Appendix C: Configure Okta IdP

This appendix provides detailed instructions for configuring Okta as the Identity Provider (IdP) for Google Workspace Client-Side Encryption (CSE).

The following overview details the basic workflow for using Okta with Google Workspace:

  1. Encrypted document creation in Google Docs
    • When a user opens Google Docs and creates a new document, they can trigger encryption through the Google Workspace encryption add-on or integration.
  2. Okta authentication
    • An Okta sign-in screen appears when Google Workspace requires authentication for encryption.
    • Okta authenticates the user and issues a JWT token after the user completes the sign-in (including MFA if configured).
  3. Google Workspace communication with the Futurex HSM
    • After Okta authenticates the user, Google Workspace passes the JWT token to the HSM, such as .
    • The HSM verifies the JWT token and performs the requested encryption or decryption operations.

Set Up Okta for Google CSE

Perform the following tasks to set up Okta for Google CSE:

  1. Create an Okta application integration.
  2. Assign users to the Okta application.
  3. Obtain Okta's OpenID configuration URL.

Create an Okta application integration

Perform the following steps to create an Okta application integration:

1. Go to the Okta Admin console and log in.

2. Go to Applications > Applications > Create App integration and configure the following settings:

  • Integration Type: select OIDC - OpenID Connect
  • Application Type: select Single-Page Application

3. Configure the following OIDC web integration settings:

  1. Name: Give your application a name (such as Futurex CSE)
  2. Proof of possession: Leave unchecked
  3. Grant type: Select the Authorization Code checkbox (leave others unchecked)

4. Configure the following URIs:

  1. For Sign-in Redirect URIs, enter all the following URIs:
    • https://workspace.google.com/cse/auth/callback
    • https://client-side-encryption.google.com/callback
    • https://client-side-encryption.google.com/oidc/cse/callback
    • https://client-side-encryption.google.com/oidc/drive/callback
    • https://client-side-encryption.google.com/oidc/gmail/callback
    • https://client-side-encryption.google.com/oidc/meet/callback
    • https://client-side-encryption.google.com/oidc/calendar/callback
    • https://client-side-encryption.google.com/oidc/docs/callback
    • https://client-side-encryption.google.com/oidc/sheets/callback
    • https://client-side-encryption.google.com/oidc/slides/callback
  2. Leave Sign-out redirect URLs and BaseURI empty.

5. Save the application.

After creation, Okta provides the Client ID and other configuration details.

Assign users to the Okta application

Perform the following steps to assign users to the Okta application:

1. Go to the Assignments tab in the application.

2. Assign users who should have access to CSE functionality to the application.

3. Select [ Done ] to save the assignments.

Obtain the Okta OpenID configuration URL

Perform the following steps to obtain the Okta OpenID configuration URL:

1. While logged into your Okta environment as an Admin, note your Admin homepage URL.

2. Append /.well-known/openid-configuration to the Admin homepage URL.

For example: https://trial-8715115-admin.okta.com/.well-known/openid-configuration

Remove -admin from the URL before you use it in the Google Admin console.

3. Optionally, append ?client_id=YOUR_CLIENT_ID to see information specific to your application integration.

Configure for Okta IdP

To configure the Google CSE service in , configure the following settings:

  • Auto enrollment: Enable for users authenticated with Okta.
  • Set the rotation period for CSE keys.
  • Email domain: Enter your organization's email domain.
  • Issuance policy: Select a policy for the public/private key pair (for Gmail users).
  • Identity provider type: Select OpenID Connect.
  • OpenID Connect URL: Enter your Okta well-known OpenID Connect URL.
    • For example: https://trial-8715115.okta.com/.well-known/openid-configuration
    • Do not include -admin in this URL.

Configure Google Admin Console

Perform the following steps to configure Google Admin Console:

1. Go to Data > Compliance > Client-side Encryption and add your CryptoHub external key service URL, making it the default key service.

2. Go to Data > Compliance > CSE > IdP configuration and configure the following settings:

  • Name: Okta
  • Client ID: The Client ID from your Okta application
  • Discovery URL: Your Okta OpenID discovery URL (without -admin)
  • Grant type: Authorization code with PKCE

Test the connection to ensure it works.
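Before you test the connection, the discovery URL derived in the steps above and the IdP settings just entered (client ID, discovery URL without -admin, authorization code with PKCE) can be sanity-checked offline. The following Python script is an added example, not part of this appendix and not Futurex, Okta or Google tooling. It assumes the OIDC Discovery rule that the issuer equals the discovery URL minus its well-known path; the sample discovery documents are constructed, the 0oaEXAMPLE client ID is a placeholder, and treating S256 PKCE and the openid scope as required is this example's reading of the "Authorization code with PKCE" grant type configured in Google Admin.

```python
"""Preflight checks for the Okta discovery URL and app settings that Google CSE needs."""
import json
from urllib.parse import urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"

# Callback URIs this appendix says must be registered on the Okta app.
REQUIRED_REDIRECT_URIS = frozenset({
    "https://workspace.google.com/cse/auth/callback",
    "https://client-side-encryption.google.com/callback",
    "https://client-side-encryption.google.com/oidc/cse/callback",
    "https://client-side-encryption.google.com/oidc/drive/callback",
    "https://client-side-encryption.google.com/oidc/gmail/callback",
    "https://client-side-encryption.google.com/oidc/meet/callback",
    "https://client-side-encryption.google.com/oidc/calendar/callback",
    "https://client-side-encryption.google.com/oidc/docs/callback",
    "https://client-side-encryption.google.com/oidc/sheets/callback",
    "https://client-side-encryption.google.com/oidc/slides/callback",
})


def discovery_url(admin_homepage_url: str, client_id: str = "") -> str:
    """Turn the Okta Admin homepage URL into the discovery URL Google Admin expects.

    The '-admin' suffix is removed from the org host label, any path or query on the
    input is discarded, and ?client_id= is appended only when a client ID is given.
    """
    parts = urlsplit(admin_homepage_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https Okta URL")
    labels = parts.hostname.split(".")
    if labels[0].endswith("-admin"):
        labels[0] = labels[0][: -len("-admin")]
    query = urlencode({"client_id": client_id}) if client_id else ""
    return urlunsplit(("https", ".".join(labels), WELL_KNOWN, query, ""))


def expected_issuer(disc_url: str) -> str:
    """OIDC Discovery: the issuer must equal the discovery URL minus the well-known path."""
    base = disc_url.split("?", 1)[0]
    return base[: -len(WELL_KNOWN)] if base.endswith(WELL_KNOWN) else base


def check_discovery(doc: dict, disc_url: str) -> list:
    """Return the problems found; an empty list means the document looks usable for CSE."""
    problems = []
    for field in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(field, "")).startswith("https://"):
            problems.append(f"{field} is missing or not https")
    issuer = str(doc.get("issuer", ""))
    if issuer.rstrip("/") != expected_issuer(disc_url).rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match the discovery URL")
    if "-admin." in issuer:
        problems.append("issuer is the -admin host; use the non-admin org URL")
    # Google Admin is configured for "Authorization code with PKCE" (assumed S256).
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant is not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 is not advertised")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("openid scope is not advertised")
    return problems


def missing_redirect_uris(configured: list) -> list:
    """Required Google CSE callback URIs absent from the Okta app's sign-in redirect list."""
    return sorted(REQUIRED_REDIRECT_URIS - set(configured))


def fetch_discovery(disc_url: str) -> dict:
    """Download the live document (needs network access; the offline demo below does not call it)."""
    with urlopen(disc_url, timeout=10) as resp:
        return json.load(resp)


# Constructed sample documents for the offline demo, not real Okta responses.
GOOD_DOC = {
    "issuer": "https://trial-8715115.okta.com",
    "authorization_endpoint": "https://trial-8715115.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://trial-8715115.okta.com/oauth2/v1/token",
    "jwks_uri": "https://trial-8715115.okta.com/oauth2/v1/keys",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "email", "profile"],
}
# Same document with the two mistakes this appendix warns about: the -admin host and no PKCE.
BAD_DOC = {**GOOD_DOC, "issuer": "https://trial-8715115-admin.okta.com",
           "code_challenge_methods_supported": []}

if __name__ == "__main__":
    url = discovery_url("https://trial-8715115-admin.okta.com/admin/dashboard")
    print("discovery URL:", url)
    print("good document:", check_discovery(GOOD_DOC, url) or "no problems")
    print("bad document:", check_discovery(BAD_DOC, url))
    print("missing redirect URIs:",
          missing_redirect_uris(["https://workspace.google.com/cse/auth/callback"]))
```

To run it against your own tenant, pass the Admin homepage URL to discovery_url, then feed fetch_discovery(url) to check_discovery; the redirect URI check takes the list you entered in the Okta app's Sign-in redirect URIs field.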

(Optional) Configure Gmail

If you need to use CSE with Gmail, perform the following steps to complete the additional configuration:

1. To create a service account in Google Cloud Console, perform the following steps:

  1. Go to IAM & Admin > Service accounts.
  2. Create a Service account.
  3. Generate a key.
  4. Download the JSON file.

2. To import the key to , enter or upload the service account information in .

3. Use the PKI functionality to create a root and issuing CA.

4. Import the Root CA as a trusted root in Google Admin under Apps > Google Workspace > Gmail.

It takes up to 24 hours for Google to verify and validate the Root CA.

Conclusion

After completing the preceding steps, your Google CSE with Okta IdP integration should be operational. Then, when users create or access encrypted content, the system prompts them to authenticate with Okta.