DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This office action is in response to the amendment filed on 02/24/2021.
Claims 1-20 are pending for examination. Applicant amends claims 1, 4-5, 9, 11, 13-15, and 17-19. The amendments have been fully considered and entered.
Amendment to claim 15 regarding the claim objection has been accepted and the claim objection has been withdrawn.
Amendment to claim 14 regarding the 35 U.S.C. § 112(b) rejection has been accepted and the 35 U.S.C. § 112(b) rejection has been withdrawn.

Response to Arguments
For convenience, the newly introduced limitations, as made by amendments, are marked as underlined.
Applicant’s arguments, see Remarks, filed 02/24/2021, with respect to the rejection of claims 1, 9, and 15 under 35 U.S.C. § 103 have been fully considered but are not persuasive. The following are applicant arguments recited in the Remarks followed by Examiner's response:
a.	Regarding claims 1, 9, and 15, Applicant argues that “[t]he captive portal of Shrotri is not a directory service since it fails to control authentication of the end user 
Examiner respectfully disagrees and in response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning. But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper. See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971). Furthermore, Examiner maintains that Shrotri teaches a directory service that 1) generates a sign-on script including a password for an end user to use to sign-on to a web application and 2) controls authentication of the end user for access to the web application. As Applicant pointed out, Shrotri’s paragraph [0030] recites in part “the captive portal 105, RADIUS server 115A, identity server 116B, active directory 120, or combinations of these systems may be combined into a single server or device.” While Examiner agrees that this paragraph does not imply that all the components are combined into one component, Examiner submits that this paragraph does imply that all the components are combined into a “single service or device” that performs all the functions. Examiner respectfully submits that the “single server or device” reads on the claimed “directory service” because the single server or device would 1) generate a sign-on script that includes a password for an end user to use to 
b.	Regarding claim 9, Applicant argues that “Shrotri fails to disclose executing in the directory service the sign-on to the first web application in an isolation execution environment on behalf of the first end user.” (Remarks, pg. 9)
Examiner respectfully disagrees and submits that because Shrotri’s “single server or device” reads on the claimed directory service and the captive portal is a component of the “single server or device” as described above, Shrotri’s captive portal reads on the claimed “isolation execution environment”. Shrotri’s captive portal executes a redirect using the generated script (Shrotri, [0033]), thus, Shrotri reasonably reads on executing in the directory service the sign-on to the first web application in an isolation execution environment on behalf of the first end user.
c.	Applicant argues that “one of ordinary skill in the art would not be motivated to combine the browser extension of Stachura with Shrotri… the combination would alter the operational principle of Shrotri.” (Remarks, pg. 11) 
Examiner respectfully disagrees and submits that the modification to Shrotri to incorporate a browser extension of Stachura into a client device will not alter the operational principle of Shrotri. Modifying Shrotri’s single sign-on method with Stachura’s browser extension will make it convenient for users to obtain the single sign-on method by simply installing the browser extension. Furthermore, even if the proxy server of Stachura increases the difficulty for end users to access the captive portal on 

Claim Objections
Claim 1 is objected to because of the following informalities:
Regarding claim 1, the term “end-user” in line 4 should be “end user” for consistency. Appropriate correction is requested.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 9 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 9 recites the limitation "the first end user" in lines 8-9.  There is insufficient antecedent basis for this limitation in the claim.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 4, 5, 8, 9, 11, and 12 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Shrotri (US 20160021097 A1).
As per claim 1, Shrotri discloses: a system, comprising: 
at least one processor and a memory coupled to the at least one processor (Shrotri, Fig. 5, processors 5 and memory 10); 
wherein the at least one processor is configured to: 
generate a first sign-on script, at a directory service, for an end-user to sign-on to a web application (Shrotri, [0021], [0033], and [0078], captive portal 105 generates a JavaScript, [0035], web applications), the first sign-on script includes a password associated with the web application and the end user (Shrotri, [0078], JavaScript includes the user's authentication credentials, [0032], authentication credentials include password), the directory service controls authentication of the end user for access to the web application (Shrotri, [0030], captive portal 105, RADIUS server 115A, identity server 115B, and active directory 120 may be a single server/device (i.e., directory service) that controls authentication of the end user to the web application ([0035]));

obtain an authentication state from the execution of the first sign-on script (Shrotri, [0033], [0035], and [0079], an SSO token/cookie is generated/obtained based on the executed script); and 
return the authentication state to the end user device (Shrotri, [0033], [0035], and [0079], an SSO token/cookie is provided to the client device).  

