Detailed Action
This is a final Office action in response to communications received on 2/21/2021.  Claims 2-4, 9-11 and 16-18 were amended. Claim 1 was cancelled via preliminary amendment, filed 7/31/2018. Claims 2-21 were previously added via preliminary amendment. Claims 2-21 are pending and are examined. 

Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/12/2021 has been entered.

Response to Arguments
Applicant’s amendments, filed 2/12/2021, to claims 3, 10 and 17 correcting the claims to recite “receiving by [[to]] the client device the client login script” is sufficient to overcome the objection to the aforementioned claims.  Accordingly, the objection to 
Applicant’s arguments regarding the rejection under 35 U.S.C. 103 of the claims under Shahbazi and Kovaleski have been considered, but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
The remaining arguments fail to comply with 37 C.F.R. 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Consequently, the rejection of the claims under 35 U.S.C. 103 is sustained.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 2-3, 8-10 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Shahbazi (US 2013/0166918 A1), further in view of Kovaleski (US 2009/0007248 A1), further in view of Olden (US 2009/0249439 A1).
 Regarding claim 2, Shahbazi teaches the limitations of claim 2 substantially as follows:
A method comprising: 
providing, by a client device on behalf of a particular user and to a server of a sign-on system, login credentials of [[a ]]the particular user for the sign-on system; (Shahbazi; Paras. [0030]-[0031] & [0045]-[0046]: Providing, by a user device (i.e. client device on behalf of a particular user) to a remote server/website (i.e. server of a sign-on system) credentials for sign-on of the user (i.e. login credentials of a particular user for the sign-on system))
providing, by the client device and to the server of the sign-on system, a request to access a particular third party application, wherein providing the request to access the particular third party application triggers the server to perform: (Shahbazi; Paras. [0030]-[0031], [0034] & [0045]-[0046]: Providing, by a user device (i.e. client device) to a remote server (i.e. server of a sign-on system) credentials for sign-on of the user for a website hosted on the server (i.e. request to access a particular third party application), which causes the system to provide services (i.e. the request to access the third party application triggers the server to perform))
identifying, by the server of the sign-on system, login credentials for the particular third party application from among a set of multiple stored login credentials based at least on both the login credentials of the particular user obtained for the sign-on system and the particular third party application that was requested, (Shahbazi; Para [0012]: Identifying, by the login server (i.e. server of the sign-on system), credentials for logging into the selected site (i.e. login credentials for the particular third party application) selected from a plurality of sites the user may log into (i.e. multiple stored login credentials) based on the user being logged into the login server (i.e. login credentials of the particular user obtained for the sign-on system) and on the system having credentials for the user to sign into the selected site (i.e. particular third party application that was requested))
the determination of whether the particular third party application prevents the server from providing the login credentials for the particular third party application triggered by the access request (Shahbazi; Paras. [0036] & [0045]-[0046]: a determination may be made that the credentials are not found (i.e. prevents the server from providing the login credentials) for a website (i.e. third party application) which is desired/selected to be accessed (i.e. triggered by the access request))
receiving, by the client device, at least one of (i) a client login script including (Shahbazi; Para. [0035]: Providing to the browser (i.e. receiving, by the client device) a registration form (i.e. client login script) where a username and password (i.e. login credentials) is input (i.e. including) and encrypted for signing into all registered applications/websites (i.e. for the particular third party application))
