Configure Identity and Access Management

After you set up your external key service and connect it to Google Workspace, you need to connect Google Workspace to your Identity Provider (IdP). You can use any IdP that supports OAuth. Your external key service uses the IdP to authenticate users before they can encrypt files or access encrypted files. This section shows how to configure Identity and Access Management (IAM).

Choose your IdP for Client-side encryption (CSE)

If you don’t already use a third-party IdP with Google Workspace, choose one of the following options to set up your key service IdP:

Use a third-party IdP (recommended): Use this method if your security model requires more isolation of your encrypted data from Google.
Use Google identity: Use this method if your security model doesn’t require additional isolation of your encrypted data from Google.

Choose how to connect to your IdP for CSE

You can set up your IdP—either a third-party IdP or Google identity—by using either a .well-known file that you host on your organization website or the Admin console (which is your IdP fallback). The following table describes the considerations for each method:

Considerations	`.well-known` setup	Admin console setup (IdP fallback)
Isolation from Google	IdP settings are stored on your server.	IdP settings are stored on Google servers.
Admin responsibilities	An IdP admin can manage your setup instead of a Google Workspace Super Admin.	Only a Google Workspace Super Admin can manage your IdP setup.
CSE availability	CSE availability (uptime) depends on the availability of the server that hosts your `.well-known` file.	CSE availability corresponds to the general availability of Google Workspace services.
Ease of setup	Requires changing DNS settings for your server outside of the Admin console.	Configure settings in the Admin console.
Sharing outside your organization	Your collaborator’s external key service can easily access your IdP settings. You can automate this access and ensure your collaborator’s service has immediate access to any changes to your IdP settings.	Your collaborator’s external key service can’t access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator, both before sharing encrypted files for the first time and whenever you change your IdP settings.

Refer to the following Google Workspace knowledge base article for further details on connecting Google Workspace to an IdP: https://support.google.com/a/answer/10743588?hl=en#zippy=%2Coption-to-connect-to-your-idp-using-a-well-known-file

Set up IAM on the KMES Series 3

You must create two different IdPs on the KMES Series 3. Configure one with the Authentication JSON Web Token (JWT) that the IdP issues to attest a user identity, and configure the other with the Authorization JWT that Google issues to verify that the caller is authorized to encrypt or decrypt a resource. In addition to creating the IdPs, you must create a new role for Google CSE and new identities for all users in your organization who need to use Google CSE. To set up IAM, perform the following tasks described in this section:

Create the Authentication JWT IdP.
Create the Authorization JWT IdP.
Create the CSE role definition.
Create an identity for the CSE user
Set up IAM in Google Workspace.

Create the JWT IdP

Perform the following steps to create an Authentication JWT IdP to allow the identity partner to attest a user’s identity: (In this procedure, VirtuCrypt serves as the Identity partner.)

Go to Identity Management > Identity Providers, right-click the background, and select Add> Provider> JSON Web Token.

On the Info tab of the Identity Provider Editor window, specify a name for the IdP and deselect the Enforce Dual Factor checkbox

On the JWT Options tab, you can specify an issuer and set leeway and max validity values according to your requirements. The Issuer field is optional, but if you use VirtuCrypt as the IdP, set this field to vip.

On the JWT Key tab, select the JSON Web Key Set (JWKS) radio button.Two new fields populate in the dialog: JWKS URL and TLS PKI. The JWKS URL is a read-only endpoint URL that points to a list of public keys that verify JWTs. You don’t need to configure a CA certificate in the TLS PKI field if trusted public internet CAs can verify the domain configured in the JWKS URL field. However, if you have set up a JWK on your LAN, you must select the custom CA certificate used to sign the domain specified in the JWKS URL field.For the VirtuCrypt use case, leave the TLS PKI field blank because vip.virtucrypt.com has a certificate issued by a trusted public internet CA. If your use case requires you to configure a custom CA certificate, you must download and then copy that certificate to the storage medium configured on the KMES and import the certificate into a certificate container in the PKI> Certificate Authorities menu. After you do that, you can browse and select the certificate in the TLS PKI field.

Select [ OK ] to save.

