DETAILED ACTION
 	This Office Action is in response to the amendment filed on 07/26/2021 in which Claims 1, 3-9, and 11-16 are amended, claims 17-20 are canceled, and claims 21-24 are added. Claims 1-16 and 21-40 are presented for examination on the merits. Claims 1-16 and 21-40, including new claims 25-40, now re-numbered as claims 1-36, are pending.
Information Disclosure Statement
 	The information disclosure statement (IDS) submitted on 07/14/2021 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.
Terminal Disclaimer
The terminal disclaimer filed on 08/09/2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of Application No. 16876163 (Patent No. US 10855671 B2) and Application No. 14/954,989 (Patent No. US 10757090 B2) has been reviewed and is accepted. The terminal disclaimer has been recorded.
Notice of Pre-AIA or AIA Status
 	The present application is being examined under the first inventor to file provisions of the AIA.
	Response to Arguments
1.	In view of the claim amendments filed on 07/26/2021, applicant’s arguments in pages 10-13 of the REMARKS with respect to the rejection under 35 U.S.C § 103(a) have been considered. In view of the aforesaid amendments and upon further 
					Amendment to the Claims
2.	CLAIMS:
	Please update the claims as follows:

25.	(New) One or more non-transitory computer-readable storage media, storing one or more sequences of instructions, which when executed by one or more processors cause performance of:
receiving, by a proxy server, a single-sign-on request from a user device for user access to an application program, the user device directed by an application server to a cloud network location of the proxy server, the proxy server configured to authenticate computer security validation requests for the application program, the single-sign-on request identifying a user; 
directing, by the proxy server, the user device to an identity provider by sending the user device a network location of the identity provider, the identity provider configured to authenticate computer security validation requests for the proxy server, the user device communicates directly with the identity provider using the network location of the identity provider, the identity provider redirects the user device to the cloud network location of the proxy server with a single-sign-on validation after authenticating the user; 
receiving, at the proxy server, the single-sign-on validation from the user device; 
creating, by the proxy server, a valid identification assertion; 
directing, by the proxy server, the user device to a cloud network location of an application proxy server with a valid identification assertion, the user device thereafter communicates with the application program via a URL rewritten to go through the application proxy server, 
26.	(New) The one or more non-transitory computer-readable storage media as recited in Claim 25, further comprising:
receiving, by the application proxy server, a request for the application program from the user device;
forwarding, by the application proxy server, the request to the application program.

27.	(New) The one or more non-transitory computer-readable storage media as recited in Claim 25, further comprising:
receiving, by the application proxy server, a request for the application program from the user device;
forwarding, by the application proxy server, the request to the application program;
receiving, by the application proxy server, a response from the application program;
forwarding, by the application proxy server, the response to the user device.
28.	(New) The one or more non-transitory computer-readable storage media as recited in Claim 25, further comprising:
	logging, by the proxy server, network requests from user devices to application programs;
creating a report relating to resource accesses based on the logged network requests.
29.	(New) A system, comprising:
one or more processors; and
a memory storing instructions, which when executed by the one or more processors, cause the one or more processors to perform:
receiving, by a proxy server, a single-sign-on request from a user device for user access 
directing, by the proxy server, the user device to an identity provider by sending the user device a network location of the identity provider, the identity provider configured to authenticate computer security validation requests for the proxy server, the user device communicates directly with the identity provider using the network location of the identity provider, the identity provider redirects the user device to the cloud network location of the proxy server with a single-sign-on validation after authenticating the user; 
receiving, at the proxy server, the single-sign-on validation from the user device; 
creating, by the proxy server, a valid identification assertion; 
directing, by the proxy server, the user device to a cloud network location of an application proxy server with a valid identification assertion, the user device thereafter communicates with the application program via a URL rewritten to go through the application proxy server, the URL originally addressed to the application program, the application proxy server not co-located with the application server.
30.	(New) The system as recited in Claim 29, further comprising:
receiving, by the application proxy server, a request for the application program from the user device;
forwarding, by the application proxy server, the request to the application program.
31.	(New) The system as recited in Claim 29, further comprising:

forwarding, by the application proxy server, the request to the application program;
receiving, by the application proxy server, a response from the application program;
forwarding, by the application proxy server, the response to the user device.
32.	(New) The system as recited in Claim 29, further comprising:
	logging, by the proxy server, network requests from user devices to application programs;
creating a report relating to resource accesses based on the logged network requests.
33.	(New) A system, comprising:
one or more processors; and
a memory storing instructions, which when executed by the one or more processors, cause the one or more processors to perform:
receiving, by a proxy server, a single-sign-on request from a device for user access to an application program, the device directed by an application server to a cloud network location of the proxy server, the proxy server configured to authenticate computer security validation requests for the application program, the single-sign-on request identifying a user;
directing, by the proxy server, the device to an identity provider by sending the device a network location of the identity provider, the identity provider configured to authenticate computer security validation requests for the proxy server, the device communicates directly with the identity provider using the network location of the identity provider, the identity provider redirects the device to the cloud network location of the proxy server with a single-sign-on validation after authenticating the user; 
receiving, at the proxy server, the single-sign-on validation from the device; 

