DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
An Examiner's Amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner's Amendment was given in a telephone interview with Applicant's representative Mutter, Nathan on January 11, 2021.

Examiner Amendments

Claims

Please replace the claims as follows:
Claim 1; 	(Currently Amended) A method for user device authentication at an application platform providing a single sign-on (SSO) service for user devices to access one or more cloud-based applications, comprising:
receiving, at the application platform and from a user device, an initial login request;
redirecting the initial login request to a proxy server based at least in part on the initial login request lacking authentication information or an authorization message;
receiving, at the application platform and from the [[a]] proxy server, a first login request and the authentication information based at least in part on a certificate of the [[a]] user device, wherein the authentication information comprises identification information for the proxy server, wherein receiving, at the application platform and from the proxy server, the first login request and the authentication information is based at least in part on the redirecting;
performing a validation process for the proxy server based at least in part on the authentication information;
transmitting the [[an]] authorization message for use by the user device based at least in part on a successful result of the validation process;
receiving, at the application platform and from the user device, a second login request and the authorization message;
initiating a login procedure for the user device based at least in part on receiving the second login request and the authorization message; and
authenticating, at the application platform, the user device for access to the application platform based at least in part on the login procedure and receiving the second login request and the authorization message at the application platform, wherein the authenticating at the application platform allows the user device to communicate with the application platform via a route bypassing the proxy server.

Claim 2;	(Original) The method of claim 1, wherein the authentication information comprises a proxy server-specific secret, and wherein performing the validation process for the proxy server comprises:
identifying the proxy server based at least in part on the proxy server-specific secret and an Internet Protocol (IP) address associated with the proxy server.

Claim 3;	(Previously Presented) The method of claim 1, wherein the login procedure comprises:
receiving, from the user device, one or more user identifiers for the login procedure, wherein the user device is authenticated for access to the application platform further based at least in part on the one or more user identifiers.

Claim 4;	(Canceled) 


Claim 6;	(Original) The method of claim 1, further comprising:
encrypting the authorization message for transmission using an encryption key; and
decrypting the authorization message received from the user device using the encryption key.

Claim 7; 	(Canceled)

Claim 8; 	(Original) The method of claim 1, wherein the authentication information comprises an indication of a successful mutual transport level security (mTLS) process between the proxy server and the user device, the successful mTLS process based at least in part on the certificate of the user device.

Claim 9; 	(Previously Presented) The method of claim 8, further comprising:
receiving, at the application platform and from the proxy server, an additional login request and an additional indication of an unsuccessful mTLS process between the proxy server and an additional user device, the unsuccessful mTLS process based at least in part on an invalid certificate of the additional user device; and
transmitting a message indicating that the additional user device is not authorized for the login procedure based at least in part on the additional indication of the unsuccessful mTLS process.

Claim 10;	(Previously Presented) The method of claim 1, wherein transmitting the authorization message for use by the user device comprises:
relaying the authorization message from the application platform, through the proxy server, and to the user device.

receiving the second login request and the authorization message directly from the user device without routing data through the proxy server.

Claim 12; 	(Original) The method of claim 1, wherein the authorization message comprises an Internet Protocol (IP) address and a timestamp, and wherein initiating the login procedure comprises:
validating the IP address and the timestamp.

Claim 13;	(Currently Amended) An apparatus for user device authentication at an application platform providing a single sign-on (SSO) service for user devices to access one or more cloud-based applications, comprising:
a processor;
memory in electronic communication with the processor; and
instructions stored in the memory and executable by the processor to cause the apparatus to:
receive, at the application platform and from a user device, an initial login request;
redirect the initial login request to a proxy server based at least in part on the initial login request lacking authentication information or an authorization message;
receive, at the application platform and from the [[a]] proxy server, a first login request and the authentication information based at least in part on a certificate of the [[a]] user device, wherein the authentication information comprises identification information for the proxy server, wherein receiving, at the application platform and from the proxy server, the first login request and the authentication information is based at least in part on the redirecting;
perform a validation process for the proxy server based at least in part on the authentication information;
transmit the [[an]] authorization message for use by the user device based at least in part on a successful result of the validation process;
receive, at the application platform and from the user device, a second login request and the authorization message;
initiate a login procedure for the user device based at least in part on receiving the second login request and the authorization message; and
authenticate, at the application platform, the user device for access to the application platform based at least in part on the login procedure and receiving the second login request and the authorization message at the application platform, wherein the authenticating at the application platform allows the user device to communicate with the application platform via a route bypassing the proxy server.

Claim 14; 	(Original) The apparatus of claim 13, wherein the authentication information comprises a proxy server-specific secret, and wherein the instructions to perform the validation process for the proxy server are further executable by the processor to cause the apparatus to:
identify the proxy server based at least in part on the proxy server-specific secret and an Internet Protocol (IP) address associated with the proxy server.

Claim 15;	(Previously Presented) The apparatus of claim 13, wherein the login procedure comprises further instructions executable by the processor to cause the apparatus to:
receive, from the user device, one or more user identifiers for the login procedure, wherein the user device is authenticated for access to the application platform further based at least in part on the one or more user identifiers.

Claim 16; 	(Original) The apparatus of claim 13, wherein the instructions are further executable by the processor to cause the apparatus to:
encrypt the authorization message for transmission using an encryption key; and
decrypt the authorization message received from the user device using the encryption key.


Claim 17;	(Currently Amended) A non-transitory computer-readable medium storing code for user device authentication at an application platform providing a single 
receive, at the application platform and from a user device, an initial login request;
redirect the initial login request to a proxy server based at least in part on the initial login request lacking authentication information or an authorization message;
receive, at the application platform and from the [[a]] proxy server, a first login request and the authentication information based at least in part on a certificate of the [[a]] user device, wherein the authentication information comprises identification information for the proxy server, wherein receiving, at the application platform and from the proxy server, the first login request and the authentication information is based at least in part on the redirecting;
perform a validation process for the proxy server based at least in part on the authentication information;
transmit the [[an]] authorization message for use by the user device based at least in part on a successful result of the validation process;
receive, at the application platform and from the user device, a second login request and the authorization message;
initiate a login procedure for the user device based at least in part on receiving the second login request and the authorization message; and
authenticate, at the application platform, the user device for access to the application platform based at least in part on the login procedure and receiving the second login request and the authorization message at the application platform, wherein the authenticating at the application platform allows the user device to communicate with the application platform via a route bypassing the proxy server.




Claim 18; 	(Original) The non-transitory computer-readable medium of claim 17, wherein the authentication information comprises a proxy server-specific secret, and wherein the instructions to perform the validation process for the proxy server are further executable by the processor to:
identify the proxy server based at least in part on the proxy server-specific secret and an Internet Protocol (IP) address associated with the proxy server.


receive, from the user device, one or more user identifiers for the login procedure, wherein the user device is authenticated for access to the application platform further based at least in part on the one or more user identifiers.

Claim 20;	(Original) The non-transitory computer-readable medium of claim 17, wherein the instructions are further executable by the processor to:
encrypt the authorization message for transmission using an encryption key; and
decrypt the authorization message received from the user device using the encryption key.

Claim 21; 	(Currently Amended) The method of claim 1 [[7]], further comprising:
refraining from transmitting a login form to the user device in response to the initial login request; and
transmitting the login form to the user device in response to the second login request and the authorization message.
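The following is an added example, not part of this office action and not the applicant's code: a stdlib-only Python simulation of the login flow recited in claims 1-12 and 21 above. The application platform redirects an initial request that carries neither authentication information nor an authorization message, validates the proxy by its proxy-specific secret and source IP address (claim 2), rejects a reported mTLS failure (claim 9), issues an authorization message that binds the device's IP address and a timestamp (claim 12) and is encrypted and decrypted with one key (claim 6), then accepts the second login request directly from the device and runs the login procedure (claims 3, 11 and 21). All host names, secrets, certificates and user credentials are constructed; the HMAC-based encryption is a stand-in for a real AEAD such as AES-GCM, and the proxy's trusted-fingerprint set stands in for the CA verification a real mTLS handshake would perform.

```python
# Added example (not the applicant's code): stdlib-only simulation of the proxy-mediated
# SSO flow in claims 1-12 and 21. Names, secrets and certificates are constructed.
import base64, hashlib, hmac, json, os, time

# Authenticated encryption from hashlib/hmac only, a stand-in for a real AEAD such as
# AES-GCM: HMAC in counter mode gives the keystream, encrypt-then-MAC gives the tag.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ks = _keystream(hashlib.sha256(key + b"enc").digest(), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + hmac.new(hashlib.sha256(key + b"mac").digest(), nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(hashlib.sha256(key + b"mac").digest(), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authorization message failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(hashlib.sha256(key + b"enc").digest(), nonce, len(ct))))

class ApplicationPlatform:
    """SSO service: validates the proxy, then trusts the proxy's report of the device-cert check."""
    AUTHZ_TTL = 60  # seconds an authorization message stays valid (claim 12)

    def __init__(self, proxies, enc_key, users):
        self.proxies = proxies  # proxy_id -> (proxy-specific secret, expected source IP)
        self.enc_key = enc_key  # one key encrypts and decrypts the authorization message (claim 6)
        self.users = users      # user identifier -> password for the login procedure (claim 3)
        self.sessions = {}      # session token -> user, used on the route that bypasses the proxy

    def handle_login(self, request, src_ip, now=None):
        now = time.time() if now is None else now
        if "authz" in request:
            return self._second_login(request, src_ip, now)
        if "auth_info" in request:
            return self._first_login(request, src_ip, now)
        # Initial request: no authentication information and no authorization message,
        # so redirect to the proxy and send no login form (claim 21).
        return {"status": "redirect", "location": "https://proxy.example.test/login"}

    def _validate_proxy(self, info, src_ip):
        # The proxy is identified by its proxy-specific secret AND its source IP (claim 2).
        reg = self.proxies.get(info.get("proxy_id"))
        return reg is not None and hmac.compare_digest(reg[0], info.get("proxy_secret", "")) and reg[1] == src_ip

    def _first_login(self, request, src_ip, now):
        info = request["auth_info"]
        if not self._validate_proxy(info, src_ip):
            return {"status": "denied", "reason": "unknown proxy"}
        if not info.get("mtls_ok"):  # proxy reported a failed mTLS handshake (claim 9)
            return {"status": "denied", "reason": "device certificate rejected"}
        # The authorization message binds the device's IP and a timestamp (claim 12).
        msg = json.dumps({"device_ip": info["device_ip"], "ts": now, "cert_fp": info["device_cert_fp"]})
        return {"status": "authorized", "authz": base64.b64encode(encrypt(self.enc_key, msg.encode())).decode()}

    def _second_login(self, request, src_ip, now):
        try:
            msg = json.loads(decrypt(self.enc_key, base64.b64decode(request["authz"])))
        except ValueError:
            return {"status": "denied", "reason": "bad authorization message"}
        if msg["device_ip"] != src_ip or not 0 <= now - msg["ts"] <= self.AUTHZ_TTL:
            return {"status": "denied", "reason": "ip or timestamp check failed"}
        creds = request.get("credentials")
        if creds is None:  # the login procedure starts: only now is the login form sent (claim 21)
            return {"status": "login_form"}
        if self.users.get(creds.get("user")) != creds.get("password"):
            return {"status": "denied", "reason": "bad user identifiers"}
        token = base64.b64encode(os.urandom(18)).decode()
        self.sessions[token] = creds["user"]  # subsequent traffic uses this token directly
        return {"status": "authenticated", "session": token}

class ProxyServer:
    """Does the client-certificate check; a trusted-fingerprint set stands in for CA verification in mTLS."""
    def __init__(self, proxy_id, secret, ip, trusted_cert_fps, platform):
        self.proxy_id, self.secret, self.ip = proxy_id, secret, ip
        self.trusted, self.platform = trusted_cert_fps, platform

    def login(self, device_cert, device_ip):
        fp = hashlib.sha256(device_cert).hexdigest()
        info = {"proxy_id": self.proxy_id, "proxy_secret": self.secret, "mtls_ok": fp in self.trusted,
                "device_ip": device_ip, "device_cert_fp": fp}
        return self.platform.handle_login({"auth_info": info}, src_ip=self.ip)  # arrives from the proxy's IP

def build_demo():
    """Constructed parties: one registered proxy, one enrolled device certificate, one user."""
    good_cert = b"-----CONSTRUCTED DEVICE CERT laptop-01-----"
    platform = ApplicationPlatform({"proxy-a": ("s3cr3t-proxy-a", "10.0.0.5")}, os.urandom(32), {"alice": "hunter2"})
    proxy = ProxyServer("proxy-a", "s3cr3t-proxy-a", "10.0.0.5", {hashlib.sha256(good_cert).hexdigest()}, platform)
    return platform, proxy, good_cert

def run_flow(platform, proxy, device_cert, device_ip, user, password):
    """The whole exchange seen from the device; returns the platform's replies in order."""
    r0 = platform.handle_login({}, device_ip)                      # initial request -> redirect
    r1 = proxy.login(device_cert, device_ip)                        # first login request, via the proxy
    if r1["status"] != "authorized":
        return [r0, r1]
    r2 = platform.handle_login({"authz": r1["authz"]}, device_ip)  # second login request, direct -> form
    r3 = platform.handle_login({"authz": r1["authz"], "credentials": {"user": user, "password": password}}, device_ip)
    return [r0, r1, r2, r3]
```

Running run_flow() with the enrolled certificate yields the reply sequence redirect, authorized, login_form, authenticated. An unenrolled certificate is refused at the proxy's first login request; an authorization message replayed from another IP address, presented after its TTL, or tampered with is refused at the second login request; and a first login request carrying the right proxy secret from the wrong IP address is refused as an unknown proxy.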





Examiner’s Statement of Reasons for Allowance
Claims 1-3, 5-6 and 8-21 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is associated with a proxy server performing a certificate challenge with a user device to determine whether the user device is authorized to access the application; if verification succeeds, the proxy server transmits a login request and authentication information to the application server. The application server then determines whether the certificate challenge was successful and verifies whether the proxy server is a valid proxy for the application. If these validations are 
The closest prior art, as previously cited, is Schincariol (US 20150227749), Birk (US 20050154886), Carpenter (US 20110194692), Delibie (US 20070165579), Gargaro (US 20120167193) and Gupta (US 20160157098), in which Schincariol discloses that the data storage system may be configured to receive a request from a requester on a client device to access information stored in the data storage system; upon receiving the request, the first system may determine that an access token identifying the requester is stored in a cache in the data storage system. Birk discloses a framework that allows an application server to enforce a trust evaluation and allows a reverse proxy security server to assert a client's security identity, as well as other client security credential information. Carpenter discloses a VoIP device that sends a multiple pipe scrambling request, wherein the multiple pipe scrambling request includes a numeric value indicating the number of pipes, an IP address for each pipe, and a port number for each pipe. Delibie discloses that a communication session is initialized by the client terminal with the mobile server terminal, and the communication session is established by opening a direct communication tunnel between the client terminal and the server terminal. Gargaro discloses that single sign-on between a reverse proxy and a back-end server can include instigating an authentication process through a browser for a user to obtain access to the back-end server, intercepting a login page from the back-end server at the reverse proxy and adding a routine thereto, thereby loading an asynchronous engine on the browser executing a login process with an 
However, none of Schincariol (US 20150227749), Birk (US 20050154886), Carpenter (US 20110194692), Delibie (US 20070165579), Gargaro (US 20120167193) and Gupta (US 20160157098) teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in independent Claim 1 and similarly Claim 13 and Claim 17. For example, none of the cited prior art teaches or suggests the steps of Claim 1 and similarly Claim 13 and Claim 17: receiving, at the application platform and from a user device, an initial login request; redirecting the initial login request to a proxy server based at least in part on the initial login request lacking authentication information or an authorization message; receiving, at the application platform and from the proxy server, a first login request and the authentication information based at least in part on a certificate of the user device, wherein the authentication information comprises identification information for the proxy server, wherein receiving, at the application platform and from the proxy server, the first login request and the authentication information is based at least in part on the redirecting; performing a validation process for the proxy server based at least in part on the authentication information; transmitting the authorization message for use by the user device based at least in part on a successful result of the validation process; receiving, at the application platform and from the user device, a second login request and the authorization message; initiating a login procedure for the user device based at least in part on receiving the second login request and the authorization message; and authenticating, at the application platform, the user device for access to the application platform based at least in part on the login procedure and receiving the second login request and the authorization message at the application platform, wherein the authenticating at the application platform allows the user device to communicate with the application platform via a route bypassing the proxy server.

Therefore, the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  
For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
	



	/C.W./Examiner, Art Unit 2439   



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439