establishing, by the client device, an authenticated session with the particular third party application requested using the login credentials for the particular third party application (Shahbazi; Paras. [0012]-[0013], [0042] & [0049]: Establishing, by a user computer (i.e. client device),  a secure session with a sign-on server, by validating login credentials, which logs into the selected website (i.e. an authenticated session with the particular third party application requested) using the user’s credentials associated with the website (i.e. using the login credentials for the particular third party application))
without providing the particular user access to the login credentials for the particular third party application (Shahbazi; Paras. [0012], [0042] & [0049]: The login server may directly perform the login function with the website without user involvement (i.e. without providing the particular user access to the login credentials for the particular third party application))
based on at least one of (i) the client login script includingthe authenticated session between the virtual web browser instantiated by the server and the third party application for the client device.  (Shahbazi; Para. [0035]: Providing to the browser a registration form (i.e. client login script) where a username and password (i.e. login credentials) is input (i.e. including) and encrypted for signing into all registered applications/websites (i.e. for the particular third party application))
Shahbazi does not teach the limitations of claim 2 as follows:
wherein the login credentials for the particular third party application are unknown to the particular user of the client device; and 
determining whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and 
instead requires the client device to provide login credentials; 
based at least on the determination of whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and instead requires the client device to provide login credentials, receiving, by the client device 
However, in the same field of endeavor, Kovaleski discloses the limitations of claim 2 as follows:
determining whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and (Kovaleski; Paras. [0016] & [0018]-[0021]: Determining that the system cannot fill the credentials (i.e. particular third party application prevents the server from providing the login credentials) to a site (i.e. for the particular third party application) when software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials (i.e. identified by the server))
instead requires the client device to provide login credentials; (Kovaleski; Paras. [0018]-[0019]: A prompt is displayed for the user (i.e. client device) to input information to access the resource (i.e. requires the client to provide login credentials))
based at least on the determination of whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and instead requires the client device to provide login credentials, receiving, by the client device (Kovaleski; Paras. [0016] & [0018]-[0019]: A prompt is displayed for the user (i.e. receiving, by the client device), based on determining that the system cannot fill the credentials(i.e. particular third party application does not permit the server to provide the login credentials) to a site (i.e. for the particular third party application) when a software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials (i.e. identified by the server), to input information to access the resource (i.e. requires the client to provide login credentials))
Kovaleski is combinable with Shahbazi because both are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to 
Shahbazi and Kovaleski do not teach the limitations of claim 2 as follows:
wherein the login credentials for the particular third party application are unknown to the particular user of the client device; and
However, in the same field of endeavor, Olden discloses the limitations of claim 2 as follows:
wherein the login credentials for the particular third party application are unknown to the particular user of the client device; and (Olden; Para. [0076]: Stored credentials for a user in order to access a resource (i.e. login credentials for the particular third party application) may be established by an administrator or identity router rather than by the user (i.e. unknown to the particular user of the client device))
Olden is combinable with Shahbazi and Kovaleski because all are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the system of Shahbazi and Kovaleski to incorporate administrator or identity router generated user credentials for access to resources as in Olden in order to expand the functionality of the system by providing a means by which user credentials may be generated other than by requesting credentials from the user themselves.

