DETAILED ACTION
Claims 1-20 are allowed.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Samir Bhavsar (Reg. No. 41617) on June 17, 2021.
The application has been amended as follows: 

1. (Currently Amended) A system for securely managing security policy data used to provide users access to third-party applications without revealing credentials to the users, the system comprising: 
a permission server, comprising a hardware processor, configured to store permission data comprising a list of third-party applications to which the users are currently permitted access; and 

store security policy data, the security policy data comprising, for each user, a list of third-party applications to which the user may request access and the corresponding sign-on credentials for accessing each of the third-party applications; 
host an administration portal on the network, the administration portal comprising a user interface configured to be displayed on a device of an administrator; 
receive, in response to input provided by the administrator in the user interface, a selection of a first deployment to configure, the first deployment corresponding to a first third-party application and a first network address for a first sign-on page of the first third-party application; 
receive, in response to input provided by the administrator at the user interface, first sign-on credentials for the first deployment, wherein the first sign-on credentials provide access to the first third-party application via the first sign-on page;  
receive, in response to input provided by the administrator in the user interface, a selection of a second deployment to configure, the second deployment corresponding to a second third-party application and a second network address for a second sign-on page of the second third-party application; 
receive, in response to input provided at the user interface of the administration portal, second sign-on credentials for the second 
in response to input provided at the user interface of the administration portal corresponding to an attempt to associate the first sign-on credentials with a first user, send a first request to the permission server to confirm that the first user is permitted access to the first third-party application; 
receive a first response to the first request from the permission server, wherein the first response comprises a confirmation or denial of permission to access the first third-party application by the first user, and wherein the permission server is configured to generate the first response using the permission data stored therein; 
in response to the first response comprising a confirmation of permission to access the first third-party application by the first user, associate the first user with the first sign-on credentials;  
in response to input provided at the user interface of the administration portal corresponding to an attempt to associate the second sign-on credentials with a second user, send a second request to the permission server to confirm that the second user is permitted access to the second third-party application; 
receive a second response to the second request from the permission server, wherein the second response comprises a confirmation or denial of permission to access the second third-party application by the second user, and wherein the permission server is configured to generate the second response using the permission data stored therein; 

automatically update the security policy data, based on the association of the first sign-on credentials with the first user and the association of the second sign-on credentials with the second user, such that the security policy data stored in the access management server comprises: 
40654103 ATTORNEY'S DOCKET PATENT APPLICATION 015444.1450 (P9057-US) 31
a first entry for the first deployment, the first entry comprising an identifier of the first user, the first sign-on credentials, and the first network address; and 
a second entry for the second deployment, the second entry comprising an identifier of the second user, the second sign-on credentials, and the second network address. 

2. (Original) The system of Claim 1, wherein the first sign-on credentials comprise a first password and a first username for accessing the first third-party application and the second sign-on credentials comprise a second password and a second username for accessing the second third-party application. 

3. (Currently Amended) The system of Claim 1, wherein the access management server is further configured to store one or both of the first sign-on credentials and the second sign-on credentials in an encrypted format. 



5. (Currently Amended) The system of Claim 1, wherein the access management server is further configured to: 
in response to input provided at the user interface of the administration portal corresponding to an attempt to associate the first sign-on credentials with the second user, send a third request to the permission server to confirm that the second user is permitted access to the first third-party application; 
receive a third response to the third request from the permission server, wherein the third response comprises a confirmation or denial of permission to access the first third-party application by the second user, and wherein the permission server is configured to generate the third response using the permission data stored therein; 
in response to the third response comprising a confirmation of permission to access the first third-party application by the second user, associate the second user with the first sign-on credentials; and 
automatically update the security policy data, based on the association of the first sign-on credentials with the second user, such that the security policy data comprises a third entry for the first deployment, the third entry comprising the identifier of the second user, the first sign-on credentials, and the first network address. 


the access management server is further configured to: 
determine, based on the parameter, whether the first sign-on credentials have been associated with the maximum number of users; and  
in response to a determination that the first sign-on credentials have been associated with the maximum number of users, prevent association of the first sign-on credentials with an additional user. 

7. (Original) The system of Claim 1, wherein the access management server is further configured to: 
receive the permission data from the permission server; 
determine, based on the permission data, whether the first user is still permitted access to the first third-party application; and 
responsive to a determination that the first user is no longer permitted access to the first third-party application, automatically remove the first entry from the security policy data. 

8. (Currently Amended) A method for securely managing security policy data used to provide users access to third-party applications without revealing credentials to the users, the method comprising: 


hosting an administration portal on the network, the administration portal comprising a user interface configured to be displayed on a device of an administrator; 
receiving, in response to input provided by the administrator in the user interface, a selection of a first deployment to configure, the first deployment corresponding to a first third-party application and a first network address for a first sign-on page of the first third-party application; 
receiving, in response to input provided by the administrator at the user interface, first sign-on credentials for the first deployment, wherein the first sign-on credentials provide access to the first third-party application via the first sign-on page; 
receiving, in response to input provided by the administrator in the user interface, a selection of a second deployment to configure, the second deployment corresponding to a second third-party application and a second network address for a second sign-on page of the second third-party application;  
receiving, in response to input provided at the user interface of the administration portal, second sign-on credentials for the second deployment, wherein the second sign-on credentials provide access to the second third-party application via the second sign-on page; 
in response to input provided at the user interface of the administration portal corresponding to an attempt to associate the first sign-on credentials with a first user, sending a first request to a permission server to confirm that the first user is permitted 
receiving, from the permission server, a first response to the first request, wherein the first response comprises a confirmation or denial of permission to access the first third-party application by the first user, and wherein the permission server is configured to generate the first response using the permission data stored therein; 
in response to the first response comprising a confirmation of permission to access the first third-party application by the first user, associating the first user with the first sign-on credentials; 
in response to input provided at the user interface of the administration portal corresponding to an attempt to associate the second sign-on credentials with a second user, sending a second request to the permission server to confirm that the second user is permitted access to the second third-party application; 
receiving, from the permission server, a second response to the second request, wherein the second response comprises a confirmation or denial of permission to access the second third-party application by the second user, and wherein the permission server is configured to generate the second response using the permission data stored therein; 
in response to the second response comprising a confirmation of permission to access the second third-party application by the second user, associating the second user with the second sign-on credentials; and  
sign-on credentials with the first user and the association of the second sign-on credentials with the second user, such that the stored security policy data comprises: 
a first entry for the first deployment, the first entry comprising an identifier of the first user, the first sign-on credentials, and the first network address; and 
a second entry for the second deployment, the second entry comprising an identifier of the second user, the second sign-on credentials, and the second network address. 

9. (Original) The method of Claim 8, wherein the first sign-on credentials comprise a first password and a first username for accessing the first third-party application and the second sign-on credentials comprise a second password and a second username for accessing the second third-party application. 

10. (Currently Amended) The method of Claim 8, further comprising storing one or both of the first sign-on credentials and the second sign-on credentials in an encrypted format.  

11. (Currently Amended) The method of Claim 8, further comprising: 
in response to input provided at the user interface of the administration portal corresponding to an attempt to associate the first sign-on credentials with the second user, sending a third request to the permission server to confirm that the second user is permitted access to the first third-party application; 

in response to the third response comprising a confirmation of permission to access the first third-party application by the second user, associating the second user with the first sign-on credentials; and 
automatically updating the security policy data, based on the association of the first sign-on credentials with the second user, such that the security policy data comprises a third entry for the first deployment, the third entry comprising the identifier of the second user, the first sign-on credentials, and the first network address. 

12. (Original) The method of Claim 8, wherein the first sign-on credentials are associated with a parameter corresponding to a maximum number of users of the first sign-on credentials; and the method further comprising: 
determining, based on the parameter, whether the first sign-on credentials have been associated with the maximum number of users; and  
in response to a determination that the first sign-on credentials have been associated with the maximum number of users, preventing association of the first sign-on credentials with an additional user. 

13. (Original) The method of Claim 8, further comprising:  
receiving the permission data from the permission server; 

responsive to a determination that the first user is no longer permitted access to the first third-party application, automatically removing the first entry from the security policy data. 

14. (Currently Amended) A device for securely managing security policy data used to provide users access to third-party applications without revealing credentials to the users, the device comprising: 
a memory configured to store security policy data, the security policy data comprising, for each user, a list of third-party applications to which the user may request access and the corresponding sign-on credentials for accessing each of the third-party applications; and 
a hardware processor communicatively coupled to the memory and a network, the processor configured to:  
host an administration portal on the network, the administration portal comprising a user interface configured to be displayed on a device of an administrator; 
receive, in response to input provided by the administrator in the user interface, a selection of a first deployment to configure, the first deployment corresponding to a first third-party application and a first network address for a first sign-on page of the first third-party application; 

receive, in response to input provided by the administrator in the user interface, a selection of a second deployment to configure, the second deployment corresponding to a second third-party application and a second network address for a second sign-on page of the second third-party application;  
receive, in response to input provided at the user interface of the administration portal, second sign-on credentials for the second deployment, wherein the second sign-on credentials provide access to the second third-party application via the second sign-on page; 
in response to input provided at the user interface of the administration portal corresponding to an attempt to associate the first sign-on credentials with a first user, send a first request to a permission server to confirm that the first user is permitted access to the first third-party application, wherein the permission server is configured to store permission data comprising a list of third-party applications to which the users are currently permitted access; 
receive a first response to the first request from the permission server, wherein the first response comprises a confirmation or denial of permission to access the first third-party application by the first user, and wherein the 
in response to the first response comprising a confirmation of permission to access the first third-party application by the first user, associate the first user with the first sign-on credentials; 
in response to input provided at the user interface of the administration portal corresponding to an attempt to associate the second sign-on credentials with a second user, send a second request to the permission server to confirm that the second user is permitted access to the second third-party application; 
receive a second response to the second request from the permission server, wherein the second response comprises a confirmation or denial of permission to access the second third-party application by the second user, and wherein the permission server is configured to generate the second response using the permission data stored therein; 
in response to the second response comprising a confirmation of permission to access the second third-party application by the second user, associate the second user with the second sign-on credentials; and  
automatically update the security policy data, based on the association of the first sign-on credentials with the first user and the association of the second sign-on credentials with the second user, such that the security policy data stored in the access management server comprises: 

a second entry for the second deployment, the second entry comprising an identifier of the second user, the second sign-on credentials, and the second network address. 

15. (Original) The device of Claim 14, wherein the first sign-on credentials comprise a first password and a first username for accessing the first third-party application and the second sign-on credentials comprise a second password and a second username for accessing the second third-party application. 

16. (Currently Amended) The device of Claim 14, wherein the processor is further configured to store one or both of the first sign-on credentials and the second sign-on credentials in an encrypted format. 

17. (Currently Amended) The device of Claim 14, wherein the processor and the memory are implemented as a virtual server hosted on the network.  

18. (Currently Amended) The device of Claim 14, wherein the processor is further configured to: 
in response to input provided at the user interface of the administration portal corresponding to an attempt to associate the first sign-on credentials with the second 
receive a third response to the third request from the permission server, wherein the third response comprises a confirmation or denial of permission to access the first third-party application by the second user, and wherein the permission server is configured to generate the third response using the permission data stored therein; 
in response to the third response comprising a confirmation of permission to access the first third-party application by the second user, associate the second user with the first sign-on credentials; and 
automatically update the security policy data, based on the association of the first sign-on credentials with the second user, such that the security policy data comprises a third entry for the first deployment, the third entry comprising the identifier of the second user, the first sign-on credentials, and the first network address. 

19. (Original) The device of Claim 14, wherein the first sign-on credentials are associated with a parameter corresponding to a maximum number of users of the first sign-on credentials; and 
the processor is further configured to: 
determine, based on the parameter, whether the first sign-on credentials have been associated with the maximum number of users; and  
in response to a determination that the first sign-on credentials have been associated with the maximum number of users, prevent association of the first sign-on credentials with an additional user. 

20. (Original) The device of Claim 14, wherein the processor is further configured to:  
receive the permission data from the permission server; 
determine, based on the permission data, whether the first user is still permitted access to the first third-party application; and 
responsive to a determination that the first user is no longer permitted access to the first third-party application, automatically remove the first entry from the security policy data.
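The following Python model is an added illustration of the flow the claims describe; it is not part of the office action and not the applicant's code. It shows an administrator configuring deployments (application, sign-on page address, credentials), an association that is only recorded after the permission server confirms the user is permitted access (claims 1, 5), the maximum-user parameter that blocks further associations (claims 6, 12, 19), the automatic removal of an entry once permission is revoked (claims 7, 13, 20), and a sign-on step that uses the stored credentials on the user's behalf without returning them. All class, method and host names are hypothetical, the sample permissions and deployments are constructed, and the sign-on step only simulates the request to the sign-on page.

```python
"""Illustrative model of the claimed access-management flow (hypothetical names throughout)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import secrets


@dataclass
class Deployment:
    """A configured third-party application: name, sign-on page address, shared credentials."""
    app: str
    sign_on_url: str
    credentials: Tuple[str, str]        # (username, password); never handed to end users
    max_users: Optional[int] = None     # parameter of claims 6/12/19; None means no cap


@dataclass
class PolicyEntry:
    """One entry of the security policy data: user identifier, credentials, network address."""
    user_id: str
    deployment_key: str
    credentials: Tuple[str, str]
    sign_on_url: str


class PermissionServer:
    """Holds, per user, the third-party applications the user is currently permitted to use."""

    def __init__(self, permissions: Dict[str, Set[str]]):
        self._permissions = {u: set(apps) for u, apps in permissions.items()}

    def is_permitted(self, user_id: str, app: str) -> bool:
        return app in self._permissions.get(user_id, set())

    def revoke(self, user_id: str, app: str) -> None:
        self._permissions.get(user_id, set()).discard(app)

    def permission_data(self) -> Dict[str, Set[str]]:
        return {u: set(apps) for u, apps in self._permissions.items()}


class AccessManagementServer:
    """Stores deployments and security policy data; asks the permission server before associating."""

    def __init__(self, permission_server: PermissionServer):
        self.permission_server = permission_server
        self.deployments: Dict[str, Deployment] = {}
        self.policy: List[PolicyEntry] = []

    def configure_deployment(self, key: str, app: str, sign_on_url: str,
                             username: str, password: str, max_users: Optional[int] = None) -> None:
        self.deployments[key] = Deployment(app, sign_on_url, (username, password), max_users)

    def associate(self, user_id: str, deployment_key: str) -> bool:
        """Administrator attempts to associate a user with a deployment's credentials."""
        dep = self.deployments[deployment_key]
        current = [e for e in self.policy if e.deployment_key == deployment_key]
        if any(e.user_id == user_id for e in current):
            return True                                   # already associated
        # Maximum-user parameter: refuse once the credentials reached their cap.
        if dep.max_users is not None and len(current) >= dep.max_users:
            return False
        # Confirm with the permission server; a denial leaves the policy unchanged.
        if not self.permission_server.is_permitted(user_id, dep.app):
            return False
        self.policy.append(PolicyEntry(user_id, deployment_key, dep.credentials, dep.sign_on_url))
        return True

    def sync_with_permission_server(self) -> List[str]:
        """Pull the permission data and drop entries whose permission no longer exists."""
        perms = self.permission_server.permission_data()
        removed, kept = [], []
        for entry in self.policy:
            app = self.deployments[entry.deployment_key].app
            (kept if app in perms.get(entry.user_id, set()) else removed).append(entry)
        self.policy = kept
        return [e.user_id for e in removed]

    def sign_on(self, user_id: str, deployment_key: str) -> Optional[dict]:
        """Sign the user on with the stored credentials; the credentials are not returned."""
        for entry in self.policy:
            if entry.user_id == user_id and entry.deployment_key == deployment_key:
                # A real server would submit entry.credentials to entry.sign_on_url and pass
                # only the resulting session on to the user; here the session is simulated.
                return {"user": user_id, "sign_on_url": entry.sign_on_url,
                        "session": secrets.token_hex(8)}
        return None


if __name__ == "__main__":
    # Constructed sample data: two users permitted on a CRM, one of them also on an HR tool.
    ps = PermissionServer({"alice": {"crm", "hr"}, "carol": {"crm"}, "dave": {"crm"}})
    ams = AccessManagementServer(ps)
    ams.configure_deployment("crm-prod", "crm", "https://crm.example.test/login", "svc-crm", "pw1", max_users=2)
    print(ams.associate("alice", "crm-prod"), ams.associate("carol", "crm-prod"), ams.associate("dave", "crm-prod"))
    ps.revoke("alice", "crm")
    print(ams.sync_with_permission_server(), ams.sign_on("alice", "crm-prod"))
```

The design point the claims turn on is visible in `associate`: the policy entry is created only after the permission server's confirmation, so the security policy data can never contain a credential for a user the permission data does not authorise, and `sync_with_permission_server` keeps that invariant when permissions are later withdrawn.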

REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance: The primary reason for the allowance of the claims is the inclusion of the limitation, inter alia, “store security policy data, the security policy data comprising, for each user, a list of third-party applications to which the user may request access and the corresponding sign-on credentials for accessing each of the third-party applications; host an administration portal on the network, the administration portal comprising a user interface configured to be displayed on a device of an administrator; receive, in response to input provided by the administrator in the user interface, a selection of a first deployment to configure, the first deployment corresponding to a first third-party application and a first network address for a first sign-on page of the first third-party application; receive, in response to input provided by the administrator at the user interface, first sign-on credentials for the first deployment, wherein the first sign-on credentials provide access to the first third-party application via the first sign-on page; receive, in response to input provided by the 
The following is considered to be the closest prior art of record:
Bones (US 7260838) – teaches an administrator specifying a security policy in a single sign-on system to control when user passwords can be changed and what the content of the changed target password should be in relation to the original password.
He (US 5944824) – teaches that the user selected password must comply with a requirement that is set up by the administrator.
Henderson (US 2010/0218233) – teaches the administrator setting up a password policy.
Allababidi (US 9558341) – teaches an administrator resetting a password for an application type.
Liu (US 2010/0154046) – teaches a single sign-on methodology across web sites to give the user single sign-on access using a Service Provider and Identity Provider.
Winner (US 2016/0065541) – teaches a single sign-on database that stores user credentials and permissions for third-party applications.
Belapurkar (US 2003/0070069) – teaches storing user credentials for third-party applications.
Anderson (US 2008/0263629) – teaches an administrator interface in a single sign-on system.
Chaplik (US 2014/0130136) – teaches an administrator portal.
Doshi (US 9338007) – teaches sending data to a third-party application at a specific network address.
However, the concept of an administrator selecting user credentials for a plurality of users and third-party applications using a permission server and access management server as claimed cannot be found in the prior art of record.
None of the prior art of record, either taken by itself or in any combination, would have reasonably anticipated or made obvious the invention of the present application at or before the time it was effectively filed. The concepts and features, as claimed, are considered to be a non-obvious combination of limitations not taught in the prior art. Therefore, claims 1-20 are considered to be allowable.
According to MPEP 1302.14 (I): “In most cases, the examiner’s actions and the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule. This is particularly true when applicant fully complies with 37 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 5712728878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/John B King/
Primary Examiner, Art Unit 2498