DETAILED ACTION

1.	This Office Action is in response to an application filed on Apr. 22, 2020. The original filing includes claims 1-20. Therefore, Claims 1-20 are presented for examination. Now claims 1-20 are pending.

Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Drawings
3.	The drawings filed on Apr. 22, 2020 are accepted.

Priority
4.	Applicant's claim for the benefit of a prior-filed provisional application 62/983,210 filed on
Feb. 28, 2020 under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, or 365(c) is acknowledged.
 
Oath/Declaration
5.	For the record, the Examiner acknowledges that the Oaths/Declarations submitted on Apr. 22, 2020 have been accepted.

Information Disclosure Statement
6.	No information disclosure statements (IDS) were submitted before the mailing date of a first Office Action on the merits. Accordingly, no information disclosure statements are being considered by the examiner. 

Claim Rejections - 35 USC § 103
7.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


9.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
10.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  .

11.	Claims 1-4, 6-10, and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Peterson et al. U.S. 2018/0115547 hereinafter “Peterson” Published Apr. 26, 2018 in view of Konda et al. US 2020/0304459 hereinafter “Konda” Filed May 06, 2019. 

Regarding claim 1, Peterson teaches: A method for an identity provider (IdP) service to interoperate with a Virtual Private Network (VPN) client (Peterson, see abstract), comprising: 
by the IdP service, receiving a login request originating from the VPN client to establish a VPN tunnel between the VPN client and a VPN host, the login request indicating a user of the VPN client (Peterson, see FIG. 2 along with ¶¶ [0005 and 0018-0021], “Authentication requests from user agent 104 (or service provider 102) can be facilitated by VPN appliance 106 on the edge of secure network 114. By having the VPN appliance 106 facilitate these authentication requests, the identity provider(s) (e.g., first identity provider 108, and/or second identity provider 110) can be located within secure network 114 but still functionally accessible from Internet 112. Because VPN appliance 106 is facilitating these authentication requests, VPN appliance 106 can store a user's credentials during a first authentication and automatically apply them for future authentications. In other words, VPN appliance 106 can enable a single login experience so that a user does not have to repeatedly input their credentials”; “User credentials can include information that identifies a user account, a user, a group of users, a user classification, etc”); and 
by the IdP service, providing a response to the login request, the response including at least both (Peterson, see FIG. 2 items 222 and 248 along with ¶¶ [0024-0026 and 0034], “First identity provider 108 can then validate the user credentials (step 210). This can include comparing the user credentials with a database to determine if the user credentials match a user account on first identity : 
first information including an indication that the user of the VPN client is an authorized user (Peterson, see ¶¶ [0021 and 0024], “First identity provider 108 can determine if the set of permissions allow the type of VPN session that is requested. First identity provider 108 can send a response to VPN appliance 106 including an authorization token allowing user agent 104 to connect to VPN appliance 106”); and
 	Peterson teaches that the send authentication form from second identity once the user
authentication that includes token is completed wherein the form is filled by the VPN appliance
and then the client will be validated by the second identity provider that is included in client VPN during VPN tunnel (see FIG. 2 and related texts along with ¶ [0034]) but there is no indication of VPN policy during the exchange
	However Konda teaches VPN policy that is utilized (Konda, see ¶ [0055], “a privacy protection policy can include any suitable privacy protection policy information, such as a padding policy (determines the length of padding that needs to be added) (e.g., block length padding, full/maximum length padding, random length padding, random block length padding, etc.) to induce stable traffic patterns, a traffic flow continuity policy (which indicates the interval and frequency in which dummy packets (packets with all padding characters) need to be sent from the VPN clients to ensure evenly spread traffic flow patterns), an encryption policy and/or tunneling policy”)
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Peterson with the teaching 

Regarding claim 2, the combination of Peterson and Konda teach all the limitations of claim 1. Konda further teaches: the VPN client policy comprises at least a split tunneling policy (Konda, see ¶ [0056], then see ¶ [0536], “as part of deploying the policy, a split tunnel can be created, and traffic exchanged with the loT device can be forwarded through the tunnel”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Peterson with the teaching of Konda because the use of Konda’s idea (Konda, see abstract) could provide Peterson (Peterson, abstract) the ability to perform privacy protection policy by including policy protection through the client VPN during the exchange to protect vulnerabilities, “a privacy protection policy can include any suitable privacy protection policy information … need to be sent from the VPN clients to ensure evenly spread traffic flow patterns), an encryption policy and/or tunneling policy (which indicates the routing configuration that needs to be deployed to forward the traffic exchanged … to protect vulnerable IoT devices, a user policy (which can allow a user to add exceptions for specific devices or override the standard privacy protection policy in place for the 