Regarding claim 9, Shahbazi teaches the limitations of claim 9 substantially as follows:
A system comprising: 
one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: (Shahbazi; Paras. [0031] & [0056]-[0058]: The system comprises a user computer and a plurality of servers/websites (i.e. one or more computers) which contain storage media (i.e. storage devices) containing computer executable instructions (i.e. instructions that are operable) which when executed by the computer, causes the computer to perform tasks)
providing, by a client device on behalf of a particular user and to a server of a sign- on system, login credentials of[[ a]] the particular user for the sign-on system; (Shahbazi; Paras. [0030]-[0031] & [0045]-[0046]: Providing, by a user device (i.e. client device on behalf of a particular user) to a remote server/website (i.e. server of a sign-on system) credentials for sign-on of the user (i.e. login credentials of the particular user for the sign-on system))
providing, by the client device and to the server of the sign-on system, a request to access a particular third party application, wherein providing the request to access the particular third party application triggers the server to perform: (Shahbazi; Paras. [0030]-[0031], [0034] & [0045]-[0046]: Providing, by a user device (i.e. client device) to a remote server (i.e. server of a sign-on system) credentials for sign-on of the user for a website hosted on the server (i.e. request to access a particular third party application), which causes the system to provide services (i.e. the request to access the third party application triggers the server to perform))
identifying, by the server of the sign-on system, login credentials for the particular third party application from among a set of multiple stored login credentials based at least on both the login credentials of the particular user obtained for the sign-on system and the particular third party application that was requested, (Shahbazi; Para [0012]: Identifying, by the login server (i.e. server of the sign-on system), credentials for logging into the selected site (i.e. login credentials for the particular third party application) selected from a plurality of sites the user may log into (i.e. multiple stored login credentials) based on the user being logged into the login server (i.e. login credentials of the particular user obtained for the sign-on system) and on the system having credentials for the user to sign into the selected site (i.e. particular third party application that was requested))
receiving, by the client device, at least one of (i) a client login script including(Shahbazi; Para. [0035]: Providing to the browser (i.e. receiving, by the client device) a registration form (i.e. client login script) where a username and password (i.e. login credentials) is input (i.e. including) and encrypted for signing into all registered applications/websites (i.e. for the particular third party application))
establishing, by the client device, an authenticated session with the particular third party application requested using the login credentials for the particular third party application (Shahbazi; Paras. [0012]-[0013], [0042] & [0049]: Establishing, by a user computer (i.e. client device),  a secure session with a sign-on server, by validating login credentials, which logs into the selected website (i.e. an authenticated session with the particular third party application requested) using the user’s credentials associated with the website (i.e. using the login credentials for the particular third party application))
without providing the particular user access to the login credentials for the particular third party application (Shahbazi; Paras. [0012], [0042] & [0049]: The login server may directly perform the login function with the website without user involvement (i.e. without providing the particular user access to the login credentials for the particular third party application))
based on at least one of (i) the client login script including(Shahbazi; Para. [0035]: Providing to the browser a registration form (i.e. client login script) where a username and password (i.e. login credentials) is input (i.e. including) and encrypted for signing into all registered applications/websites (i.e. for the particular third party application))
Shahbazi does not teach the limitations of claim 9 as follows:
wherein the login credentials for the particular third party application are unknown to the particular user of the client device; and 
determining whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and 
instead requires the client device to provide login credentials; 
based at least on the determination whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and instead requires the client device to provide login credentials, receiving, by the client device 
However, in the same field of endeavor, Kovaleski discloses the limitations of claim 9 as follows:
determining whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and (Kovaleski; Paras. [0016] & [0018]-[0021]: Determining that the system cannot fill the credentials (i.e. particular third party application prevents the server from providing the login credentials) to a site (i.e. for the particular third party application) when software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials (i.e. identified by the server))
instead requires the client device to provide login credentials; (Kovaleski; Paras. [0018]-[0019]: A prompt is displayed for the user (i.e. client device) to input information to access the resource (i.e. requires the client to provide login credentials))
based at least on the determination whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and instead requires the client device to provide login credentials, receiving, by the client device (Kovaleski; Paras. [0016] & [0018]-[0021]: A prompt is displayed for the user (i.e. receiving, by the client device), based on determining that the system cannot fill the credentials(i.e. particular third party application does not permit the server to provide the login credentials) to a site (i.e. for the particular third party application) when a software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials (i.e. identified by the server), to input information to access the resource (i.e. requires the client to provide login credentials))
Kovaleski is combinable with Shahbazi because both are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the system of Shahbazi to incorporate the determining that a single sign on server cannot perform a login to a service, and providing a prompt to the user for information to obtain access as in Kovaleski in order to expand the functionality of the system by providing a means for the system to respond in the case of not being able to perform single sign on functions for a desired website.
Shahbazi and Kovaleski do not teach the limitations of claim 9 as follows:
wherein the login credentials for the particular third party application are unknown to the particular user of the client device; and 

