DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on 04/01/2021 has been entered.
As per instant Amendment, Claims 1, 10 and 16 are independent claims.  Claims 1-20 have been examined and are pending. This Action is made Non-FINAL. 

Response to Arguments
In attempt to promote compact prosecution, the Examiner has contacted the Applicants for possible amendments to move the case forward. However the Applicants and the Examiner could not come up with an agreement.
The reference Kesari et al. (US 2018/0262484) used to address newly added limitations.
The amended claims 1, 10, 12 and 16 have been addressed in rejection below.




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Innes et al. (“Innes,” US 2016/0094546), published on March 31, 2016, in view of Kesari et al. (“Kesari,” US 2018/0262484), published on September 13, 2018 and Peterson et al. (“Peterson,” US 2018/0115547), published on April 26, 2018.

Regarding claim 1: Innes discloses a mobile computing device comprising:
a memory and a processor cooperating with said memory (Innes: fig. 1 item; ¶0034 a processor and memory 121) to perform the following:
launch a first native software as a service (SaaS) application based on user input (Innes: ¶0194 in step 1284, a resource launch request may be made after logon by the gateway server 1223 and/or the application store 1225; ¶0074 the data secured in the secure data container may be accessed by the secure wrapped applications 514, applications executed by a secure application launcher 522, ¶0072 the secure applications may be [...] software-as-a-service (SaaS) access applications [...] the secure applications may be secure native applications 514 [...] executed by a secure application launcher 518), 
launch a virtual private network (VPN) application in response to the first native SaaS application being launched (Innes: ¶0075 each of the wrapped applications in the secured area of the phone may access enterprise resources through an application specific VPN; ¶0072 the secure native applications 514 may be wrapped by a secure application wrapper 520),
with the VPN application modifying the traffic by inserting the IDP authentication token to be presented to the identity provider without requiring the user to login for authentication (Innes: ¶0075 the virtual private network connections may support and enable single-sign-on authentication processes 554. The single-sign-on processes may allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558. The authentication service 558 may then grant to the user access to multiple enterprise resources 504, without requiring the user to provide authentication credentials to each individual enterprise resource 504), with the identity provider providing a first native SaaS application access token to the VPN application upon authentication (Innes: ¶0159 after the authentication with the IdP, the IdP may issue a confirmation token (e.g., a SAML token) [...] which may be used to process a service access request from the user).
Innes does discloses SAML tokens issued by an identity provider (IdP) but does not explicitly disclose operate the VPN application to authenticate with an identity provider (IDP), with the identity provider providing an IDP authentication token to the VPN application upon authentication, operate the first native SaaS application to access a first SaaS service after the VPN application has received the IDP authentication token, with the first SaaS service redirecting the first native SaaS application to the identity provider for authentication and operate the VPN application to intercept traffic from the first native 
However Kesari discloses operate the VPN application to authenticate with an identity provider (IDP), with the identity provider providing an IDP authentication token to the VPN application upon authentication (Kesari: fig. 6 step 615 authenticate VPN certificate; ¶0078 at step 615, the identity provider 206 can authenticate or validate the device certificate 225; ¶0079 at step 618, the identity provider 206 can determine that the presented device certificate 225 or calculated certificate signature is valid for the requested identity assertion; ¶0080 at step 621, if the device certificate 225 and the corresponding client device 203 can be validated, the identity assertion is generated and sent to the email client 224; ¶0042 the device certificate 225 can represent a certificate that is installed along with a VPN client 229),
operate the first native SaaS application to access a first SaaS service after the VPN application has received the IDP authentication token, with the first SaaS service redirecting the first native SaaS application to the identity provider for authentication (Kesari: ¶0056 network traffic destined for the email service 209 can routed by the email client 224 to the email service 209 outside of the VPN tunnel to the identity provider 206. The identity provider 206 can utilize the device certificate 225 installed by the device management service 204 in a VPN profile or with the VPN client 229 to secure network traffic to the identity provider 206. The identity provider 206 can in tum authenticate the client device 203 based upon a certificate signature or other characteristics of network traffic from the VPN client 229 or of the VPN tunnel),
Kesari: ¶0059 at step 409, the email client 224 can send an identity assertion request to the identity provider 206. The identity assertion request can be sent through the VPN tunnel by the VPN client 229; ¶0063 an identity assertion can be provided to the email client 224. The identity assertion can be provided through the VPN tunnel established by the VPN client 229).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Kesari with the system and method of Innes to include first native SaaS application to access a first SaaS service the first native SaaS application to access a first SaaS service after the VPN application has received the IDP authentication token to provide users with a means for providing a single sign-on experience for users on mobile devices (Kesari: par. 0008).
Innes in view of Kesari does not explicitly disclose with the VPN application then providing the first SaaS application access token to the first native SaaS application and operate the first native SaaS application to provide the first SaaS application access token to the first SaaS service to complete authentication.
However Peterson discloses with the VPN application then providing the first SaaS application access token to the first native SaaS application (Peterson: ¶0025 VPN appliance 106 can store the user credentials in memory. VPN appliance 106 can then generate a user access token associated with the user credentials (step 214)), and
operate the first native SaaS application to provide the first SaaS application access token to the first SaaS service to complete authentication (Peterson: ¶0035 user agent 104 can then retrieve the target resource based on the authentication response (step 250) [...] service provider 102 can provide the target resource based on the authentication response (step 252)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Peterson with the system and method of Innes and Kesari to include operate the first native SaaS application to provide the first SaaS application access token to the first SaaS service to complete authentication to provide users with a means for using of a virtual private network appliance to provide external access to an identity provider located within a secure network (Peterson: ¶0001).

