In federated identity management systems identity providers authenticate users of its realm via single sign-on and forward authentication assertion as a response to the service provider's requests. Secure single sign-on authentication is always a challenging task in an open environment such as in Internet. The risk associated with an open environment authentication and authorization are user credentials stealing via man-in-the-middle attack, user platform infected with virus or Trojan horse, identity provider and service provider collude with each others. We reviewed current technologies' Kerberos, Liberty Alliance, OpenlD and Windows Live ID. However, the existing systems have limitations and weaknesses such as presence of third parties, no platform trust, and a weak authentication mechanism. In this paper, we propose a singlesign-on authentication model for an open environment to combine the trusted module security and platform trust in federated user systems. This model excludes third party involvement in every transaction such as identity or authentication service provider. The user platform in this model plays a role of an identity provider or authentication service. The security and privacy analysis of the proposed model shows our model can achieve strong security, platform trust and enhanced privacy. © 2010 IEEE.