DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The amendment filed 12/20/2021 has been placed of record in the file.
No claims have been amended.
Claims 29 and 30 have been added.
Claims 1-30 are now pending.
The applicant’s arguments with respect to claims 1-30 have been fully considered but they are not persuasive as discussed below.

Claim Rejections - 35 USC § 112
7.	The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

8.	Claims 29 and 30 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.  The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had 

Claim Rejections - 35 USC § 103
9.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
10.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

11.	Claims 1-28 are rejected under 35 U.S.C. 103 as being unpatentable over Cha et al. (U.S. Patent Application Publication Number 2014/0230027), hereinafter referred to as Cha, in view of Novack et al. (U.S. Patent Application Publication Number 2011/0154452), hereinafter referred to as Novack, further in view of Marion et al. (U.S. Patent Application Publication Number 2006/0031683), hereinafter referred to as Marion.
Cha disclosed techniques for accessing services via SSO by utilizing local OpenID.  In an analogous art, Novack disclosed techniques for provisioning authenticators to users for access to services.  Also in an analogous art, Marion disclosed techniques for accessing services via SSO 
Regarding claim 1, Cha discloses a system for enabling user access to secure resources in conjunction with authentication of the user on a client device executing a remote application, the system comprising: a database of authentication data (paragraph 30, OPSF); a database of authorization information (paragraph 31, aggregation OP); a client device comprising: i. a network interface (paragraph 34, transmits and receives wireless signals); ii. a computer processor for executing software instructions of a remote application (paragraph 46, processor); iii. an authorization-request handler, executable by the computer processor, configured to: a. electronically receive a request to authenticate the user from the remote application, the remote application being an application other than a token programmer (paragraph 111, user browses to target OPSF page), b. prompt the user for authentication information in a manner consistent with the request (paragraph 111, page displayed in browsing agent), c. communicate with a hardware device in electronic communication with the client device to obtain the authentication information (paragraph 111, user submits login information), and d. cause the authentication information to be compared to authentication data in the database of authentication data to verify that the user is authorized to use the remote application (paragraph 114, target OPSF verifies assertion); and iv. a token-generation module, executable by the computer processor, configured to, only after the user is authorized to use the remote application, and before any attempt to access by the user, or any access of by the user, one or more secure resources other than the remote application: A. automatically electronically receive, from the database of authorization information, authorization information for the user related to one or more secure resources other than the remote application (paragraph 116, database finalization associated 
Cha does not explicitly state the token being (i) providable by the user to access the one or more secure resources other than the remote application, (ii) distinct from the authentication information obtained by the authorization-request handler, and (iii) not based on authentication information received from the user.  However, provisioning separate access tokens back to the user for later use in authentication was well known in the art as evidenced by Novack.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Cha by adding the ability for the token being (i) providable by the user to access the one or more secure resources other than the remote application, (ii) distinct from the authentication information obtained by the authorization-request handler, and (iii) not based on authentication information received from the user as provided by Novack (see paragraph 60, provisions one or more authenticators, and paragraph 61, authenticators are specific to referring organizations).  One of ordinary skill in the art would have recognized the benefit that utilizing authenticators in such a way would assist authenticating users by allowing them to enroll in a secure access system only once to obtain access to multiple resources (see Novack, paragraph 30).
The combination of Cha and Novack does not explicitly state the one or more secure resources being any secure resources other than the remote application.  However, generating 
Regarding claim 2, the combination of Cha, Novack, and Marion discloses a remote host for hosting the remote application and comparing the authentication information to the database of authentication data (Cha, paragraph 25, Relying Party).
Regarding claim 3, the combination of Cha, Novack, and Marion discloses an authorization server for comparing the authentication information to the database of authentication data, wherein the authorization server does not host the remote application (Cha, paragraph 30, OPSF reachable for the RP via internet).
Regarding claim 4, the combination of Cha, Novack, and Marion discloses wherein the token programmer is configured to program at least one of a smart card, RFID tag, or soft token (Cha, paragraph 61, smart card).
Regarding claim 5, the combination of Cha, Novack, and Marion discloses wherein the authorization information specifies physical access restrictions for the user (Cha, paragraph 61, physical access).
Regarding claim 6, the combination of Cha, Novack, and Marion discloses wherein the authorization information specifies electronic access restrictions for the user (Cha, paragraph 25, RP is application service provider of network).
Regarding claim 7, the combination of Cha, Novack, and Marion discloses an authorization server for managing the database of authorization information and returning user information therefrom in response to a request from the client (Cha, paragraph 31, aggregation OP).
Regarding claim 8, Cha discloses a method for authenticating a user of a client device executing a remote application, and, in conjunction therewith, enabling access for the user to secure resources, the method comprising: electronically receiving, from the remote application, with an authentication-request handler local to the client device, an HTTP or HTTPS request to authenticate the user, the remote application being an application other than a token programmer (paragraph 111, user browses to target OPSF page, and paragraph 145, HTTP(S)); prompting the user for authentication information (paragraph 111, page displayed in browsing agent); with the handler, communicating with a hardware device in electronic communication with the client device to obtain the authentication information (paragraph 111, user submits login information); verifying, using a computer processor and the authentication information, that the user is authorized to use the remote application (paragraph 114, target OPSF verifies assertion); and only after the user is authorized to use the remote application, and before any attempt to access by the user, or any access of by the user, one or more secure resources other than the remote application, (A) automatically receiving authorization information for the user related to one or more secure resources other than the remote application from a database of authorization information (paragraph 116, database finalization associated source OID with target OPSF), and 
