Single Sign-on (SSO) allows a user to obtain a single credential from a Trusted Third Party (TTP) once and then authenticate himself/herself to different service providers by using the same credential. Though different SSO schemes have been obtained from various primitives, user anonymity has not yet been studied formally. Motivated by the fact that anonymity is an essential security requirement in certain scenarios, in this paper we first formalize a security model of anonymous single sign-on (ASSO). Subsequently, we present a generic ASSO scheme which is transformed from group signatures. Formal proofs are provided to show that the proposed ASSO is secure under the assumption that the underlying group signature is secure according to Bellare et al.'s model introduced at CT-RSA 2005. Compared to existing SSO schemes, our transformation not only provides user anonymity, but also reduces the level of trust required in the TTP.