Appendix B: Google IdP Configuration

This appendix provides detailed instructions for configuring the Google Identity Provider (IdP) for use with Google Workspace Client-Side Encryption (CSE), including the following tasks:

  1. Configure Google Cloud Console.
  2. Configure for Google IdP.
  3. Configure Google Admin Console.
  4. Review the setup for users, licenses, and organizational units.

Prerequisites

To set up and manage Google Workspace CSE with Google IdP, you must have:

  • Google Admin Rights to access:
    • Google Admin Console
    • Google Cloud Console
  • Google Workspace Access with the necessary licenses to use Client-Side Encryption (CSE)
  • CryptoHub Access to deploy the Google CSE service

Configure Google Cloud Console

Perform the following steps to configure Google Cloud Console:

1. Visit https://console.cloud.google.com/ to access the Google Cloud Console.

2. To create a new project, select [ Create Project ] and configure the following settings:

  • Project Name: Choose a meaningful name for your project.
  • Organization: Select the domain under which this project will be created.
  • Location: Use your domain name (such as futurex.com).

3. After you create the project, go to the Google section on the left-hand menu and select APIs & Services.

4. To create an OAuth 2.0 client, select [ Create Credentials ] and select OAuth Client ID. Then configure the following settings:

  • Select Web Application as the Application Type.
  • Choose an appropriate Name for the OAuth client.

5. For Configure Authorized Redirect URIs, enter all of the following URIs:

  • https://client-side-encryption.google.com/callback
  • https://client-side-encryption.google.com/oidc/cse/callback
  • https://client-side-encryption.google.com/oidc/drive/callback
  • https://client-side-encryption.google.com/oidc/gmail/callback
  • https://client-side-encryption.google.com/oidc/meet/callback
  • https://client-side-encryption.google.com/oidc/calendar/callback
  • https://client-side-encryption.google.com/oidc/docs/callback
  • https://client-side-encryption.google.com/oidc/sheets/callback
  • https://client-side-encryption.google.com/oidc/slides/callback
  • https://krahsc.google.com/callback

6. (Optional) If required, perform the following steps to complete the OAuth consent screen:

  1. Under Application Home Page, enter: https://workspace.google.com/cse
  2. Under Application Privacy Policy, enter: https://policies.google.com/privacy
  3. Under Application Terms of Service, enter: https://policies.google.com/terms
  4. Under Authorized Domains, add:
    • google.com
    • Your organization's domain (such as futurex.com)
  5. For Developer Contact Information, enter your email address.
  6. Under the Audience tab, set the User Type to Internal.

7. After you finish the setup, the system generates a Client ID. Save this Client ID for use in the Admin Console configuration.

Configure for Google IdP

Perform the following steps to configure for Google IdP:

1. Log in to CryptoHub as an Admin.

2. Search for the Google CSE Service and deploy it.

3. During deployment, configure the following details for Service Info:

  • New Users: Enabled by default.
  • Email Domain: Your domain (such as futurex.com).
  • Issuance Policy: Configure as needed (this can be done later).
  • KACLS URL: Populated automatically.
  • Identity Provider Type: Select OpenID Connect.

4. Leave the remaining fields empty and deploy the service.

Configure Google Admin Console

Perform the following steps to configure Google Admin Console:

1. Go to the Google Admin Console at https://admin.google.com/.

2. Go to Data > Compliance > Client-Side Encryption.

3. Perform the following steps to configure the external key service:

  1. Select [ Add ].
  2. Enter a name for your key service.
  3. Enter the URL from CryptoHub (such as https://exampleuser.useast1-cryptohub-uat.virtucrypt.com/v0/key-encrypt/client).
  4. Test the connection to verify it works.

4. Under Identity provider configuration, select [ Configure IdP fallback ] and provide the following information:

  1. Name: A descriptive name (such as Google IdP).
  2. Client ID: The Client ID obtained from the Google Cloud Console.
  3. Discovery URL: https://accounts.google.com/.well-known/openid-configuration
  4. Grant Type: Set to Implicit for Google as the IdP.
  5. Test the connection to verify it works.
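The two settings above that an administrator most often gets subtly wrong are the OAuth client's authorized redirect URIs (from the Cloud Console steps) and the IdP fallback's Discovery URL with the Implicit grant type. The following script is an added example, not CryptoHub, Futurex or Google code, that reviews both offline: it checks every registered redirect URI against the expected Google callback hosts and shows the exact-match comparison an authorization server should apply, and it validates an OpenID Connect discovery document for the fields the Implicit grant depends on. The discovery document embedded in the script is a constructed sample standing in for what the Discovery URL returns, and the set of expected callback hosts is an assumption derived from the redirect URI list in this appendix.

```python
"""Offline sanity checks for the Google IdP settings used by Workspace CSE.

Added example; not CryptoHub, Futurex or Google code. It confirms:

1. Every authorized redirect URI is an exact, HTTPS URI on one of the Google
   callback hosts listed in this appendix, and candidates are compared to the
   registered list by exact string match (no prefix or wildcard matching).
2. The OpenID Connect discovery document advertises what the Implicit grant
   needs: the expected issuer, an HTTPS authorization endpoint, a JWKS URI,
   and `id_token` among the supported response types.

SAMPLE_DISCOVERY is a constructed stand-in for the document served at
https://accounts.google.com/.well-known/openid-configuration.
"""
import json
from urllib.parse import urlsplit

# Authorized redirect URIs from the Cloud Console step, kept as an exact allowlist.
CSE_REDIRECT_URIS = [
    "https://client-side-encryption.google.com/callback",
    "https://client-side-encryption.google.com/oidc/cse/callback",
    "https://client-side-encryption.google.com/oidc/drive/callback",
    "https://client-side-encryption.google.com/oidc/gmail/callback",
    "https://client-side-encryption.google.com/oidc/meet/callback",
    "https://client-side-encryption.google.com/oidc/calendar/callback",
    "https://client-side-encryption.google.com/oidc/docs/callback",
    "https://client-side-encryption.google.com/oidc/sheets/callback",
    "https://client-side-encryption.google.com/oidc/slides/callback",
    "https://krahsc.google.com/callback",
]

# Hosts the CSE callbacks use, derived from the list above (assumption: no others).
EXPECTED_CALLBACK_HOSTS = {"client-side-encryption.google.com", "krahsc.google.com"}

# Constructed sample of an OIDC discovery document (subset of fields only).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "response_types_supported": ["code", "token", "id_token", "code token",
                                 "code id_token", "token id_token",
                                 "code token id_token", "none"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def check_redirect_uri(uri: str) -> list[str]:
    """Return the problems found with one registered redirect URI ([] means OK)."""
    problems = []
    if uri != uri.strip():
        problems.append("leading or trailing whitespace")
    parts = urlsplit(uri.strip())
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.hostname not in EXPECTED_CALLBACK_HOSTS:
        problems.append(f"unexpected host {parts.hostname!r}")
    if "*" in uri:
        problems.append("wildcards are not allowed in redirect URIs")
    if parts.query or parts.fragment:
        problems.append("redirect URI must not carry a query or fragment")
    if not parts.path.endswith("/callback"):
        problems.append("path should end in /callback")
    return problems


def redirect_uri_allowed(candidate: str, allowlist=tuple(CSE_REDIRECT_URIS)) -> bool:
    """Exact-match comparison: a trailing slash or extra query is a different URI."""
    return candidate in allowlist


def check_discovery(doc_json: str, expected_issuer: str = "https://accounts.google.com") -> list[str]:
    """Return the problems found with an OIDC discovery document ([] means OK)."""
    doc = json.loads(doc_json)
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    for field in ("authorization_endpoint", "jwks_uri"):
        if not str(doc.get(field, "")).startswith("https://"):
            problems.append(f"{field} missing or not https")
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("Implicit grant needs id_token in response_types_supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("no RS256 id_token signing advertised")
    return problems


if __name__ == "__main__":
    for uri in CSE_REDIRECT_URIS:
        print(f"{uri}: {check_redirect_uri(uri) or 'OK'}")
    print("discovery:", check_discovery(SAMPLE_DISCOVERY) or "OK")
```

To review a live deployment, replace SAMPLE_DISCOVERY with the JSON fetched from the Discovery URL and the allowlist with the redirect URIs actually registered on the OAuth client; any non-empty result from either check is a configuration to correct before enabling CSE for an organizational unit.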

Review the Setup for Users, Licenses, and Organizational Units

When setting up CSE with Google IdP, ensure that:

  1. You create all users who will use CSE in Google Workspace with appropriate licenses.
  2. Users have the necessary Google Workspace licenses to access CSE functionality.
  3. You properly set up Organizational Units (OUs) to define groups for different encryption policies.
  4. You assign the correct key services to each OU in the Google Admin Console.
  5. You enable CSE for the appropriate OUs with the correct key service selected.

After completing all these steps, your Google CSE with Google IdP integration should be operational. You can test by creating an encrypted document in Google Drive.