As per claim 4, claim 1 is incorporated and Shrotri discloses: wherein the first sign-on script performs a single sign-in to the web application (Shrotri, [0033], single sign-on (SSO) process is executed for access to one or more enterprise applications).

As per claim 5, claim 1 is incorporated and Shrotri discloses: wherein the at least one processor is further configured to obtain the password of the end user for the web application from a credential vault of the directory service (Shrotri, [0043] and [0046], performing a lookup (i.e., obtaining) of the user against an active directory that stores credentials associated with access to the web applications).  

As per claim 8, claim 1 is incorporated and Shrotri discloses: wherein the authentication state is a browser cookie (Shrotri, [0035], SSO token/cookie is obtained after executing script).  

As per claim 9, Shrotri discloses: a method performed on a computing device having at least one processor and a memory (Shrotri, Fig. 5, processors 5 and memory 10), the method comprising: 
hosting a directory service to perform single sign-on to one or more web applications, wherein the directory service controls authentication to the one or more web applications (Shrotri, [0030], captive portal 105, RADIUS server 115A, identity server 115B, and active directory 120 may be a single server/device (i.e., directory service) that controls authentication of the end user to a remote web application via single sign-on); 
storing, in the directory service, one or more credentials associated with access to the one or more web applications (Shrotri, [0043] and [0046], active directory stores credentials associated with access to the web applications); 
receiving, at the directory service, a request to sign-on to a first web application by the first end user (Shrotri, [0035], client device can utilize this SSO token to access the enterprise application(s) (i.e., first web application));
executing in the directory service the sign-on to the first web application in an isolation execution environment on behalf of the first end user (Shrotri, [0033], captive portal 105 (i.e., isolation execution environment) executes a redirect using the generated script on behalf of the end user), the sign-on including a credential associated with the first end user obtained from the directory service (Shrotri, [0078], JavaScript includes the user's authentication credentials obtained from the captive portal of the single server/device, [0032], authentication credentials include password);

enabling the first end user to sign-on to the first web application through access to the browser cookie (Shrotri, [0033], [0035], and [0079], an SSO token/cookie is provided to the client device to allow user to access one or more enterprise applications).

As per claim 11, claim 9 is incorporated and Shrotri discloses: generating, in the directory service, a first sign-on script including the credential associated with the first web application and the first end user (Shrotri, [0021], [0033], and [0078], captive portal 105 generates a JavaScript which includes the user's authentication credentials, [0032], authentication credentials include password); and
executing the first sign-on script in the isolation execution environment (Shrotri, [0033], captive portal 105 (i.e., isolation execution environment) executes a redirect using the generated script, the captive portal 105 being separate from the client device (see Fig. 1)).  

As per claim 12, claim 11 is incorporated and Shrotri discloses: receiving the browser cookie from the execution of the first sign-on script (Shrotri, [0033], [0035], and [0079], an SSO token/cookie is generated and received based on the executed script).  



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 6, and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Shrotri in view of Stachura et al. (US 20150134956 A1; hereinafter “Stachura”).
As per claim 2, claim 1 is incorporated and Shrotri does not disclose, however, Stachura teaches or suggests: wherein the at least one processor is configured to embed the authentication state in a second sign-on script that is transmitted to the end user device (Stachura, [0107], cookie is provided to client by insertion of cookie into a response (i.e., script) sent from the remote server or by the proxy server inserting a cookie into a redirect response (i.e., script) provided by the proxy server).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Shrotri to include embedding the cookie in a response sent from the remote server or embedding the cookie into a redirect response provided by the proxy server as taught by Stachura so that the client device is able to receive the cookie for accessing web applications securely.

