We present recent advances that improve the privacy of SSO protocols such as OIDC: our approach supports RP authentication, RP-bound tokens and RP-specific pseudonyms - all without the IdP learning the identity of the RP the user wants to access.