wherein the login credentials for the particular third party application are unknown to the particular user of the client device; and (Olden; Para. [0076]: Stored credentials for a user in order to access a resource (i.e. login credentials for the particular third party application) may be established by an administrator or identity router rather than by the user (i.e. unknown to the particular user of the client device))
Olden is combinable with Shahbazi and Kovaleski because all are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the system of Shahbazi and Kovaleski to incorporate administrator or identity router generated user credentials for access to resources as in Olden in order to expand the functionality of the system by providing a means by which user credentials may be generated other than by requesting credentials from the user themselves.

Regarding claim 16, Shahbazi teaches the limitations of claim 16 substantially as follows:
A non-transitory computer-readable medium storing software comprising instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising: (Shahbazi; Paras. [0031] & [0056]-[0058]: The system comprises a user computer and a plurality of servers/websites which contain storage media (i.e. non-transitory computer-readable medium) containing computer executable instructions (i.e. storing software comprising instructions executable by one or more computers) which when executed by the computer, causes the computer to perform tasks)
providing, by a client device on behalf of a particular user and to a server of a sign-on system, login credentials of[[ a]]the particular user for the sign-on system; (Shahbazi; Paras. [0030]-[0031] & [0045]-[0046]: Providing, by a user device (i.e. client device on behalf of a particular user) to a remote server/website (i.e. server of a sign-on system) credentials for sign-on of the user (i.e. login credentials of the particular user for the sign-on system))
providing, by the client device and to the server of the sign-on system, a request to access a particular third party application, wherein providing the request to access the particular third party application triggers the server to perform: (Shahbazi; Paras. [0030]-[0031], [0034] & [0045]-[0046]: Providing, by a user device (i.e. client device) to a remote server (i.e. server of a sign-on system) credentials for sign-on of the user for a website hosted on the server (i.e. request to access a particular third party application), which causes the system to provide services (i.e. the request to access the third party application triggers the server to perform))
identifying, by the server of the sign-on system, login credentials for the particular third party application from among a set of multiple stored login credentials based at least on both the login credentials of the particular user obtained for the sign-on system and the particular third party application that was requested, (Shahbazi; Para [0012]: Identifying, by the login server (i.e. server of the sign-on system), credentials for logging into the selected site (i.e. login credentials for the particular third party application) selected from a plurality of sites the user may log into (i.e. multiple stored login credentials) based on the user being logged into the login server (i.e. login credentials of the particular user obtained for the sign-on system) and on the system having credentials for the user to sign into the selected site (i.e. particular third party application that was requested))
receiving, by the client device, at least one of (i) a client login script including (Shahbazi; Para. [0035]: Providing to the browser (i.e. receiving, by the client device) a registration form (i.e. client login script) where a username and password (i.e. login credentials) is input (i.e. including) and encrypted for signing into all registered applications/websites (i.e. for the particular third party application))
establishing, by the client device, an authenticated session with the particular third party application requested using the login credentials for the particular third party application (Shahbazi; Paras. [0012]-[0013], [0042] & [0049]: Establishing, by a user computer (i.e. client device),  a secure session with a sign-on server, by validating login credentials, which logs into the selected website (i.e. an authenticated session with the particular third party application requested) using the user’s credentials associated with the website (i.e. using the login credentials for the particular third party application))
without providing the particular user access to the login credentials for the particular third party application (Shahbazi; Paras. [0012], [0042] & [0049]: The login server may directly perform the login function with the website without user involvement (i.e. without providing the particular user access to the login credentials for the particular third party application))
based on at least one of (i) the client login script including (Shahbazi; Para. [0035]: Providing to the browser a registration form (i.e. client login script) where a username and password (i.e. login credentials) is input (i.e. including) and encrypted for signing into all registered applications/websites (i.e. for the particular third party application))
Shahbazi does not teach the limitations of claim 16 as follows:
wherein the login credentials for the particular third party application are unknown to the particular user of the client device; and 
determining whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and 
instead requires the client device to provide login credentials; 
based at least on the determination whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and instead requires the client device to provide login credentials, receiving, by the client device 

