Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim status
This office action is in response to application filed on 01/22/2020; the provisional application date 09/19/2016 is considered.
Claims 1-23 are pending and rejected. Claims 1, 14, 20 and 21 are independent claims; Claim 23 is a new claim.

Response to Arguments
Applicant's arguments filed on 08/03/2020 have been fully considered but they are not persuasive.
With respect to applicant’s argument: the proposed combination of Akula and Li does not disclose the limitation “the first application, the second application and the service application executing on the same client device;” 
Examiner respectfully disagrees with applicant’s argument for the following reasons: First, it is noted that the features upon which applicant relies (i.e., “the first application, the second application and the service application executing on the same client device”) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). In addition, Akula discloses the recited claim limitations (see Akula Figs. 2-3 and ¶26, Each of client systems 110A-110Z represents a system such as a personal computer, workstation, mobile device, etc., used to access various resources (such as data and/or applications) provided within or external to the computing system of FIG. 1. The resources may be accessed based on HTTP requests generated by client applications, such as a browser, executing in the client system (in response to a user interaction) (i.e. browsers/client 
With respect to applicant’s argument: Akula does, “executing, on the client device [on which the first and second client applications are executed], a service application  configured to determine at least one piece of client identifying information to the first client application and to the second client application in response to respective requests” as recited in claim 1.
Examiner respectfully disagrees with applicant’s argument for the following reasons: Akula discloses (see Akula Figs. 2-3 and ¶60, techniques/information may be employed to uniquely identify each client system [i.e. determine at least one piece of client identifying information]; ¶86, in a scenario that the browser and device signature together can uniquely identify each client system, the unique signatures may be generated dynamically each time an unauthenticated user tries to access; ¶60 and Fig. 3 (step 360), 360, SSO block 250 identifies whether the second client system is registered (for some user) according to the registration data (maintained in step 310).), disclosing the claimed invention in claim 1.
With respect to applicant’s argument: Li taken alone or in combination with Akula fails to teach or suggest “wherein the first processing system [of the client device] is further configured to perform operations comprising: configuring the service application in accordance with the configuration information [received from the server device]”. 
Examiner respectfully disagrees with applicant’s argument for the following reasons: Li discloses the recited claim limitation (see Li Fig. 5. (Step 53) and ¶89, web server 11 creates a Client Service Access Pass and integrates it into a dynamic web page (step 53)…upon receiving the dynamic web page, web browser 17 executes the dynamic web page and thereby launches the client application (step 55)… the dynamic web page may instigate an installation routine for downloading and installing the client application prior to launching it), disclosing the recited claim limitation.

With respect to applicant’s argument: the proposed combination of Akula and Li does not disclose the limitation “performing a second action which includes disabling a login session for at least one of the 
Examiner respectfully disagrees with applicant’s argument for the following reason: Li teaches the recited claim limitation (see Li Fig. 5 and ¶94, the Client Service Access Pass is verified, the submitted Client Service Access Pass is destroyed (step 61). It is then determined if another session created by the same user already opened. If there is an opened pre-existing session (step 67 returns: YES), then the pre-existing session is maintained, no new connection is created for this later session, and the connection for this later session is closed (step 63)), disclosing the recited claim limitation.
With respect to applicant’s argument in reference to dependent claims 5, 8 and 23: Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. In addition, Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Please refer to examiner’s response to applicant’s argument to claim 1.




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-22 are rejected under 35 U.S.C. 103 as being unpatentable over Akula et al. US Pub. No.: 2012/0210413 A1 (hereinafter Akula) in view of Li et al. US Pub. No.: 2007/0180503 A1 (hereinafter Li).