Regarding claim 2: Innes in view of Kesari and Peterson discloses the mobile computing device according to Claim 1.
Innes further discloses launch a second native SaaS application based on user input (Innes: ¶0194 in step 1284, a resource launch request may be made after logon by the gateway server 1223 and/or the application store 1225; ¶0074 the data secured in the secure data container may be accessed by the secure wrapped applications 514, applications executed by a secure application launcher 522, ¶0072 the secure applications may be [...] software-as-a-service (SaaS) access applications [...] the secure applications may be secure native applications 514 [...] executed by a secure application launcher 518);
operate the second native SaaS application to access a second SaaS service, with the second SaaS service redirecting the second native SaaS application to the identity provider for authentication (Innes: ¶0161 cloud services may include enterprise controlled user authentication to access software as a service (SaaS) products and/or data as a service (DaaS) where cloud desktop is used to access enterprise resources. A next generation enterprise security model may include an identity provider (IdP) as a central point for user authentication, for SaaS and on-prem resources), with the VPN application modifying the traffic by inserting the IDP authentication token to be presented to the identity provider without requiring the user to login for authentication (Innes: ¶0075 the virtual private network connections may support and enable single-sign-on authentication processes 554. The single-sign-on processes may allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558. The authentication service 558 may then grant to the user access to multiple enterprise resources 504, without requiring the user to provide authentication credentials to each individual enterprise resource 504), with the identity provider providing a second SaaS application access token to the VPN upon authentication (Innes: ¶0159 after the authentication with the IdP, the IdP may issue a confirmation token (e.g., a SAML token) [...] which may be used to process a service access request from the user).
Peterson further discloses operate the VPN application to intercept traffic from the second native SaaS application to the identity provider (Peterson: ¶0032 VPN appliance 106 can then intercept the authentication form (step 236). For example, second identity provider 110 can send the authentication form to user agent 104 via VPN appliance 106 (e.g., the authentication form can be addressed to user agent 104). VPN appliance can analyze traffic coming from second identity provider 110 and determine that the traffic includes the authentication form), with the VPN application then providing the second SaaS application access token to the second native SaaS application (Peterson: ¶0025 VPN appliance 106 can store the user credentials in memory. VPN appliance 106 can then generate a user access token associated with the user credentials (step 214)), and
operate the second native SaaS application to provide the second SaaS application access token to the second SaaS service to complete authentication (Peterson: ¶0035 user agent 104 can then retrieve the target resource based on the authentication response (step 250) [...] service provider 102 can provide the target resource based on the authentication response (step 252)).
The motivation is the same that of claim 1 above.

