Service aggregation is becoming a cost-effective and time-efficient way for a business to develop new applications and services. While it creates tremendous opportunities in various industry sectors, its cross-organization nature raises serious challenges in the security domains for authentication. In this paper we formulate a formal definition of authentication in service aggregation and a security model for it, and propose two authentication protocols. One is a one-way protocol and another is an interactive one. In particular, the constructed authentication tokens are anonymous to verifiers. We prove their security, show how to choose optimal system parameters, and analyse the efficiency.