Akula teaches:
As to claim 1, a system comprising: 
a client device comprising a first processing system having at least one processor (see Akula Fig. 1, client device),
wherein the first processing system is configured to perform operations comprising: 
executing, on the client device, a first client application within a web browser, the first client application providing a first client-side portion of a web application (see Akula Fig. 2, client Browser (210)); 
executing, on the client device, a second client application providing a second client-side portion of the web application (see Akula Fig. 2, client browser (290)); and 
executing, on the client device, a service application configured to determine at least one piece of client identifying information of the client device and to provide the determined at least one piece of client identifying information to the first client application and to the second client application in response to respective requests (see Akula Fig. 2 and ¶60, techniques/information may be employed to uniquely identify each client system), 
wherein the first client application and the second client application, obtain the determined at least one piece of client identifying information from the service application (see Akula ¶86, in a scenario that the browser and device signature together can uniquely identify each client system, the unique signatures may be generated dynamically each time an unauthenticated user tries to access), 
wherein the first client application, transmits a first request with the obtained at least one piece of client identifying information (see Akula ¶100, in step 570, the (same) user using browser 290 
wherein the second client application, transmits a second request with the obtained at least one piece of client identifying information (see Akula ¶100, in step 570, the (same) user using browser 290 (executing in client system 110H) is shown sending a request for accessing a protected application (e.g. one of application blocks 240A-240B) to agent 260 executing in server system 160C); and 
at least one server device comprising a second processing system having at least one processor (see Fig. 1, server system), 
wherein the second processing system is configured to execute a server-side process of the web application (see Akula ¶33, Each of server systems 160A and 160C is shown providing a corresponding set of user applications operating based on web pages)  and to perform operations comprising:  
receiving the first request from the first client application and the second request from the second client application, the first request including a first client identifying information and the second request including second client identifying information (see Akula ¶60, registration data/list indicates the corresponding set of client systems registered by users, and accordingly, the client system may be identified as being not registered only if the client system is not included in any of the sets); 
determining whether the second client identifying information corresponds to the first client identifying information (see Akula ¶60, registration data/list indicates the corresponding set of client systems registered by users, and accordingly, the client system may be identified as being not registered only if the client system is not included in any of the sets); and 
performing a first action which includes enabling the first and second client applications to share a login session if the determining determines that the second client identifying information corresponds to the first client identifying information (see Akula ¶63, SSO block 250 allows access to the requested (in step 350) protected application based on the previously created SSO session (based on an assumption that the same user has sent the request of step 350 as well). In other words, the same user is 
wherein the first processing system is further configured to perform operations comprising: receiving the configuration information; and configuring the service application in accordance with the configuration information (see Akula ¶¶41, 98, the information in the database may further indicate various user attributes (e.g., complete user name, user specific configurations, etc.), which are also retrieved and sent along with confirmation of successful authentication to agent 220/260 (e.g. on path 218)); and 
Akula does not explicitly teach but the related art Li teaches:
transmitting configuration information to the client device (see Li Fig. 5. (Step 53) and ¶89, web server 11 creates a Client Service Access Pass and integrates it into a dynamic web page (step 53).);
performing a second action which includes disabling a login session for at least one of the first and second client applications if the determining determines that the second client identifying information does not correspond to the first client identifying information (see Li Fig. 5 and ¶94, the Client Service Access Pass is verified, the submitted Client Service Access Pass is destroyed (step 61). It is then determined if another session created by the same user already opened. If there is an opened pre-existing session (step 67 returns: YES), then the pre-existing session is maintained, no new connection is created for this later session, and the connection for this later session is closed (step 63));
wherein the first processing system is further configured to perform operations comprising: receiving the configuration information (see Li Fig. 5. (Step 53) and ¶89, web server 11 creates a Client Service Access Pass and integrates it into a dynamic web page (step 53)); and configuring the service application in accordance with the configuration information (see Li Fig. 5. (Step 55) and ¶89, Upon receiving the dynamic web page, web browser 17 executes the dynamic web page and thereby launches the client application (step 55)… the dynamic web page may instigate an installation routine for downloading and installing the client application prior to launching it).
Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the invention to modify the system for facilitating single sign-on across multiple browser instances disclosed by Akula to include the session control and authentication, as taught by Li, in order to disable/close/destroy the second client login session if the second client identifying information already exists. It would have been obvious to one of ordinary skill in the art to include disabling of one client login session if there are multiple single sign-on sessions of the same client.

As to claim 2, the combination of Akula and Li teaches the system, wherein the second processing system is further configured to: in response to the first request, return a session identifier to the first client application (see Akula ¶56, the request may be received on path 217 after being redirected by agent 220, in response to receiving the request on path 215 from browser 210 (executing in client system 110A) and agent 220 identifying that the request is from an unauthenticated (or not yet authenticated) user); 
in response to the second request, (A) provide the session identifier to the second client application if the determining determines that the second client identifying information corresponds to the first client identifying information, or (B) not provide the session identifier to the second client application if the determining determines that the second client identifying information does not correspond to the first client identifying information (see Akula ¶60, the client system may be identified as being not registered only if the client system is not included in any of the sets. Any techniques/information may be employed to uniquely identify each client system. For example, any combination of one or more of the MAC address (e.g., Ethernet address assuming the local area network is based on IEEE 802.3 standard) and IP address (assuming a static IP addressing scheme is employed) may be employed to uniquely identify each client system). 

As to claim 3, the combination of Akula and Li teaches the system, wherein the second processing system is further configured to provide for disabling a session represented by the session identifier if the determining determines that the second client identifying information does not correspond to the first client identifying information (see Li ¶94, It is then determined if another session created by the same user already opened. If there is an opened pre-existing session (step 67 returns: YES), then the pre-existing session is maintained, no new connection is created for this later session, and the connection for this later session is closed (step 63)). 

