DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

                                     EXAMINER’S AMENDMENT

Authorization for the Examiner's Amendment was given in an interview with the Applicant's representative, Kanchan Sripathy (Reg. No. 65,741), on November 5, 2021.

Claims 1, 3, 5, 8, 10, 12, 17, and 19 have been amended by the Applicant, claims 2, 4, 11, 13, 18, and 20 have been canceled by the Applicant, and claims 21-26 have been newly added.
The Examiner's amendment is as follows:

Claims
1. (Currently Amended) A method comprising: 
receiving, by a computer system, a request from a client application, the request requesting access by a user to a protected resource, the request comprising a client application identifier identifying the client application, a client public encryption key and a session identifier; 
determining, by the computer system, based on information stored in a data store, that the client application identifier is associated with the session identifier identifying a valid session for the user; 
based on the determining, obtaining, by the computer system, an encrypted session identifier stored in the data store and associated with the client application identifier, wherein the encrypted session identifier is generated by encrypting the session identifier using the client public encryption key; 
transmitting, by the computer system, the encrypted session identifier to the client application; 
responsive to the transmitting, receiving, by the computer system from the client application, a response from the client application, the response including information related to the valid session, the information related to the valid session including a second encrypted session identifier generated by the client application; 
determining, by the computer system, a second session identifier from the response received from the client application, wherein determining the second session identifier comprises decrypting, by the computer system, the second encrypted session identifier using a private encryption key generated by the computer system to generate a decrypted second session identifier; 
determining, by the computer system, that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store; 
upon determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store, enabling, by the computer system, the user to access the protected resource; and
upon determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store, denying, by the computer system, the user access to the protected resource. 

2. (Cancelled) 

3. (Currently Amended) The method of claim 1, wherein the second encrypted session identifier is generated by: 
decrypting the encrypted session identifier received from the computer system using a client private encryption key generated by the client application; and 
encrypting the decrypted session identifier using a public encryption key generated by the computer system to generate the second encrypted session identifier. 

4. (Cancelled) 

5. (Currently Amended) The method of claim [[3]] 1, further comprising: 
determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store; and
based upon the determining, denying, by the computer system, the user access to the protected resource. 

8. (Currently Amended) The method of claim 6, wherein establishing, by the computer system, the session for the user comprises: 
associating, by the computer system, a session identifier with the session; 
encrypting, by the computer system, the session identifier with the client public encryption key to generate the encrypted session identifier; and 
associating, by the computer system, the client application identifier to the session identifier, the encrypted session identifier and session data associated with the session.

10. (Currently Amended) A system comprising: 
a memory storing session data associated with a session; 
and one or more processors configured to perform processing, the processing comprising:  
receiving a request from a client application, the request requesting access by a user to a protected resource, the request comprising a client application identifier identifying the client application, a client public encryption key and a session identifier; 
determining, based on information stored in a data store, that the client application identifier is associated with the session identifier identifying a valid session for the user; 
based on the determining, obtaining an encrypted session identifier stored in the data store and associated with the client application identifier, wherein the encrypted session identifier is generated by encrypting the session identifier using the client public encryption key;   
transmitting the encrypted session identifier to the client application; 
responsive to the transmitting, receiving from the client application, a response from the client application, the response including information related to the valid session, the information related to the valid session including a second encrypted session identifier generated by the client application; 
determining a second session identifier from the response received from the client application, wherein determining the second session identifier comprises decrypting, by the computer system, the second encrypted session identifier using a private encryption key generated by the computer system to generate a decrypted second session identifier; 
determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store; 
upon determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store, enabling the user to access the protected resource; and 
upon determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store, denying the user access to the protected resource.

11. (Cancelled)

12. (Currently Amended) The system of claim 10, wherein the second encrypted session identifier is generated by: 
decrypting the encrypted session identifier received from the computer system using a client private encryption key generated by the client application; and 
encrypting the decrypted session identifier using a public encryption key generated by the computer system to generate the second encrypted session identifier. 

13. (Cancelled)

17. (Currently Amended) A non-transitory computer-readable medium having program code that is stored thereon, the program code executable by one or more processing devices for performing operations comprising: 
receiving a request from a client application, the request requesting access by a user to a protected resource, the request comprising a client application identifier identifying the client application, a client public encryption key and a session identifier; 
determining, based on information stored in a data store, that the client application identifier is associated with the session identifier identifying a valid session for the user; 
based on the determining, obtaining an encrypted session identifier stored in the data store and associated with the client application identifier, wherein the encrypted session identifier is generated by encrypting the session identifier using the client public encryption key; 
transmitting the encrypted session identifier to the client application;
responsive to the transmitting, receiving from the client application, a response from the client application, the response including information related to the valid session, the information related to the valid session including a second encrypted session identifier generated by the client application; 
determining a second session identifier from the response received from the client application, wherein determining the second session identifier comprises decrypting, by the computer system, the second encrypted session identifier using a private encryption key generated by the computer system to generate a decrypted second session identifier; 
determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store; 
upon determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store, enabling the user to access the protected resource; and 
upon determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store, denying the user access to the protected resource.

18. (Cancelled)

19. (Currently Amended) The non-transitory computer-readable medium of claim 17, wherein the second encrypted session identifier is generated by: 
decrypting the encrypted session identifier received from the computer system using a client private encryption key generated by the client application; and 
encrypting the decrypted session identifier using a public encryption key generated by the computer system to generate the second encrypted session identifier. 

20. (Cancelled) 

21. (New) The non-transitory computer-readable medium of claim 17, wherein the operations further comprise performing an authentication of the user to access the protected resource, the authentication performed in response to receiving an initial request from the client application prior to the request and based on determining that the session identifier for the client application identifier specified in the initial request is not valid. 

22. (New) The non-transitory computer-readable medium of claim 21, wherein the operations further comprise based upon successful authentication, establishing a session for the user and enabling the user to access the protected resource. 

23. (New) The non-transitory computer-readable medium of claim 21, wherein the operations further comprise: transmitting a credential information request to the client application; receiving credential information associated with the user from the client application; validating the credential information; and based on the validating, performing the authentication of the user.

24. (New) The non-transitory computer-readable medium of claim 21, wherein the operations further comprise: associating a session identifier with the session; encrypting the session identifier with the client public encryption key to generate the encrypted session identifier; and associating the client application identifier to the session identifier, the encrypted session identifier and session data associated with the session. 

25. (New) The non-transitory computer-readable medium of claim 24, wherein the operations further comprise storing the client application identifier, the session identifier, the encrypted session identifier and the session data associated with the session in the data store. 

26. (New) The non-transitory computer-readable medium of claim 21, wherein the operations further comprise determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store and based upon the determining, denying the user access to the protected resource.
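Claims 1, 10 and 17 recite one protocol in three statutory categories, and claims 3, 8 and 21-26 supply the client side and the session establishment. The following Python is an added illustration by the editor of this page, not part of the office action or the applicant's disclosure, and walks both sides of that exchange: establishment after authentication (claims 21-25), the server's look-up and return of the stored encrypted session identifier (claim 1, first steps), the client's decrypt-and-re-encrypt (claim 3), and the server's decrypt-and-compare that enables or denies access (claim 1, remaining steps). All names (RSAKey, AccessManager, ClientApplication, request_access, scenario) are the editor's. Textbook RSA over fixed Mersenne primes stands in for the claimed public and private encryption keys so that the example runs offline with the standard library alone; it is deliberately not a secure implementation.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

E = 65537  # RSA public exponent shared by every key pair below

@dataclass(frozen=True)
class RSAKey:
    """One half of a textbook-RSA key pair: (n, E) is public, (n, d) is private."""
    n: int
    exp: int

def make_keypair(p: int, q: int) -> Tuple[RSAKey, RSAKey]:
    """Toy key generation from two fixed primes: no padding, no prime generation, no security."""
    n, phi = p * q, (p - 1) * (q - 1)
    return RSAKey(n, E), RSAKey(n, pow(E, -1, phi))

def encrypt(pub: RSAKey, m: int) -> int:
    return pow(m, pub.exp, pub.n)  # m must be smaller than n

def decrypt(priv: RSAKey, c: int) -> int:
    return pow(c, priv.exp, priv.n)

def same_id(a: int, b: int) -> bool:
    """Constant-time comparison of two session identifiers via a fixed-width encoding."""
    return hmac.compare_digest(a.to_bytes(256, "big"), b.to_bytes(256, "big"))

@dataclass
class SessionRecord:
    session_id: int
    encrypted_session_id: int  # session_id under the client public key (claims 8 and 24)
    session_data: dict

class AccessManager:
    """The 'computer system' of the claims; session state lives in its data store, not in a cookie."""
    def __init__(self, p: int, q: int) -> None:
        self.pub, self._priv = make_keypair(p, q)
        self.store: Dict[str, SessionRecord] = {}
        self._users = {"alice": "correct horse battery staple"}  # constructed sample credential

    def authenticate_and_establish(self, client_id: str, client_pub: RSAKey,
                                   username: str, password: str) -> Optional[int]:
        """Claims 21-25: validate the credential, then create and store the session."""
        expected = self._users.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        session_id = secrets.randbits(128)
        self.store[client_id] = SessionRecord(
            session_id, encrypt(client_pub, session_id), {"user": username})
        return session_id

    def challenge(self, client_id: str, client_pub: RSAKey, session_id: int) -> Optional[int]:
        """Claim 1, first three steps: if the request names a valid session, return its stored ciphertext."""
        rec = self.store.get(client_id)
        if rec is None or not same_id(rec.session_id, session_id):
            return None  # no valid session: the client must authenticate first (claim 21)
        return rec.encrypted_session_id

    def verify(self, client_id: str, second_encrypted_session_id: int) -> bool:
        """Claim 1, remaining steps: decrypt with the server private key, compare, enable or deny."""
        rec = self.store.get(client_id)
        if rec is None:
            return False
        return same_id(decrypt(self._priv, second_encrypted_session_id), rec.session_id)

class ClientApplication:
    def __init__(self, client_id: str, p: int, q: int) -> None:
        self.client_id = client_id
        self.pub, self._priv = make_keypair(p, q)
        self.session_id: Optional[int] = None

    def respond(self, encrypted_session_id: int, server_pub: RSAKey) -> int:
        """Claim 3: decrypt with the client private key, re-encrypt under the server public key."""
        return encrypt(server_pub, decrypt(self._priv, encrypted_session_id))

def request_access(client: ClientApplication, server: AccessManager) -> bool:
    """One request for a protected resource; True means the server enabled access."""
    if client.session_id is None:
        return False
    challenge = server.challenge(client.client_id, client.pub, client.session_id)
    if challenge is None:
        return False
    return server.verify(client.client_id, client.respond(challenge, server.pub))

def scenario() -> Dict[str, bool]:
    """Walk the protocol through the cases the claims distinguish; Mersenne primes serve as toy keys."""
    server = AccessManager(2**107 - 1, 2**127 - 1)
    client = ClientApplication("mobile-app-1", 2**61 - 1, 2**89 - 1)
    results = {"before_login": request_access(client, server)}
    client.session_id = server.authenticate_and_establish(
        client.client_id, client.pub, "alice", "correct horse battery staple")
    results["after_login"] = request_access(client, server)
    # Impostor that captured client_id and session_id but holds a different private key
    impostor = ClientApplication(client.client_id, 2**19 - 1, 2**31 - 1)
    impostor.session_id = client.session_id
    results["impostor"] = request_access(impostor, server)
    del server.store[client.client_id]  # server ends the session; the identifier is now stale
    results["after_logout"] = request_access(client, server)
    return results
```

Calling scenario() yields True only for after_login: a request with no session, a request by a party that knows the client identifier and session identifier but not the client private key, and a request with a stale identifier are all denied, which is the match/mismatch branch the claims recite. The example implements exactly those steps and nothing more; the stored ciphertext the server returns is the same on every request, so freshness against replay of a captured response is not something these steps supply on their own, and a deployment would replace the unpadded RSA here with RSA-OAEP or a hybrid scheme from a vetted library.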


Examiner’s Statement of Reasons for Allowance

Claims 1, 3, 5-10, 12, 14-17, 19, and 21-26 are allowable.
The following is an Examiner’s statement of reasons for allowance:
Existing access management systems typically rely on cookies for maintaining a user's session by storing the user's session information as a cookie on the user's device. After successful user authentication, session state information associated with the user's session is encrypted and stored in a cookie on the user's device. When the user (e.g., via a client application) connects to the access management system to gain access to a resource protected by the access management system, the cookie information is exchanged with the access management system to verify the validity of the user's session. If the user's session is valid, the access management system provides the user with SSO access to the protected resource using session information stored in the cookie without re-authenticating the user. However, the use of cookies in client applications (e.g., web browsers) can pose security or privacy concerns for an enterprise, since the information stored by these cookies can be accessed by third-party applications visited by the user. In many instances, the enterprise may disable or block cookies on its client applications in response to such security or privacy considerations. However, this causes problems for web applications that require information about a user's session to provide the user access to protected resources within an enterprise. The present invention is directed to an access management system that includes SSO capabilities for providing users with secure access to protected resources within an enterprise using encryption keys generated by a client application.


Yin does not disclose or suggest, “determining, by the computer system, a second session identifier from the response received from the client application, wherein determining the second session identifier comprises decrypting, by the computer system, the second encrypted session identifier using a private encryption key generated by the computer system to generate a decrypted second session identifier; determining, by the computer system, that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store; upon determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store, enabling, by the computer system, the user to access the protected resource; and upon determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store, denying, by the computer system, the user access to the protected resource”.

Pryor does not disclose or suggest, “determining, by the computer system, a second session identifier from the response received from the client application, wherein determining the second session identifier comprises decrypting, by the computer system, the second encrypted session identifier using a private encryption key generated by the computer system to generate a decrypted second session identifier; determining, by the computer system, that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store; upon determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store, enabling, by the computer system, the user to access the protected resource; and upon determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store, denying, by the computer system, the user access to the protected resource”.
The non-patent literature of Thakur (Title: User Identity and Access Management Trends in IT Infrastructure-An Overview) teaches that web services are considered a potential technology in the field of the Internet which provides heterogeneous integration of devices and helps to create cross-layer communication. A web application requires a user name and password to log in to the web services, with the result that a user has to keep multiple user names and passwords to access multiple resources or call web services. Single sign-on (SSO) functionality can be easily integrated with an access management system, which helps to provide a strong authentication mechanism that enables a legitimate user to enter with a single credential and be authenticated by multiple service providers in a distributed computer network. SSO is a part of the access control system but acts as a separate part or mechanism. The SSO mechanism asks the user to log in once to the system and provides access to all the back-end systems. A Service Provider (SP) provides service to the users. The Identity Provider and Service Provider are connected with each other through a web-based employee benefits portal. In this arrangement, instead of each Service Provider organization maintaining duplicate user identity information, the Identity Provider keeps the user identity information. When a user wants to access any 
Thakur does not teach or suggest, “determining, by the computer system, a second session identifier from the response received from the client application, wherein determining the second session identifier comprises decrypting, by the computer system, the second encrypted session identifier using a private encryption key generated by the computer system to generate a decrypted second session identifier; determining, by the computer system, that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store; upon determining that the decrypted second session identifier matches the session identifier associated with the client application identifier stored in the data store, enabling, by the computer system, the user to access the protected resource; and upon determining that the decrypted second session identifier does not match the session identifier associated with the client application identifier stored in the data store, denying, by the computer system, the user access to the protected resource”.
Therefore the claims are allowable over the cited prior art.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791. The examiner can normally be reached M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






11/5/2021
AU 2439
/JJ/


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439