determining whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and (Kovaleski; Paras. [0016] & [0018]-[0021]: Determining that the system cannot fill the credentials (i.e. particular third party application prevents the server from providing the login credentials) to a site (i.e. for the particular third party application) when software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials (i.e. identified by the server))
instead requires the client device to provide login credentials; (Kovaleski; Paras. [0018]-[0019]: A prompt is displayed for the user (i.e. client device) to input information to access the resource (i.e. requires the client to provide login credentials))
based at least on the determination whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and instead requires the client device to provide login credentials, receiving, by the client device (Kovaleski; Paras. [0016] & [0018]-[0021]: A prompt is displayed for the user (i.e. receiving, by the client device), based on determining that the system cannot fill the credentials(i.e. particular third party application does not permit the server to provide the login credentials) to a site (i.e. for the particular third party application) when a software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials (i.e. identified by the server), to input information to access the resource (i.e. requires the client to provide login credentials))
Kovaleski is combinable with Shahbazi because both are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the system of Shahbazi to incorporate the determining that a single sign on server cannot perform a login to a service, and providing a prompt to the user for information to obtain access as in Kovaleski in order to expand the functionality of the system by providing a means for the system to respond in the case of not being able to perform single sign on functions for a desired website.
Shahbazi and Kovaleski do not teach the limitations of claim 16 as follows:
wherein the login credentials for the particular third party application are unknown to the particular user of the client device; and 
However, in the same field of endeavor, Olden discloses the limitations of claim 16 as follows:
wherein the login credentials for the particular third party application are unknown to the particular user of the client device; and (Olden; Para. [0076]: Stored credentials for a user in order to access a resource (i.e. login credentials for the particular third party application) may be established by an administrator or identity router rather than by the user (i.e. unknown to the particular user of the client device))


Regarding claims 3, 10 and 17, Shahbazi, Kovaleski and Olden teach the method of claim 2, the system of claim 9 and the non-transitory computer-readable medium of claim 16.
Shahbazi, Kovaleski and Olden teach the limitations of claims 3, 10 and 17 as follows:
wherein receiving, by the client device and based at least on the determination whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and instead requires the client device to provide login credentials, (Kovaleski; Paras. [0016] & [0018]-[0021]: A prompt is displayed for the user (i.e. receiving, by the client device), based on determining that the system cannot fill the credentials(i.e. particular third party application prevents the server from providing the login credentials) to a site (i.e. for the particular third party application) when a software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials (i.e. identified by the server), to input information to access the resource (i.e. requires the client to provide login credentials))
at least one of (i) the client login script including(Shahbazi; Para. [0035]: Providing to the browser a registration form (i.e. client login script) where a username and password (i.e. login credentials) is input (i.e. including) and encrypted (i.e. obscuring) for signing into all registered applications/websites (i.e. for the particular third party application))
in response to the server determining that the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and instead requires the client device to provide login credentials that are identified by the server, (Kovaleski; Paras. [0016] & [0018]-[0021]: Based on determining that the system cannot fill the credentials (i.e. particular third party application prevents the server from providing the login credentials) to a site (i.e. for the particular third party application) when a software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials (i.e. identified by the server), to input information to access the resource which the single sign on service attempted to access (i.e. requires the client to provide login credentials that are identified by the server))
receiving by[[ to]] the client device the client login script that includes the login credentials for the particular third party application, (Shahbazi; Para. [0035]: Providing to the browser a registration form (i.e. client login script) where a username and password (i.e. login credentials) is input and encrypted for signing into all registered applications/websites (i.e. for the particular third party application))
wherein receipt of the client login script by the client device causes the client device to execute the client login script and establish the authenticated session with the particular third party application without further input from the particular user after the request to access the particular third party application is obtained by the server.  (Kovaleski; Paras. [0018]-[0021]: A prompt is received by the user (i.e. receipt of the client login script by the client device), which displays, to the user, information to be provided to the resource (i.e. causes the client device to execute the client login script) which, once provided, allows the user to be accepted by the particular resource (i.e. establish an authenticated session with the particular third party application) and the input prompt is removed and no longer displayed to the user (i.e. without further input from the particular user) occurring after the user has requested access through the single sign on service (i.e. after the request to access the particular third party application is obtained by the server))
The same motivations to combine as in claims 2, 9 and 16 are applicable to claims 3, 10 and 17, respectively.

Regarding claim 8, Shahbazi, Kovaleski and Olden teach the limitations of claim 2.
Shahbazi and Kovaleski teach the limitations of claim 8 as follows:
The method of claim 2, further comprising providing a prompt for the particular user to provide login credentials for the sign-on system.  (Kovaleski; Paras. [0018]-[0021]: A prompt is received by the user (i.e. providing a prompt for the particular user) for inputting the credentials for accessing the site (i.e. to provide login credentials for the sign-on system))
The same motivation to combine as in claim 2 is applicable to claim 8.

