Cloud software authentication and authorisation – Frequently asked questions

This page provides frequently asked questions (FAQ) to assist digital service providers (DSP) with implementing the Cloud software authentication and authorisation (CAA) solution. For more information, refer to the CAA Software developer information kit. If you can’t find the answer to your question, contact us via the SBR Service Desk.

FAQ topics:

CAA solution

Q1. What is the definition of Cloud, to which this applies?

Refer to the Australian Signals Directorate website for a definition of Cloud computing.

Q2. Are current desktop software solutions still supported?

Yes. Businesses and intermediaries will still be able to maintain current processes and use existing machine credential authentication models when using desktop software solutions.

Q3. What is a Software ID?

A Software ID (SSID) is a unique ID that is used to identify each unique subscription or instance of software and is automatically generated by the software. See more information in the CAA Software developer information kit.

Q4. How secure is this solution? What if a fraudulent user obtains the Software ID?

On lodgment, the software automatically sends the Software ID within the message (the Software ID is not entered by the client). If a fraudulent user obtains a Software ID, they won't be able to manually enter it into the software. The ATO authorisation check will fail if the SSID passed by the software does not match the notification held by the ATO.

Q5. Is it an issue if a different DSP has the same Software ID in their software?

No. The Software ID is only required to be unique across the cloud software provider business entity (ABN). There is no risk if two different software provider business entities (ABNs) happen to generate and provide the same software ID to their clients.

Q6. Will the CAA solution be implemented for the ATO only? 

The initial solution has been implemented in the ATO Access Manager and is for ATO only. A similar solution has been implemented by USI in the Relationship Authorisation Manager. Other agencies may choose to leverage this solution.

Q7. Is the CAA solution for SBRCore and ebMS3?

Yes. The CAA solution is used for both SBRCore and ebMS3 channels.

Q8. Can a DSP nominate multiple machine credentials to be used to secure cloud software transmissions?

Yes. A DSP can nominate multiple machine credentials to secure cloud software transmissions. This nomination is done in Access Manager.

Q9. Can a single device machine credential be used on multiple servers?

The ATO supports the use of a single machine credential or one for each server. The Keystore containing the single machine credential can be copied and placed on each server. However, the machine credential was designed to identify an electronic address that is authorised to transact with the ATO. Installing a unique machine credential on each server enables better identification of which server was used when transacting with the ATO (for fraud, accountability, logging etc).

Q10. Is there a web service that can be used as an alternative to the manual process of notification of a software provider in Access Manager?

No. Web services are not available to set up notifications. Clients are required to complete a hosted SBR software services notification in Access Manager or call the ATO via the 1300 85 22 32 priority phone service.

Q11. Is there a way a DSP can verify if their clients have set up a notification in Access Manager correctly without transmitting an SBR message?

Yes. A DSP can verify client notification via the Access Manager under ‘Diagnostic reports’. More information on this service is available in the CAA Software developer information kit.

Q12. Can CAA be used with desktop solutions?

Yes, the CAA solution can be leveraged using hybrid desktop via cloud software. See more details in the Software developer information kit.


Q13. Can a DSP upload a client’s machine credential to the cloud?

No. Uploading clients’ machine credentials into the cloud is a breach of terms and conditions as it represents a significant risk to the integrity of the credential.

Q14. Will businesses be able to specify certain permissions for each provider (for example, BAS for one and not the other)?

No. A standard set of permissions will be set when completing a hosted software service provider notification. It is up to the business to choose how they use their software product/s.

Q15. Will Machine credentials still be required?

When using the cloud solution the business does not require a machine credential of their own to transmit information to the ATO via SBR enabled cloud software. The cloud software provider requires a machine credential to authenticate the transmission. Machine credentials can still be used for non-cloud desktop software, but cannot be used for any ATO online services such as Online Services for Agents and Access Manager.

Q16. Can a business authorise multiple providers?

Yes. Businesses can nominate multiple cloud software providers.

Q17. Can multiple users lodge under a single subscription?

Yes, it is possible for cloud software products to allow multiple users to submit transmissions via a single cloud software subscription (using a single Software ID).

Q18. Can multiple ABNs lodge under a single subscription?

No, cloud software products should issue a unique software subscription ID to each ABN.
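The rules in Q3 to Q5, Q17 and Q18 can be enforced on the DSP side as sketched below. This is an added example, not code from the ATO or the CAA Software developer information kit. The class, method and message field names are hypothetical, and the 10-digit ID is a placeholder format, so use the format the kit specifies.

```python
import secrets

class SubscriptionRegistry:
    """In-memory DSP-side subscription store (illustrative names throughout)."""

    def __init__(self, id_source=None):
        # Placeholder ID format: 10 random digits (assumption, not the kit's format).
        self._new_id = id_source or (lambda: f"{secrets.randbelow(10**10):010d}")
        self._abn_of = {}    # software_id -> the one ABN it was issued to
        self._ssid_of = {}   # user login -> software_id of that user's subscription

    def create_subscription(self, abn):
        ssid = self._new_id()
        while ssid in self._abn_of:          # must be unique within this DSP only
            ssid = self._new_id()
        self._abn_of[ssid] = abn
        return ssid

    def add_user(self, ssid, user):
        if ssid not in self._abn_of:
            raise KeyError("unknown subscription")
        self._ssid_of[user] = ssid           # many users may share one subscription

    def build_lodgment(self, user, abn, client_fields):
        """Build the outgoing message for an authenticated user session."""
        ssid = self._ssid_of.get(user)
        if ssid is None:
            raise PermissionError("user has no subscription")
        if self._abn_of[ssid] != abn:
            raise PermissionError("subscription was issued to a different ABN")
        # Drop any software_id the client sent; only the stored value is used.
        body = {k: v for k, v in client_fields.items() if k != "software_id"}
        return {"software_id": ssid, "abn": abn, "user": user, "body": body}


def demo():
    reg = SubscriptionRegistry()
    ssid = reg.create_subscription("11111111111")   # constructed ABN
    reg.add_user(ssid, "alice")
    reg.add_user(ssid, "bob")
    # The client tries to supply its own software_id; it is ignored.
    msg = reg.build_lodgment("bob", "11111111111",
                             {"form": "BAS", "software_id": "0000000000"})
    return ssid, msg


if __name__ == "__main__":
    print(demo())
```
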

Q19. When a business owner/employee removes a software provider notification, does ATO notify the software provider?

No. The ATO does not provide a service to notify the DSP if a notification is created or removed. The business and DSP will be informed upon lodgment via error messages if the notification has been removed.

Certification and testing

Q20. What will be the process for DSPs to ‘sign up’ and will it be the same process for registration or certification to that of SBR?

Yes, it is the same process. The CAA Software Developer Information Kit explains the CAA onboarding and accreditation processes.

Q21. What are the certification requirements for CAA?

Once SBR self-certified, there are no additional certification requirements for CAA. The conformance test suite is available to help DSPs integrate with SBR and the ATO by providing authentication and authorisation scenarios which may be used to test any message implementation. The Integrated Product test (IPT) suite provides CAA specific scenarios for DSPs wishing to test their implementation.

Once DSPs intending to use CAA have completed these scenarios they can then complete the CAA declaration form to declare that they have met the CAA requirements and be granted Hosted SBR Software Provider access in Access Manager.

Q22. Is there any testing and development documentation for CAA?

Yes. The Integrated product test (IPT) provides general authentication and authorisation scenarios, including client IDs, that can be used to test with any message implementation.

Use the client data setup specified in the IPT for CAA. This can then be used to replace the designated conformance suite client data to test the scenarios for CAA clients. Contact us via SBR Service Desk for more information.

Q23. Can a universal test device credential be used to test CAA scenarios?

To test CAA, use the data setup specified in the Integrated Product Test Suite (IPT) in conjunction with the test machine credentials (ato.M2M.keystore) available in Sharefile. Only this data has been set up to give the correct responses for CAA. This data should then be used to replace the designated conformance suite data to test the scenarios in the conformance suites for CAA.

Q24. I have hosted SBR software provider access in Access Manager. How can I get a machine credential and make it visible on the screen to enable?

If you don't have a machine credential, see how to create a machine credential.

To make a machine credential visible in Access Manager you must:

  • Create and install your machine credential.
  • Submit an initial SBR transaction with your machine credential. This transaction may fail (this is normal). Once this has occurred the machine credential will become visible in Access Manager. See Using Access Manager - Access and permissions.