As to claim 4, the combination of Akula and Li teaches the system, wherein the determined at least one piece of client identifying information comprises information unique to the first processing system (see Akula ¶60, techniques/information may be employed to uniquely identify each client system). 

As to claim 5, the combination of Akula and Li teaches the system, wherein the service application obtains the information unique to the first processing system from an operating system of the first processing system, and wherein at least one of the first client application or the second client application has insufficient access privileges to obtain the information unique to the first processing system directly from the operating system (see Akula ¶83, the browser signature includes information such as browser version, name, operating system, User-Agent (received as a part of User agent header in the client request)) . 

As to claim 6,  the combination of Akula and Li teaches the system, wherein the determined at least one piece of identifying information is at least partly based upon a unique identifier of a hardware element or a software element in the first processing system (see Akula ¶60, any combination of one or more of the MAC address (e.g., Ethernet address assuming the local area network is based on IEEE 802.3 standard) and IP address (assuming a static IP addressing scheme is employed) may be employed to uniquely identify each client system). 

As to claim 7, the combination of Akula and Li teaches the system, wherein the determined at least one piece of client identifying information is at least partly based upon a unique identifier associated with a software element in the first processing system (see Akula ¶76, determines a unique signature for the combination of the client system and the specific browser instance executing in the client system). 

As to claim 8, the combination of Akula and Li teaches the system, wherein the service application executes with a privilege level different from privilege levels of at least one of the first client application or the second client application (see Akula ¶43, any session identifier, authentication level (identifying the class/set of resources the user is permitted to access)). 

As to claim 9, the combination of Akula and Li teaches the system, wherein the service application is a HTTP server process, and wherein communication between the service application and the first client application is based upon HTTP and JSON (see Li ¶11, HTML login page is simply an HTML form page that contains username and password fields. The actual identification names and passwords are stored in a table on the server. This information is typically brought to the server through a CGI script, or other type of database middleware, for lookup in a user identification database).

As to claim 10, the combination of Akula and Li teaches the system, wherein, upon startup, the service application automatically binds to a first available port by sequentially searching from a predetermined port (see Li ¶68, computing devices communicate with a network using one of many available software network ports) . 

As to claim 11, the combination of Akula and Li teaches the system, wherein the communication includes a HTTP query which includes a request portion having included therein a timestamp (see Akula ¶¶42-43, Other information such as time stamp, lifetime of the authentication (validity duration), the resources/domains the authentication is valid for). 

As to claim 12, the combination of Akula and Li teaches the system, wherein the first client application is further configured to, upon receiving a response to the HTTP query, compare a timestamp returned with the response against a current time and accept the response only if the time difference between the returned timestamp and the current time is less than a predetermined interval (see Akula ¶¶42-43, Other information such as time stamp, lifetime of the authentication (validity duration), the resources/domains the authentication is valid for).

As to claim 13, the combination of Akula and Li teaches the system, wherein a request parameter of the HTTP query is encrypted, and a command identifier in the HTTP query is not encrypted (see Akula ¶42, the authentication confirmation message is received in the form of a string, containing the URL of the requested resource and parameters including authentication result, and the user name, in encrypted form. Other information such as time stamp, lifetime of the authentication (validity duration), the resources/domains the authentication is valid for, etc., may also be included in the message).

As to claim 23, the system according to claim 1, wherein the first processing system is further configured to periodically receive configuration information from the server device, wherein the service application is further configured to provide, in response to the respective requests, the configuration information to the first and second applications in association with the first and second client identifying information (see Li Fig. 5. (Step 53) and ¶89, web server 11 creates a Client Service Access Pass and integrates it into a dynamic web page (step 53)…upon receiving the dynamic web page, web browser 17 executes the dynamic web page and thereby launches the client application (step 55)… the dynamic web page may instigate an installation routine for downloading and installing the client application prior to launching it).
As to independent claim 14, this claim is directed to a method executed by the system of claim 1; therefore it is rejected along similar rationale.
As to independent claim 20, this claim is directed to a non-transitory computer-readable storage device having stored therein instructions executed by the system of claim 1; therefore it is rejected along similar rationale.
As to independent claim 21, this claim is directed to a method performed by a server-side process of a web application executed by the system of claim 1; therefore it is rejected along similar rationale.
As to dependent claims 15-19 and 22, these claims contain substantially similar subject matter as claims 2-13; therefore they are rejected along the same rationale.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478.  The examiner can normally be reached on Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on 5712726798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/NEGA WOLDEMARIAM/Examiner, Art Unit 2433                           

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433