Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is in response to the communication filed on 4/30/2021.
Claims 1-3, 8-20 are allowed. 
Claims 4-7 are cancelled. 

Allowable Subject Matter
Claims 1-3, 8-20 are allowed. 

Information Disclosure Statement
The Information Disclosure Statement (IDS) submitted on 4/7/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the IDS has been considered by the Examiner.

Terminal Disclaimer
Examiner notes that the eTD filed on 7/20/2021 has been approved and acknowledged.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided 
Authorization for this examiner’s amendment was given in a telephone interview with the applicant’s representative, Mr. William James on 7/19/2021.  

LISTING OF THE CLAIMS

1. (Currently Amended)	A system, comprising:
a communication interface; and
a hardware processor coupled to the communication interface and configured to:
receive via the communication interface a request to authenticate a user to a service, wherein the request is received from a first device determined to be not connected through a virtual private network (VPN);
determine based at least in part on data comprising the request a user identity associated with the first device and a second device associated with the user identity, wherein the second device is registered to the VPN;
verify the first device including by:
instructing the second device to provide a context assurance input; and
receiving the context assurance input from an environment in which the second device is located; and
in response to verifying the first device, generate an identity assertion including by transforming the user identity to conform to a federated identity message expected by the service; and
provide the identity assertion via the communication interface to a requesting node with which the request to authenticate is associated;
wherein the second device comprises an enterprise-managed mobile device and the hardware processor is further configured to receive security posture information associated with a mobile device and to generate the identity assertion based at least in part on a determination that the security posture information associated with the mobile device indicates the mobile device is in a secure state.
2. (Original)	The system of claim 1, wherein the request to authenticate is associated with a redirection by the service to an identity provider associated with said system.
3. (Previously Presented)	The system of claim 1, wherein the user identity is determined based at least in part on a credential associated with the VPN.
4. (Canceled)
5. (Canceled)
6. (Canceled)
7. (Canceled)
8. (Previously Presented)	The system of claim 1, wherein the processor is further configured to send a notification to the second device, and wherein an agent on the second device is configured to respond to the notification at least in part by prompting a user of the second device to provide an input.
9. (Original)	The system of claim 8, wherein the input comprises a credential.
10. (Previously Presented)	The system of claim 8, wherein the input comprises the context assurance input that includes receiving from an environment in which the first device is located a context assurance data and the second device is configured to send data associated with the context assurance data to the processor.
11. (Original)	The system of claim 10, wherein the context assurance input comprises one or more of a visual challenge that is displayed on a display of the first device and scanned using the second device; a Bluetooth or other near field emission of or communication from the first device to the second device; or other data displayed or otherwise provided as output by the first device and received by the second device via a direct path within a physical space within which both the first device and the second device are collocated.
12. (Previously Presented)	The system of claim 1, wherein the second device is associated with a second user having an approval authority with respect to the request, and
13. (Original)	The system of claim 3, wherein the credential comprises a certificate.
14. (Original)	The system of claim 13, wherein the certificate includes a user attribute data associated with the service.
15. (Original)	The system of claim 14, wherein generating the identity assertion includes reading said user attribute data from the certificate and using at least a portion of said user attribute data read from the certificate to populate a data value of the identity assertion.
16. (Original)	The system of claim 15, wherein the processor is further configured to obtain from an enterprise user directory additional user attributes to be included in the identity assertion.
17. (Currently Amended)	A method, comprising:
receiving a request to authenticate a user to a service, wherein the request is received from a first device determined to be not connected through a virtual private network (VPN);
determining based at least in part on data comprising the request a user identity associated with the first device and a second device associated with the user identity, wherein the second device is registered to the VPN;
verifying the first device
instructing the second device to provide a context assurance input; and
receiving the context assurance input from an environment in which the second device is located; and
in response to verifying the first device, generating an identity assertion including by transforming the user identity to conform to a federated identity message expected by the service; and
providing the identity assertion to a requesting node with which the request to authenticate is associated;
wherein the second device comprises an enterprise-managed mobile device and the hardware processor is further configured to receive security posture information associated with a mobile device and to generate the identity assertion based at least in part on a determination that the security posture information associated with the mobile device indicates the mobile device is in a secure state.
18. (Previously Presented)	The method of claim 17, wherein the user identity is determined based at least in part on a credential associated with the VPN.
19. (Currently Amended)	A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for:
receiving a request to authenticate a user to a service, wherein the request is received from a first device determined to be not connected through a virtual private network (VPN);
determining based at least in part on data comprising the request a user identity associated with the first device and a second device associated with the user identity, wherein the second device is registered to the VPN;
verifying the first device including by:
instructing the second device to provide a context assurance input; and
receiving the context assurance input from an environment in which the second device is located; and
in response to verifying the first device, generating an identity assertion including by transforming the user identity to conform to a federated identity message expected by the service; and
providing the identity assertion to a requesting node with which the request to authenticate is associated;
wherein the second device comprises an enterprise-managed mobile device and the hardware processor is further configured to receive security posture information associated with a mobile device and to generate the identity assertion based at least in part on a determination that the security posture information associated with the mobile device indicates the mobile device is in a secure state.
20. (Previously Presented)	The computer program product of claim 19, wherein the user identity is determined based at least in part on a credential associated with the VPN.
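The independent claims above describe one authentication flow: an identity provider receives a request from a first device that is not on the VPN, resolves the user and that user's VPN-registered second device, verifies the first device through a context assurance input captured by the second device, gates on the second device's security posture, and only then issues a federated assertion to the service. The following Python model is an added illustration of that flow and is not code from the office action, the applicant, or any product; every name in it (the sample users, devices, `SESSIONS`, `VPN_CONNECTED`, the `idp.example.test` issuer) is constructed, and an HMAC-signed JSON object stands in for a SAML or OIDC assertion.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Constructed demo key and challenge lifetime (an IdP would use a managed
# signing key and a short, tunable challenge TTL).
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"
CHALLENGE_TTL = 60  # seconds a context-assurance challenge stays valid


@dataclass
class Device:
    device_id: str
    vpn_registered: bool = False      # enrolled with the VPN (the "second device")
    enterprise_managed: bool = False  # MDM-managed mobile device
    posture_secure: bool = False      # latest posture report from the MDM


@dataclass
class User:
    user_id: str
    second_device: Device   # VPN-registered device tied to this identity
    cert_attributes: dict   # user attribute data carried in the VPN certificate


@dataclass
class AuthRequest:
    service: str          # relying party the user wants to reach
    first_device_id: str  # device the request arrives from (off-VPN browser, laptop, ...)
    session_token: str    # data in the request that resolves to a user identity


# Constructed sample data: session token -> user, and the set of devices the
# VPN gateway currently reports as connected.
SESSIONS = {
    "sess-alice": User(
        "alice",
        Device("alice-phone", vpn_registered=True, enterprise_managed=True, posture_secure=True),
        {"email": "alice@example.test", "role": "engineer"},
    ),
}
VPN_CONNECTED = {"alice-phone"}
_pending_challenges: dict = {}  # first_device_id -> (code, issued_at)


class AuthError(Exception):
    pass


def determine_identity(req: AuthRequest) -> User:
    """Resolve the user identity and the VPN-registered second device from request data."""
    if req.first_device_id in VPN_CONNECTED:
        raise AuthError("first device is on the VPN; this flow is for off-VPN devices")
    user = SESSIONS.get(req.session_token)
    if user is None or not user.second_device.vpn_registered:
        raise AuthError("no user identity with a VPN-registered second device")
    return user


def issue_context_challenge(first_device_id: str) -> str:
    """Create the visual challenge the first device displays (e.g. as a QR code)."""
    code = secrets.token_urlsafe(16)
    _pending_challenges[first_device_id] = (code, time.time())
    return code


def verify_context_input(first_device_id: str, scanned_code: str) -> bool:
    """Check the code the second device captured from the first device's environment.
    Each challenge is single use and expires after CHALLENGE_TTL seconds."""
    entry = _pending_challenges.pop(first_device_id, None)
    if entry is None:
        return False
    code, issued_at = entry
    if time.time() - issued_at > CHALLENGE_TTL:
        return False
    return hmac.compare_digest(code, scanned_code)


def posture_is_secure(device: Device) -> bool:
    """Security posture gate for the enterprise-managed second device."""
    return device.enterprise_managed and device.posture_secure


def generate_assertion(user: User, service: str) -> dict:
    """Transform the user identity into the federated message the service expects.
    Assumption: an HMAC-signed JSON object stands in for a SAML/OIDC assertion."""
    body = {
        "issuer": "idp.example.test",
        "subject": user.user_id,
        "audience": service,
        "attributes": dict(user.cert_attributes),  # populated from certificate data
        "issued_at": int(time.time()),
    }
    payload = json.dumps(body, sort_keys=True).encode()
    body["signature"] = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return body


def authenticate(req: AuthRequest, scan_with_second_device) -> dict:
    """Full flow: identity -> posture gate -> context assurance -> assertion.
    scan_with_second_device(code) models the second device capturing what the
    first device displays; it only returns the right code when both are collocated."""
    user = determine_identity(req)
    if not posture_is_secure(user.second_device):
        raise AuthError("second device not in a secure state")
    code = issue_context_challenge(req.first_device_id)  # shown on the first device
    scanned = scan_with_second_device(code)               # captured by the second device
    if not verify_context_input(req.first_device_id, scanned):
        raise AuthError("context assurance input did not verify")
    return generate_assertion(user, req.service)
```

The order of the gates matters for a defender: the posture check is evaluated before any challenge is issued, so an unmanaged or compromised second device never receives a challenge, and the challenge itself is single use and time-bounded so a captured code cannot be replayed later.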



REASONS FOR ALLOWANCE
The reason for allowance for applicant’s proposed amended claim(s) is as follows:
Claims 1, 17 and 19 - ‘receive via the communication interface a request to authenticate a user to a service, wherein the request is received from a first device determined to be not connected through a virtual private network (VPN);
determine based at least in part on data comprising the request a user identity associated with the first device and a second device associated with the user identity, wherein the second device is registered to the VPN;
verify the first device including by:
instructing the second device to provide a context assurance input; and
receiving the context assurance input from an environment in which the second device is located; and
in response to verifying the first device, generate an identity assertion including by transforming the user identity to conform to a federated identity message expected by the service; and
provide the identity assertion via the communication interface to a requesting node with which the request to authenticate is associated;
wherein the second device comprises an enterprise-managed mobile device and the hardware processor is further configured to receive security posture information associated with a mobile device and to generate the identity assertion based at least in part on a determination that the security posture information associated with the mobile device indicates the mobile device is in a secure state’.

Therefore, the amended claims are persuasive as an indication of allowable subject matter: none of the prior art of record, alone or in combination, teaches or suggests applicant’s claim limitations as described above, and an updated search did not reveal art that teaches or fairly suggests the claimed limitation(s).

Prior Art of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Maheshwari et al US Patent 9,692,748 discloses secure access to enterprise system with configuration and connection by remote device. 
Mohamad Abdul et al US Patent 9,535,675 discloses enrolling services for devices associated with user for authentication and enrollment of user devices within secure enterprise system.  
Ford et al US Patent 9,613,190 discloses automatic dependent surveillance broadcast architecture with aircraft and traffic information via secure telemetry communication. 
Verzin et al US Patent 9,998,434 discloses secure DRM (digital rights management) with secure access to protected content in secure computer / devices based on entity access rights. 
Vetter et al US Patent 9,819,593 discloses secure enrolling of mobile device in enterprise system with access rights and limited functions.
Dufour et al US Patent 10,019,532 discloses automatic messaging via webpage with automatic merger and message identifier for secure enrollment of device with enterprise system. 
The prior art of record does not explicitly disclose the limitations quoted above, in light of the other features recited in the independent claims, as described in the Reasons for Allowance section.




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIRAL S LAKHIA whose telephone number is (571)270-3363. The examiner can normally be reached from 8 am to 6 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VIRAL S LAKHIA/Examiner, Art Unit 2431
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431