Cloud software authentication and authorisation (CAA)

This page provides links and information to assist digital service providers (DSP) with implementing the Cloud software authentication and authorisation (CAA) solution.

• Summary
• Status
• Key dates
• Consultation (meetings, seminars, workshops)
• More information
• Links and documents

Summary

The ATO, in conjunction the software developer community, designed and implemented a solution where customers of cloud hosted software are able to securely exchange information with us, for example lodgments and prefilling.

The CAA solution:

• enables approved DSPs to setup a dedicated machine credential for the purposes of securing transmissions to us made by businesses through online software
• allows businesses to notify the ATO of a nominated DSP who can send secure transmissions to the ATO on behalf of the business from within their online software
• eliminate the need for businesses to obtain, upload or use a machine credential to secure transmissions when interacting with us via online software
• has been deployed for businesses and tax agents lodging to the ATO
• can be leveraged for desktop software (cloud gateway required)
• co-exists with existing compliant solutions.

For further information on CAA solution refer to the Software Developer Information Kit v1.6 (PDF 1.1MB).

Status

28 March 2020

On 27 March 2020, Device AUSkeys were replaced with machine credentials which are installed via Relationship Authorisation Manager. We worked with Cloud Software Providers using the CAA solution to implement machine credentials (replacing all previous Device AUSkeys). No changes were made to the CAA solution during this change.

6 September 2016

The transition to CAA has now been finalised. We would like to thank all those who have supported and worked with us on the project, beginning late 2014, ensuring the move to a compliant solution. This is a great achievement.

24 June 2016

Thank you to all those who have worked with us to transition to CAA. We have received positive feedback from clients and have processed over half a million transactions with numbers increasing daily.

If you have not already done so, ensure you transition any remaining clients and remove shared client AUSkeys from the cloud to avoid these being revoked from July 2016.

If you are experiencing any issues, contact the SBR Service Desk mailbox or call 1300 488 231.

Key updates:

• The functionality to enable online software providers to complete a notification using their own ABN in Access Manager has been deployed (Issue 138).
• We have received a number of enquiries from service providers looking to potentially use CAA for high volume lodgments to support STP, SuperStream and whole-of-government initiatives. CAA standard and high volume intermediaries' scenarios (PDF, 208KB) have been mapped to facilitate further design with interested developers. Email your comments to DPO@ato.gov.au.

13 May 2015

Finalising CAA transition

Clients are continuing to transition to the CAA solution, with over 250,000 interactions processed across thousands of clients.

Reminder: You should be transitioning all remaining clients who have shared their AUSkey with you and removing these client AUSkeys from your servers by 30 May 2016.

Following our latest round of consultation on communicating the revised CAA transition timeline with your clients, we have now updated the Cloud software authentication and authorisation webpage.

Key updates include:

• revised client message ‘From July 2016, if you don’t notify us and continue to lodge with a shared client AUSkey, your AUSkey may be revoked, as this is a breach of AUSkey terms and conditions.’
• new FAQs to assist clients with their transition.

If you are experiencing issues with finalising your transition, contact the SBR Service Desk mailbox or call 1300 488 231.

Updates

The CAA issues register has been updated:

• A fix has been deployed to resolve the issue of DSP authorisation check service not working for device AUSkeys:
  • OSP Appointment Web Service – MIG (PDF, 782.70KB)
  • OSP Appointment Web Service (ZIP, 12KB)
• A new issue has been raised relating to page loading slowness for browsing lengthy client listings in Access Manager. Clients are not affected (Issue 140).

Key dates

• 18 June 2015 - EVTE testing environment made available for testing
• 24 July 2015 - SBR deployment to Production
• 7 August 2015 - ebMS3 deployment to Production
• 19 October - Updated documentation available (IPT, CMIG)
• 31 October 2015 - Phase 2 deliverables progressively available in EVTE
• 3 December 2015 - Phase 2 deployment to Production
• 31 December 2015 - Cloud software products are compliant with the CAA solution
• 31 March 2016 - Existing cloud software clients have transitioned to the solution
• 30 May 2016 - All remaining clients transitioned to the CAA solution
• 1 July 2016 - Identified non-compliant client AUSkeys will be revoked

Consultation (meetings, seminars, workshops)

Ongoing - The Software developers Technical Working Group is being used as the working group.

