Identity and access management (IAM)
After you set up your external key service and connect it to Google Workspace, you need to connect Google Workspace to your identity provider (IdP). Any IdP that supports OAuth can be utilized. Your external key service uses the IdP to authenticate users before they can encrypt files or access encrypted files.
If you don't already use a third-party identity provider (IdP) with Google Workspace, you can set up your IdP for use with your key service in either of two ways:
- Use a third-party IdP (recommended) - Use a third-party IdP if your security model requires more isolation of your encrypted data from Google.
- Use Google identity - If your security model doesn't require additional isolation of your encrypted data from Google, you can use the default Google identity as your IdP.
You can set up your IdP—either a third party IdP or Google identity—using either a .well-known file that you host on your organization's website or the Admin console (which is your IdP fallback). There are several considerations for each method, as described in the table below.
Considerations | .well-known setup | Admin console setup (IdP fallback) |
|---|---|---|
Isolation from Google | IdP settings are stored on your own server. | IdP settings are stored on Google servers. |
Admin responsibilities | An IdP admin can manage your setup instead of a Google Workspace Super Admin. | Only a Google Workspace Super Admin can manage your IdP setup. |
CSE availability | CSE availability (uptime) depends on availability of the server that hosts your .well-known file. | CSE availability corresponds to the general availability of Google Workspace services. |
Ease of setup | Requires changing DNS settings for your server, outside of the Admin console. | Configure settings in the Admin console. |
Sharing outside your organization | Your collaborator's external key service can easily access your IdP settings. This access can be automated and ensures your collaborator's service has immediate access to any changes to your IdP settings. | Your collaborator's external key service can't access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator before you share encrypted files for the first time, as well as any time you change your IdP settings. |
Please refer to the following Google Workspace knowledgebase article for further details on connecting Google Workspace to an identity provider (IdP):
You need to turn on Google Workspace Client-side encryption (CSE) for all users who need to do any of the following:
- Create or upload encrypted files to Google Drive
- Host encrypted meetings with Google Meet (beta)
You don't need to turn on CSE for users who only need to view or edit encrypted files or attend meetings. However, external users need to use an identity provider (IdP) allowlisted by your domain. For details, see "External user requirements" in About client-side encryption.
To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups the users belong to.
At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible.
Please refer to this Google Workspace knowledge base article for instructions on how to perform the following steps for setting up IAM for CSE in Google Workspace:
- Set the default key service for your organization
- Turn CSE on or off for users