Identity and access management (IAM)

this section covers the following tasks connect google workspace to an identity provider for client side encryption set up iam in google workspace connect google workspace to an identity provider for client side encryption after you set up your external key service and connect it to google workspace, you need to connect google workspace to your identity provider (idp) you can use any idp that supports oauth your external key service uses the idp to authenticate users before they can encrypt files or access encrypted files choose your idp for cse if you don't already use a third party identity provider (idp) with google workspace, you can set up your idp for use with your key service in any of the following ways use virtucrypt idp this is detailed in the main document choose this if you want to use {{futurex}} virtucrypt as your idp use google identity if your security model doesn't require additional isolation of your encrypted data from google, you can use the default google identity as your idp this setup is detailed in appendix b google idp configuration docid\ mme3zc9jo1ww0tnhgysuw use okta as your idp okta is a popular identity provider that integrates well with google workspace cse this setup is detailed in appendix c configure okta idp docid\ cxuihvqgbbh9 pelq784s use another third party idp use another third party idp that supports the openid connect (oidc) standard ( openid net/connect/ ) you can apply the general principles in the virtucrypt, google, and okta setups to most third party idps choose how to connect to your idp for cse you can set up your idp by using either a well known file that you host on your organization website or the admin console (which is your idp fallback) the following table covers considerations for each method considerations well known setup admin console setup (idp fallback) isolation from google idp settings are stored on your server idp settings are stored on google servers admin responsibilities an idp admin can manage your setup instead of a google workspace super admin only a google workspace super admin can manage your idp setup cse availability cse availability (uptime) depends on the availability of the server that hosts your well known file cse availability corresponds to the general availability of google workspace services ease of setup requires changing dns settings for your server, outside of the admin console configure settings in the admin console sharing outside your organization your collaborator's external key service can easily access your idp settings this access can be automated and ensures your collaborator's service has immediate access to any changes to your idp settings your collaborator's external key service can't access your idp settings in the admin console you must provide your idp settings directly to your collaborator before you share encrypted files for the first time, as well as any time you change your idp settings refer to the following google workspace knowledgebase article for further details on connecting google workspace to an identity provider (idp) https //support google com/a/answer/10743588?hl=en#zippy=%2coption to connect to your idp using a wellknown file set up iam in google workspace you need to turn on google workspace client side encryption (cse) for all users who need to do any of the following create or upload encrypted files to google drive host encrypted meetings with google meet (beta) you don't need to turn on cse for users who only need to view or edit encrypted files or attend meetings however, external users need to use an identity provider (idp) allowlisted by your domain for details, see external user requirements in the about client side encryption section at support google com/a/answer/10741897#requirements to turn on cse for users, you need to turn on cse for the organizational units or configuration groups the users belong to at any time, you can disable cse for users by turning cse off for the organizational units or configuration groups they belong to if you disable cse for users, any existing client side encrypted content remains encrypted and accessible refer to this google workspace knowledge base article ( support google com/a/answer/10745596 ) for instructions on how to perform the following steps for setting up iam for cse in google workspace set the default key service for your organization turn cse on or off for users