Regarding claim 3, the combination of Peterson and Konda teach all the limitations of claim 1. Peterson further teaches: by the IdP service, providing an indication of the user to a policy manager service (Peterson teaches VPN appliance on an edge of a secure network that manage the network request by client device that can send synthetic service authentication request to identity provider in the secure network, see ¶ [0010], “edge protection for internal identity providers. The method includes receiving a service authentication request at a virtual private networking (VPN) appliance on an edge of a secure network. A client device external to the secure network can send the service authentication request. The VPN appliance can then send a synthetic service authentication request to an identity provider in the secure network”); and 
determining the indication of the VPN policy based on data provided by the policy manager service corresponding to the user
Peterson teaches that VPN application send the synthetic service request to identity provider from the user authentication request but there is no indication of VPN policy 
	However Konda teaches determining indication of VPN policy (Konda, see ¶ [0055], “a privacy protection policy can include any suitable privacy protection policy information, such as a padding policy (determines the length of padding that needs to be added) (e.g., block length padding, full/maximum length padding, random length padding, random block length padding, etc.) to induce stable traffic patterns, a traffic flow continuity policy (which indicates the interval and frequency in which dummy packets (packets with all padding characters) need to be sent from the VPN clients to ensure evenly spread traffic flow patterns), an encryption policy and/or tunneling policy”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Peterson with the teaching of Konda because the use of Konda’s idea (Konda, see abstract) could provide Peterson 

Regarding claim 4, the combination of Peterson and Konda teach all the limitations of claim 1. Peterson further teaches: wherein: the first information and the second information are included in a single message, formatted according to at least one Security Assertion Markup Language (SAML) protocol (Peterson, first see ¶ [0013], then see ¶ [0017], “First identity provider 108 and second identity provider 110 can provide different identity services. For example, first identity provider can provide at least one of active directory, OAuth, security assertion markup language (SAML), OpenID, or any other identity service while second identity provider 110 can provide a different selection of identity service(s)”).

Regarding claim 6, the combination of Peterson and Konda teach all the limitations of claim 4. Peterson further teaches: wherein: the first information is included in an authorization portion of the single message, the authorization portion signed in accordance with a key associated with the IdP service (Peterson, see FIG. 2 items 218, 222, and 232 along with  ¶¶ [0019 and 0028], “Authentication requests from user agent 104 (or service provider 102) can be facilitated by VPN appliance 106 on the edge of secure network 114. By having the VPN appliance 106 facilitate these authentication requests, the identity provider(s) (e.g., first identity provider 108, and/or second identity 

