a Service account.
  3. Generate a key.
  4. Download the JSON file.
2
To import the Key to CryptoHub, enter or upload the service account information in CryptoHub.
3
Use the CryptoHub PKI functionality to create a root and issuing CA.
4
Import the Root CA as a trusted Root in Google Admin under Apps > Google Workspace > Gmail.It takes up to 24 hours for Google to verify and validate the Root CA.

Conclusion

After completing the preceding steps, your Google CSE with Okta IdP integration should be operational. Then, when users create or access encrypted content, the system prompts them to authenticate with Okta.