DETAILED ACTION
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/26/2020 has been entered.

-Claims 21, 23, 24, 27-33 and 37-39 have been amended.
-Claims 1-20 have previously been cancelled.
-No claims have been added.
-Objection to claim 31 has been withdrawn based on the claim amendment.
-Rejection under 35 USC 112(b) of claim 29 has been withdrawn based on the claim amendment.
-The double patenting rejection has been withdrawn based on the terminal disclaimer filed and approved on 2/21/2020.
-Claims 21-41 are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments
Applicant’s Remarks filed on 10/26/2020 have been considered.
With respect to the arguments regarding the newly added feature of “pre-generated set of login credentials” in independent claims 21 and 29 and with respect to the argument regarding claims 27 and 28, these arguments are moot in view of the new reference Omshehe. 
With respect to the argument that the login credentials for the selected resource are unknown to the user rejected by relying on [para.0110] of Hayton, Applicant argues A user at the client device 302 may thus use a single set of authentication credentials to successfully login to multiple different resources 304 and services 308 that require different sets of the credentials.  This functionality may be transparent to the user, so that the user need not know the correct authentication credentials for many different resources 304 and services 308, but may nonetheless access these different resources 304 and services 308.
With respect to the argument regarding dependent claim 23, Applicant amended the claim and therefore the arguments are moot in view of the new grounds of rejection.
With respect to the argument regarding dependent claim 25, Examiner interprets an application that injects the credentials as an application programming interface.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21-37 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Hayton (US Pub.No. 2014/0331060) in view of Omshehe et al (US Pub.No.2010/0228865) and further in view of Sarukkai et al (US Patent No. 9,137,131).

Re Claim 21. Hayton discloses a computer-implemented method, comprising: receiving, by a usage proxy, enterprise credentials supplied by a user via a client on an electronic device, the enterprise credentials corresponding to an enterprise account of a user; causing, by the usage proxy, the enterprise credentials to be authenticated by an authentication component associated with an enterprise, to thereby authenticate the user (i.e. a user at a client device 302 initiates a login request to the enterprise system including a first set of authentication credentials. The login request in step 601 may be similar to the first authentication request (step 501) described above in FIG.5 …………the login request may be received by an access gateway 360…………………… the access gateway 360 may route the login request and authentication credentials to an authentication service 358 to validate the credentials and determine whether or not the user is authorized to login to the enterprise system ) [Hayton, para.0115-0116, see also para.0090-0091]; determining, by the usage proxy, which of a set of software-as-a-service (SaaS) applications the user is authorized to access (i.e. Within the enterprise system, a single user may have multiple different authentication credentials corresponding to different enterprise resources 304 and services 308. For example, a user may have a first set of credentials (e.g., username and password) to login to the enterprise system, a second set of credentials to login to the user's email server 304, a third set of credentials to access a web-based application on a web application server 304, a fourth set of credentials to invoke a file sharing service 368, and so on……………………..In step 605, the access gateway 360 may receive and store the additional sets of credentials for the user in a memory within the gateway 360 or other storage accessible to the gateway 360. 
In some embodiments, the user's additional sets of credentials may be stored securely within the gateway 360 and/or may be stored external to the gateway 360 to provide additional security for the enterprise) [Hayton, para.0118-0119, see para.0048 for SaaS applications]; receiving, by the usage proxy, a selection by the user of a SaaS application that the user is authorized to access, said selection made by the user after said authentication of the user (i.e. In step 606, the user at a client device 302 initiates a request to an enterprise resource 304 or service 308 within the enterprise system ……………… a request for data or services from a resource 304 or service 308 in the enterprise system, for example, an email server 304, file sharing server 304, web application server 304, device manager service 324, file sharing service 368, social integration service 372, or any other resource or service provided by the enterprise system) [Hayton, para.0121, Fig.6, step 606 occurs after step 601]; 
Hayton does not explicitly disclose whereas Hayton in view of Omshehe does: assigning, by the usage proxy, a pre-generated set of login credentials for the selected SaaS application to the user (i.e. The license manager also confirms that a concurrent license is available to assign to the identified source.  If such a license is both needed by the requesting identified entity and all the concurrent licenses under a currently enforced maximum concurrent user license have not been claimed, the license manager allows the requesting identified entity to claim a concurrent user license.  The concurrent user license persists by adding the identified source to a list of concurrent users to which a concurrent user license is assigned) [Omshehe, para.0012], 
Hayton in view of Omshehe further discloses: said pre-generated [Omshehe] set of login credentials being unknown to the user (i.e. without the user even knowing that access tokens are being used ) [Hayton, para.0110], (i.e. The additional sets of user credentials stored in 605 also may be encrypted) [Hayton, para.0120]; by the usage proxy, logging into the selected SaaS application on behalf of the user using the assigned set of login credentials (i.e. the access gateway 360 may retrieve a second set of valid user credentials from the authentication credentials stored in step 605, and may inject the second set of credentials into the request before forwarding the request to the resource 304 or service 308……….the requested enterprise resource 304 or service 308 receives and validates the request from the access gateway 360. Since the access gateway 360 injected the second set of valid user credentials into the request, the resource 304 or service 308 may successfully verify the user using the second set of credentials just as though the credentials had been entered directly by the user at the client device 302. The validation in step 608 may involve multiple authentication steps and/or one or more challenge-response verifications. However, because the access gateway 360 has the request from the client device 302 and the proper authentication credentials for the user to access the resource 304 or service 308, the gateway 360 may handle all authentication challenges without the involvement of the user or the client device) [Hayton, para.0124], without exposing the set of login credentials to the user (i.e. without the user even knowing that access tokens are being used) [Hayton, para.0110]; 
	Hayton in view of Omshehe does not explicitly disclose whereas Hayton in view of Omshehe and Sarukkai does: and while the usage proxy is logged into the SaaS application on behalf of the user, monitoring, by the usage proxy, usage of the SaaS application by the user (i.e. the network traffic monitoring system and method realizes seamless layering of a network proxy between the client device and the cloud-based service.  The network traffic monitoring system and method enables enterprises to gain deep visibility and control over network traffic to/from these cloud-based services) [Sarukkai, col.3, ll.15-21].
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Hayton with Omshehe because Omshehe allows equitable assessment of compensation to a service provider for use of the services.  The server includes many resources, some of which require a license for access while others do not.  The services of premium value are the only ones for which customers are expected to obtain/claim a license [Omshehe, Abstract]. 
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Hayton in view of Omshehe with Sarukkai because Sarukkai enables enterprises to gain deep visibility and control over network traffic to/from these cloud-based services [Sarukkai, col.3, ll.15-21, see also col.6]. 

