Single sign-on (SSO) allows a user to maintain only one credential at the identity provider (IdP), instead of one credential for each relying party (RP), to log in to numerous RPs. However, compared with traditional authentication mechanisms, SSO introduces extra privacy leakage threats: (a) the IdP could track all the RPs that a user visits, and (b) collusive RPs could learn a user's online profile by linking his identities across these RPs. Several privacy-preserving SSO solutions have been proposed to defend against either the curious IdP or collusive RPs, but none of them addresses both privacy leakage threats at the same time.

In this paper, we propose a privacy-preserving SSO system, called UPPRESSO, to protect a user's login traces against both the curious IdP and collusive RPs simultaneously. We analyze the identity dilemma between the SSO security requirements and these privacy concerns, and convert the SSO privacy problems into an identity-transformation challenge. In each login instance of UPPRESSO, an ephemeral pseudo-identity (denoted PID_RP) of the RP which the user is attempting to visit is first negotiated between the RP and the user. Then PID_RP is sent to the IdP and designated in the identity token, so that the IdP is not aware of the visited RP. Meanwhile, the IdP uses PID_RP to transform the permanent user identity ID_U into an ephemeral user pseudo-identity (denoted PID_U) in the identity token. On receiving the identity token, the RP transforms PID_U into a permanent account (denoted Acct) of the user, using a trapdoor from the negotiation. For a given user, the account at each RP is unique and differs from ID_U, so collusive RPs cannot link his identities across multiple RPs.
To the best of our knowledge, this is the first practical SSO solution which solves the privacy problems caused by both the curious IdP and collusive RPs.

We build the UPPRESSO prototype system for web applications with standard functions of OpenID Connect (OIDC): RP Dynamic Registration is used to support the ephemeral PID_RP, while Core Sign-On is slightly modified to calculate PID_U and Acct. The prototype is implemented on top of the open-source MITREid Connect, and extensive evaluation shows that UPPRESSO introduces reasonable overheads and fulfills both the security and privacy requirements.
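The identity transformation described in the abstract, as an added worked example (this is not code from the UPPRESSO paper or its MITREid Connect prototype). It is a toy instantiation in the order-q subgroup of Z_p^* with p = 2q + 1: ID_U is a scalar, ID_RP is a group element, PID_RP = ID_RP^t for a per-login trapdoor t, the IdP computes PID_U = PID_RP^ID_U, and the RP recovers Acct = PID_U^(1/t) = ID_RP^ID_U. The choice of group, the scalar/group-element roles, the class and function names, and the assumption that the user's agent hands t to the RP over the existing TLS session during the negotiation are this example's own; the abstract does not specify them. The 63-bit modulus keeps the example readable and is not a secure parameter.

```python
"""
Toy identity-transformation SSO flow (constructed example, not UPPRESSO's code).
Group: order-q subgroup of Z_p^*, p = 2q + 1. Assumed roles: ID_U scalar,
ID_RP group element, trapdoor t chosen by the user and shared with the RP.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int):
    """Smallest safe prime p = 2q + 1 with q >= start, so parameters are reproducible."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime_from(1 << 62)  # toy size; a deployment would use an EC group
G = 4                            # 4 = 2^2 is a square mod p, so it generates the order-q subgroup


def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1


class IdP:
    """Holds ID_U per user and ID_RP per RP; at login it only ever sees PID_RP."""
    def __init__(self):
        self.id_u, self.id_rp, self.observed = {}, {}, []

    def register_user(self, name):
        self.id_u[name] = rand_scalar()

    def register_rp(self, rp):
        self.id_rp[rp] = pow(G, rand_scalar(), P)
        return self.id_rp[rp]

    def issue_token(self, user, pid_rp):
        self.observed.append(pid_rp)                # the IdP's view: an ephemeral PID_RP, not the RP
        pid_u = pow(pid_rp, self.id_u[user], P)     # PID_U = PID_RP ^ ID_U
        return {"aud": pid_rp, "sub": pid_u}        # token designates PID_RP and carries PID_U


class RP:
    def __init__(self, name, id_rp):
        self.name, self.id_rp, self.accounts = name, id_rp, {}

    def negotiate(self, t):
        return pow(self.id_rp, t, P)                # PID_RP = ID_RP ^ t for this login only

    def account_from_token(self, token, t):
        # Acct = PID_U ^ (1/t) = ID_RP ^ ID_U: stable per (user, RP), unrelated across RPs.
        acct = pow(token["sub"], pow(t, -1, Q), P)
        self.accounts.setdefault(acct, len(self.accounts))
        return acct


def login(idp, user, rp):
    """One SSO login; returns (Acct at this RP, the PID_RP the IdP observed)."""
    t = rand_scalar()                                # trapdoor chosen by the user's agent
    pid_rp = rp.negotiate(t)                         # negotiation: user and RP agree on PID_RP
    if pid_rp != pow(rp.id_rp, t, P):                # user-side check that the RP used its real ID_RP
        raise ValueError("RP returned a PID_RP not derived from its registered ID_RP")
    token = idp.issue_token(user, pid_rp)
    return rp.account_from_token(token, t), pid_rp


def demo():
    idp = IdP()
    idp.register_user("alice")
    shop = RP("shop", idp.register_rp("shop"))
    forum = RP("forum", idp.register_rp("forum"))
    a1, v1 = login(idp, "alice", shop)
    a2, v2 = login(idp, "alice", shop)
    a3, v3 = login(idp, "alice", forum)
    return {
        "same_rp_same_acct": a1 == a2,                  # RP keeps one permanent account
        "cross_rp_distinct": a1 != a3,                  # collusive RPs hold unrelated values
        "idp_view_ephemeral": len({v1, v2, v3}) == 3,   # IdP sees a fresh PID_RP every login
        "acct_is_id_rp_pow_id_u": a1 == pow(shop.id_rp, idp.id_u["alice"], P),
    }


if __name__ == "__main__":
    print(demo())
```

The three checks in `demo()` are the abstract's three requirements in miniature: the RP's account is stable because t and 1/t cancel in the exponent, the IdP's log contains only per-login values, and two colluding RPs hold ID_RP1^ID_U and ID_RP2^ID_U, which they cannot relate without ID_U or a solution to a Diffie-Hellman-style problem in the group. The user-side check in `login()` matters in practice: an RP that substituted another RP's ID_RP into the negotiation would obtain that RP's Acct for the user, which is exactly the cross-RP linking the scheme is meant to prevent.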