As per claim 6, claim 2 is incorporated and the modified Shrotri does not disclose, however, Stachura teaches or suggests: wherein the password is not included in the second sign-on script (Stachura, [0107], cookie is provided to client by insertion of cookie into a response sent from the remote server or by the proxy server inserting a cookie into a redirect response provided by the proxy server, Abstract, cookie contains no password as the cookie is used to allow the client device access without having to authenticate and use any credentials).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Shrotri to include a script without a password as taught by Stachura so that the user’s credentials are prevented from being exposed to malicious parties.
  
As per claim 13, claim 12 is incorporated and Shrotri does not disclose, however, Stachura teaches or suggests: generating a second sign-on script including the browser cookie to enable the first end user access to the first web application, the second sign-on script void of the credential (Stachura, [0107], cookie is provided to client by insertion of cookie into a response sent from the remote server or by the proxy server inserting a cookie into a redirect response provided by the proxy server, Abstract, cookie contains no password as the cookie is used to allow the client device access without having to authenticate and use any credentials).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Shrotri to include embedding the cookie in a response sent from the remote server or 
  
As per claim 14, claim 13 is incorporated and Shrotri does not disclose, however, Stachura teaches or suggests: transmitting the second sign-on script to the end user device for use by a browser of the end user device to obtain a signed-on web page of the first web application (Stachura, [0107], cookie is provided to client by insertion of cookie into a response sent from the remote server or by the proxy server inserting a cookie into a redirect response provided by the proxy server, [0089], permitting client device to access resources on the remote server).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Shrotri to include embedding the cookie in a response sent from the remote server or embedding the cookie into a redirect response provided by the proxy server as taught by Stachura so that the client device is able to access web applications securely and to prevent the user’s credentials from being exposed to malicious parties.
  
As per claim 15, Shrotri discloses: a device, comprising: 
at least one processor coupled to a memory (Shrotri, Fig. 5, processors 5 and memory 10); 

submit at least one HyperText Transfer Protocol (HTTP) request to a directory service for single sign-on authentication to a web application (Shrotri, [0045], client device 110A transmits to the captive portal 105 an HTTP request for network access), wherein the directory service authenticates access to the web application using a user credential (Shrotri, [0030], captive portal 105, RADIUS server 115A, identity server 115B, and active directory 120 may be a single server/device (i.e., directory service) that controls authentication of the end user to a remote web application, [0078], captive portal 105 generates a JavaScript that includes the user's authentication credentials to authenticate access to the web application);
receive a browser cookie from the directory service, the browser cookie representing an authentication state obtained from the web application (Shrotri, [0033], [0035], and [0079], an SSO token/cookie is provided to the client device); 
set the browser cookie in the browser (Shrotri, [0035], store cookie in browser); and 
transmit the browser cookie in one or more HTTP requests to obtain access to the web application, wherein the one or more HTTP requests are without the user credential and without user intervention (Shrotri, [0035], client device utilizes the SSO token/cookie to access the enterprise application(s), wherein the SSO token/cookie does not include the user credential, [0094], using HTTP requests, [0045], without user intervention).  

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Shrotri to include a browser extension to perform single sign-on functions as taught by Stachura for the benefit of performing single sign-on functions securely using a specific communication protocol between the browser extension and the proxy server.

As per claim 16, claim 15 is incorporated and the modified Shrotri discloses: wherein the browser cookie is obtained in a sign-on script from the directory service (Shrotri, [0035], SSO token/cookie is obtained after executing script).