Regarding claim 3: Innes in view of Kesari and Peterson discloses the mobile computing device according to Claim 1.
Innes further discloses re-launch the first native SaaS application based on user input (Innes: ¶0097 an inactivity timeout may be implemented, wherein after a policy-defined period of inactivity, a user session is terminated; ¶0194 the user session may already exist if this is a reconnection event, or may be about to be created if this is a first time launch event; ¶0235 a user may reconnect to a remote session);
operate the first native SaaS application to access the first SaaS service (Innes: ¶0158 a user may authenticate to an external component/service/device, such as an Identity Provider (IdP), using any type of credential and/or authentication protocol that is appropriate; ¶0159 after the authentication with the IdP, the IdP may issue a confirmation token (e.g., a SAML token) to a named Relying Party (RP) or Service Provider, which may be used to process a service access request from the user), with the VPN application modifying the traffic by inserting the IDP authentication token to be presented to the Innes: ¶0075 the virtual private network connections may support and enable single-sign-on authentication processes 554. The single-sign-on processes may allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558. The authentication service 558 may then grant to the user access to multiple enterprise resources 504, without requiring the user to provide authentication credentials to each individual enterprise resource 504), with the identity provider providing a new first SaaS application access token to the VPN upon authentication (Innes: ¶0159 after the authentication with the IdP, the IdP may issue a confirmation token (e.g., a SAML token) [...] which may be used to process a service access request from the user).
Kesari further discloses the first SaaS service redirecting the first native SaaS application to the identity provider for authentication (Kesari: ¶0056 the email service 209 can routed by the email client 224 to the email service 209 outside of the VPN tunnel to the identity provider 206); and
operate the VPN application to intercept traffic from the first native SaaS application to the identity provider (Kesari: ¶0059 at step 409, the email client 224 can send an identity assertion request to the identity provider 206. The identity assertion request can be sent through the VPN tunnel by the VPN client 229).
The motivation is the same that of claim 1 above.
 Peterson further discloses with the VPN application then providing the new first SaaS application access token to the first native SaaS application (Peterson: ¶0025 VPN appliance 106 can store the user credentials in memory. VPN appliance 106 can then generate a user access token associated with the user credentials (step 214)); and
Peterson: ¶0035 user agent 104 can then retrieve the target resource based on the authentication response (step 250) [...] service provider 102 can provide the target resource based on the authentication response (step 252)).
The motivation is the same that of claim 1 above.

Regarding claim 4: Innes in view of Kesari and Peterson discloses the mobile computing device according to Claim 1.
Kesari further discloses wherein the VPN application uses a client certificate to authenticate with the identity provider so as to receive the IDP authentication token (Kesari: ¶0061 the identity provider 206 can communicate with the device management service 204 to obtain a copy of the device certificate 225 issued to the client device 203 or a signature of the device certificate 225. In this way, the identity provider 206 can validate not only the credentials of the user but also the client device 203 on which the email client 224 is installed).
The motivation is the same that of claim 1 above.

Regarding claim 5: Innes in view of Kesari and Peterson discloses the mobile computing device according to Claim 1.
Peterson further discloses wherein the VPN application uses the user's login information to authenticate with the identity provider so as to receive the IDP authentication token (Peterson: ¶0023 VPN appliance 106 can then send user credentials to first identity provider (step 206). This can be for the purposes of authorizing the VPN session request; ¶0024 first identity provider 108 can then validate the user credentials (step 210) [...] first identity provider 108 can send a response to VPN appliance 106 including an authorization token allowing user agent 104 to connect to VPN appliance 106; ¶0021 user credentials can include a username, password, email address, phone number, account identifier, biometric data [...] etc.).
The motivation is the same that of claim 1 above.

Regarding claim 6: Innes in view of Kesari and Peterson discloses the mobile computing device according to Claim 1.
Kesari further discloses wherein said processor operates the VPN application so that the VPN application only intercepts traffic directed to the identity provider while passing traffic for other destinations as is (Kesari: ¶0056 the per-app VPN profile, in some examples, can cause only network traffic destined for certain network addresses, such as a network address corresponding to the identity provider 206, to be routed through a VPN tunnel established by the VPN client 229 to the identity provider 206).
The motivation is the same that of claim 1 above.

Regarding claim 7: Innes in view of Kesari and Peterson discloses the mobile computing device according to Claim 1.
Innes further discloses wherein the VPN application presents a server certificate when intercepting traffic from the first SaaS service (Innes: ¶0095 SSL certificate validation may be operable so the application specifically validates the server SSL certificate).

