DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The amendment filed 3/9/2021 has been placed of record in the file.
Claims 1 and 8 have been amended.
Claims 23-26 have been added.
Claims 1-26 are now pending.
The applicant’s arguments with respect to claims 1-26 have been fully considered but they are not persuasive as discussed below.

Claim Rejections - 35 USC § 103
7.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

9.	Claims 1-26 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (U.S. Patent Application Publication Number 2014/0230027), hereinafter referred to as Cha, in view of Novack et al. (U.S. Patent Application Publication Number 2011/0154452), hereinafter referred to as Novack.

Regarding claim 1, Cha discloses a system for enabling user access to secure resources in conjunction with authentication of the user on a client device executing a remote application, the system comprising: a database of authentication data (paragraph 30, OPSF); a database of authorization information (paragraph 31, aggregation OP); a client device comprising: i. a network interface (paragraph 34, transmits and receives wireless signals); ii. a computer processor for executing software instructions of a remote application (paragraph 46, processor); iii. an authorization-request handler, executable by the computer processor, configured to: a. electronically receive a request to authenticate the user from the remote application, the remote application being an application other than a token programmer (paragraph 111, user browses to target OPSF page), b. prompt the user for authentication information in a manner consistent with the request (paragraph 111, page displayed in browsing agent), c. communicate with a hardware device in electronic communication with the client device to obtain the authentication information (paragraph 111, user submits login information), and d. cause the authentication information to be compared to authentication data in the database of authentication data to verify that the user is authorized to use the remote application (paragraph 114, target OPSF verifies assertion); and iv. a token-generation module, executable by the computer processor, configured to, only after the user is authorized to use the remote application, and before any attempt to access by the user, or any access of by the user, one or more secure resources other than the remote application: A. automatically electronically receive, from the database of authorization information, authorization information for the user related to the one or more 
Cha does not explicitly state the token being (i) providable by the user to access the one or more secure resources other than the remote application, (ii) distinct from the authentication information obtained by the authorization-request handler, and (iii) not based on authentication information received from the user.  However, provisioning separate access tokens back to the user for later use in authentication was well known in the art as evidenced by Novack.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Cha by adding the ability for the token being (i) providable by the user to access the one or more secure resources other than the remote application, (ii) distinct from the authentication information obtained by the authorization-request handler, and (iii) not based on authentication information received from the user as provided by Novack (see paragraph 60, provisions one or more authenticators, and paragraph 61, authenticators are specific to referring organizations).  One of ordinary skill in the art would have recognized the benefit that utilizing authenticators in such a way would assist authenticating users by allowing them to enroll in a secure access system only once to obtain access to multiple resources (see Novack, paragraph 30).
Regarding claim 2, the combination of Cha and Novack discloses a remote host for hosting the remote application and comparing the authentication information to the database of authentication data (Cha, paragraph 25, Relying Party).
Regarding claim 3, the combination of Cha and Novack discloses an authorization server for comparing the authentication information to the database of authentication data, wherein the authorization server does not host the remote application (Cha, paragraph 30, OPSF reachable for the RP via internet).
Regarding claim 4, the combination of Cha and Novack discloses wherein the token programmer is configured to program at least one of a smart card, RFID tag, or soft token (Cha, paragraph 61, smart card).
Regarding claim 5, the combination of Cha and Novack discloses wherein the authorization information specifies physical access restrictions for the user (Cha, paragraph 61, physical access).
Regarding claim 6, the combination of Cha and Novack discloses wherein the authorization information specifies electronic access restrictions for the user (Cha, paragraph 25, RP is application service provider of network).
Regarding claim 7, the combination of Cha and Novack discloses an authorization server for managing the database of authorization information and returning user information therefrom in response to a request from the client (Cha, paragraph 31, aggregation OP).
Regarding claim 8, Cha discloses a method for authenticating a user of a client device executing a remote application, and, in conjunction therewith, enabling access for the user to secure resources, the method comprising: electronically receiving, from the remote application, with an authentication-request handler local to the client device, an HTTP or HTTPS request to 
Cha does not explicitly state the token being (i) providable by the user to access the one or more secure resources other than the remote application, (ii) distinct from the authentication information obtained by the authorization-request handler, and (iii) not based on authentication information received from the user.  However, provisioning separate access tokens back to the user for later use in authentication was well known in the art as evidenced by Novack.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary 
Regarding claim 9, the combination of Cha and Novack discloses wherein the step of verifying is performed by the remote application (Cha, paragraph 25, Relying Party).
Regarding claim 10, the combination of Cha and Novack discloses wherein the step of verifying is performed by an authorization server and further comprising electronically sending, to the remote application, an HTTP or HTTPS message confirming authentication of the user (Cha, paragraph 30, OPSF reachable for the RP via internet).
Regarding claim 11, the combination of Cha and Novack discloses wherein the token is a smart card, RFID tag, or soft token (Cha, paragraph 61, smart card).
Regarding claim 12, the combination of Cha and Novack discloses wherein the authorization information specifies physical access restrictions for the user (Cha, paragraph 61, physical access).
Regarding claim 13, the combination of Cha and Novack discloses wherein the authorization information specifies electronic access restrictions for the user (Cha, paragraph 25, RP is application service provider of network).
Regarding claim 14, the combination of Cha and Novack discloses wherein the token is providable by the user to access the one or more secure resources other than the remote application without use of the client device (Novack, paragraph 46, user logs into referring organization).
Regarding claim 15, the combination of Cha and Novack discloses wherein the token-generation module is configured to cause the token generator to program the token for the user only after the user presents an unprogrammed or previously programmed token to the token generator (Novack, paragraph 42, hard token FOB device).
Regarding claim 16, the combination of Cha and Novack discloses wherein the token-generation module is configured to cause the token generator to program the token for the user only after the user launches an application on a mobile device to wirelessly connect to the token generator for receipt of the token therefrom (Novack, paragraph 42, software loaded on mobile device).
Regarding claim 17, the combination of Cha and Novack discloses wherein the mobile device is different from the client device (Novack, paragraph 42, software loaded on mobile device).
Regarding claim 18, the combination of Cha and Novack discloses wherein the token-generation module is configured to cause the token generator to store the token on a mobile device of the user (Novack, paragraph 42, software loaded on mobile device).
Regarding claim 19, the combination of Cha and Novack discloses wherein the mobile device is different from the client device (Novack, paragraph 42, software loaded on mobile device).
Regarding claim 20, the combination of Cha and Novack discloses wherein the token is providable by the user to access the one or more secure resources other than the remote application only in conjunction with additional authentication information provided by the user (Novack, paragraph 48, more than one authenticator required).
Regarding claim 21, the combination of Cha and Novack discloses wherein the additional authentication information comprises a password or biometric information (Novack, paragraph 40, password or biometrics).
Regarding claim 22, the combination of Cha and Novack discloses wherein the token is a dedicated physical device configured to be carried by the user (Novack, paragraph 42, hard token FOB device).
Regarding claim 23, the combination of Cha and Novack discloses further comprising a policy handler configured to, automatically, after the user is authorized to use the remote application, determine the one or more secure resources for which the token programmer is caused to program the token (Cha, paragraph 119, store associations for Relying Parties).
Regarding claim 24, the combination of Cha and Novack discloses wherein the policy handler is configured to implement (i) a rule base specifying the secure resources and privilege levels and permissions associated therewith, and (ii) a database associating the privilege levels associated with a plurality of users, the policy handler being configured to determine the one or more secure resources for which the token programmer is caused to program the token based at least on the rule base and the database (Cha, paragraphs 158-161, access to services governed by permission policies for UE).
Regarding claim 25, the combination of Cha and Novack discloses further comprising, without any attempt to access and without any access of the one or more resources other than the 
Regarding claim 26, the combination of Cha and Novack discloses wherein the policy handler is configured to implement (i) a rule base specifying the secure resources and privilege levels and permissions associated therewith, and (ii) a database associating the privilege levels associated with a plurality of users, the policy handler being configured to determine the one or more secure resources for which the token programmer is caused to program the token based at least on the rule base and the database (Cha, paragraphs 158-161, access to services governed by permission policies for UE).