Re Claim 22. Hayton in view of Omshehe and Sarukkai discloses the features of claim 21, Hayton further discloses: wherein the set of login credentials includes a login ID and a password (i.e. The login request in step 601 may be similar to the first authentication request (step 501) described above in FIG.5) [Hayton, para.0115], (i.e. For instance, the user may use a keyboard or touch screen to input a user identifier and password into the client device 302) [Hayton, para.0090].  

Re Claim 23. Hayton in view of Omshehe and Sarukkai discloses the features of claim 21, Hayton in view of Omshehe and Sarukkai does not explicitly disclose: wherein the pre-generated set of login credentials is randomly generated. However it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to have the pre-generated set of login credentials disclosed by Omshehe and the tokens of Hayton be randomly generated because Hayton teaches that an access token may include a cryptographic key (e.g., an encryption or decryption key) generated by the authentication device 358 or received from a key generator [Hayton, para.0097]. Therefore randomly generating such tokens yields an expected result of obtaining secure keys.

Re Claim 24. Hayton in view of Omshehe and Sarukkai discloses the features of claim 22, Hayton further discloses: wherein the usage proxy, in logging into the selected SaaS application on behalf of the user, enters the login ID and password into login and password fields of the SaaS application based on instructions that specify, to the usage proxy, locations of said login and password fields (i.e. the access gateway 360 may retrieve and inject the appropriate set of authentication credentials into the request…………………………. the user's first set of authentication credentials are the user's enterprise system username and password….. Since the access gateway 360 injected the second set of valid user credentials into the request, the resource 304 or service 308 may successfully verify the user using the second set of credentials just as though the credentials had been entered directly by the user at the client device 302) [Hayton, para.0123-0124].

Re Claim 25. Hayton in view of Omshehe and Sarukkai discloses the features of claim 21, Hayton further discloses: wherein the usage proxy, in logging into the selected SaaS application on behalf of the user, uses an application programming interface of the SaaS application to communicate with the SaaS application (i.e. In step 608, the requested enterprise resource 304 or service 308 receives and validates the request from the access gateway 360. Since the access gateway 360 injected the second set of valid user credentials into the request, the resource 304 or service 308 may successfully verify the user using the second set of credentials just as though the credentials had been entered directly by the user at the client device……. the gateway 360 may handle all authentication challenges without the involvement of the user or the client device) [Hayton, para.0124].  