directing, by the proxy server, the device to the application server by sending the device a network location of the application server and the valid identification assertion, the device communicates directly with the application server using the network location of the application server and the valid identification assertion, the device thereafter communicates directly with the application server for subsequent accesses to the application program.
34.	(New) The system as recited in Claim 33, wherein the device is a user device.
35.	(New) The system as recited in Claim 33, wherein the device is a user device, and wherein the user device sends a request for access to the cloud-based application program to an application provider and receives the cloud network location of the proxy server from the application provider.
36.	(New) The system as recited in Claim 33, wherein the device is a user device, wherein the user device sends a request for access to the application program to an application provider and receives the cloud network location of the proxy server from the application provider, and wherein the user device sends the single-sign-on request to the proxy server using the cloud network location of the proxy server.
37.	(New) The system as recited in Claim 33, further comprising:
monitoring, by the proxy server, an operating status of the application server;
in response to the monitoring of the operating status of the application server detecting that the application server is no longer available, directing the device to an application provider by sending the device a cloud network location of the application provider to the device.
38.	(New) The system as recited in Claim 33, further comprising:
receiving, by the application server, a request for the application program from the device;
forwarding, by the application server, the request to the application program.

39.	(New) The system as recited in Claim 33, further comprising:
receiving, by the application server, a request for the application program from the device;
forwarding, by the application server, the request to the application program;
receiving, by the application server, a response from the application program;
forwarding, by the application server, the response to the device.
40.	(New) The system as recited in Claim 33, further comprising:
	logging, by the proxy server, network requests from devices to application programs;
creating a report relating to resource accesses based on the logged network requests.
 				Allowable Subject Matter
3.	  Claims 1-16 and 21-40 are allowed over prior art of record.
Reasons for Allowance
4. 	The following is an examiner’s statement of reasons for allowance:
  	Independent claims 1, 9, 21, 25, 29, and 33 are allowed and the corresponding dependent claims depend upon one of the above-mentioned allowed claims and are therefore allowed by virtue of their dependencies.
	Bhatia et al. (US 20070101440 A1, prior art on the record) discloses auditing of events or access of resources in a distributed system. In one embodiment, a method of auditing access of one or more resources by a client can comprise receiving from the client a request to access one or more of the resources. A sign-on identifier can be assigned to a user of the client requesting to access one or more of the resources. The sign-on identifier can be associated with a user identifier for the user of the client. The user identifier and sign-on identifier can be provided to one or more applications managing the one or more resources requested by the client. In some cases, providing 
 	Further, Bhatia et al. discloses a record of the access of the one or more resources requested by the client can be logged in a repository. The record can include the user identifier and the session identifier. In other cases, the record can further include a timestamp indicating a time said accessing the one or more resources is performed, an indication of a type of access requested to be performed on the one or more resources by the client, an indication of the one or more resources requested by the client, and/or an indication of a result of said accessing of the one or more resources requested by the client (Bhatia, Paragraph 0009).
 	Shipon (US 9367822 B2, prior art on the record) discloses a method which includes providing a plurality of information channels for communicating information to the service provider and the user and integrating the information channels to provide access to supervisory functionality for supervising the information channels of the plurality of information channels by way of a single portal. The method provides access to audio/visual functionality, to information record functionality, to diagnostic 
 	Although the cited references above are from the same or similar fields of endeavor, the Applicant’s invention is directed towards securing data on client devices external to corporate infrastructures. The subject matters of the independent claims 1, 9, 21, 25, 29, and 33 are not taught or fairly suggested by the prior art of record, specifically the limitations in claim 1 that recite: “.. the device communicates directly with the identity provider using the network location of the identity provider, the identity provider redirects the device to the cloud network location of the proxy server with a single-sign-on validation after authenticating the user; receiving, at the proxy server, the single-sign-on validation from the device; creating, by the proxy server, a valid identification assertion; directing, by the proxy server, the device to the application server by sending the device a network location of the application server and the valid identification assertion, the device communicates directly with the application server using the network location of the application server and the valid identification assertion, the device thereafter communicates directly with the application server for subsequent accesses to the application program..” in combination with the rest of the limitations recited in the independent claim 1.

 	The claimed subject matters are novel and non-obvious in scope over the prior art of record as the prior-art references fail to teach each and every feature of the independent claim(s) including the limitations set forth above.
 	In view of the foregoing, the scope of claimed subject matters renders the invention patentably distinct as none of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
 	Furthermore, the Examiner performed an updated search which does not yield other specific references that reasonably, either alone or in combination, would result in a proper rejection of all the claimed features presented in each of the independent claims 1, 9, 21, 25, 29, and 33 under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.
 	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
					Conclusion	
5.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHFUZUR RAHMAN whose telephone number is (571)270-7638.  The examiner can normally be reached on Monday thru Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-88788593.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAHFUZUR RAHMAN/Primary Examiner, Art Unit 2498