Cha does not explicitly state the token being (i) providable by the user to access the one or more secure resources other than the remote application, (ii) distinct from the authentication information obtained by the authorization-request handler, and (iii) not based on authentication information received from the user.  However, provisioning separate access tokens back to the user for later use in authentication was well known in the art as evidenced by Novack.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Cha by adding the ability for the token being (i) providable by the user to access the one or more secure resources other than the remote application, (ii) distinct from the authentication information obtained by the authorization-request handler, and (iii) not based on authentication information received from the user as provided by Novack (see paragraph 60, provisions one or more authenticators, and paragraph 61, authenticators are specific to referring organizations).  One of ordinary skill in the art would have recognized the benefit that utilizing authenticators in such a way would assist authenticating users by allowing them to enroll in a secure access system only once to obtain access to multiple resources (see Novack, paragraph 30).
The combination of Cha and Novack does not explicitly state the one or more secure resources being any secure resources other than the remote application.  However, generating tokens in such a fashion was well known in the art as evidenced by Marion.  Since the inventions 
Regarding claim 9, the combination of Cha, Novack, and Marion discloses wherein the step of verifying is performed by the remote application (Cha, paragraph 25, Relying Party).
Regarding claim 10, the combination of Cha, Novack, and Marion discloses wherein the step of verifying is performed by an authorization server and further comprising electronically sending, to the remote application, an HTTP or HTTPS message confirming authentication of the user (Cha, paragraph 30, OPSF reachable for the RP via internet).
Regarding claim 11, the combination of Cha, Novack, and Marion discloses wherein the token is a smart card, RFID tag, or soft token (Cha, paragraph 61, smart card).
Regarding claim 12, the combination of Cha, Novack, and Marion discloses wherein the authorization information specifies physical access restrictions for the user (Cha, paragraph 61, physical access).
Regarding claim 13, the combination of Cha, Novack, and Marion discloses wherein the authorization information specifies electronic access restrictions for the user (Cha, paragraph 25, RP is application service provider of network).
Regarding claim 14, the combination of Cha, Novack, and Marion discloses wherein the token is providable by the user to access the one or more secure resources other than the remote application without use of the client device (Novack, paragraph 46, user logs into referring organization).
Regarding claim 15, the combination of Cha, Novack, and Marion discloses wherein the token-generation module is configured to cause the token generator to program the token for the user only after the user presents an unprogrammed or previously programmed token to the token generator (Novack, paragraph 42, hard token FOB device).
Regarding claim 16, the combination of Cha, Novack, and Marion discloses wherein the token-generation module is configured to cause the token generator to program the token for the user only after the user launches an application on a mobile device to wirelessly connect to the token generator for receipt of the token therefrom (Novack, paragraph 42, software loaded on mobile device).
Regarding claim 17, the combination of Cha, Novack, and Marion discloses wherein the mobile device is different from the client device (Novack, paragraph 42, software loaded on mobile device).
Regarding claim 18, the combination of Cha, Novack, and Marion discloses wherein the token-generation module is configured to cause the token generator to store the token on a mobile device of the user (Novack, paragraph 42, software loaded on mobile device).
Regarding claim 19, the combination of Cha, Novack, and Marion discloses wherein the mobile device is different from the client device (Novack, paragraph 42, software loaded on mobile device).
Regarding claim 20, the combination of Cha, Novack, and Marion discloses wherein the token is providable by the user to access the one or more secure resources other than the remote application only in conjunction with additional authentication information provided by the user (Novack, paragraph 48, more than one authenticator required).
Regarding claim 21, the combination of Cha, Novack, and Marion discloses wherein the additional authentication information comprises a password or biometric information (Novack, paragraph 40, password or biometrics).
Regarding claim 22, the combination of Cha, Novack, and Marion discloses wherein the token is a dedicated physical device configured to be carried by the user (Novack, paragraph 42, hard token FOB device).
Regarding claim 23, the combination of Cha, Novack, and Marion discloses further comprising a policy handler configured to, automatically, after the user is authorized to use the remote application and before any attempt to access and before any access by the user of any secure resources other than the remote application, determine the one or more secure resources for which the token programmer is caused to program the token (Cha, paragraph 119, store associations for Relying Parties).
Regarding claim 24, the combination of Cha, Novack, and Marion discloses wherein the policy handler is configured to implement (i) a rule base specifying the secure resources and privilege levels and permissions associated therewith, and (ii) a database associating the privilege levels associated with a plurality of users, the policy handler being configured to determine the one or more secure resources for which the token programmer is caused to program the token based at least on the rule base and the database (Cha, paragraphs 158-161, access to services governed by permission policies for UE).
Regarding claim 25, the combination of Cha, Novack, and Marion discloses further comprising, without any attempt to access and without any access of any secure resources other than the remote application by the user, and before the authorization information is received and before the token is programmed, automatically determining, with a policy handler, the one or more secure resources for which the token programmer is automatically caused to program the token (Cha, paragraph 119, store associations for Relying Parties).
Regarding claim 26, the combination of Cha, Novack, and Marion discloses wherein the policy handler is configured to implement (i) a rule base specifying the secure resources and privilege levels and permissions associated therewith, and (ii) a database associating the privilege levels associated with a plurality of users, the policy handler being configured to determine the one or more secure resources for which the token programmer is caused to program the token based at least on the rule base and the database (Cha, paragraphs 158-161, access to services governed by permission policies for UE).
Regarding claim 27, the combination of Cha, Novack, and Marion discloses wherein the token is not usable to access the remote application (Novack, paragraph 61, authenticators are specific to referring organizations).
Regarding claim 28, the combination of Cha, Novack, and Marion discloses wherein the token is not usable to access the remote application (Novack, paragraph 61, authenticators are specific to referring organizations).