Response to Arguments
10.	In the remarks, the applicant has argued:
<Argument 1>
The combination of Cha and Novack does not disclose the features of independent claim 1 because it does not disclose the authorization information being received and the token being programmed “before any attempt to access by the user, or any access of by the user, the one or more secure resources other than the remote application” as recited in claim 1.



<Argument 2>
The combination of Cha and Novack does not disclose the features of independent claim 1 because it does not disclose the token being “not based on authentication information received from the user” as recited in claim 1.
11.	In response to argument 1, the combination of Cha and Novack does disclose the features as recited in independent claim 1.  The rejection cites Cha, paragraph 116, which shows that after association of the source OID with the target OPSF, the user may authenticate to associated relying parties in the target domain.  This is seen to meet the limitation at hand because the user does not attempt to authenticate to or access any additional relying parties in the target domain until after the association of the source OID with the target OPSF.  The applicant argues that “the user attempts to access the target domain”, but the applicant fails to consider that access to the target domain is different and distinct from access to additional individual relying parties in that domain.
12.	In response to argument 2, the combination of Cha and Novack does disclose the features as recited in independent claim 1.  The rejection cites Cha, paragraph 116, which shows that after association of the source OID with the target OPSF, the user may authenticate to associated relying parties in the target domain.  This is seen to meet the limitation at hand because the source OID has been enrolled such that it can be used for authentication in the target domain without requiring an additional authentication process.  The system effectuates this by associating the source domain OID with a target domain OPSF and/or target domain OID.  This processing occurs at the server side, ie. no additional authentication information is required from the user.  The applicant argues that “when Cha’s user attempts to authenticate in the target domain using the source-domain OID, Cha’s system enrolls the same source-domain OID to be 
13.	The rejection also cites Novack, paragraph 60, which shows the provisioning of a new authenticator for further user authentication.  This is seen to meet the limitation at hand because the new authenticator may be of varying types (PIN, password, voice, soft token, fob token, fingerprint, etc.), many of which (PIN, soft token, fob token, etc.) are not based on authentication information received from the user, but instead generated on the server side in the creation of the authenticator.  The applicant has not addressed the statements regarding Novack made in the response to arguments in the previous rejection dated 12/9/2020.

Conclusion
14.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493