Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus. Compare your edition
After you choose your external key servicefor Google Workspace Client-side encryption (CSE), you need to connect Google Workspace to an identity provider (IdP)—either a third-party IdP or Google identity. The encryption key service chose to encrypt content will use your IdP to authenticate users before they can encrypt content or access encrypted content.
Note: After you configure your IdP, you can configure a guest IdP to allow external access to your organization's client-side encrypted content. For details, go to Configure a guest IdP.
Before you begin
Make sure you've chosen the encryption key services you want to use with CSE. For details, go to Choose your external key service.
Step 1: Plan your IdP connection
With your IdP connection, you can set up CSE for all supported Google Workspace web applications:
- Google Drive
- Google Docs
- Google Sheets
- Google Slides
- Gmail
- Google Calendar
- Google Meet (audio, video, and chat messages)
Your ldP connection also lets you set up CSE for the following desktop and mobile applications:
To use an encryption key service with CSE, you need an identity provider (IdP) that supports the OpenID Connect (OIDC) standard. If you don't already use an OIDC IdP with Google Workspace, you can set up your IdP for use with your key service in either of two ways:
Option 1: Use a third-party IdP (recommended)
Use an OIDC third-party IdP if your security model requires more isolation of your encrypted data from Google.
If you already use a third-party IdP for SAML-based Single-Sign-On (SSO): It's recommended that you use the same IdP for CSE that you use for access to Google Workspace services, if that IdP supports OIDC. Learn more about using SAML-based SSO with Google Workspace.
Option 2: Use Google identity
If your security model doesn't require additional isolation of your encrypted data from Google, you can use the default Google identity as your IdP.
If you use a third-party IdP for CSE, it's recommended that you allow third-party cookies from your IdP in your users' browsers; otherwise, users might need to sign-in to your IdP more often when using CSE.
- If your organization uses Chrome Enterprise: You can use the CookiesAllowedForUrls policy.
- For other browsers: Check with the browser's support content for instructions on how to allow third-party cookies.
You can set up your IdP—either a third party IdP or Google identity—using either a .well-known file that you host on your organization's website or the Admin console (which is your IdP fallback). There are several considerations for each method, as described in the table below.
Note: If you're configuring a guest IdP, you need to use the Admin console.
Considerations | .well-known setup | Admin console setup (IdP fallback) |
---|---|---|
Isolation from Google | IdP settings are stored on your own server. | IdP settings are stored on Google servers. |
Admin responsibilities | A webmaster can manage your setup instead of a Google Workspace Super Admin. | Only a Google Workspace Super Admin can manage your IdP setup. |
CSE availability | CSE availability (uptime) depends on availability of the server that hosts your .well-known file. | CSE availability corresponds to the general availability of Google Workspace services. |
Ease of setup | Requires changing DNS settings for your server, outside of the Admin console. | Configure settings in the Admin console. |
Sharing outside your organization | Your collaborator's external key service can easily access your IdP settings. This access can be automated and ensures your collaborator's service has immediate access to any changes to your IdP settings. |
Your collaborator's external key service can't access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator before you share encrypted files for the first time, as well as any time you change your IdP settings. |
Step 2: Create client IDs for CSE
You need to create a client ID and add redirect URIs for supported Google Workspace web applications. For a list of supported apps, go to Supported web, desktop, and mobile applications earlier on this page.
How you create a client ID for web applications depends on whether you're using a third-party IdP or Google identity.
Note: If you're configuring a guest IdP, you need to create an additional client ID for Google Meet access, which is used to verify that the guest was invited to the meeting. For more information, go to Configure a guest IdP.
If you're using a third-party IdP for CSE
Create a client ID using your IdP's admin console. You'll also need to add the following redirect URIs to your IdP's admin console:
Web services:
https://client-side-encryption.google.com/callback
https://client-side-encryption.google.com/oidc/cse/callback
https://client-side-encryption.google.com/oidc/drive/callback
https://client-side-encryption.google.com/oidc/gmail/callback
https://client-side-encryption.google.com/oidc/meet/callback
https://client-side-encryption.google.com/oidc/calendar/callback
https://client-side-encryption.google.com/oidc/docs/callback
https://client-side-encryption.google.com/oidc/sheets/callback
https://client-side-encryption.google.com/oidc/slides/callback
Drive for Desktop:
http://localhost
Android and iOS mobile apps:
https://client-side-encryption.google.com/oidc/gmail/native/callback
https://client-side-encryption.google.com/oidc/meet/native/callback
https://client-side-encryption.google.com/oidc/calendar/native/callback
https://client-side-encryption.google.com/oidc/drive/native/callback
https://client-side-encryption.google.com/oidc/gmail/meet/native/callback
If you're using Google identity for CSE
You need to create a client ID in the Google Cloud console. You'll also set up JavaScript origins (also called cross-origin resource sharing, or CORS) and add redirect URIs.
- Go to console.cloud.google.com.
- Create a new Google Cloud project. Get instructions.
Set the project up however you want—it's just to hold credentials.
- In the console, go to Menu APIs & ServicesCredentials.