Regarding claim 8: Innes in view of Kesari and Peterson discloses the mobile computing device according to Claim 1.
Innes further discloses wherein the traffic is based on a secure sockets layer (SSL) protocol (Innes: ¶0049 a Secure Sockets Layer (SSL) VPN server).

Regarding claim 9: Innes in view of Kesari and Peterson discloses the mobile computing device according to Claim 1.
Kesari further discloses wherein the mobile computing device is enrolled with a mobile device management (MDM) service (Kesari: ¶0021 the device management service 204 can establish a secure communications channel with the client devices 203 (e.g., a mobile device management channel, or MDM channel)).
The motivation is the same that of claim 1 above.

Regarding claim 10: Innes discloses a method for operating a mobile computing device comprising:
launching a first native software as a service (SaaS) application based on user input (Innes: ¶0194 in step 1284, a resource launch request may be made after logon by the gateway server 1223 and/or the application store 1225; ¶0074 the data secured in the secure data container may be accessed by the secure wrapped applications 514, applications executed by a secure application launcher 522, ¶0072 the secure applications may be [...] software-as-a-service (SaaS) access applications [...] the secure applications may be secure native applications 514 [...] executed by a secure application launcher 518);
launching a virtual private network (VPN) application in response to the first native SaaS application being launched (Innes: ¶0075 each of the wrapped applications in the secured area of the phone may access enterprise resources through an application specific VPN; ¶0072 the secure native applications 514 may be wrapped by a secure application wrapper 520);
with the VPN application modifying the traffic by inserting the IDP authentication token to be presented to the identity provider without requiring the user to login for authentication (Innes: ¶0075 the virtual private network connections may support and enable single-sign-on authentication processes 554. The single-sign-on processes may allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558. The authentication service 558 may then grant to the user access to multiple enterprise resources 504, without requiring the user to provide authentication credentials to each individual enterprise resource 504), with the identity provider providing a first native SaaS application access token to the VPN application upon authentication (Innes: ¶0159 after the authentication with the IdP, the IdP may issue a confirmation token (e.g., a SAML token) [...] which may be used to process a service access request from the user).
Innes does discloses SAML tokens issued by an identity provider (IdP) but does not explicitly disclose operating the VPN application to authenticate with an identity provider (IDP), with the identity provider providing an IDP authentication token to the VPN application upon authentication, operating the first native SaaS application to access a 
However, Kesari discloses operating the VPN application to authenticate with an identity provider (IDP), with the identity provider providing an IDP authentication token to the VPN application upon authentication (Kesari: fig. 6 step 615 authenticate VPN certificate; ¶0078 at step 615, the identity provider 206 can authenticate or validate the device certificate 225; ¶0079 at step 618, the identity provider 206 can determine that the presented device certificate 225 or calculated certificate signature is valid for the requested identity assertion; ¶0080 at step 621, if the device certificate 225 and the corresponding client device 203 can be validated, the identity assertion is generated and sent to the email client 224; ¶0042 the device certificate 225 can represent a certificate that is installed along with a VPN client 229),
operating the first native SaaS application to access a first SaaS service after the VPN application has received the IDP authentication token, with the first SaaS service redirecting the first native SaaS application to the identity provider for authentication (Kesari: ¶0056 network traffic destined for the email service 209 can routed by the email client 224 to the email service 209 outside of the VPN tunnel to the identity provider 206. The identity provider 206 can utilize the device certificate 225 installed by the device management service 204 in a VPN profile or with the VPN client 229 to secure network traffic to the identity provider 206. The identity provider 206 can in tum authenticate the client device 203 based upon a certificate signature or other characteristics of network traffic from the VPN client 229 or of the VPN tunnel),
operating the VPN application to intercept traffic from the first native SaaS application to the identity provider after the first native SaaS application has been redirected to the identity provider (Kesari: ¶0059 at step 409, the email client 224 can send an identity assertion request to the identity provider 206. The identity assertion request can be sent through the VPN tunnel by the VPN client 229; ¶0063 an identity assertion can be provided to the email client 224. The identity assertion can be provided through the VPN tunnel established by the VPN client 229).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Kesari with the system and method of Innes to include first native SaaS application to access a first SaaS service the first native SaaS application to access a first SaaS service after the VPN application has received the IDP authentication token to provide users with a means for providing a single sign-on experience for users on mobile devices (Kesari: par. 0008).
Innes in view of Kesari does not explicitly disclose with the VPN application then providing the first SaaS application access token to the first native SaaS application and operating the first native SaaS application to provide the first SaaS application access token to the first SaaS service to complete authentication.
However Peterson discloses with the VPN application then providing the first SaaS application access token to the first native SaaS application (Peterson: ¶0025 VPN appliance 106 can store the user credentials in memory. VPN appliance 106 can then generate a user access token associated with the user credentials (step 214)); and
Peterson: ¶0035 user agent 104 can then retrieve the target resource based on the authentication response (step 250) [...] service provider 102 can provide the target resource based on the authentication response (step 252)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Peterson with the system and method of Innes to include the first native SaaS application to provide the first SaaS application access token to the first SaaS service to complete authentication to provide users with a means for using of a virtual private network appliance to provide external access to an identity provider located within a secure network (Peterson: ¶0001).