Right-click the IdP that you created and select Add> Mechanism> JSON Web Token.

On the Info tab of the Authentication Mechanism Editor window, specify a name for the authentication mechanism.

Leave the default settings on the Identifiers and Claims tabs, and select [ OK ] to save.

Create the JWT IdP

Perform the following steps to create an Authorization JWT IdP to enable Google to verify that the caller is authorized to encrypt or decrypt a resource:

Go to Identity Management > Identity Providers, right-click the background, and select Add> Provider> JSON Web Token.

On the Info tab of the Identity Provider Editor window, specify a name for the IdP and deselect the Enforce Dual Factor checkbox.

On the JWT Options tab, you can specify an issuer and set leeway and max validity values according to your requirements. The issuer field is optional, but an appropriate value might be gsuitecse-tokenissuerdrive@system.gserviceaccount.com.

On the JWT Key tab, select JWKS and then specify https://www.googleapis.com/service_ accounts/v1/jwk/gsuitecse-tokenissuer-drive@system.gserviceaccount.com in the JWKS URL field. Leave TLS PKI blank because trusted public internet CAs can verify the www.googleapis.com domain. Therefore, you don’t need to configure a custom CA certificate.

Select [ OK ] to save.

Right-click the IdP that you created and select Add> Mechanism> JSON Web Token.

On the Info tab of the Authentication Mechanism Editor window, specify a name for the authentication mechanism.

Leave the default settings in the Identifiers and Claims tabs, and select [ OK ] to save.

Create the role definition

Perform the following steps to create the role definition for CSE:

Go to the Identity Management> Roles menu and select [ Add ].

In the Role Editor window, specify a Name for the role, set the Role class to Principal, and set Logins Required to 1.

Principal roles have view permissions on any objects created by that principal role. This makes sharing encrypted documents possible within an organization because all CSE users are assigned the same principal role.For example, suppose one CSE user in your organization shares a document with another CSE user. The second CSE user’s browser can decrypt the document by using the first user’s personal key because the shared CSE principal role created that personal key. However, all encrypted documents that the second user creates are encrypted with their personal key.

On the Permissions tab, select the following permissions:

Permission	Subpermission
Cryptographic Operations	Unwrap, Wrap
Keys	Only the top-level Keys permission

On the Advanced tab, leave the values set to the default settings.

Select [ OK ] to finish creating the role.

Create an identity for the CSE user

Go to the Identity Management> Identities menu, right-click the background, and select Add> User.

Leave Storage set to Application.In the Name field, enter the email address the CSE user uses to log into Google Workspace.

On the Assigned Roles tab, select the Role that you just created.

On the Device Info tab, leave the values set to the default settings.

On the Authentication tab, select [ Add ] to add the following credentials: the Authentication JWT IdP and the Authorization JWT IdP.Remove the default Password credential after configuring the authentication and authorization JWT credentials.

Select [ OK ] to finish creating the identity.

Set up IAM in Google Workspace

You must turn on Google Workspace CSE for all users who need to do any of the following tasks:

Create or upload encrypted files to Google Drive
Host encrypted meetings with Google Meet (beta)

You don’t need to enable CSE for users who only need to view or edit encrypted files or attend meetings. However, external users need to use an IdP allowlisted by your domain. For details, see External user requirements in About client-side encryption.

To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups to which the users belong. At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible. Follow the steps in the Google Workspace knowledge base article (support.google.com/a/answer/10745596) to set up IAM in Google Workspace. The process includes the following tasks:

Set the default key service for your organization.
Turn CSE on or off for users.

​Choose your IdP for Client-side encryption (CSE)

​Choose how to connect to your IdP for CSE

​Set up IAM on the KMES Series 3

​Create the JWT IdP

​Create the JWT IdP

​Create the role definition

​Create an identity for the CSE user

​Set up IAM in Google Workspace

Choose your IdP for Client-side encryption (CSE)

Choose how to connect to your IdP for CSE

Set up IAM on the KMES Series 3

Create the JWT IdP

Create the JWT IdP

Create the role definition

Create an identity for the CSE user

Set up IAM in Google Workspace