- Create an OAuth Client ID for a new web app you'll use with CSE. Get full instructions.
- Update JavaScript origins with the following:
https://admin.google.com
https://client-side-encryption.google.com
- Update Authorized Redirect URIs with the following.
Web services:
https://client-side-encryption.google.com/callback
https://client-side-encryption.google.com/oidc/cse/callback
https://client-side-encryption.google.com/oidc/drive/callback
https://client-side-encryption.google.com/oidc/gmail/callback
https://client-side-encryption.google.com/oidc/meet/callback
https://client-side-encryption.google.com/oidc/calendar/callback
https://client-side-encryption.google.com/oidc/docs/callback
https://client-side-encryption.google.com/oidc/sheets/callback
https://client-side-encryption.google.com/oidc/slides/callback
Drive for Desktop:
http://localhost
Android and iOS mobile apps:
No additional configuration is needed for Android and iOS mobile apps.
An OAuth client ID is created. Save this ID so you can use it for your .well-known/cse-configuration file or the Admin console.
If you want your users to use CSE with desktop and mobile applications, you need client IDs for those apps. For each mobile app, you'll need one client ID for each platform (Android and iOS). For a list of supported apps, go to Supported web, desktop, and mobile applications earlier on this page.
How you get client IDs for desktop and mobile applications depends on whether you're using a third-party IDP or Google identity.
Note: These client IDs must support the authorization_code
grant type for PKCE (RFC 7636).
If you'll use a third-party IdP for CSE
Use your IdP's admin console to generate a separate client ID for each app.
If you'll use Google identity for CSE
Use the following client IDs:
- Drive for Desktop—Use the client ID
947318989803-k88lapdik9bledfml8rr69ic6d3rdv57.apps.googleusercontent.com
- Drive on Android—Use the client ID
313892590415-6lbccuf47cou4q45vanraqp3fv5jt9do.apps.googleusercontent.com
- Drive on iOS—Use the client ID
313892590415-d3h1l7kl4htab916r6jevqdtu8bfmh9m.apps.googleusercontent.com
- Calendar on Android—Use the client ID
313892590415-q84luo8fon5pn5vl8a6rppo1qvcd3qvn.apps.googleusercontent.com
- Calendar on iOS—Use the client ID
313892590415-283b3nilr8561tedgu1n4dcm9hd6g3hr.apps.googleusercontent.com
- Gmail on Android—Use the client ID
313892590415-samhd32i4piankgs42o9sit5e9dug452.apps.googleusercontent.com
- Gmail on iOS—Use the client ID
313892590415-ijvjpbnsh0gauuunjgsdn64ngg37k6rc.apps.googleusercontent.com
- Meet on Android—Use the client ID
313892590415-i06v47su4k03ns7ot38akv7s9ari5oa5.apps.googleusercontent.com
- Meet on iOS—Use the client ID
313892590415-32ha2bvs0tr1b12s089i33o58hjvqt55.apps.googleusercontent.com
Step 3: Connect to your IdP for CSE
To connect Google Workspace to your identity provider (IdP), you can use a .well-known file or the Admin console. After you establish the connection, you need to allowlist your IdP in the Admin console.
Note: If you're configuring a guest IdP, you need to use the Admin console.
Option 1: Connect to your IdP using a .well-known file
To set up your third-party or Google IdP with this option, you need to place a .well-known file on your organization’s public website. This file establishes which IdP you use and allows your external collaborators to discover your IdP settings.
Your IdP configuration must be placed at this URI on your domain:
https://cse.subdomain.domain.tld/.well-known/cse-configuration
where subdomain.domain.tld should match the domain in your email address. For example, if the domain in your email address is solarmora.com, you would place your .well-known file at:
https://cse.solarmora.com/.well-known/cse-configuration
Note: The prefix https://cse. is required because the .well-known URI is not registered with the IETF (RFC 8615).
