Provide external access to client-side encrypted content

As an administrator, you can let external users access your content encrypted with Google Workspace Client-side encryption (CSE). There are 2 methods for providing external access:

  • Set up access for external organizations that also use CSE. With this method, you can give an external organization access to encrypted content if they meet the user and CSE requirements.
  • Configure a guest identity provider (IdP) to allow access for any external users With this method, your users can provide access to your client-side encrypted content to both Google and non-Google accounts. External organizations don't need to set up CSE, and their users don't need a Google Workspace or Cloud Identity license.
    The guest IdP configuration is currently available for Google Meet, Drive, Docs, Sheets, and Slides web applications only. The guest IdP configuration for mobile applications of these services will be available in an upcoming release.

About access to encrypted email: Your users can exchange client-side encrypted email messages with external users, if the external users use S/MIME. No other setup is needed, and external users don't need a Google Workspace or Cloud Identity license. For details about sending and receiving client-side encrypted emails, go to Learn about Gmail Client-side encryption.

Set up external access for external organizations that use CSE

If an external organization and your organization meet the following requirements, you can give the external access to your organization's client-side encrypted content for Drive & Docs, Calendar, and Meet.

Expand section  |  Collapse all

License requirements for external users

External users must have a Google Workspace or Cloud Identity license to access data encrypted with CSE.

Note: With this external access method, users with a consumer (unmanaged) Google Account or a visitor account can't access your organization's client-side encrypted content.

Setup requirements for external organizations
To access your organization's client-side encrypted content, external organizations must also set up CSE.
Setup requirements for your organization
  • Have the external organization's IdP service allowlisted with your encryption key service. You can usually find the IdP service in their publicly .well-known file, if they set up one. Otherwise, contact the external organization's Google Workspace admin for their IdP details. 
  • Make sure their admin understands that their users need to provide their authentication tokens to your key service to view or edit your organization's encrypted content. The authentication process requires a user to share their IP address and other identity information. For details, go to Authentication tokens in the Client-side encryption API Reference guide.
  • Depending on your and the external organization's security policies, they might also need to create separate web and mobile client IDs for access to your organization's encrypted content. You'll need to have these client IDs allowlisted with encryption key service.

Configure a guest IdP for any external users

To give external organizations access to your client-side encrypted content, you can configure a guest IdP  to authenticate external users, using the same IdP you use or a different one. With a guest IdP, your users can share encrypted content with others at external organizations, whether or not those organizations also use CSE.

Note: If you already set up external access for organizations that also use CSE (as described earlier on this page), that setup is ignored once you configure a guest IdP.

Expand section  |  Collapse all

Configure a guest IdP in the Admin console

Follow the instructions to set up an IdP in Connect to identity provider for client-side encryption. During setup, you'll do the following:

  • Choose an OIDC-compliant IdP—For Google Meet, you can use either a third-party IdP or Google identity. However, for Google Drive and Docs editors, you can use only a third-party IdP. This restriction ensures guest access support for visitor accounts. Your third-party IdP can be the same IdP you use for your users or a different one. 
  • Create an additional client ID for Google Meet—During the step in which you create your client ID for web services, you'll need to create an additional client ID for Google Meet.

    The primary client ID for web services is used for the key encryption service, and isn't shared with Google systems. The additional client ID for Meet is used to verify that guests who aren't signed in the Meet were invited to the meeting.

  • Use the Admin console to configure your guest IdP—You must use the Admin console to configure your guest IdP connection, and choose the option Configure guest IdP. You can't configure your guest IdP using a .well-known file.
Set up guest IdP authentication options

After you complete the IdP configuration in the Admin console, you can use your IdP's tools to set up how external users will be authenticated. Depending on your guest IdP implementation, the following options might be available:

  • Set up separate accounts for guests and provide them with the account passwords.
  • Send guests one-time codes to verify their email address.
  • Allow guests to use pre-configured IdPs, such as Google, Apple, or Microsoft.

    Note: With Google identity, users can sign in with their Google Account. If they don't have an account, they can create one.

With any authentication method, guests will be presented with pop-up message asking them to sign in with an identity provider before they can access client-side encrypted content.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu