The Trusted Digital Identity Framework (TDIF) is an accreditation framework for Digital Identity services. It sets out the requirements that applicants need to meet to achieve accreditation. The TDIF also includes guidance material and templates to support providers to meet TDIF requirements.
Organisations and government agencies can apply for TDIF accreditation and undergo a series of assurance evaluations for their Digital Identity service. To become a TDIF accredited participant, applicants are required to demonstrate how their Digital Identity service meets requirements for:
- accessibility and usability
- privacy protection
- security and fraud control
- risk management
- technical integrity and more.
This includes the need for:
- an independent privacy impact assessment
- an independent security assessment
- an ICT penetration test
- organisational policies and practices that demonstrate alignment with the Australian Government Protective Security Policy Framework, the Information Security Manual, the Australian Privacy Principles and the Privacy Code.
The requirements defined in the framework build on the baseline of the Australian Cyber Security Centre’s Essential Eight cyber security mitigations.
Once accredited, participants need to continually demonstrate they meet their TDIF obligations by undergoing annual assessments.
The TDIF supports 4 accreditation roles.
The TDIF Accreditation Authority has granted accreditation to the following services:
|Participant (and service name)|Service type|IP/CL Level|Accreditation date|
|---|---|---|---|
|Services Australia (Exchange)|IdX||13 May 2019|
|Australia Post (Digital iD)|IdP and CSP (mobile app)|IP 2|17 May 2019|
|Australian Taxation Office (myGovID)|IdP and CSP (mobile app)|IP 2|30 May 2019|
|Australian Taxation Office (Relationship Authorisation Manager)|ASP||20 June 2019|
The TDIF is currently made up of 13 policies. Additional policies will be added as required and as we learn more about user needs.
01 – Glossary of Abbreviations and Terms [PDF, 637KB] includes a list of acronyms and defines the key abbreviations and terms used in the TDIF.
02 – Overview [PDF, 611KB] provides a high-level overview of the TDIF.
03 – Accreditation Process [PDF, 571KB] sets out the process and requirements an applicant is required to complete to achieve TDIF accreditation.
04 – Functional Requirements [PDF, 677KB] outlines requirements applicable to the accredited roles, including fraud control, privacy, protective security, user experience and technical testing. It also includes a series of Functional Assessments to be undertaken by the applicant to achieve TDIF accreditation including a Privacy Impact Assessment, Privacy Assessment, Security Assessment, penetration test and an Accessibility Assessment against the Web Content Accessibility Guidelines.
04A – Functional Guidance [PDF, 647KB] provides guidance to applicants on meeting the requirements set out in the TDIF 04 Functional Requirements.
05A – Role Guidance [PDF, 608KB] provides guidance to applicants on meeting the requirements set out in the TDIF 05 Role Requirements.
06 – Federation Onboarding Requirements [PDF, 646KB] outlines the requirements to be met when an applicant’s identity system is approved to onboard to the Australian Government’s identity federation. This document includes functional requirements, technical integration testing requirements, operating obligations and the accreditation requirements for an identity exchange.
06B – OpenID Connect 1.0 Profile [PDF, 1.15MB] describes how OpenID Connect 1.0 is used within the Australian Government’s identity federation.
06C – SAML 2.0 Profile [PDF, 812KB] describes how SAML 2.0 is used within the Australian Government’s identity federation.
06D – Attribute Profile [PDF, 756KB] describes the Attributes used within the Australian Government’s identity federation and how these are mapped in the OpenID Connect 1.0 Profile and SAML 2.0 Profile.
07 – Annual Assessment [PDF, 412KB] sets out the process and requirements an accredited participant is required to complete by the anniversary of their initial accreditation date to remain TDIF accredited.
The following templates are provided as guidance for applicants and can help support their accreditation effort.
TDIF Accreditation Requirements – template [XLS, 394KB] includes all TDIF requirements.
TDIF Application for Accreditation Letter – template [dotx, 67KB] is a template for the TDIF accreditation letter required by the TDIF 03 Accreditation Process.
TDIF Fraud Control Plan – template [dotx, 163KB] sets out the standard assessment requirements to be covered by an applicant’s Fraud Control Plan.
TDIF Functional Assessments (generic) – template [dotx, 164KB] sets out the standard assessment requirements to be covered by an applicant’s functional assessment.
TDIF Privacy Impact Assessment (PIA) – template [dotx, 206KB] sets out the standard assessment requirements to be covered by an applicant’s Privacy Impact Assessment.
TDIF Privacy Assessment (functional assessment) [dotx, 182KB] sets out the specific assessment requirements to be covered by an applicant’s privacy assessment.
TDIF Technical Test Plan – template [dotx, 178KB] sets out the requirements to be covered by an applicant’s Technical Test Plan and report.
TDIF Cryptographic Key Management Plan – template [dotx, 159KB] sets out the requirements to be covered by an applicant’s Cryptographic Key Management Plan.
Exemption request form [PDF, 319KB] is to be used by an applicant when submitting an exemption request to the DTA.
The next scheduled review of the TDIF will occur by July 2022. Any changes made to the document suite before this date will be recorded in a TDIF change management document and will be made available on our website. All changes to the TDIF will occur in accordance with the TDIF Variation Standard Operating Procedure.
TDIF Variation Standard Operating Procedure [PDF, 440KB] sets out the procedure for implementing requested changes to the TDIF.
TDIF Change Request Form [PDF, 149KB] is the form used to request any changes to the TDIF.
TDIF Change Log – Mar 2021 [XLS, 43KB] records any changes made to the TDIF before July 2022.