Regarding claim 11: Claim 11 is similar in scope to claim 2, and is therefore rejected under similar rationale.

Regarding claim 12: Innes in view of Kesari and Peterson discloses the mobile computing device according to Claim 1.
Innes further discloses re-launching the first native SaaS application based on user input (Innes: ¶0097 an inactivity timeout may be implemented, wherein after a policy-defined period of inactivity, a user session is terminated; ¶0194 the user session may already exist if this is a reconnection event, or may be about to be created if this is a first time launch event; ¶0235 a user may reconnect to a remote session);
Innes: ¶0158 a user may authenticate to an external component/service/device, such as an Identity Provider (IdP), using any type of credential and/or authentication protocol that is appropriate; ¶0159 after the authentication with the IdP, the IdP may issue a confirmation token (e.g., a SAML token) to a named Relying Party (RP) or Service Provider, which may be used to process a service access request from the user), with the VPN application modifying the traffic by inserting the IDP authentication token to be presented to the identity provider without requiring the user to login for authentication (Innes: ¶0075 the virtual private network connections may support and enable single-sign-on authentication processes 554. The single-sign-on processes may allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558. The authentication service 558 may then grant to the user access to multiple enterprise resources 504, without requiring the user to provide authentication credentials to each individual enterprise resource 504), with the identity provider providing a new first SaaS application access token to the VPN upon authentication (Innes: ¶0159 after the authentication with the IdP, the IdP may issue a confirmation token (e.g., a SAML token) [...] which may be used to process a service access request from the user).
Kesari further discloses the first SaaS service redirecting the first native SaaS application to the identity provider for authentication (Kesari: ¶0056 the email service 209 can routed by the email client 224 to the email service 209 outside of the VPN tunnel to the identity provider 206); and
operating the VPN application to intercept traffic from the first native SaaS application to the identity provider after the first native SaaS application has been Kesari: ¶0059 at step 409, the email client 224 can send an identity assertion request to the identity provider 206. The identity assertion request can be sent through the VPN tunnel by the VPN client 229; ¶0063 an identity assertion can be provided to the email client 224. The identity assertion can be provided through the VPN tunnel established by the VPN client 229).
The motivation is the same that of claim 1 above.
 Peterson further discloses with the VPN application then providing the new first SaaS application access token to the first native SaaS application (Peterson: ¶0025 VPN appliance 106 can store the user credentials in memory. VPN appliance 106 can then generate a user access token associated with the user credentials (step 214)); and
operating the first native SaaS application to provide the new first SaaS application access token to the first SaaS service to complete re-authentication (Peterson: ¶0035 user agent 104 can then retrieve the target resource based on the authentication response (step 250) [...] service provider 102 can provide the target resource based on the authentication response (step 252)).
The motivation is the same that of claim 1 above.

Regarding claims 13-15: Claims 13-15 are similar in scope to claims 4-6, respectively, and are therefore rejected under similar rationale.

