In single sign-on (SSO), identity providers (IdPs) can track all relying parties (RPs) accessed by users, while malicious RPs may infer user profiles via cross-site correlation. This paper proposes the first privacy-preserving identity transformation modeling framework for SSO, featuring a two-layer pseudonymization mechanism—RP-specific pseudonyms (PID_RP) and user-level pseudonyms (PID_U)—together with ephemeral trapdoor account mapping, enabling irreversible, RP-exclusive ID_U→PID_U transformation. Built upon an extended OpenID Connect (OIDC) protocol and implemented on MITREid Connect, the prototype ensures that the IdP remains unaware of the target RP and that RPs cannot correlate user identities across sites. The scheme preserves authentication security while achieving both access unlinkability and identity uncorrelatability. Evaluation shows end-to-end latency overhead remains below 15%, demonstrating practical deployability.

Single sign-on (SSO) allows a user to maintain only the credential at the identity provider (IdP), to login to numerous RPs. However, SSO introduces extra privacy threats, compared with traditional authentication mechanisms, as (a) the IdP could track all RPs which a user is visiting, and (b) collusive RPs could learn a user's online profile by linking his identities across these RPs. This paper proposes a privacypreserving SSO system, called UPPRESSO, to protect a user's login activities against both the curious IdP and collusive RPs. We analyze the identity dilemma between the security requirements and these privacy concerns, and convert the SSO privacy problems into an identity transformation challenge. In each login instance, an ephemeral pseudo-identity (denoted as PID_RP ) of the RP, is firstly negotiated between the user and the RP. PID_RP is sent to the IdP and designated in the identity token, so the IdP is not aware of the visited RP. Meanwhile, PID_RP is used by the IdP to transform the permanent user identity ID_U into an ephemeral user pseudo-identity (denoted as PID_U ) in the identity token. On receiving the identity token, the RP transforms PID_U into a permanent account (denoted as Acct) of the user, by an ephemeral trapdoor in the negotiation. Given a user, the account at each RP is unique and different from ID_U, so collusive RPs cannot link his identities across these RPs. We build the UPPRESSO prototype on top of MITREid Connect, an open-source implementation of OIDC. The extensive evaluation shows that UPPRESSO fulfills the requirements of both security and privacy and introduces reasonable overheads.