Identity and access management (IAM)
This section covers the following tasks:
- Connect Google Workspace to an identity provider for client-side encryption.
- Set up IAM in Google Workspace.
After you set up your external key service and connect it to Google Workspace, you need to connect Google Workspace to your identity provider (IdP). You can use any IdP that supports OAuth. Your external key service uses the IdP to authenticate users before they can encrypt files or access encrypted files.
If you don't already use a third-party identity provider (IdP) with Google Workspace, you can set up your IdP for use with your key service in any of the following ways:
- Use VirtuCrypt IdP: This is detailed in the main document. Choose this if you want to use VirtuCrypt as your IdP.
- Use Google identity: If your security model doesn't require additional isolation of your encrypted data from Google, you can use the default Google identity as your IdP. This setup is detailed in Appendix B: Google IdP Configuration.
- Use Okta as your IdP: Okta is a popular identity provider that integrates well with Google Workspace CSE. This setup is detailed in Appendix C: Configure Okta IdP.
- Use another third-party IdP: Use another third-party IdP that supports the OpenID Connect (OIDC) standard. You can apply the general principles in the VirtuCrypt, Google, and Okta setups to most third-party IdPs.
You can set up your IdP by using either a .well-known file that you host on your organization's website or the Admin console (which serves as your IdP fallback). The following table covers the considerations for each method:
Considerations | .well-known setup | Admin console setup (IdP fallback) |
---|---|---|
Isolation from Google | IdP settings are stored on your server. | IdP settings are stored on Google servers. |
Admin responsibilities | An IdP admin can manage your setup instead of a Google Workspace Super Admin. | Only a Google Workspace Super Admin can manage your IdP setup. |
CSE availability | CSE availability (uptime) depends on the availability of the server that hosts your .well-known file. | CSE availability corresponds to the general availability of Google Workspace services. |
Ease of setup | Requires changing DNS settings for your server, outside of the Admin console. | Configure settings in the Admin console. |
Sharing outside your organization | Your collaborator's external key service can easily access your IdP settings. This access can be automated and ensures your collaborator's service has immediate access to any changes to your IdP settings. | Your collaborator's external key service can't access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator before you share encrypted files for the first time, as well as any time you change your IdP settings. |
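Whichever method you choose, the same IdP settings are involved: an IdP name, the OAuth client ID, the OIDC discovery URI and the grant type. The following Python check is an added example, not part of this document or of any VirtuCrypt or Google tool; it validates a constructed .well-known cse-configuration file together with the OIDC discovery document it points to before you publish it. The field names (`name`, `client_id`, `discovery_uri`, `grant_type`) are assumed from Google's CSE setup guide and should be verified against Google's current documentation.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a .well-known/cse-configuration file. The key names are
# assumed from Google's CSE setup guide; the values are placeholders only.
SAMPLE_CSE_CONFIG = json.dumps({
    "name": "Example IdP",
    "client_id": "example-client-id",  # placeholder, not a real client ID
    "discovery_uri": "https://idp.example.com/.well-known/openid-configuration",
    "grant_type": "implicit",
})

# Constructed sample of the OIDC discovery document the discovery_uri would return.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED_CSE_KEYS = ("name", "client_id", "discovery_uri", "grant_type")
REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "jwks_uri")


def check_cse_configuration(cse_json: str, discovery_json: str) -> list[str]:
    """Return a list of findings; an empty list means the configuration looks sound."""
    findings = []
    cfg = json.loads(cse_json)
    for key in REQUIRED_CSE_KEYS:
        if not cfg.get(key):
            findings.append(f"cse-configuration: missing or empty '{key}'")
    uri = urlparse(cfg.get("discovery_uri", ""))
    if uri.scheme != "https":
        findings.append("discovery_uri must use https (the key service fetches it to verify tokens)")
    if not uri.path.endswith("/.well-known/openid-configuration"):
        findings.append("discovery_uri does not point at an OIDC discovery document")
    disc = json.loads(discovery_json)
    for key in REQUIRED_DISCOVERY_KEYS:
        if not disc.get(key):
            findings.append(f"discovery document: missing '{key}'")
    # The issuer must live on the same origin as the discovery URI; a mismatch
    # means tokens would be validated against a different authority than expected.
    issuer = disc.get("issuer", "")
    if uri.scheme and not issuer.startswith(f"{uri.scheme}://{uri.netloc}"):
        findings.append(f"issuer '{issuer}' does not match discovery_uri host '{uri.netloc}'")
    if cfg.get("grant_type") == "implicit" and "id_token" not in disc.get("response_types_supported", []):
        findings.append("implicit grant selected but the IdP does not advertise the id_token response type")
    return findings
```

Run the check against the file you intend to host; an empty result means the sample passes, and each finding names the setting to correct.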
Refer to the following Google Workspace knowledge base article for further details on connecting Google Workspace to an identity provider (IdP):
You need to turn on Google Workspace Client-side encryption (CSE) for all users who need to do any of the following:
- Create or upload encrypted files to Google Drive
- Host encrypted meetings with Google Meet (beta)
You don't need to turn on CSE for users who only need to view or edit encrypted files or attend meetings. However, external users need to use an identity provider (IdP) allowlisted by your domain. For details, see External user requirements in About client-side encryption.
To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups the users belong to.
At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible.
Refer to this Google Workspace knowledge base article for instructions on how to perform the following steps for setting up IAM for CSE in Google Workspace:
- Set the default key service for your organization
- Turn CSE on or off for users