Regarding claim 16: Innes discloses a non-transitory computer readable medium for operating a mobile computing device, and with the non-transitory computer readable 
launching a first native software as a service (SaaS) application based on user input (Innes: ¶0194 in step 1284, a resource launch request may be made after logon by the gateway server 1223 and/or the application store 1225; ¶0074 the data secured in the secure data container may be accessed by the secure wrapped applications 514, applications executed by a secure application launcher 522, ¶0072 the secure applications may be [...] software-as-a-service (SaaS) access applications [...] the secure applications may be secure native applications 514 [...] executed by a secure application launcher 518);
launching a virtual private network (VPN) application in response to the first native SaaS application being launched (Innes: ¶0075 each of the wrapped applications in the secured area of the phone may access enterprise resources through an application specific VPN; ¶0072 the secure native applications 514 may be wrapped by a secure application wrapper 520);
operating the VPN application to authenticate with an identity provider (IDP), with the identity provider providing an IDP authentication token to the VPN application upon authentication (Innes: ¶0158 a user may authenticate to an external component/service/device, such as an Identity Provider (IdP), using any type of credential and/or authentication protocol that is appropriate; ¶0159 after the authentication with the IdP, the IdP may issue a confirmation token (e.g., a SAML token));
with the VPN application modifying the traffic by inserting the IDP authentication token to be presented to the identity provider without requiring the user to login for authentication (Innes: ¶0075 the virtual private network connections may support and enable single-sign-on authentication processes 554. The single-sign-on processes may allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558. The authentication service 558 may then grant to the user access to multiple enterprise resources 504, without requiring the user to provide authentication credentials to each individual enterprise resource 504), with the identity provider providing a first native SaaS application access token to the VPN application upon authentication (Innes: ¶0159 after the authentication with the IdP, the IdP may issue a confirmation token (e.g., a SAML token) [...] which may be used to process a service access request from the user).
Innes does discloses SAML tokens issued by an identity provider (IdP) but does not explicitly disclose operating the first native SaaS application to access a first SaaS service after the VPN application has received the IDP authentication token, with the first SaaS service redirecting the first native SaaS application to the identity provider for authentication and operating the VPN application to intercept traffic from the first native SaaS application to the identity provider.
However Kesari discloses operating the first native SaaS application to access a first SaaS service after the VPN application has received the IDP authentication token, with the first SaaS service redirecting the first native SaaS application to the identity provider for authentication (Kesari: ¶0056 network traffic destined for the email service 209 can routed by the email client 224 to the email service 209 outside of the VPN tunnel to the identity provider 206. The identity provider 206 can utilize the device certificate 225 installed by the device management service 204 in a VPN profile or with the VPN client 229 to secure network traffic to the identity provider 206. The identity provider 206 can in tum authenticate the client device 203 based upon a certificate signature or other characteristics of network traffic from the VPN client 229 or of the VPN tunnel), and
operating the VPN application to intercept traffic from the first native SaaS application to the identity provider (Kesari: ¶0059 at step 409, the email client 224 can send an identity assertion request to the identity provider 206. The identity assertion request can be sent through the VPN tunnel by the VPN client 229; ¶0063 an identity assertion can be provided to the email client 224. The identity assertion can be provided through the VPN tunnel established by the VPN client 229).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Kesari with the system and method of Innes to include first native SaaS application to access a first SaaS service the first native SaaS application to access a first SaaS service after the VPN application has received the IDP authentication token to provide users with a means for providing a single sign-on experience for users on mobile devices (Kesari: par. 0008).
Innes in view Kesari does not explicitly disclose with the VPN application then providing the first SaaS application access token to the first native SaaS application and operating the first native SaaS application to provide the first SaaS application access token to the first SaaS service to complete authentication.
However Peterson discloses with the VPN application then providing the first SaaS application access token to the first native SaaS application (Peterson: ¶0025 VPN appliance 106 can store the user credentials in memory. VPN appliance 106 can then generate a user access token associated with the user credentials (step 214)); and
Peterson: ¶0035 user agent 104 can then retrieve the target resource based on the authentication response (step 250) [...] service provider 102 can provide the target resource based on the authentication response (step 252)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Peterson with the system and method of Innes to include operate the first native SaaS application to provide the first SaaS application access token to the first SaaS service to complete authentication to provide users with a means for using of a virtual private network appliance to provide external access to an identity provider located within a secure network (Peterson: ¶0001).
Regarding claim 17: Claim 17 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Regarding claims 18-20: Claims 18-20 are similar in scope to claims 4-6, respectively, and are therefore rejected under similar rationale.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857.  The examiner can normally be reached on Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/FAHIMEH MOHAMMADI/    Examiner, Art Unit 2439                                                                                                                                                                                         

/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439