Re Claim 26. Hayton in view of Omshehe and Sarukkai discloses the features of claim 21, Hayton further discloses: wherein the usage proxy, in logging into the selected SaaS application on behalf of the user, uses a set of instructions that specify to the usage proxy how to log into the SaaS application, said instructions being specific to the SaaS application (i.e. cloud gateway 406 may identify managed native applications 410 that are allowed to have access to highly classified data requiring strong authentication, and ensure that access to these applications is only permitted after performing appropriate authentication) [Hayton, para.0068, see also para.0085].  

Re Claim 27. Hayton in view of Omshehe and Sarukkai discloses the features of claim 21, Omshehe further discloses: wherein the usage proxy assigns the set of pre-generated login credentials for the selected SaaS application to the user in response to a request by the user to access the selected SaaS application (i.e. a concurrent user license is not required, and thus not consumed, by a client of the portal server until the client seeks access, via the portal server, to a resource that requires possession of one of the concurrent user licenses.  In a particular implementation of this delayed grant approach to concurrent user licensing, scripts for Web pages associated with licensed resources include a call to a "get license" function executed by a license management facility.  In response to receiving a get license function call the license management facility grants (if available) a concurrent user license to the identified session with which the request is associated) [Omshehe, para.0026].  
The same motivation to modify with Omshehe, as in claim 21, applies.

Re Claim 28. Hayton in view of Omshehe and Sarukkai discloses the features of claim 21, Hayton in view of Omshehe further discloses: wherein the usage proxy assigns the pre-generated set of login credentials for the SaaS application to the user as a temporary assignment (i.e. A user's session license is ensured to persist until explicitly released or lost through an extended period of inaction,) [Omshehe, para.0030], and the method further comprises, by the usage proxy, reassigning the pre-generated set of login credentials to a different user after the user finishes using the SaaS application (i.e. This data structure (e.g., a string) is traversed in response to each request to get or release a concurrent user license based upon an identified sessionID.  An ActiveLicenses structure 132 stores a value representing the number of currently granted licenses.  A TotalLicenses structure 134 stores a value containing the maximum number of licenses that can be concurrently granted to distinct sessions.  The ActiveLicenses structure 132 and TotalLicenses structure 134 facilitate the license management system's decision of whether to grant an additional license) [Omshehe, para.0035, Fig.3], (i.e. If, at step 424, licenses are available, then control passes to step 428 wherein the value stored in the ActiveLicenses structure 132 is incremented to reflect granting of a concurrent user license) [Omshehe, para.0053].
The same motivation to modify with Omshehe, as in claim 21, applies.

Re Claim 29. In a similar manner as in the rejection of claim 21, Hayton in view of Omshehe and Sarukkai discloses: a usage tracking system, comprising: non-transitory computer storage that stores mapping data that maps an enterprise account of a user to at least a plurality of SaaS applications the user is authorized to access; and a usage proxy comprising a hardware processor programmed with executable code, the usage proxy configured to at least: log the user into the enterprise account using enterprise login credentials supplied by the user, said enterprise login credentials being distinct from the login credentials for the SaaS applications; receive an indication of a selection made by the user of one of the SaaS applications, said selection made while the user is logged into the enterprise account; assign pre-generated login credentials for the selected SaaS application to the enterprise account of the user, said pre-generated login credentials being unknown to the user; log into the selected SaaS application on behalf of the user using the assigned login credentials for the selected SaaS application; and while logged into the SaaS application on behalf of the user, track usage by the user of the SaaS application.  

Re Claim 30. Hayton in view of Omshehe and Sarukkai discloses the features of claim 29, in a manner similar to the rejection of claim 28, Omshehe further discloses wherein the usage proxy after the user finishes accessing the selected SaaS application, is configured to reassign the login credentials for the selected SaaS application to an enterprise account of a different user.  

Re Claim 31. Hayton in view of Omshehe and Sarukkai discloses the features of claim 29, Hayton further discloses: wherein the login credentials for the selected SaaS application includes a login ID and a password (i.e. In step 606, the user at a client device 302 initiates a request to an enterprise resource 304 or service 308 within the enterprise system, using the same first set of credentials used for the login request in step 601) [Hayton, para.0121], (i.e. For instance, the user may use a keyboard or touch screen to input a user identifier and password into the client device 302) [Hayton, para.0090].

Re Claim 32. Hayton in view of Omshehe and Sarukkai discloses the features of claim 31, in a manner similar to the rejection of claim 23, Hayton further discloses: wherein the login ID and password are randomly generated values generated by the usage proxy.  

Re Claim 33. Hayton in view of Omshehe and Sarukkai discloses the features of claim 31, in a manner similar to the rejection of claim 24, Hayton further discloses: wherein the usage proxy, in logging into the selected SaaS application on behalf of the user, is configured to enter the login ID and password into login and password fields of the selected SaaS application based on instructions that specify locations of said login and password fields.  

