# Configure Identity and Access Management (IAM)
After you set up your external key service and connect it to Google Workspace, you need to connect Google Workspace to your IdP. You can use any IdP that supports OAuth. Your external key service uses the IdP to authenticate users before they can encrypt files or access encrypted files.

## Choose your IdP for CSE

If you don't already use a third-party IdP with Google Workspace, choose one of the following options to set up your key service IdP:

- **Use a third-party IdP (recommended).** Use this method if your security model requires more isolation of your encrypted data from Google.
- **Use Google identity.** Use this method if your security model doesn't require additional isolation of your encrypted data from Google.

## Choose how to connect to your IdP for CSE

You can set up your IdP, either a third-party IdP or Google identity, by using either a well-known file that you host on your organization's website or the Admin console (which is your IdP fallback). There are several considerations for each method, as described in the following table.

| Consideration | Well-known setup | Admin console setup (IdP fallback) |
|---|---|---|
| Isolation from Google | IdP settings are stored on your own server. | IdP settings are stored on Google servers. |
| Admin responsibilities | An IdP admin can manage your setup instead of a Google Workspace super admin. | Only a Google Workspace super admin can manage your IdP setup. |
| CSE availability | CSE availability (uptime) depends on the availability of the server that hosts your well-known file. | CSE availability corresponds to the general availability of Google Workspace services. |
| Ease of setup | Requires changing DNS settings for your server, outside of the Admin console. | Configure settings in the Admin console. |
| Sharing outside your organization | Your collaborator's external key service can easily access your IdP settings. You can automate this access and ensure that your collaborator's service has immediate access to any changes to your IdP settings. | Your collaborator's external key service can't access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator, both before you share encrypted files for the first time and any time you change your IdP settings. |

For further details on connecting Google Workspace to an IdP, refer to the following Google Workspace knowledge base article: https://support.google.com/a/answer/10743588?hl=en#zippy=%2Coption-to-connect-to-your-idp-using-a-well-known-file

## Set up IAM on the KMES Series 3

You must create two different IdPs on the KMES Series 3. Configure one with the authentication JSON Web Token (JWT) that the IdP issues to attest a user's identity, and configure the other with the authorization JWT that Google issues to verify that the caller is authorized to encrypt or decrypt a resource. In addition to creating the IdPs, you must create a new role for Google CSE and new identities for all users in your organization who need to use Google CSE.

To set up IAM, perform the following tasks:

1. Create the authentication JWT IdP.
2. Create the authorization JWT IdP.
3. Create the CSE role definition.
4. Create an identity for the CSE user.
5. Set up IAM in Google Workspace.

### Create the authentication JWT IdP

Perform the following steps to create a JWT IdP that allows the identity partner to attest a user's identity. (In this example, VirtuCrypt is serving as the identity partner.)

1. Go to **Identity Management > Identity Providers**, right-click the background, and select **Add > Provider > JSON Web Token**.
2. On the **Info** tab of the Identity Provider Editor window, specify a name for the IdP and de-select the **Enforce Dual Factor** checkbox.
3. On the **JWT Options** tab, you can specify an issuer and set leeway and max validity values according to your requirements. The **Issuer** field is optional, but if you are using VirtuCrypt as the IdP, set this field to `vip`. Setting the issuer pins this IdP to tokens from that one issuer, and leeway only needs to cover the clock skew you actually expect between the IdP and the KMES: every second of leeway widens the window in which an expired token is still accepted.
4. On the **JWT Key** tab, select the **JWKS** radio button (JWKS stands for JSON Web Key Set). Two new fields populate in the dialog: **JWKS URL** and **TLS PKI**. The JWKS URL is a read-only endpoint URL that points to a list of public keys that verify JSON Web Tokens (JWTs). You don't need to configure a CA certificate in the **TLS PKI** field if the domain configured in the **JWKS URL** field can be verified by using trusted public internet CAs. However, if you have set up a JWKS on your LAN, you must select the custom CA certificate used to sign the domain specified in the **JWKS URL** field.
   - For the VirtuCrypt use case, leave the **TLS PKI** field blank, because `vip.virtucrypt.com` has a certificate issued by a trusted public internet CA.
   - If your use case requires you to configure a custom CA certificate, you must download that certificate, copy it to the storage medium configured on the KMES, and import it into a certificate container in the **PKI > Certificate Authorities** menu. After you do that, you can browse and select the certificate in the **TLS PKI** field.
5. Select [ OK ] to save.
6. Right-click the IdP that you created and select **Add > Mechanism > JSON Web Token**.
7. On the **Info** tab of the Authentication Mechanism Editor window, specify a name for the authentication mechanism.
8. Leave the default settings on the **Identifiers** and **Claims** tabs, and select [ OK ] to save.

### Create the authorization JWT IdP

Perform the following steps to create a JWT IdP that allows Google to verify that the caller is authorized to encrypt or decrypt a resource.

1. Go to **Identity Management > Identity Providers**, right-click the background, and select **Add > Provider > JSON Web Token**.
2. On the **Info** tab of the Identity Provider Editor window, specify a name for the IdP and de-select the **Enforce Dual Factor** checkbox.
3. On the **JWT Options** tab, you can specify an issuer and set leeway and max validity values according to your requirements. The **Issuer** field is optional, but an appropriate value is `gsuitecse-tokenissuer-drive@system.gserviceaccount.com`.
4. On the **JWT Key** tab, select **JWKS**, and then specify `https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-drive@system.gserviceaccount.com` in the **JWKS URL** field. Leave **TLS PKI** blank: the `www.googleapis.com` domain can be verified by using trusted public internet CAs, so you don't need to configure a custom CA certificate.
5. Select [ OK ] to save.
6. Right-click the IdP that you created and select **Add > Mechanism > JSON Web Token**.
7. On the **Info** tab of the Authentication Mechanism Editor window, specify a name for the authentication mechanism.
8. Leave the default settings on the **Identifiers** and **Claims** tabs, and select [ OK ] to save.

### Create the role definition for CSE

1. Go to the **Identity Management > Roles** menu and select [ Add ].
2. In the Role Editor window, specify a name for the role, set **Role Class** to **Principal**, and set **Logins Required** to 1.

   Principal roles have view permissions on any objects created by that principal role. This is what makes sharing encrypted documents possible within an organization, because all CSE users are assigned the same principal role. For example, suppose one CSE user in your organization shares a document with another CSE user. The second user's browser can decrypt the document by using the first user's personal key, because that personal key was created by the shared CSE principal role. All encrypted documents that the second user creates, however, are encrypted with their own personal key. Because every CSE user shares this role, grant it only the permissions listed in the next step.
3. On the **Permissions** tab, select the following permissions:

   | Permission | Subpermission |
   |---|---|
   | Cryptographic Operations | Unwrap, Wrap |
   | Keys | Only the top-level Keys permission |

4. On the **Advanced** tab, leave the values set to the default settings.
5. Select [ OK ] to finish creating the role.

### Create an identity for the CSE user

1. Go to the **Identity Management > Identities** menu, right-click the background, and select **Add > User**.
2. Leave **Storage** set to **Application**, and in the **Name** field enter the email address with which the CSE user logs in to Google Workspace.
3. On the **Assigned Roles** tab, select the role that you just created.
4. On the **Device Info** tab, leave the values set to the default settings.
5. On the **Authentication** tab, select [ Add ] to add the following two credentials: the authentication JWT IdP and the authorization JWT IdP.
6. After configuring the authentication and authorization JWT credentials, remove the default password credential, so that the identity can be exercised only by presenting both tokens.
7. Select [ OK ] to finish creating the identity.

### Set up IAM in Google Workspace

You must turn on Google Workspace client-side encryption (CSE) for all users who need to do any of the following tasks:

- Create or upload encrypted files to Google Drive.
- Host encrypted meetings with Google Meet (beta).

You don't need to turn on CSE for users who only need to view or edit encrypted files or attend meetings. However, external users need to use an identity provider (IdP) allowlisted by your domain. For details, see "External user requirements" in About client-side encryption: https://support.google.com/a/answer/10741897#requirements

To turn on CSE for users, you turn on CSE for the organizational units or configuration groups to which the users belong. At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible.

To set up IAM in Google Workspace, follow the steps in the Google Workspace knowledge base article at https://support.google.com/a/answer/10745596 to perform the following IAM setup actions for CSE in Google Workspace:

- Set the default key service for your organization.
- Turn CSE on or off for users.
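The two JWT IdPs above each reduce to the same verification: fetch the key set behind the JWKS URL, pick the RSA key named by the token's `kid`, check the signature, then apply the JWT Options (issuer, leeway, max validity). The following Go program is an added example that walks through that verification end to end; it is not KMES or Futurex code, and it stands in a local key pair, JWKS entry and clock for the real IdP. The `kid` value `idp-key-1`, the subject `alice@example.com`, the 30-second leeway, the one-hour max validity and the fixed clock are all constructed for the demonstration, and "max validity" is interpreted here as a cap on `exp` minus `iat`, which is an assumption about the KMES setting rather than something the page states. The issuer `vip` is the value the page gives for VirtuCrypt.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JWT segments and JWK parameters are unpadded base64url

type JWK struct{ Kty, Kid, N, E string } // one RSA public key as served from a JWKS URL (RFC 7517)

type IdPPolicy struct {
	Issuer              string        // empty means the issuer is not enforced
	Leeway, MaxValidity time.Duration // MaxValidity caps exp minus iat (assumed KMES semantics)
	Keys                []JWK         // the key set fetched from the JWKS URL
}

// Verify checks signature (key chosen by kid), issuer, expiry with leeway, and token lifetime.
func (p IdPPolicy) Verify(token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if h, err := enc.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(h, &hdr) != nil ||
		hdr.Alg != "RS256" { // pin the algorithm: alg=none or an HMAC downgrade is never honoured
		return nil, fmt.Errorf("malformed header or unsupported alg")
	}
	var pub *rsa.PublicKey
	for _, k := range p.Keys { // select the published key by kid, as a JWKS-backed verifier does
		if n, err := enc.DecodeString(k.N); err == nil && k.Kty == "RSA" && k.Kid == hdr.Kid {
			e, _ := enc.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature not verifiable with JWKS key %q", hdr.Kid)
	}
	var claims map[string]any
	if c, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(c, &claims) != nil {
		return nil, fmt.Errorf("malformed claims")
	}
	if p.Issuer != "" && claims["iss"] != p.Issuer {
		return nil, fmt.Errorf("issuer %v is not %q", claims["iss"], p.Issuer)
	}
	iat, okI := claims["iat"].(float64) // JSON numbers unmarshal as float64
	exp, okE := claims["exp"].(float64)
	if !okI || !okE || now.After(time.Unix(int64(exp), 0).Add(p.Leeway)) {
		return nil, fmt.Errorf("iat/exp missing or token expired beyond leeway")
	}
	if time.Duration(exp-iat)*time.Second > p.MaxValidity {
		return nil, fmt.Errorf("token lifetime exceeds max validity")
	}
	return claims, nil
}

// SignRS256 mints a token the way an IdP would; used here only to build the constructed inputs.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

// Scenarios stands up a constructed IdP (fresh key, JWKS entry, policy) and verifies six tokens; nil means accepted.
func Scenarios() map[string]error {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048) // never published in the JWKS
	jwk := JWK{"RSA", "idp-key-1", enc.EncodeToString(priv.N.Bytes()), enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	policy := IdPPolicy{Issuer: "vip", Leeway: 30 * time.Second, MaxValidity: time.Hour, Keys: []JWK{jwk}}
	now := time.Unix(1700000000, 0) // fixed clock so every case is reproducible
	sign := func(key *rsa.PrivateKey, iss string, iat, exp time.Duration) string { // claim times as offsets from now
		return SignRS256(key, "idp-key-1", map[string]any{"iss": iss, "iat": now.Add(iat).Unix(), "exp": now.Add(exp).Unix()})
	}
	tokens := map[string]string{
		"valid":                         sign(priv, "vip", -time.Minute, 10*time.Minute),
		"expired within leeway":         sign(priv, "vip", -30*time.Minute, -10*time.Second),
		"expired beyond leeway":         sign(priv, "vip", -30*time.Minute, -time.Minute),
		"wrong issuer":                  sign(priv, "evil", -time.Minute, 10*time.Minute),
		"lifetime exceeds max validity": sign(priv, "vip", -time.Minute, 2*time.Hour),
		"signed by unpublished key":     sign(rogue, "vip", -time.Minute, 10*time.Minute),
	}
	results := map[string]error{}
	for name, tok := range tokens {
		_, results[name] = policy.Verify(tok, now)
	}
	return results
}

func main() { fmt.Println(Scenarios()) }
```

Running it prints the verdict for each case: the valid token and the one that expired inside the leeway window are accepted, while the wrong issuer, the token expired beyond leeway, the token whose lifetime exceeds max validity, and the token signed by a key the JWKS never published are all rejected. The last case is the one that matters most for the authorization IdP: only keys published at Google's JWKS URL can vouch for a caller, which is why that URL must be reachable over a TLS connection the KMES can validate.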