Throughout - Potential seminars for industry following ATO release of functionality

2016

• 13 October - Software Developer Technical Working Group #45
• 8 September - Software Developer Technical Working Group #44
• 18 August - Software Developer Technical Working Group #43
• 21 July - Software Developer Technical Working Group #42
• 23 June - Software Developer Technical Working Group #41
• 26 May - Software Developer Technical Working Group #40 (cancelled)
• 28 April - Software Developer Technical Working Group #39
• 31 March - Software Developer Technical Working Group #38 (rescheduled to 28 April)
• 3 March – Software Developer Technical Working Group #37
• 11 February - Software Developer Technical Working Group #36 (out of session)
• 4 February - Software Developer Technical Working Group #35 (rescheduled to 11 February)

2015

• 17 December - Software Developer Technical Working Group #34
• 19 November - eCommerce Technical Working Group #33
• 1 October - eCommerce Technical Working Group #32
• 3 September - eCommerce Technical Working Group #31
• 6 August - eCommerce Technical Working Group #30
• 23 July - eCommerce Technical Working Group #29
• 9 July - eCommerce Technical Working Group #28
• 11 June - eCommerce Technical Working Group #27
• 28 May - ELS2SBR eCommerce SWD TWG #26
• 14 May - ELS2SBR eCommerce SWD TWG #25
• 16 April - ELS2SBR eCommerce SWD TWG #24
• 19 March - ELS2SBR eCommerce SWD TWG #23
• 26 February - ELS2SBR eCommerce SWD TWG #22
• 19 February - ELS2SBR eCommerce SWD TWG #22 (rescheduled to 26 February)
• 11 February - phone hookup to discuss identity validation issue (PDF, 460KB)
• 22 January - scheduled topic at eCommerce TWG

2014

• 11 December - Special eCommerce SWD Technical Working Group Meeting to discuss technical details
• 25 November - ATO phone hookup with targeted DSPs to discuss a proposed solution to the future state and transition options (PDF, 621KB)
  • ATO offer to hold one-on-one discussions as needed. (Emails to DPO@ato.gov.au)
  • SWD requests for more detail in order to determine transition and impacts
• September – SRAM 17/9/2014 and TPSD 18/9/2014 – included AUSkey update and noting desired future state is clients use a Whole of Government service to authorise a provider’s Device AUSkey to transmit on their behalf
  • ATO would work with agencies to develop the future state solution
  • ATO would work with agencies and digital service providers to develop a transition plan to move towards compliant models and the future state solution
• December 2013 to April 2014 – ATO conduct 'one-on-one' sessions as requested
  • Understanding of various implementations
  • Understanding of issues with the policy
  • ATO to work with AGIMO to develop a draft policy and bring back to DSPs for co-development and co-operation on transition.

2013

22 November – Tax Practitioner Software Developers (TPSD) meeting 22/11/2013

More information

• Feedback and queries can be emailed to the SBR Service Desk or by phone on 1300 488 231

Links and documents

• CAA - Frequently asked questions

2016

• 21 April
  • Consultation on client communication (63.28KB)
  • OSP Web Appointment Service – MIG (PDF, 782.70KB)
  • OSP Web Appointment Service  (ZIP, 12KB)
• 7 March – Software Developer Information Kit v1.6 (PDF, 1.1MB)
• 26 February – Consultation on key messages and draft communication
  • Key messages (PDF, 232KB)
  • Draft Tax Agent communications (PDF, 316KB)
  • Possible scripting for client notification (PDF, 393KB)
• 22 January - Use of CAA solution for desktop software consultation paper (PPTX, 230KB)

2015

• 16 December - Updated Access Manager user interfaces (PPTX, 2.2MB)
• 30 November - Phase 2 deliverables
• 11 November - Software Developer Information Kit v1.4
• 5 November - SWD 130 OSP Appointment Web Service
• 19 October
  • Updated Integrated Product Test (IPT) and ATO Common Message Implementation Guide
  • Access Manager user interfaces (PPTX, 2.2MB)
  • Software Developer Information Kit v1.3
• 1 October - Phase 2 scope
• 14 August - Cloud software authentication and authorisation - ato.gov.au
• 31 July
  • Software Developer Kit Information v1.2
  • SWD 136 NRCF (PPTX, 223KB)
• 21 July
  • SWD134 Documented Scenario (PPTX, 341KB)
  • Communication Approach
  • SBR.gov.au site for production copies of documents
• 17 July - New releases for EVTE and Production
• 1 July - ATO ebMS3 EVTE
• 30 June - CAA integrated product testing - documents ready
• 22 May -  Software Developer Information Kit v1.1
• 6 May -  Software Developer Information Kit v1.0
• 7 April -  Draft Information Kit v0.12 (PDF, 4.1MB)
• 23 March - Draft Information Kit v0.11 (PDF, 4.1MB)
• 9 March - Draft Information Kit (PDF, 3.7MB)
• 25 February - DRAFT Access manager user Interface Designs (PDF, 555KB)
• 6 February Identity Validation issue

2014

• 28 December 2014 - Media release 'Cutting red tape through Single Touch Payroll' (PDF, 628KB)
• AUSkey overview