# Configure Identity and Access Management
After you set up your external key service and connect it to Google Workspace, you need to connect Google Workspace to your IdP. You can use any IdP that supports OAuth. Your external key service uses the IdP to authenticate users before they can encrypt files or access encrypted files. This section shows how to configure identity and access management (IAM).

## Choose your IdP for CSE

If you don't already use a third-party IdP with Google Workspace, choose one of the following options to set up your key service IdP:

- Use a third-party IdP (recommended). Use this method if your security model requires more isolation of your encrypted data from Google.
- Use Google identity. Use this method if your security model doesn't require additional isolation of your encrypted data from Google.

## Choose how to connect to your IdP for CSE

You can set up your IdP (either a third-party IdP or Google identity) by using either a well-known file that you host on your organization's website or the Admin console (which is your IdP fallback). The following table describes the considerations for each method.

| Considerations | Well-known setup | Admin console setup (IdP fallback) |
|---|---|---|
| Isolation from Google | IdP settings are stored on your server. | IdP settings are stored on Google servers. |
| Admin responsibilities | An IdP admin can manage your setup instead of a Google Workspace super admin. | Only a Google Workspace super admin can manage your IdP setup. |
| CSE availability | CSE availability (uptime) depends on the availability of the server that hosts your well-known file. | CSE availability corresponds to the general availability of Google Workspace services. |
| Ease of setup | Requires changing DNS settings for your server outside of the Admin console. | Configure settings in the Admin console. |
| Sharing outside your organization | Your collaborator's external key service can easily access your IdP settings. You can automate this access and ensure your collaborator's service has immediate access to any changes to your IdP settings. | Your collaborator's external key service can't access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator, both before sharing encrypted files for the first time and whenever you change your IdP settings. |

Refer to the following Google Workspace knowledge base article for further details on connecting Google Workspace to an IdP: https://support.google.com/a/answer/10743588?hl=en#zippy=%2Coption-to-connect-to-your-idp-using-a-well-known-file

## Set up IAM on the {{k3}}

You must create two different IdPs on the {{k3}}. Configure one with the authentication JSON Web Token (JWT) that the IdP issues to attest a user identity, and configure the other with the authorization JWT that Google issues to verify that the caller is authorized to encrypt or decrypt a resource. In addition to creating the IdPs, you must create a new role for Google CSE and new identities for all users in your organization who need to use Google CSE.

To set up IAM, perform the following tasks described in this section:

1. Create the authentication JWT IdP
2. Create the authorization JWT IdP
3. Create the CSE role definition
4. Create an identity for the CSE user
5. Set up IAM in Google Workspace

### Create the authentication JWT IdP

Perform the following steps to create an authentication JWT IdP to allow the identity partner to attest a user's identity. (In this procedure, {{vc}} serves as the identity partner.)

1. Go to Identity Management > Identity Providers, right-click the background, and select Add > Provider > JSON Web Token.
2. On the Info tab of the Identity Provider Editor window, specify a name for the IdP and deselect the Enforce Dual Factor checkbox.
3. On the JWT Options tab, you can specify an issuer and set leeway and max validity values according to your requirements. The Issuer field is optional, but if you use {{vc}} as the IdP, set this field to vip.
4. On the JWT Key tab, select the JSON Web Key Set (JWKS) radio button. Two new fields populate in the dialog: JWKS URL and TLS PKI. The JWKS URL is a read-only endpoint URL that points to a list of public keys that verify JSON Web Tokens (JWT). You don't need to configure a CA certificate in the TLS PKI field if trusted public internet CAs can verify the domain configured in the JWKS URL field. However, if you have set up a JWK on your LAN, you must select the custom CA certificate used to sign the domain specified in the JWKS URL field. For the {{vc}} use case, leave the TLS PKI field blank, because vip.virtucrypt.com has a certificate issued by a trusted public internet CA. If your use case requires you to configure a custom CA certificate, you must download and then copy that certificate to the storage medium configured on the {{k}} and import the certificate into a certificate container in the PKI > Certificate Authorities menu. After you do that, you can browse and select the certificate in the TLS PKI field.
5. Select [OK] to save.
6. Right-click the IdP that you created and select Add > Mechanism > JSON Web Token.
7. On the Info tab of the Authentication Mechanism Editor window, specify a name for the authentication mechanism.
8. Leave the default settings on the Identifiers and Claims tabs, and select [OK] to save.

### Create the authorization JWT IdP

Perform the following steps to create an authorization JWT IdP to enable Google to verify that the caller is authorized to encrypt or decrypt a resource.

1. Go to Identity Management > Identity Providers, right-click the background, and select Add > Provider > JSON Web Token.
2. On the Info tab of the Identity Provider Editor window, specify a name for the IdP and deselect the Enforce Dual Factor checkbox.
3. On the JWT Options tab, you can specify an issuer and set leeway and max validity values according to your requirements. The Issuer field is optional, but an appropriate value might be gsuitecse-tokenissuer-drive@system.gserviceaccount.com.
4. On the JWT Key tab, select JWKS and then specify https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-drive@system.gserviceaccount.com in the JWKS URL field. Leave TLS PKI blank, because trusted public internet CAs can verify the www.googleapis.com domain; therefore, you don't need to configure a custom CA certificate.
5. Select [OK] to save.
6. Right-click the IdP that you created and select Add > Mechanism > JSON Web Token.
7. On the Info tab of the Authentication Mechanism Editor window, specify a name for the authentication mechanism.
8. Leave the default settings on the Identifiers and Claims tabs, and select [OK] to save.

### Create the CSE role definition

Perform the following steps to create the role definition for CSE.

1. Go to the Identity Management > Roles menu and select [Add].
2. In the Role Editor window, specify a name for the role, set the Role Class to Principal, and set Logins Required to 1.

   Principal roles have view permissions on any objects created by that principal role. This makes sharing encrypted documents possible within an organization, because all CSE users are assigned the same principal role. For example, suppose one CSE user in your organization shares a document with another CSE user. The second CSE user's browser can decrypt the document by using the first user's personal key, because the shared CSE principal role created that personal key. However, all encrypted documents that the second user creates are encrypted with their own personal key.
3. On the Permissions tab, select the following permissions:

   | Permission | Subpermission |
   |---|---|
   | Cryptographic Operations | Unwrap, Wrap |
   | Keys | Only the top-level Keys permission |

4. On the Advanced tab, leave the values set to the default settings.
5. Select [OK] to finish creating the role.

### Create an identity for the CSE user

1. Go to the Identity Management > Identities menu, right-click the background, and select Add > User.
2. Leave Storage set to Application.
3. In the Name field, enter the email address the CSE user uses to log into Google Workspace.
4. On the Assigned Roles tab, select the role that you just created.
5. On the Device Info tab, leave the values set to the default settings.
6. On the Authentication tab, select [Add] to add the following credentials: the authentication JWT IdP and the authorization JWT IdP. Remove the default password credential after configuring the authentication and authorization JWT credentials.
7. Select [OK] to finish creating the identity.

## Set up IAM in Google Workspace

You must turn on Google Workspace client-side encryption (CSE) for all users who need to do any of the following tasks:

- Create or upload encrypted files to Google Drive
- Host encrypted meetings with Google Meet (beta)

You don't need to enable CSE for users who only need to view or edit encrypted files or attend meetings. However, external users need to use an identity provider (IdP) allowlisted by your domain. For details, see "External user requirements" in About client-side encryption: https://support.google.com/a/answer/10741897#requirements

To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups to which the users belong. At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible.

Follow the steps in the Google Workspace knowledge base article (support.google.com/a/answer/10745596) to set up IAM in Google Workspace. The process includes the following tasks:

- Set the default key service for your organization
- Turn CSE on or off for users
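As an added example, not code from the original page or from the {{k3}} product, the following Python models the claim-level checks behind the two-IdP, role and identity setup above: the authentication JWT must carry the IdP's issuer (vip here) and the authorization JWT Google's issuer, each within its IdP's Max Validity and Leeway settings, and both must name the same identity whose assigned role grants the requested Wrap or Unwrap. It assumes the key service has already verified each token's signature against its JWKS URL, and all settings, identities and tokens are constructed.

```python
import base64
import json

# Constructed IdP settings mirroring the two JWT IdPs above (assumed values, not product defaults).
IDP_SETTINGS = {
    "authentication": {"issuer": "vip", "leeway": 60, "max_validity": 3600},
    "authorization": {"issuer": "gsuitecse-tokenissuer-drive@system.gserviceaccount.com",
                      "leeway": 60, "max_validity": 3600},
}
# Constructed role/identity tables: the CSE principal role grants only Wrap and Unwrap,
# and each identity's name is the user's Google Workspace login email.
ROLES = {"cse-principal": {"wrap", "unwrap"}}
IDENTITIES = {"alice@example.com": ["cse-principal"]}

def claims(token):
    # Decode the payload segment only; signature checks against the JWKS URL are assumed upstream.
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def check_token(kind, payload, now):
    # Apply one IdP's Issuer, Max Validity and Leeway settings to one token's claims.
    cfg = IDP_SETTINGS[kind]
    if payload.get("iss") != cfg["issuer"]:
        return f"{kind}: unexpected issuer"
    iat, exp = payload.get("iat", 0), payload.get("exp", 0)  # missing exp fails the window check
    if exp - iat > cfg["max_validity"]:
        return f"{kind}: lifetime exceeds max validity"
    if not (iat - cfg["leeway"] <= now <= exp + cfg["leeway"]):
        return f"{kind}: outside validity window"
    return None

def authorize(op, authn_token, authz_token, now):
    # Allow wrap/unwrap only if both tokens pass and name the same identity holding that permission.
    a, z = claims(authn_token), claims(authz_token)
    for kind, payload in (("authentication", a), ("authorization", z)):
        err = check_token(kind, payload, now)
        if err:
            return False, err
    email = a.get("email")
    if not email or email != z.get("email"):
        return False, "email missing or mismatched between tokens"
    if email not in IDENTITIES:
        return False, f"no identity for {email}"
    if op not in set().union(*(ROLES[r] for r in IDENTITIES[email])):
        return False, f"role lacks {op}"
    return True, "ok"

def make_token(payload):
    # Constructed unsigned test token (header.payload.signature) for offline demonstration.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(payload)}.sig"
```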