Re Claim 34. Hayton in view of Omshehe and Sarukkai discloses the features of claim 29, in a manner similar to the rejection of claim 25, Hayton further discloses: wherein the usage proxy, in logging into the selected SaaS application on behalf of the user, is configured to use an application programming interface of the SaaS application to communicate with the SaaS application.  

Re Claim 35. Hayton in view of Omshehe and Sarukkai discloses the features of claim 29, in a manner similar to the rejection of claim 26, Hayton further discloses: wherein the usage proxy, in logging into the selected SaaS application on behalf of the user, is configured to use a set of instructions that specify to the usage proxy how to log into the SaaS application, said instructions being specific to the SaaS application.  

Re Claim 36. Hayton in view of Omshehe and Sarukkai discloses the features of claim 29, Hayton further discloses: wherein the usage tracking system is configured to generate a plurality of sets of login credentials for the SaaS application, and to assign said sets of login credentials to respective enterprise accounts (i.e. Further, if a single client device (e.g., desktop computer or mobile device) is shared by multiple users, then multiple access tokens (or multiple sets of access tokens) may be stored in the memory of the client device 302. In these examples, the client application (e.g., receiver 404 or application 410) may be configured to retrieve and transmit the access token associated with the current user of the device) [Hayton, para.0113], (i.e. FIGS. 5 and 6 relate to authentication and resource access control by an enterprise system for users accessing the system via remote client devices. For example, a user at a mobile device 302 or 402 may communicate with an enterprise system through an access gateway 360 or 406, provide authentication credentials to validate the user's identity, and then may request and access the various resources and services of the enterprise system………………….. increased flexibility may be provided for user authentication and resource access control functionality, whereby specific authentication credentials and/or authentication requests may be associated with specific enterprise services and resources)[Hayton, para.0087-0088].  

Re Claim 37. Hayton in view of Omshehe and Sarukkai discloses the features of claim 29, in a manner similar to the rejection of claim 27, Omshehe further discloses: wherein the usage proxy is configured to assign the pre-generated login credentials to the enterprise account of the user in response to a request by the user to access the selected SaaS application.  

Re Claim 39. As presented in the following paragraphs, Hayton in view of Sarukkai discloses the features of claim 38, Hayton in view of Sarukkai does not explicitly disclose, however in a manner similar to the rejection of claim 28, Omshehe further discloses: comprising, by the usage proxy, after the user finishes using the SaaS application, reassigning the set of login credentials to a different user.  
The same motivation to modify with Omshehe, as in claim 21, applies.

Claims 38 and 40-41 are rejected under 35 U.S.C. 103 as being unpatentable over Hayton (US Pub.No. 2014/0331060) in view of Sarukkai et al (US Patent No. 9,137,131).

Re Claim 38. In a similar manner as presented in the rejection of claims 21 and 24, Hayton in view of Sarukkai discloses a computer-implemented method, comprising: receiving, by a usage proxy, enterprise credentials supplied by a user via a client on an electronic device, the enterprise credentials corresponding to an enterprise account of a user; causing, by the usage proxy, the enterprise credentials to be authenticated by an authentication component associated with an enterprise, to thereby authenticate the user; receiving, by the usage proxy, a selection by the user of a SaaS application, said selection made by the user after said authentication of the user; assigning to the user a set of login credentials for the selected SaaS application, said set of login credentials comprising a login ID and password that are unknown to the user; by the usage proxy, logging into the selected SaaS application on behalf of the user using the assigned set of login credentials, without exposing the set of login credentials to the user, wherein logging into the selected SaaS application on behalf of the user comprises, by the usage proxy, locating login ID and password fields of the SaaS application; and while the usage proxy is logged into the SaaS application on behalf of the user, monitoring, by the usage proxy, usage of the SaaS application by the user.  

Re Claim 40. Hayton in view of Sarukkai discloses the features of claim 38, Hayton further discloses: by the usage proxy, using instructions that are specific to the SaaS application to locate the login ID and password fields (i.e. cloud gateway 406 may identify managed native applications 410 that are allowed to have access to highly classified data requiring strong authentication, and ensure that access to these applications is only permitted after performing appropriate authentication) [Hayton, para.0068, see also para.0085].  

Re Claim 41. Hayton in view of Sarukkai discloses the features of claim 38, in a similar manner to the rejection of claims 32 and 36, Hayton further discloses: comprising, by the usage proxy, generating the login ID and password using a random value generator, and storing the login ID and password in association with both an enterprise account identifier of the user and an identifier of the SaaS application.  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285.  The examiner can normally be reached on Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434