# External key service setup for Google Workspace CSE
This section describes the steps required to use {{ch}} as an external key service for Google Workspace CSE. This involves deploying the Google Workspace CSE service in {{ch}}, as well as configuring a Key Access Control List Service (KACLS) and an identity provider (IdP) in the Google Admin console.

## Deploy the Google Workspace CSE service in {{ch}}

1. Open the {{ch}} web dashboard in a browser.
2. Log in to {{ch}} with the default admin identities.
3. Select the Google Workspace CSE (Client-Side Encryption) service from the list of available services on the Service Management page.
4. On the Google Workspace CSE service overview page, select \[ Deploy ].
5. Specify a service name and service category, and select \[ Next ].
6. (Optional) Select any roles and identities you want to have access to the service, and select \[ Next ].
7. Choose whether you want new users enabled by default.
8. Specify the desired rotation period for personal keys.
9. In the Issuance Policy drop-down menu, leave the External CA option selected, because {{ch}} does not issue the certificates Google CSE uses.
10. Leave the auto-populated default KACLS URL selected.
11. Select the identity provider type you want to use (such as Existing, OpenID Connect, VirtuCrypt VIP, or VirtuCrypt Test), and fill in the required fields.
12. In the Service Account Info box, copy and paste the information from your Google service account JSON file.
13. Select \[ Deploy ] when finished. A message displays confirming that the Google Workspace CSE service was successfully deployed.
14. (Optional) Select Manage Service to create new service users, view logs, read instructions for using the service, or manage access permissions.

After deployment, you can modify the issuance policy and service account info for the service.

To modify the issuance policy, perform the following steps:

1. Go to Deployed Services > Google Workspace CSE (Client-Side Encryption).
2. In the management menu, select \[ Edit Service ].
3. Under Issuance Policy, use the drop-down list to select a different issuance policy.
4. Select \[ Save ] at the bottom of the window.

To modify the service account, perform the following steps:

1. Go to Deployed Services > Google Workspace CSE (Client-Side Encryption).
2. In the management menu, select \[ Edit Service ].
3. In the Service Account Info box, copy and paste the information from the Google service account JSON file for your new service account.
4. Select \[ Save ] at the bottom of the window.

## Configurations in the Google Admin console

Before outlining the configuration steps, you should understand the following terms:

- Key Access Control List Service (KACLS) is your external key service (such as {{ch}}) that uses this API to control access to encryption keys stored in an external system.
- Identity provider (IdP) is the service that authenticates users before they can encrypt files or access encrypted files. This integration uses {{vc}} as the IdP for demonstration purposes, but you can use any IdP that supports OAuth.

### Configure KACLS

Perform the following steps to configure KACLS:

1. Sign in to your Google Admin console, using an account with super administrator privileges.
2. In the main menu, select Security > Access and data control > Client-side encryption.
3. Select the External key service card to open it.
4. Select Add external key service.
5. Enter a name for your key service.
6. Enter the URL for your key service (such as `https://<server-ip>/v0/key-encrypt/client`). Google requires this connection to be TLS, with a publicly trusted certificate. The connection can be through NAT or a reverse proxy.
7. To confirm that Google Workspace can communicate with the external key service, select Test connection.
8. To close the card, select Continue.

### Configure IdP

To connect Google Workspace to your identity provider (IdP), you can use a well-known file or the Admin console. After establishing the connection, you must allowlist your IdP in the Admin console.

This section describes connecting Google Workspace to your IdP by using the Admin console. However, this method is meant to be a fallback for the well-known file method. Refer to the Google Workspace documentation for instructions on connecting Google Workspace to your IdP using a well-known file: https://support.google.com/a/answer/10743588 (section "Option to connect to your IdP using a well-known file").

Perform the following steps to connect your IdP to Google Workspace:

1. Sign in to your Google Admin console, using an account with super administrator privileges.
2. In the main menu, select Security > Access and data control > Client-side encryption.
3. Under Identity provider configuration, select Configure IdP fallback.
4. Enter the details of your IdP:
   - In the Name field, specify a descriptive name for your IdP that displays in IdP messages for users.
   - In the Client ID field, specify the OpenID Connect (OIDC) client ID that the CSE client application uses to acquire a JSON Web Token (JWT).
     - If you're using a third-party IdP, you generate this ID by using your IdP admin console.
     - If you're using Google identity, you generate this ID by using the Google Cloud Platform (GCP) admin console. For details, go to "Create a client ID for Google identity".
   - In the Discovery URI field, specify the OIDC discovery URL, as defined in the OpenID specification.
     - If you're using a third-party IdP, your IdP provides you with this URL, which usually ends with `/.well-known/openid-configuration`.
     - If you're using Google identity, use `https://accounts.google.com/.well-known/openid-configuration`.

   Note: Configure your Discovery URI to allow origin URLs for cross-origin resource sharing (CORS) calls, as follows:

   Methods: GET

   Allowed origins:
   - https://admin.google.com
   - https://client-side-encryption.google.com
   - https://krahsc.google.com/callback
   - https://krahsc.google.com/oidc/cse/callback
   - https://krahsc.google.com/oidc/drive/callback
   - https://krahsc.google.com/oidc/gmail/callback
   - https://krahsc.google.com/oidc/meet/callback
   - https://krahsc.google.com/oidc/calendar/callback
   - https://krahsc.google.com/oidc/docs/callback
   - https://krahsc.google.com/oidc/sheets/callback
   - https://krahsc.google.com/oidc/slides/callback
   - https://client-side-encryption.google.com/callback
   - https://client-side-encryption.google.com/oidc/cse/callback
   - https://client-side-encryption.google.com/oidc/drive/callback
   - https://client-side-encryption.google.com/oidc/gmail/callback
   - https://client-side-encryption.google.com/oidc/meet/callback
   - https://client-side-encryption.google.com/oidc/calendar/callback
   - https://client-side-encryption.google.com/oidc/docs/callback
   - https://client-side-encryption.google.com/oidc/sheets/callback
   - https://client-side-encryption.google.com/oidc/slides/callback

5. Select Test connection. If Google Workspace can connect to your IdP, the connection success message appears.
6. Select Add provider to close the card.
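The CORS note above is the part of the IdP configuration that is easiest to get wrong: a browser sends only `scheme://host[:port]` in the `Origin` header, never a path, so the callback URLs in the allowlist have to be reduced to their web origin before they can be matched, and the endpoint must echo the one matching origin rather than `*`. The following is an added example, not code from the page, from {{ch}}, or from Google: a pure-Python model of how an IdP's `/.well-known/openid-configuration` endpoint should answer cross-origin requests from the CSE origins listed on the page. The discovery document it serves is constructed sample data with a placeholder issuer (`idp.example.com`).

```python
"""Model of an OIDC discovery endpoint with the CORS allowlist Google CSE needs.

Added example (not the page's or {{ch}}'s code). The discovery document
below is constructed sample data; https://idp.example.com is a placeholder.
"""
import json
from urllib.parse import urlsplit

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Allowed origins exactly as the page lists them for the Discovery URI's CORS policy.
PAGE_ALLOWED_ORIGINS = [
    "https://admin.google.com",
    "https://client-side-encryption.google.com",
    "https://krahsc.google.com/callback",
    "https://krahsc.google.com/oidc/cse/callback",
    "https://krahsc.google.com/oidc/drive/callback",
    "https://krahsc.google.com/oidc/gmail/callback",
    "https://krahsc.google.com/oidc/meet/callback",
    "https://krahsc.google.com/oidc/calendar/callback",
    "https://krahsc.google.com/oidc/docs/callback",
    "https://krahsc.google.com/oidc/sheets/callback",
    "https://krahsc.google.com/oidc/slides/callback",
    "https://client-side-encryption.google.com/callback",
    "https://client-side-encryption.google.com/oidc/cse/callback",
    "https://client-side-encryption.google.com/oidc/drive/callback",
    "https://client-side-encryption.google.com/oidc/gmail/callback",
    "https://client-side-encryption.google.com/oidc/meet/callback",
    "https://client-side-encryption.google.com/oidc/calendar/callback",
    "https://client-side-encryption.google.com/oidc/docs/callback",
    "https://client-side-encryption.google.com/oidc/sheets/callback",
    "https://client-side-encryption.google.com/oidc/slides/callback",
]


def to_origin(url: str) -> str:
    """Reduce a URL to its web origin (scheme://host[:port]).

    Browsers never put a path in the Origin header, so the page's callback
    URLs must be matched on origin only; the path is irrelevant for CORS.
    """
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


# The page's 20 URLs collapse to three distinct origins.
ALLOWED_ORIGINS = frozenset(to_origin(u) for u in PAGE_ALLOWED_ORIGINS)

# Constructed sample discovery document (placeholder issuer and endpoints).
DISCOVERY_DOCUMENT = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def cors_headers(origin):
    """Return the CORS response headers for a request from `origin`.

    An unlisted (or absent) origin gets no CORS headers at all, so the
    browser refuses to expose the response to that page. The matching
    origin is echoed back verbatim; a wildcard would defeat the allowlist.
    """
    if origin is None or origin.lower() not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET",
        "Vary": "Origin",  # responses differ per origin; caches must not mix them
    }


def handle_discovery_request(method: str, path: str, origin=None):
    """Model the discovery endpoint. Returns (status, headers, body)."""
    if path != DISCOVERY_PATH:
        return 404, {}, ""
    headers = cors_headers(origin)
    if method == "OPTIONS":
        # CORS preflight: headers only; unlisted origins get an empty header set.
        return 204, headers, ""
    if method != "GET":
        # The page lists GET as the only method the CSE clients need.
        return 405, {"Allow": "GET, OPTIONS"}, ""
    headers["Content-Type"] = "application/json"
    return 200, headers, json.dumps(DISCOVERY_DOCUMENT)


if __name__ == "__main__":
    for origin in ("https://krahsc.google.com", "https://not-google.example"):
        status, headers, _ = handle_discovery_request("GET", DISCOVERY_PATH, origin)
        print(origin, status, headers.get("Access-Control-Allow-Origin"))
```

When checking a real IdP, compare its response headers for a `GET` on the discovery URI sent with `Origin: https://client-side-encryption.google.com` against this model: the `Access-Control-Allow-Origin` value must equal that origin exactly, and a request from an origin outside the list must come back without the header. The Admin console's Test connection button exercises only the server-to-server path, so a CORS misconfiguration typically surfaces later, as users' CSE clients failing to load the discovery document.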