As per claim 17, claim 15 is incorporated and modified Shrotri discloses: generate an HTTP request to sign-on to the web application using the browser cookie without a user credential (Shrotri, [0035], client device utilizes the SSO token/cookie to access the enterprise application(s), wherein the SSO token/cookie does not include the user credential, [0094], using HTTP requests, [0045], without user intervention).  
The modified Shrotri does not disclose, however, Stachura teaches or suggests that the functions are executed by a browser extension (Stachura, [0071], client device 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Shrotri to include a browser extension to perform single sign-on functions as taught by Stachura for the benefit of performing single sign-on function securely using a specific communication protocol between the browser extension and the proxy server.

As per claim 18, claim 15 is incorporated and Shrotri does not disclose, however, Stachura teaches or suggests: wherein the browser extension includes instructions that when executed by the at least one processor includes actions that: use a sign-on script without the user credential to sign-on to the web application (Stachura, [0107], cookie is provided to client by insertion of cookie into a response sent from the remote server or by the proxy server inserting a cookie into a redirect response provided by the proxy server, Abstract, cookie contains no password as the cookie is used to allow the client device access without having to authenticate and use any credentials, [0071], client device has a custom browser software, custom browser, custom plug-in, or browser add-ins to communicate with proxy server and implement single sign-on functions).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Shrotri to include embedding the cookie in a response sent from the remote server or embedding the cookie into a redirect response provided by the proxy server as 

As per claim 19, claim 15 is incorporated and the modified Shrotri discloses: instruct the browser to refresh a current display with a signed-on web page from the web application (Shrotri, [0059], client device is granted access to the enterprise application, thus the browser will be refreshed to display the signed-on web page of the application).
The modified Shrotri does not disclose, however, Stachura teaches or suggests: that the functions are executed by a browser extension (Stachura, [0071], client device has a custom browser software, custom browser, custom plug-in, or browser add-ins to communicate with proxy server and implement single sign-on functions). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Shrotri to include a browser extension to perform single sign-on functions as taught by Stachura for the benefit of performing single sign-on function securely using a specific communication protocol between the browser extension and the proxy server.

As per claim 20, claim 15 is incorporated and the modified Shrotri discloses: wherein the user credential includes a password (Shrotri, [0032], authentication credentials include password).

Claims 3 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Shrotri in view of Lucovsky et al. (US 20110265168 A1; hereinafter “Lucovsky”).
As per claim 3, claim 1 is incorporated and Shrotri does not disclose, however, Lucovsky teaches or suggests: wherein the isolation execution environment includes a container having a dedicated OS kernel (Lucovsky, [0013]-[0014], container virtual machines can be Hyper-V containers which are known to operate on a dedicated kernel, [0022], containers can execute script files).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Shrotri system to include a Hyper-V container to execute the scripts as taught by Lucovsky for the benefit of providing an isolated environment for Shrotri’s single sign-on script to execute so that sensitive credentials are not exposed to malicious parties.

As per claim 10, claim 9 is incorporated and Shrotri does not disclose, however, Lucovsky teaches or suggests: configuring the isolation execution environment in the directory service with a Hyper-V container (Lucovsky, [0013]-[0014], container virtual machines can be Hyper-V containers, [0022], containers can execute script files).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Shrotri system to include a Hyper-V container to execute the scripts as taught by Lucovsky for the benefit of providing an isolated environment for Shrotri’s single sign-on script to execute so that sensitive credentials are not exposed to malicious parties.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Shrotri in view of Child et al. (US 20110265168 A1; hereinafter “Child”).
As per claim 7, claim 1 is incorporated and Shrotri does not disclose, however, Child teaches or suggests: wherein the first sign-on script is executed in the isolation execution environment with a headless browser (Child, [0039], remote login services logs the user in to the third party application using a headless browser executing on the server 100). 
 It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Shrotri system to include executing a sign-on script with a headless browser as taught by Child for the benefit of executing single sign-on functions without the risk of exposing user sensitive credentials, thereby preventing security vulnerabilities (Child, [0004]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.	
Doitch et al. (US 20170142094 A1) discloses the use of local directory services and cloud-based directory services for posting, via Java scripts, authentication service tickets/information which avoids prompting users for authentication credentials associated with a second sign-on ([0050]).

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552.  The examiner can normally be reached on M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437    

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437