Google Workspace CSE

Appendix B: Google IdP Configuration

This appendix provides detailed instructions for configuring the Google identity provider (IdP) for use with Google Workspace client-side encryption (CSE). It covers the following tasks:

- Configure Google Cloud Console
- Configure CryptoHub for Google IdP
- Configure Google Admin Console
- Review the setup for users, licenses, and organizational units

Prerequisites

To set up and manage Google Workspace CSE with Google IdP, you must have:

- Google admin rights to access Google Admin Console and Google Cloud Console
- Google Workspace access with the necessary licenses to use client-side encryption (CSE)
- CryptoHub access to deploy the Google CSE service

Configure Google Cloud Console

Perform the following steps to configure Google Cloud Console:

1. Go to https://console.cloud.google.com/ to open the Google Cloud Console.
2. To create a new project, select \[ Create project ] and configure the following settings:
   - Project name: choose a meaningful name for your project.
   - Organization: select the domain under which this project will be created.
   - Location: use your domain name (such as futurex.com).
3. After you create the project, go to the Google section of the left-hand menu and select APIs & Services.
4. To create an OAuth 2.0 client, select \[ Create credentials ] and then OAuth client ID. Configure the following settings:
   - Application type: Web application.
   - Name: choose an appropriate name for the OAuth client.
   - Authorized redirect URIs: enter all of the following URIs:
     - https://client-side-encryption.google.com/callback
     - https://client-side-encryption.google.com/oidc/cse/callback
     - https://client-side-encryption.google.com/oidc/drive/callback
     - https://client-side-encryption.google.com/oidc/gmail/callback
     - https://client-side-encryption.google.com/oidc/meet/callback
     - https://client-side-encryption.google.com/oidc/calendar/callback
     - https://client-side-encryption.google.com/oidc/docs/callback
     - https://client-side-encryption.google.com/oidc/sheets/callback
     - https://client-side-encryption.google.com/oidc/slides/callback
     - https://krahsc.google.com/callback (optional)

   Google matches redirect URIs exactly, so enter them as listed, without trailing slashes or extra path segments.
5. If required, complete the OAuth consent screen:
   - Application home page: https://workspace.google.com/cse
   - Application privacy policy: https://policies.google.com/privacy
   - Application terms of service: https://policies.google.com/terms
   - Authorized domains: add google.com and your organization's domain (such as futurex.com).
   - Developer contact information: enter your email address.
   - Under the Audience tab, set the user type to Internal. Internal restricts sign-in through this client to accounts in your own Google Workspace organization.
6. After you finish the setup, the system generates a client ID that looks similar to the following sample:

   147413232810-0o2adc04gmh9rusgluls475ii955j4o8.apps.googleusercontent.com

   Save this client ID for use in the Admin Console configuration.

Configure CryptoHub for Google IdP

Perform the following steps to configure CryptoHub for Google IdP:

1. Log in to CryptoHub as an admin.
2. Search for the Google CSE service and deploy it.
3. During deployment, configure the following details:
   - Service info:
     - New users: enabled by default
     - Email domain: your domain (such as futurex.com)
     - Issuance policy: configure as needed (this can be done later)
     - KACLS URL: populated automatically
   - Identity provider:
     - Type: OpenID Connect
     - OpenID Connect URL: https://accounts.google.com/o/oauth2/v2/auth
4. Leave the remaining fields empty and deploy the service.

Configure Google Admin Console

Perform the following steps to configure Google Admin Console:

1. Go to the Google Admin Console at https://admin.google.com/.
2. Go to Data > Compliance > Client-side encryption.
3. Configure the external key service:
   - Select \[ Add ].
   - Enter a name for your key service.
   - Enter the URL from CryptoHub (such as https://exampleuser.useast1.cryptohub.uat.virtucrypt.com/v0/key-encrypt/client).
   - Test the connection to verify that it works.
4. Under Identity provider configuration, select \[ Configure IdP fallback ] and provide the following information:
   - Name: a descriptive name (such as Google IdP)
   - Client ID: the client ID obtained from the Google Cloud Console
   - Discovery URL: https://accounts.google.com/.well-known/openid-configuration
   - Grant type: set to implicit for Google as the IdP
5. Test the connection to verify that it works.

Review the setup for users, licenses, and organizational units

When setting up CSE with Google IdP, ensure that:

- All users who will use CSE exist in Google Workspace with appropriate licenses.
- Users have the necessary Google Workspace licenses to access CSE functionality.
- Organizational units (OUs) are set up to define groups for different encryption policies.
- The correct key service is assigned to each OU in the Google Admin Console.
- CSE is enabled for the appropriate OUs with the correct key service selected.

After completing all these steps, your Google CSE with Google IdP integration should be operational. You can test it by creating an encrypted document in Google Drive.
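The values entered in the CryptoHub and Admin Console steps above (the issuer advertised by the discovery URL, the OAuth client ID, and the email domain on the CryptoHub Google CSE service) are exactly what a key access control list service (KACLS) pins when it evaluates the authentication token that the Google IdP attaches to each key request. The following Python is an added illustration of those claim checks; it is not CryptoHub's code, and this page documents nothing about CryptoHub's internals. The issuer set, the client ID (the page's sample, not a real one), the allowed domain and the token itself are constructed for the example, and RS256 signature verification against the JWKS named in the discovery document is assumed to happen before these checks run.

```python
import base64
import json
import time

# Constructed placeholders standing in for the settings made in this appendix:
# the issuer that https://accounts.google.com/.well-known/openid-configuration
# advertises, the OAuth client ID created in Google Cloud Console (the page's
# sample value, not a real client), and the email domain configured on the
# CryptoHub Google CSE service.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
CLIENT_ID = "147413232810-0o2adc04gmh9rusgluls475ii955j4o8.apps.googleusercontent.com"
ALLOWED_EMAIL_DOMAINS = {"futurex.com"}

SAMPLE_NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a compact JWT without trusting them.

    Signature verification is deliberately not done here: a real KACLS must
    first verify the RS256 signature against the jwks_uri from the discovery
    document and only then evaluate the claims. That needs network access, so
    it is assumed to have happened before this function is called.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") == "none":
        raise ValueError("unsigned tokens are never acceptable")
    return json.loads(_b64url_decode(parts[1]))


def check_authentication_token(claims: dict, now=None, client_id: str = CLIENT_ID,
                               allowed_domains=ALLOWED_EMAIL_DOMAINS) -> list:
    """Return every reason the token must be rejected; an empty list means accept."""
    now = time.time() if now is None else now
    problems = []

    # iss must be Google; the discovery URL configured in Admin Console pins this.
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append(f"iss {claims.get('iss')!r} is not Google")

    # aud must name the OAuth client ID created in Google Cloud Console, so a
    # token minted for some other client in the same Google org is refused.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not contain the configured OAuth client ID")

    # exp is checked against the KACLS clock; an expired token unlocks nothing.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp is missing or the token has expired")

    # email must belong to the domain configured on the CryptoHub service.
    email = claims.get("email") or ""
    _, at, domain = email.rpartition("@")
    if not at or domain.lower() not in allowed_domains:
        problems.append(f"email domain {domain!r} is not an allowed CSE domain")

    return problems


def constructed_token(**overrides) -> str:
    """Build a sample authentication token with a dummy signature (constructed test data)."""
    claims = {
        "iss": "https://accounts.google.com",
        "aud": CLIENT_ID,
        "sub": "110000000000000000001",
        "email": "alice@futurex.com",
        "iat": SAMPLE_NOW - 60,
        "exp": SAMPLE_NOW + 3540,
    }
    claims.update(overrides)
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    fake_signature = _b64url_encode(b"\x00" * 256)  # placeholder, never verified here
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     fake_signature])


def validate(token: str, now=SAMPLE_NOW) -> list:
    return check_authentication_token(decode_jwt_claims(token), now=now)


if __name__ == "__main__":
    print("valid token:", validate(constructed_token()))
    print("wrong audience:", validate(constructed_token(aud="some-other-client")))
    print("foreign domain:", validate(constructed_token(email="mallory@example.net")))
```

Every failed check is reported rather than only the first, which makes the reason visible when the IdP fallback test in Admin Console fails because, for example, the client ID pasted into CryptoHub or Admin Console is not the one the consent screen issued.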