Allowable Subject Matter
12.	Claims 29 and 30 are considered allowable over the prior art, yet remain rejected under 35 U.S.C. 112 as discussed above.

Response to Arguments
13.	In the remarks, the applicant has argued:
<Argument 1>
There is no motivation to combine the teachings of Marion with those of Cha and Novack.
14.	In response to argument 1, it is maintained that the combination of Cha, Novack, and Marion does disclose the features as recited in the independent claims and that there is sufficient motivation to combine the teachings of Marion with those of Cha and Novack.  Here the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, Marion explicitly recites motivation to combine the references.  As stated in the rejection, Marion recites the benefit of increasing the efficiency of a user’s access to multiple services.  Clearly, establishing a number of services that a user may or may not access in advance, and then presenting the user with allowed services, would increase the efficiency of the user’s access.  As such, one of ordinary skill in the art would have been motivated to modify the combination of Cha and Novack as described in the rejection.
15.	Further, when considering the rejection, it is noted that Cha has already been shown to teach programming of the token only after the user is authorized to use the remote application, one or more secure resources other than the remote application.  Marion has been added simply to show that the token may be programmed in this way relevant to any of these resources.
16.	To the applicant’s statements about the incompatibility of Marion’s teachings with Cha and Novack, it is noted that neither Cha nor Novack makes any explicit argument against the incorporation and use of previous knowledge of the services a user is allowed to access.  For example, because Cha’s system is used to access a target domain, this does not mean that relevant services could not also be otherwise determined.  The applicant’s assertion that “in order for Marion’s scheme to properly function in this framework, it would have to issue a token to Cha’s user that is usable at all possible work conference locations and domains” is not persuasive as it limits the teachings of the prior art to a narrow embodiment where one of ordinary skill in the art could use these teachings in multiple different ways.  When considering the ability to incorporate and use previous knowledge of the services a user is allowed to access, it is important to note that modifying access management functionality on the authorization side is a separate issue from user-initiated access.

Conclusion
17.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
18.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493