Regarding claim 7, Peterson teaches: A method for a Virtual Private Network (VPN) client to form a VPN tunnel with a VPN host, (Peterson, see abstract along with ¶ [0015] and claim 9), comprising: 
by the VPN client, originating a login request to establish the VPN tunnel between the VPN client and the VPN host, the login request indicating a user of the VPN client (Peterson, see FIG. 2 along with ¶¶ [0005 and 0018-0021], “Authentication requests from user agent 104 (or service provider 102) can be facilitated by VPN appliance 106 on the edge of secure network 114. By having the VPN appliance 106 facilitate these authentication requests, the identity provider(s) (e.g., first identity provider 108, and/or second identity provider 110) can be located within secure network 114 but still functionally accessible from Internet 112. Because VPN appliance 106 is facilitating these authentication requests, VPN appliance 106 can store a user's credentials during a first authentication and automatically apply them for future authentications. In other words, VPN appliance 106 can enable a single login experience so that a user does not have to repeatedly input their credentials”; “User credentials can include information that identifies a user account, a user, a group of users, a user classification, etc”); and 
by the VPN client, receiving a response to the login request, the response including at least both: (Peterson, see FIG. 2 items 222 and 248 along with ¶¶ [0024-0026 and 0034], “First identity provider 108 can then validate the user credentials (step 210). This can include comparing the user credentials with a database to determine if the user credentials match a user account on first identity provider 108. The user account can match a set of permissions. First identity provider 108 can determine if the set of permissions allow the type of VPN session that is requested. First identity provider 108 can : 
first information including an indication that the user of the VPN client is an authorized user (Peterson, see ¶ [0024], “First identity provider 108 can determine if the set of permissions allow the type of VPN session that is requested. First identity provider 108 can send a response to VPN appliance 106 including an authorization token allowing user agent 104 to connect to VPN appliance 106”); and 
by the VPN client, providing at least an indication of the VPN host policy to the VPN host (Peterson does not teach the BOLD limitation, see FIG. 2 items 250 and 252 along with ¶ [0035]); and
Peterson teaches that the send authentication form from second identity once the user
authentication that includes token is completed wherein the form is filled by the VPN appliance
and then the client will be validated by the second identity provider that is included in client VPN during VPN tunnel (see FIG. 2 and related texts along with ¶ [0034]) but there is no indication of VPN policy during the exchange
	However Konda teaches VPN policy that is utilized (Konda, see ¶ [0055], “a privacy protection policy can include any suitable privacy protection policy information, such as a padding policy (determines the length of padding that needs to be added) (e.g., block length padding, full/maximum length padding, random length padding, random block length padding, etc.) to induce stable traffic patterns, a traffic flow continuity policy (which indicates the interval and frequency in which dummy packets (packets with all padding characters) need to be sent from the VPN clients to ensure evenly spread traffic flow patterns), an encryption policy and/or tunneling policy”)
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Peterson with the teaching 

Regarding claim 8, the combination of Peterson and Konda teach all the limitations of claim 7. Peterson further teaches: configuring the VPN client in accordance with at least the VPN client policy (Peterson does not teach the BOLD limitation of VPN policy whether VPN client policy or any VPN policy, see FIG. 1 along with ¶ [0011]), but Peterson does not teach VPN policy
However Konda teaches VPN policy (Konda, see ¶ [0055], “a privacy protection policy can include any suitable privacy protection policy information, such as a padding policy (determines the length of padding that needs to be added) (e.g., block length padding, full/maximum length padding, random length padding, random block length padding, etc.) to induce stable traffic patterns, a traffic flow continuity policy (which indicates the interval and frequency in which dummy packets (packets with all padding characters) need to be sent from the VPN clients to ensure evenly spread traffic flow patterns), an encryption policy and/or tunneling policy”)
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Peterson with the teaching of Konda because the use of Konda’s idea (Konda, see abstract) could provide Peterson (Peterson, abstract) the ability to perform privacy protection policy by including policy protection 

Regarding claim 9, the combination of Peterson and Konda teach all the limitations of claim 7. Peterson further teaches by the VPN client, communicating in accordance with at least the VPN client policy (Peterson does not teach the BOLD limitation of VPN policy whether VPN client policy or any VPN policy, see FIG. 2 item 218 along with ¶ [0026]), but Peterson does not teach VPN policy
However Konda teaches VPN policy (Konda, see ¶ [0055], “a privacy protection policy can include any suitable privacy protection policy information, such as a padding policy (determines the length of padding that needs to be added) (e.g., block length padding, full/maximum length padding, random length padding, random block length padding, etc.) to induce stable traffic patterns, a traffic flow continuity policy (which indicates the interval and frequency in which dummy packets (packets with all padding characters) need to be sent from the VPN clients to ensure evenly spread traffic flow patterns), an encryption policy and/or tunneling policy”)
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Peterson with the teaching of Konda because the use of Konda’s idea (Konda, see abstract) could provide Peterson (Peterson, abstract) the ability to perform privacy protection policy by including policy protection through the client VPN during the exchange to protect vulnerabilities, “a privacy protection policy 

Regarding claim 10, the combination of Peterson and Konda teach all the limitations of claim 7. Peterson further teaches: wherein the response received by the VPN client includes the first information and the second information in a single message, formatted according to at least one Security Assertion Markup Language (SAML) protocol (Peterson, first see ¶ [0013], then see ¶ [0017], “service provider can receive tokens or credentials provided by an OAuth (1.0 or 2.0) provider, a security assertion markup language (SAML) provider, an active directory service, etc. Service provider can also accept authentication credentials provided by a user (e.g., via user agent 104)”).