Claims 4, 6-7, 11, 13-15, 18 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Shahbazi (US 2013/0166918 A1), further in view of Kovaleski (US 2009/0007248 A1), further in view of Olden (US 2009/0249439 A1), as applied to claims 2, 9 and 16, further in view of Metke (US 2014/0189840 A1).
 Regarding claims 4, 11 and 18, Shahbazi, Kovaleski and Olden teach the method of claim 2, the system of claim 9 and the non-transitory computer-readable medium of claim 16.
Shahbazi, Kovaleski and Olden teach the limitations of claims 4, 11 and 18 as follows:
wherein receiving, by the client device and based at least on the determination whether the particular third party application prevents the server from providing the login credentials for the particular third party application that are identified by the server and instead requires the client device to provide login credentials, (Kovaleski; Paras. [0016] & [0018]-[0019]: A prompt is displayed for the user (i.e. receiving, by the client device), based on determining that the system cannot fill the credentials (i.e. particular third party application does not permit the server to provide the login credentials) to a site (i.e. for the particular third party application) when a software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials (i.e. identified by the server), to input information to access the resource which the single sign on service attempted to access (i.e. requires the client to provide login credentials that are identified by the server))
at least one of (i) the client login script including (Shahbazi; Para. [0035]: Providing to the browser a registration form (i.e. client login script) where a username and password (i.e. login credentials) is input (i.e. including) and encrypted for signing into all registered applications/websites (i.e. for the particular third party application)) 
in response to the server determining that the particular third party application permits the server to provide the login credentials for the particular third party application that are identified by the server and does not require the client device to provide login credentials that are identified by the server: (Kovaleski; Paras. [0016] & [0018]-[0021]: Based on determining that the system cannot fill the credentials (i.e. particular third party application does not permit the server to provide the login credentials) to a site (i.e. for the particular third party application) when a software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials (i.e. identified by the server), to input information to access the resource which the single sign on service attempted to access (i.e. requires the client to provide login credentials that are identified by the server))
for the authenticated session between the virtual web browser on the server and the third party application (Shahbazi; Paras. [0012]-[0013], [0042] & [0049]: A secure session (i.e. authenticated session) with a user with a sign-on server (i.e. virtual web browser on the server), by validating login credentials, which logs into the selected website (i.e. third party application))
Shahbazi and Kovaleski do not teach the limitations of claim claims 4, 11 and 18 as follows:
receiving, by the client device and from the server, session information for the authenticated session for the client device to use to establish the authenticated session with the particular third party application.  
However, in the same field of endeavor, Metke discloses the limitations of claim claims 4, 11 and 18 as follows:
receiving, by the client device and from the server, session information for the authenticated session for the client device to use to establish the authenticated session with the particular third party application.  (Metke; Paras. [0012]-[0013] & [0025]: Receiving, by a first device (i.e. client device), from the server a collaboration credential based on a first identity token which authenticates the device for a secure session (i.e. session information for the authenticated session) with a service provider (i.e. establish the authenticated session with the particular third party application))
Metke is combinable with Shahbazi, Kovaleski and Olden because all are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the system of Shahbazi, Kovaleski and Olden to incorporate providing collaboration credentials to the user device from the server as in Metke in order to expand the functionality of the system by providing a means for the client device to create a secure session with the third party website without necessitating a connection through the server, if desired.

Regarding claims 6, 13 and 20, Shahbazi, Kovaleski, Olden and Metke teach the method of claim 4, the system of claim 11 and the non-transitory computer-readable medium of claim 18.
Shahbazi, Kovaleski, Olden and Metke teach the limitations of claims 6, 13 and 20 as follows:
wherein the session information is obtained by the server in response to submitting a login form (Metke; Paras. [0012]-[0013] & [0025]: A collaboration credential (i.e. session information) is generated by the server (i.e. obtained by the server) based on a first identity token/user authentication (i.e. in response to submitting a login form))
in response to the virtual web browser submitting a login form of the particular third party application with the login credentials for the particular third party application supplied in the login form. (Shahbazi; Paras. [0012]-[0013]: The browser of the single sign on server (i.e. virtual web browser) provides credentials for login to the website to be accessed (i.e. submitting a login form of the particular third party application), the login credentials pertaining to the user to be able to access the website (i.e. the login credentials for the particular third party application supplied in the login form))
The same motivations to combine Metke as in claims 4, 11 and 18 are applicable to claims 6, 13 and 20, respectively.

