Supported editions for this feature: Enterprise; Education Standard and Education Plus; Enterprise Essentials Plus.
After you set up your external key service for Google Workspace Client-side encryption (CSE) and connect it to Google Workspace, you need to connect Google Workspace to your identity provider (IdP), either a third-party IdP or Google identity. Your external key service uses the IdP to authenticate users before they can encrypt files or access encrypted files.
Before you begin
Make sure you've completed the following steps:
- Set up your external key service.
- Add your key service to your Admin console.
- Assign a key service to your top-level organizational unit, and any other key services you're using to the appropriate organizational units or configuration groups. Optionally, you can complete this step after you connect to your IdP.
Plan your IdP connection
Your IdP connection provides CSE for all supported Google web services:
- Google Drive
- Gmail
- Google Calendar
- Google Meet (audio, video, and chat messages)
With your IdP connection, you can also set up CSE for the following applications:
- Drive for desktop
- Drive on Android and iOS
- Calendar on Android and iOS (Calendar app support is in beta and requires signup)
CSE support for other applications will be available in a later release.
If you don't already use a third-party identity provider (IdP) with Google Workspace, you can set up your IdP for use with your key service in either of two ways:
- Use a third-party IdP (recommended)—Use a third-party IdP if your security model requires more isolation of your encrypted data from Google.
Already use a third-party IdP for SAML-based single sign-on (SSO)? It's recommended that you use the same IdP for CSE that you use for access to Google Workspace services. Learn more about using SAML-based SSO with Google Workspace.
- Use Google identity—If your security model doesn't require additional isolation of your encrypted data from Google, you can use the default Google identity as your IdP.
You can set up your IdP, either a third-party IdP or Google identity, using either a .well-known file that you host on your organization's website or the Admin console (which is your IdP fallback). There are several considerations for each method, as described in the table below.
Considerations | .well-known setup | Admin console setup (IdP fallback) |
---|---|---|
Isolation from Google | IdP settings are stored on your own server. | IdP settings are stored on Google servers. |
Admin responsibilities | An IdP admin can manage your setup instead of a Google Workspace Super Admin. | Only a Google Workspace Super Admin can manage your IdP setup. |
CSE availability | CSE availability (uptime) depends on availability of the server that hosts your .well-known file. | CSE availability corresponds to the general availability of Google Workspace services. |
Ease of setup | Requires changing DNS settings for your server, outside of the Admin console. | Configure settings in the Admin console. |
Sharing outside your organization | Your collaborator's external key service can easily access your IdP settings. This access can be automated and ensures your collaborator's service has immediate access to any changes to your IdP settings. | Your collaborator's external key service can't access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator before you share encrypted files for the first time, and again any time you change your IdP settings. |
Connect to your IdP for CSE
To connect Google Workspace to your identity provider (IdP), you can use a .well-known file or the Admin console. After you establish the connection, you need to allowlist your IdP in the Admin console.
Use a .well-known file
To set up your third-party or Google IdP with this method, you place a .well-known file on your organization's public website. This file establishes which IdP you use and allows your external collaborators to discover your IdP settings.
1. Place your .well-known file on your server
Your IdP configuration must be placed at this URI on your domain:
https://cse.subdomain.domain.tld/.well-known/cse-configuration
where subdomain.domain.tld should match the domain in your email address. For example, if the domain in your email address is solarmora.com, you would place your .well-known file at:
https://cse.solarmora.com/.well-known/cse-configuration
Note: The prefix https://cse. is required because the .well-known URI is not registered with the IETF (RFC 8615).
2. Configure your .well-known file
The contents of your .well-known file, at .well-known/cse-configuration, must be JSON encoded (RFC 8259) and contain these fields:
Field | Description |
---|---|
name | The name of the IdP; you can use any name you like. This name appears in IdP error messages for users in Google services, such as Drive and Docs Editors. |
client_id | The OpenID Connect (OIDC) client ID that the CSE client application uses to acquire a JSON Web Token (JWT). If you're using a third-party IdP: You generate this ID using your IdP's admin console. If you're using Google identity: You generate this ID using the Google Cloud console. For details, go to Create a client ID for Google identity below. |
discovery_uri | The OIDC discovery URL, as defined in the OpenID Connect Discovery specification. If you're using a third-party IdP: Your IdP provides you with this URL, which usually ends with /.well-known/openid-configuration. If you're using Google identity: Use https://accounts.google.com/.well-known/openid-configuration. |
grant_type | The OAuth flow used for OIDC. If you're using a third-party IdP: You can use either the If you're using Google identity: You can use only the |
applications (optional) | The applications you want to use CSE with. See the supported applications listed under Plan your IdP connection above. You need to add a client ID for each app to your .well-known file. If you're using a third-party IdP: Use your IdP's admin console to generate a separate client ID for each app. If you're using Google identity: Use the client IDs shown in the Google identity example below. |
If you're using a third-party IdP, your .well-known file should look like this (every per-application entry uses the key client_id, the same key as the top-level field):
{
  "name": "name of your IDP",
  "client_id": "ID from IDP",
  "discovery_uri": "https://your_idp.com/.well-known/openid-configuration",
  "applications": {
    "drivefs": {
      "client_id": "ID from IDP"
    },
    "drive-android": {
      "client_id": "ID from IDP"
    },
    "drive-ios": {
      "client_id": "ID from IDP"
    },
    "calendar-android": {
      "client_id": "ID from IDP"
    },
    "calendar-ios": {
      "client_id": "ID from IDP"
    }
  }
}
If you're using Google identity, your .well-known file should look like this:
{
  "name": "Google Identity",
  "client_id": "ID from Google Cloud",
  "discovery_uri": "https://accounts.google.com/.well-known/openid-configuration",
  "applications": {
    "drivefs": {
      "client_id": "947318989803-k88lapdik9bledfml8rr69ic6d3rdv57.apps.googleusercontent.com"
    },
    "drive-android": {
      "client_id": "378076965553-g44pde5vvf113hdd8j84a32kl4e7hqa0.apps.googleusercontent.com"
    },
    "drive-ios": {
      "client_id": "640853332981-r48oo8ht2kl9v029vsgtatkh4gtue0pn.apps.googleusercontent.com"
    },
    "calendar-android": {
      "client_id": "313892590415-q84luo8fon5pn5vl8a6rppo1qvcd3qvn.apps.googleusercontent.com"
    },
    "calendar-ios": {
      "client_id": "313892590415-283b3nilr8561tedgu1n4dcm9hd6g3hr.apps.googleusercontent.com"
    }
  }
}
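Before you publish the file, it is worth checking it the way Google Workspace will read it: the hosting URL must be derived from your users' email domain, the three required fields must be present, discovery_uri must be an HTTPS URL to an OIDC discovery document, and each application entry must use the exact key client_id (a misspelled key such as client-ID is silently ignored and that app's users simply fail to authenticate). The following checker is an added example written for this page; it is not Google's code and Google Workspace does not run it. The field names, the five application keys and the hosting-URL pattern come from the page above; the heuristic that a Google identity client_id ends in .apps.googleusercontent.com is an assumption drawn from the example IDs shown on the page, and the sample document is constructed.

```python
"""Sanity-check a .well-known/cse-configuration document before publishing it.

Added example, not Google's code. Field names, application keys and the
hosting-URL pattern follow the page; the Google client-ID suffix check is a
heuristic assumption based on the example IDs on the page.
"""
import json
from typing import List
from urllib.parse import urlsplit

REQUIRED_FIELDS = ("name", "client_id", "discovery_uri")
KNOWN_APPS = ("drivefs", "drive-android", "drive-ios", "calendar-android", "calendar-ios")
GOOGLE_DISCOVERY = "https://accounts.google.com/.well-known/openid-configuration"
GOOGLE_CLIENT_SUFFIX = ".apps.googleusercontent.com"  # assumption: Google Cloud OAuth client IDs


def expected_config_url(email: str) -> str:
    """Where Google Workspace looks for the file, derived from a user's email domain."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    return f"https://cse.{domain}/.well-known/cse-configuration"


def _nonempty_str(value) -> bool:
    return isinstance(value, str) and value.strip() != ""


def validate_cse_config(raw: str) -> List[str]:
    """Return the problems found; an empty list means the document is well-formed."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (RFC 8259): {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]

    problems = []
    for field in REQUIRED_FIELDS:
        if not _nonempty_str(cfg.get(field)):
            problems.append(f"missing or empty required field: {field}")

    disc = cfg.get("discovery_uri")
    if _nonempty_str(disc):
        parts = urlsplit(disc)
        if parts.scheme != "https":
            problems.append("discovery_uri must be an https URL")
        if not parts.path.endswith("/.well-known/openid-configuration"):
            problems.append("discovery_uri should end with /.well-known/openid-configuration")
        # Heuristic: Google identity is paired with a Google Cloud OAuth client ID.
        if (disc == GOOGLE_DISCOVERY and _nonempty_str(cfg.get("client_id"))
                and not cfg["client_id"].endswith(GOOGLE_CLIENT_SUFFIX)):
            problems.append("Google identity selected but client_id is not a Google Cloud OAuth client ID")

    apps = cfg.get("applications")
    if apps is not None:
        if not isinstance(apps, dict):
            problems.append("applications must be a JSON object")
        else:
            for app, entry in apps.items():
                if app not in KNOWN_APPS:
                    problems.append(f"unknown application key: {app}")
                if not isinstance(entry, dict):
                    problems.append(f"applications.{app} must be a JSON object")
                    continue
                if not _nonempty_str(entry.get("client_id")):
                    # Catch near-misses such as "client-ID", which Workspace would not read.
                    near = [k for k in entry if k.lower().replace("-", "_") == "client_id"]
                    hint = f" (found {near[0]!r} instead)" if near else ""
                    problems.append(f"applications.{app} needs a client_id{hint}")
    return problems


# Constructed sample: the page's third-party layout with one misspelled key.
SAMPLE_BROKEN = """{
  "name": "Example IdP",
  "client_id": "abc123",
  "discovery_uri": "https://idp.example.com/.well-known/openid-configuration",
  "applications": {
    "drivefs": {"client_id": "desktop123"},
    "drive-android": {"client-ID": "android123"}
  }
}"""

if __name__ == "__main__":
    print(expected_config_url("alice@solarmora.com"))
    for problem in validate_cse_config(SAMPLE_BROKEN):
        print("problem:", problem)
```

Run it against the file you are about to publish; the checker only looks at the document's shape, so it also confirms nothing about whether the IdP itself is reachable or whether the client ID is registered there. Test connection in the Admin console remains the end-to-end check.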
3. Set your configurations for CORS
Your .well-known/openid-configuration and .well-known/cse-configuration need to allow origin URLs for Cross-Origin Resource Sharing (CORS) calls. Set up your configurations as follows:
.well-known/openid-configuration (discovery URI)
- Methods: GET
- Allowed origins:
https://admin.google.com
https://client-side-encryption.google.com
.well-known/cse-configuration
- Methods: GET
- Allowed origins:
https://admin.google.com
https://client-side-encryption.google.com
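The point of the CORS step is that the Admin console and the CSE client, both running in the user's browser, fetch these documents cross-origin; the browser will only hand them the response if the server acknowledges their origin. The allowlist should be exactly the two origins above, answered by echoing the requesting origin rather than with a wildcard, and GET is the only method that needs to succeed. The server below is an added example written for this page (not Google's code) that serves .well-known/cse-configuration under that policy; the configuration body, bind address and port are constructed placeholders, and it assumes an HTTPS-terminating proxy in front of it so the document is reachable at https://cse.<your-domain>.

```python
"""Serve /.well-known/cse-configuration with CORS limited to the two Google origins.

Added example, not Google's code. Assumptions: TLS is terminated by a proxy in
front of this process, the body below is a constructed placeholder for the file
written in step 2, and the bind address and port are deployment choices.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional

CONFIG_PATH = "/.well-known/cse-configuration"
# The two origins the page lists; nothing else may read the document cross-origin.
ALLOWED_ORIGINS = frozenset({
    "https://admin.google.com",
    "https://client-side-encryption.google.com",
})

# Constructed placeholder body; the real file is the one you wrote in step 2.
CONFIG_BODY = json.dumps({
    "name": "Example IdP",
    "client_id": "example-client-id",
    "discovery_uri": "https://idp.example.com/.well-known/openid-configuration",
}).encode("utf-8")


def cors_headers(origin: Optional[str], method: str) -> Dict[str, str]:
    """CORS response headers for one request, or {} to deny the cross-origin read.

    Only GET from an allowlisted origin is acknowledged. The origin is echoed
    instead of answering "*", and Vary: Origin stops a shared cache from
    replaying one origin's answer to a different origin.
    """
    if method != "GET" or origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET",
        "Vary": "Origin",
    }


class CseConfigHandler(BaseHTTPRequestHandler):
    """Minimal handler: one path, GET only, JSON body, allowlisted CORS."""

    def do_GET(self) -> None:
        if self.path != CONFIG_PATH:
            self.send_error(404, "not found")
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(CONFIG_BODY)))
        for name, value in cors_headers(self.headers.get("Origin"), "GET").items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(CONFIG_BODY)


if __name__ == "__main__":
    # Bind locally; put TLS termination for https://cse.<your-domain> in front.
    HTTPServer(("127.0.0.1", 8080), CseConfigHandler).serve_forever()
```

The same allowlist has to be applied to the IdP's own openid-configuration endpoint (the discovery URI), which for a third-party IdP is configured on the IdP side rather than on this server. A request without an Origin header, such as a curl from the command line, still gets the document; CORS restricts what browsers may read, not who may fetch.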
4. Add redirect URIs to your IdP admin console
Use your IdP admin console to add these authorized redirect URIs in the CSE client application you previously created.
Web services:
https://client-side-encryption.google.com/callback
https://client-side-encryption.google.com/oidc/cse/callback
https://client-side-encryption.google.com/oidc/drive/callback
https://client-side-encryption.google.com/oidc/gmail/callback
https://client-side-encryption.google.com/oidc/meet/callback
https://client-side-encryption.google.com/oidc/calendar/callback
https://client-side-encryption.google.com/oidc/docs/callback
https://client-side-encryption.google.com/oidc/sheets/callback
https://client-side-encryption.google.com/oidc/slides/callback
Drive for Desktop:
http://localhost
Android and iOS mobile apps:
https://client-side-encryption.google.com/oidc/drive/native/callback
https://client-side-encryption.google.com/oidc/calendar/native/callback
Use the Admin console (IdP fallback)
1. Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
2. In the Admin console, go to Menu > Security > Access and data control > Client-side encryption.
Note: Under Identity provider configuration, a message appears indicating that Google Workspace can't reach your .well-known file. Since you're connecting to your IdP using the Admin console, you can ignore this message.
3. Under Identity provider configuration, click Configure IdP fallback.
4. Enter the details for your IdP.
These details are the same as for a .well-known file. For details about entering this information, refer to Configure your .well-known file above.
5. Configure your discovery URI to allow origin URLs for Cross-Origin Resource Sharing (CORS) calls, as follows:
- Method: GET
- Allowed origins:
https://admin.google.com
https://client-side-encryption.google.com
6. Click Test connection.
If Google Workspace can connect to your IdP, the "Connection success" message appears.
7. (Optional) To use CSE with specific applications:
- Under Authentication for Google desktop and mobile applications (optional), select the applications you want to use CSE with.
- For Client ID, provide the client ID for the application, depending on which IdP you're using:
If you're using a third-party IdP—Provide a separate client ID specifically for the application, which you can generate using your IdP's admin console.
If you're using Google identity—Provide the following client IDs for the applications you want to use:
- Drive for desktop: 947318989803-k88lapdik9bledfml8rr69ic6d3rdv57.apps.googleusercontent.com
- Drive on Android: 378076965553-g44pde5vvf113hdd8j84a32kl4e7hqa0.apps.googleusercontent.com
- Drive on iOS: 640853332981-r48oo8ht2kl9v029vsgtatkh4gtue0pn.apps.googleusercontent.com
- Calendar on Android: 313892590415-q84luo8fon5pn5vl8a6rppo1qvcd3qvn.apps.googleusercontent.com
- Calendar on iOS: 313892590415-283b3nilr8561tedgu1n4dcm9hd6g3hr.apps.googleusercontent.com
8. Click Add provider to close the card.
Create a client ID for Google identity
To provide CSE for supported Google services using Google identity instead of a third-party IdP, you need to create a client ID in the Google Cloud console:
1. Go to console.cloud.google.com.
2. Create a new Google Cloud project.
Set the project up however you want; it's just to hold credentials.
3. In the console, go to Menu > APIs & Services > Credentials.
4. Create an OAuth Client ID for a new Web App you'll use with CSE.
5. Update JavaScript origins with the following:
https://admin.google.com
https://client-side-encryption.google.com
6. Update Authorized Redirect URIs with the following.
Web services:
https://client-side-encryption.google.com/callback
https://client-side-encryption.google.com/oidc/cse/callback
https://client-side-encryption.google.com/oidc/drive/callback
https://client-side-encryption.google.com/oidc/gmail/callback
https://client-side-encryption.google.com/oidc/meet/callback
https://client-side-encryption.google.com/oidc/calendar/callback
https://client-side-encryption.google.com/oidc/docs/callback
https://client-side-encryption.google.com/oidc/sheets/callback
https://client-side-encryption.google.com/oidc/slides/callback
Drive for Desktop:
http://localhost
Android and iOS mobile apps:
https://client-side-encryption.google.com/oidc/drive/native/callback
https://client-side-encryption.google.com/oidc/calendar/native/callback
An OAuth client ID is created. Save this ID so you can use it for your .well-known/cse-configuration file. For instructions, refer to Configure your .well-known file above.
Next steps
After you set up your IdP, you can Turn on CSE for users.