The contents of your .well-known file, at well-known/cse-configuration, must be JSON encoded (RFC 8259) and contain these fields:
Field | Description |
---|---|
|
The name of the IdP—you can use any name you like. This name appears in IdP error messages for users in Google services, such as Drive and Docs Editors. |
|
The OpenID Connect (OIDC) client ID that the CSE client web application uses to acquire a JSON Web Token (JWT) When you create a client ID, you'll also add redirect URIs in the Google Cloud console. For details on creating a client ID, go to Create a client ID for web applications earlier on this page. |
discovery_uri |
The OIDC discovery URL, as defined in this OpenID specification. |
If you're using a third-party IdP Your IdP provides you with this URL, which usually ends with |
|
If you're using Google identity Use |
|
grant_type |
The OAuth flow used for OIDC with CSE client web applications |
If you're using a third-party IdP You can use either the |
|
If you're using Google identity You can use only the |
|
|
The additional client applications you want to use CSE with. You need to add a client ID for each app to your .well-known file. Note: These client IDs must support the For details on creating client IDs, go to Create a client ID for desktop and mobile applications earlier on this page. |
If you're using a third-party IdP, your .well-known file should look like this:
{
"name" : "name of your IdP",
"client_id" : "ID from IdP",
"discovery_uri" : "https://your_idp.com/.well-known/openid-configuration",
"applications":{
"drivefs":{
"client_id": "ID from IdP"
},
"drive-android": {
"client_id": "ID from IdP"
},
"drive-ios": {
"client_id": "ID from IdP"
},
"calendar-android": {
"client_id": "ID from IdP"
},
"calendar-ios": {
"client_id": "ID from IdP"
},
"gmail-android": {
"client_id": "ID from IdP"
},
"gmail-ios": {
"client_id": "ID from IdP"
},
"meet-android": {
"client_id": "ID from IdP"
},
"meet-ios": {
"client_id": "ID from IdP"
}
}
}
If you're using Google identity, your .well-known file should look like this:
{
"name" : "Google Identity",
"client_id" : "ID from Google Cloud (created above)",
"discovery_uri" : "https://accounts.google.com/.well-known/openid-configuration",
"applications":{
"drivefs":{
"client_id": "947318989803-k88lapdik9bledfml8rr69ic6d3rdv57.apps.googleusercontent.com"
},
"drive-android":{
"client_id": "313892590415-6lbccuf47cou4q45vanraqp3fv5jt9do.apps.googleusercontent.com"
},
"drive-ios":{
"client_id": "313892590415-d3h1l7kl4htab916r6jevqdtu8bfmh9m.apps.googleusercontent.com"
},
"calendar-android":{
"client_id": "313892590415-q84luo8fon5pn5vl8a6rppo1qvcd3qvn.apps.googleusercontent.com"
},
"calendar-ios":{
"client_id": "313892590415-283b3nilr8561tedgu1n4dcm9hd6g3hr.apps.googleusercontent.com"
},
"gmail-android":{
"client_id": "313892590415-samhd32i4piankgs42o9sit5e9dug452.apps.googleusercontent.com"
},
"gmail-ios":{
"client_id": "313892590415-ijvjpbnsh0gauuunjgsdn64ngg37k6rc.apps.googleusercontent.com"
},
"meet-android":{
"client_id": "313892590415-i06v47su4k03ns7ot38akv7s9ari5oa5.apps.googleusercontent.com"
},
"meet-ios":{
"client_id": "313892590415-32ha2bvs0tr1b12s089i33o58hjvqt55.apps.googleusercontent.com"
}
}
}
If you're using Google identity for your IdP: You set up CORS in the Google Cloud console when creating your client ID. For details, go to Create a client ID for web applications earlier on this page.
If you're using a third-party IdP: Your .well-known/openid-configuration and .well-known/cse-configuration need to allow origin URLs for cross-origin resource sharing (CORS) calls. In your IdP's admin console, set up your configurations as follows:
.well-known/openid-configuration (discovery URI)
- Methods: GET
- Allowed origins:
https://admin.google.com
https://client-side-encryption.google.com
.well-known/cse-configuration
- Methods: GET
- Allowed origins:
https://admin.google.com
https://client-side-encryption.google.com
Option 2: Connect to your IdP using the Admin console
To connect to your IdP using the Admin console, you'll need the following information about your IdP:
Name of your IdP | For details, go to Configure your .well-known file earlier on this page. |
Client ID for web applications | For details, go to Create a client ID for web applications earlier on this page. |
Discovery URI | For details, go to Configure your .well-known file earlier on this page. |
Client IDs for desktop and mobile apps (optional) | For details, see Create client IDs for desktop and mobile applications earlier on this page. |
If you're using Google identity: You set up cross-origin resource sharing (CORS) in the Google Cloud console when creating your client ID. For details, go to Create a client ID for web applications earlier on this page.
If you're using a third-party IdP: In your IdP's admin console, configure your discovery URI to allow origin URLs for cross-origin resource sharing (CORS) calls, as follows:
- Method: GET
- Allowed origins:
https://admin.google.com
https://client-side-encryption.google.com
You must be signed in as a super administrator for this task.
-
Sign in to your Google Admin console.
Sign in using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu DataComplianceClient-side encryption.
Note: Under Identity provider configuration, a message appears indicating that Google Workspace can't reach your .well-known file. Since you're connecting to your IdP using the Admin console, you can ignore this message.
- Under Identity provider configuration, click Configure IdP fallback.
Or, if you're configuring a guest IdP, click Configure guest IdP.
- Enter the following information about your IdP:
- Name
- Client ID (for web applications)
- Discovery URI
-
Click Test connection.
If Google Workspace can connect to your IdP, the "Connection success" message appears.
- If you're configurating a guest IdP: Click Continue, and then choose the Web apps for which you want to provide guest access. Then click Save to close the card.
Note: Currently, only Google Meet is available.
- (Optional) To use CSE with specific applications:
- Under Authentication for Google desktop and mobile applications (optional), select the applications you want to use CSE with.
- For Client ID, provide the client ID for the application.
- Click Add provider to close the card.
Step 4 (third-party IdP only): Add your IdP to the allowlist in the Admin console
Next step
After you set up your IdP, you're ready to set up your key encryption service.