Appendix C: Configure Okta IdP

This appendix provides detailed instructions for configuring Okta as the identity provider (IdP) for Google Workspace client-side encryption (CSE).

## Overview

The basic workflow for using Okta with Google Workspace is as follows:

1. Encrypted document creation in Google Docs. When a user opens Google Docs and creates a new document, they can trigger encryption through the Google Workspace encryption add-on or integration.
2. Okta authentication. An Okta sign-in screen appears when Google Workspace requires authentication for encryption. After the user completes the sign-in (including MFA, if configured), Okta authenticates the user and issues a JWT token.
3. Google Workspace communication with the {{futurex}} HSM. After Okta authenticates the user, Google Workspace passes the JWT token to the {{futurex}} HSM, such as {{ch}}. The {{futurex}} HSM verifies the JWT token and performs the requested encryption or decryption operations.

## Set up Okta for Google CSE

Perform the following tasks to set up Okta for Google CSE:

1. Create an Okta application integration.
2. Assign users to the Okta application.
3. Obtain Okta's OpenID configuration URL.

### Create an Okta application integration

Perform the following steps to create an Okta application integration:

1. Go to the Okta Admin Console and log in.
2. Go to Applications > Applications > Create App Integration and configure the following settings:
   - Integration type: select OIDC - OpenID Connect.
   - Application type: select Single-Page Application.
3. To configure the OIDC web integration, configure the following settings:
   - Name: give your application a name (such as Futurex CSE).
   - Proof of possession: leave unchecked.
   - Grant type: select the Authorization Code checkbox (leave the others unchecked).
4. To configure URIs, perform the following steps:
   - For Sign-in redirect URIs, enter all of the following URIs:
     - https://workspace.google.com/cse/auth/callback
     - https://client-side-encryption.google.com/callback
     - https://client-side-encryption.google.com/oidc/cse/callback
     - https://client-side-encryption.google.com/oidc/drive/callback
     - https://client-side-encryption.google.com/oidc/gmail/callback
     - https://client-side-encryption.google.com/oidc/meet/callback
     - https://client-side-encryption.google.com/oidc/calendar/callback
     - https://client-side-encryption.google.com/oidc/docs/callback
     - https://client-side-encryption.google.com/oidc/sheets/callback
     - https://client-side-encryption.google.com/oidc/slides/callback
   - Leave Sign-out redirect URIs and Base URI empty.
5. Save the application. After creation, Okta provides the Client ID and other configuration details.

### Assign users to the Okta application

Perform the following steps to assign users to the Okta application:

1. Go to the Assignments tab in the application.
2. Assign the users who should have access to CSE functionality to the application.
3. Select [Done] to save the assignments.

### Obtain the Okta OpenID configuration URL

Perform the following steps to obtain the Okta OpenID configuration URL:

1. While logged into your Okta environment as an admin, note your admin homepage URL.
2. Append /.well-known/openid-configuration to the admin homepage URL. For example: https://trial-8715115-admin.okta.com/.well-known/openid-configuration
3. Remove -admin from the URL if you use it in the Google Admin console.
4. Optionally, append ?client_id=YOUR_CLIENT_ID to see information specific to your application integration.

## Configure {{ch}} for Okta IdP

To configure the Google CSE service in {{ch}}, configure the following settings:

- Auto-enrollment: enable for users authenticated with Okta, and set the rotation period for CSE keys.
- Email domain: enter your organization's email domain.
- Issuance policy: select a policy for the public/private key pair (for Gmail users).
- Identity provider type: select OpenID Connect.
- OpenID Connect URL: enter your Okta well-known OpenID Connect URL, for example https://trial-8715115.okta.com/.well-known/openid-configuration. Do not include -admin in this URL.

## Configure the Google Admin console

Perform the following steps to configure the Google Admin console:

1. Go to Data > Compliance > Client-side encryption and add your CryptoHub external key service URL, making it the default key service.
2. Go to Data > Compliance > CSE > IdP configuration and configure the following settings:
   - Name: Okta
   - Client ID: the Client ID from your Okta application.
   - Discovery URL: your Okta OpenID discovery URL (without -admin).
   - Grant type: Authorization code with PKCE.
3. Test the connection to ensure it works.

## (Optional) Configure Gmail

If you need to use CSE with Gmail, perform the following steps to complete the additional configuration:

1. Create a service account in the Google Cloud console:
   1. Go to IAM & Admin > Service Accounts.
   2. Create a service account.
   3. Generate a key.
   4. Download the JSON file.
2. Import the key to {{ch}}: enter or upload the service account information in {{ch}}.
3. Use the {{ch}} PKI functionality to create a root and issuing CA.
4. Import the root CA as a trusted root in Google Admin under Apps > Google Workspace > Gmail. It takes up to 24 hours for Google to verify and validate the root CA.

## Conclusion

After completing the preceding steps, your Google CSE with Okta IdP integration should be operational. When users create or access encrypted content, the system prompts them to authenticate with Okta.
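As an added pre-flight check written for this appendix (not part of {{ch}} or Okta), the following Python validates the two values the steps above are most particular about: the full set of sign-in redirect URIs on the Okta application, and a discovery URL that uses the org host rather than the -admin host and advertises the authorization code grant with PKCE. The discovery document is a constructed sample; in practice you would fetch the URL and pass in the parsed JSON.

```python
# Added example (not CryptoHub or Okta tooling): stdlib-only checks on the values entered above.
from urllib.parse import urlparse

# The sign-in redirect URIs Google Workspace CSE needs on the Okta app.
REQUIRED_REDIRECT_URIS = frozenset({
    "https://workspace.google.com/cse/auth/callback",
    "https://client-side-encryption.google.com/callback",
    "https://client-side-encryption.google.com/oidc/cse/callback",
    "https://client-side-encryption.google.com/oidc/drive/callback",
    "https://client-side-encryption.google.com/oidc/gmail/callback",
    "https://client-side-encryption.google.com/oidc/meet/callback",
    "https://client-side-encryption.google.com/oidc/calendar/callback",
    "https://client-side-encryption.google.com/oidc/docs/callback",
    "https://client-side-encryption.google.com/oidc/sheets/callback",
    "https://client-side-encryption.google.com/oidc/slides/callback",
})

# Constructed sample in the shape of an Okta org-level discovery document.
SAMPLE_DISCOVERY = {
    "issuer": "https://example-org.okta.com",
    "jwks_uri": "https://example-org.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["S256"],
}

def missing_redirect_uris(configured):
    """Required sign-in redirect URIs that are not yet on the Okta app."""
    return sorted(REQUIRED_REDIRECT_URIS - set(configured))

def discovery_url_problems(url, doc):
    """Check a discovery URL plus its fetched JSON against the CSE settings.
    Empty result: usable as the CryptoHub OpenID Connect URL and the Google Admin
    console Discovery URL. The path check follows the org-level form shown above."""
    parsed = urlparse(url)
    problems = []
    if "-admin." in parsed.netloc:  # the admin homepage host must not be used
        problems.append("URL uses the -admin host; remove -admin")
    if parsed.path != "/.well-known/openid-configuration":
        problems.append("path must be /.well-known/openid-configuration")
    if doc.get("issuer") != f"{parsed.scheme}://{parsed.netloc}":
        problems.append(f"issuer {doc.get('issuer')!r} does not match the URL host")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code grant is not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 is not advertised")
    if not str(doc.get("jwks_uri", "")).startswith("https://"):
        problems.append("jwks_uri missing, so the HSM cannot verify the JWT")
    return problems
```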