Skip to main content
This section covers connecting Google Workspace to an identity provider and setting up Identity and Access Management (IAM) in Google Workspace.

Connect Google Workspace to an identity provider for client-side encryption

After you set up your external key service and connect it to Google Workspace, you need to connect Google Workspace to your identity provider (IdP). You can use any IdP that supports OAuth. Your external key service uses the IdP to authenticate users before they can encrypt files or access encrypted files.

Choose your IdP for CSE

If you don’t already use a third-party identity provider (IdP) with Google Workspace, you can set up your IdP for use with your key service in the following ways:
  • Use a third-party IdP (recommended): Use a third-party IdP if your security model requires more isolation of your encrypted data from Google.
  • Use Google identity: If your security model doesn’t require additional isolation of your encrypted data from Google, you can use the default Google identity as your IdP.

Choose how to connect to your IdP for CSE

You can set up your IdP—either a third-party IdP or Google identity—by using either a .well-known file hosted on your organization website or the Admin console (which is your IdP fallback). The following table describes considerations for each method:
Considerations.well-known setupAdmin console setup (IdP fallback)
Isolation from Google IdP settings are stored on your server.IdP settings are stored on Google servers.
Admin responsibilities An IdP admin can manage your setup instead of a Google Workspace Super Admin.Only a Google Workspace Super Admin can manage your IdP setup.
CSE availabilityCSE availability (uptime) depends on the availability of the server that hosts your .well-known file.CSE availability corresponds to the general availability of Google Workspace services
Ease of setup Requires changing DNS settings for your server, outside of the Admin console.Configure settings in the Admin console.
Sharing outside your organizationYour collaborator’s external key service can easily access your IdP settings. This access can be automated and ensures your collaborator’s service has immediate access to any changes to your IdP settings.Your collaborator’s external key service can’t access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator before you share encrypted files for the first time, as well as any time you change your IdP settings.
Refer to the following Google Workspace knowledgebase article for further details on connecting Google Workspace to an identity provider (IdP): https://support.google.com/a/answer/10743588?hl=en#zippy=%2Coption-to-connect-to-your-idp-using-a-wellknown-file

Set up IAM in Google Workspace

You must turn on Google Workspace Client-side encryption (CSE) for all users who need to do any of the following tasks:
  • Create or upload encrypted files to Google Drive
  • Host encrypted meetings with Google Meet (beta)
You don’t need to turn on CSE for users who need only to view or edit encrypted files or attend meetings. However, external users must use an identity provider (IdP) allowlisted by your domain. For details, see external user requirements inAbout client-side encryption.
To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups the users belong to. At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible. Refer to this Google Workspace knowledge base article ( support.google.com/a/answer/10745596) for instructions on how to perform the following steps for setting up IAM for CSE in Google Workspace:
  1. Set the default key service for your organization
  2. Turn CSE on or off for users