An apparatus and method for providing Single Sign-On services to a user
when accessing a selected Service Provider from a plurality of Service
Providers. An Authentication Provider authenticates the user with a
user-identity, provides the user with a token as proof of the
authentication, and assigns a temporary alias-identity to the user for
use when the user accesses the selected Service Provider. The
Authentication Provider and the selected Service Provider link the
assigned alias-identity and the user-identity to identify the user at
their respective sites. The user accesses the selected Service Provider by
presenting the token along with a local user-identity valid for the
selected Service Provider. When the user attempts a subsequent access at
the selected Service Provider, the user is identified by the shared
alias-identity, if the user allowed permanent linking. If the user did
not allow permanent linking, the process is repeated for each subsequent
access.
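
The flow described above, modelled as an added example that is not taken from the patent: an Authentication Provider (AP) issues a token carrying a random alias, and a Service Provider (SP) links that alias to a local user-identity only when permanent linking is allowed. The HMAC token format, the shared key, the sample credentials and every class and method name are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)  # assumption: MAC key shared by AP and SP

def _tag(alias):
    return hmac.new(KEY, alias.encode(), hashlib.sha256).hexdigest()

class AuthenticationProvider:
    def __init__(self, secrets_by_user):
        self.secrets_by_user = secrets_by_user  # constructed sample credentials
        self.alias_to_user = {}                 # AP side of the alias link
        self.permanent = {}                     # user-identity -> kept alias

    def authenticate(self, user_identity, secret):
        known = self.secrets_by_user.get(user_identity, "")
        if not known or not hmac.compare_digest(known.encode(), secret.encode()):
            raise PermissionError("authentication failed")
        # Reuse a permanently linked alias, otherwise assign a fresh random one.
        alias = self.permanent.get(user_identity) or secrets.token_urlsafe(16)
        self.alias_to_user[alias] = user_identity
        return f"{alias}.{_tag(alias)}"         # token: alias plus MAC as proof

    def keep_alias(self, token):
        alias = token.partition(".")[0]
        self.permanent[self.alias_to_user[alias]] = alias

class ServiceProvider:
    def __init__(self, local_users):
        self.local_users = set(local_users)
        self.links = {}                         # alias -> local user-identity

    def _alias(self, token):
        alias, _, tag = token.partition(".")
        if not hmac.compare_digest(tag.encode(), _tag(alias).encode()):
            raise PermissionError("token not issued by the AP")
        return alias

    def first_access(self, token, local_identity, permanent):
        alias = self._alias(token)
        # Assumption: a real SP would also verify the local credential here.
        if local_identity not in self.local_users:
            raise PermissionError("unknown local user-identity")
        if permanent:
            self.links[alias] = local_identity
        return local_identity

    def subsequent_access(self, token):
        # None means no permanent link exists: repeat first_access.
        return self.links.get(self._alias(token))
```

The token in this sketch has no expiry or audience binding, so a deployment would add both to limit replay and reuse at other Service Providers.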