Regarding claims 7, 14 and 21, Shahbazi, Kovaleski, Olden and Metke teach the method of claim 6, the system of claim 13 and the non-transitory computer-readable medium of claim 20.
Shahbazi, Kovaleski, Olden and Metke teach the limitations of claims 7, 14 and 21 as follows:
wherein the virtual web browser submitting a login form of the particular third party application with the login credentials for the particular third party application supplied in the login form (Shahbazi; Paras. [0012]-[0013]: The browser of the single sign on server (i.e. virtual web browser) provides credentials for login to the website to be accessed (i.e. submitting a login form of the particular third party application), the login credentials pertaining to the user to be able to access the website (i.e. the login credentials for the particular third party application supplied in the login form))
is in response to the server determining that the third party application fails to require login through a specific application programming interface.  (Shahbazi; Paras. [0012]-[0013], [0042] & [0049]: The website may be accessed either through the client device or through the single sign on server (i.e. does not require login through a specific application programming interface))

Regarding claim 15, Shahbazi, Kovaleski, Olden and Metke teach the limitations of claim 11.
Shahbazi, Kovaleski, Olden and Metke teach the limitations of claim 15 as follows:
The system of claim 11, wherein the operations further comprise providing a prompt for the particular user to provide login credentials for the sign-on system.  (Kovaleski; Paras. [0018]-[0021]: A prompt is received by the user (i.e. providing a prompt for the particular user) for inputting the credentials for accessing the site (i.e. to provide login credentials for the sign-on system))
The same motivation to combine Kovaleski as in claim 9 is applicable to claim 15.

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Shahbazi (US 2013/0166918 A1), further in view of Kovaleski (US 2009/0007248 A1), further in view of Olden (US 2009/0249439 A1), as applied to claims 2, 9 and 16, further in view of Metke (US 2014/0189840 A1), further in view of Purpura (US 6421768 B1).
Regarding claims 5, 12 and 19, Shahbazi, Kovaleski, Olden and Metke teach the method of claim 4, the system of claim 11 and the non-transitory computer-readable medium of claim 18.
Shahbazi, Kovaleski, Olden and Metke do not teach the limitations of claim claims 5, 12 and 19 as follows:
wherein the session information comprises a web browser cookie.  
However, in the same field of endeavor, Purpura discloses the limitations of claim claims 5, 12 and 19 as follows:
wherein the session information comprises a web browser cookie.  (Purpura; Col. 3, Lines 37-59, Col. 4 Lines 43-63: Session preferences (i.e. session information) for a user is stored in a cryptographically assured cookie to be used in a web browser (i.e. web browser cookie))
Purpura is combinable with Shahbazi, Kovaleski, Olden and Metke because all are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the system of Shahbazi, Kovaleski, Olden and Metke to incorporate the use of web browser cookies for session information as in Purpura in order to improve the security of the system by providing a cryptographically secure method of communicating session information. (Purpura; Col. 3, Lines 37-59, Col. 4 Lines 43-63)

Prior Art Considered But Not Relied Upon
	Ferchichi (US 2003/0012382 A1) which teaches that a single sign-on process between a mobile phone and a remote server.
	Gargaro (US 2014/0304793 A1) which teaches a system which executes a routine which loads an asynchronous engine configured to execute a login process with an authentication profiling service to retrieve login information for a back-end server.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BLAKE ISAAC NARRAMORE whose telephone number is (303)297-4357.  The examiner can normally be reached on Monday - Friday 0700-1700 MT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on (571) 272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  






/B.I.N./Examiner, Art Unit 2438 

/SAMSON B LEMMA/Primary Examiner, Art Unit 2498