Regarding claim 13, the combination of Peterson and Konda teach all the limitations of claim 7. Konda further teaches: the VPN client policy comprises at least a split tunneling policy (Konda, see ¶ [0056], then see ¶ [0536], “as part of deploying the policy, a split tunnel can be created, and traffic exchanged with the loT device can be forwarded through the tunnel”).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Peterson with the teaching of Konda because the use of Konda’s idea (Konda, see abstract) could provide Peterson (Peterson, abstract) the ability to perform privacy protection policy by including policy protection through the client VPN during the exchange to protect vulnerabilities, “a privacy protection policy can include any suitable privacy protection policy information … need to be sent from the VPN 

Regarding claim 14, the combination of Peterson and Konda teach all the limitations of claim 7. Peterson further teaches: receiving a single sign-on (SSO) redirect message that includes at least an IdP service as an indicated destination for the login request (Peterson, see ¶¶ [0002 and 0019], “Identity providers (IdPs) help networks manage identities and user accounts. Many services can utilize an identity provider to authenticate and keep track of users. Fully utilizing identity providers can allow a federated single-sign-on (SSO) experience.”).

Regarding claim 15, this claim defines a method claim that corresponds to method claim 7 and does not define beyond limitations of claim 7. Therefore, claim 15 is rejected with the same rational as in the rejection of claim 7. 

Regarding claim 16, the combination of Peterson and Konda teach all the limitations of claim 15. Peterson further teaches processing the VPN host policy includes configuring the VPN host in accordance with at least the VPN host policy (Peterson does not teach the BOLD limitation of VPN policy whether VPN host policy or any VPN policy, see FIG. 2 items 226 and 252 along with ¶¶ [0028, 0030, and 0035]), but Peterson does not teach VPN policy
VPN policy (Konda, see ¶ [0055], “a privacy protection policy can include any suitable privacy protection policy information, such as a padding policy (determines the length of padding that needs to be added) (e.g., block length padding, full/maximum length padding, random length padding, random block length padding, etc.) to induce stable traffic patterns, a traffic flow continuity policy (which indicates the interval and frequency in which dummy packets (packets with all padding characters) need to be sent from the VPN clients to ensure evenly spread traffic flow patterns), an encryption policy and/or tunneling policy”)
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Peterson with the teaching of Konda because the use of Konda’s idea (Konda, see abstract) could provide Peterson (Peterson, abstract) the ability to perform privacy protection policy by including policy protection through the client VPN during the exchange to protect vulnerabilities, “a privacy protection policy can include any suitable privacy protection policy information … need to be sent from the VPN clients to ensure evenly spread traffic flow patterns), an encryption policy and/or tunneling policy (which indicates the routing configuration that needs to be deployed to forward the traffic exchanged … to protect vulnerable IoT devices, a user policy (which can allow a user to add exceptions for specific devices or override the standard privacy protection policy in place for the loT device), and/or any other suitable information for protecting the loT device from being compromised” (Konda, ¶ [0055]). 

Regarding claim 17, the combination of Peterson and Konda teach all the limitations of claim 15. Peterson further teaches by the VPN host, communicating in accordance with the VPN host policy (Peterson does not teach the BOLD limitation of VPN policy whether VPN host policy or any VPN policy, see FIG. 2 item 218 along with ¶ [0026]), but Peterson does not teach VPN policy
VPN policy (Konda, see ¶ [0055], “a privacy protection policy can include any suitable privacy protection policy information, such as a padding policy (determines the length of padding that needs to be added) (e.g., block length padding, full/maximum length padding, random length padding, random block length padding, etc.) to induce stable traffic patterns, a traffic flow continuity policy (which indicates the interval and frequency in which dummy packets (packets with all padding characters) need to be sent from the VPN clients to ensure evenly spread traffic flow patterns), an encryption policy and/or tunneling policy”)
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Peterson with the teaching of Konda because the use of Konda’s idea (Konda, see abstract) could provide Peterson (Peterson, abstract) the ability to perform privacy protection policy by including policy protection through the client VPN during the exchange to protect vulnerabilities, “a privacy protection policy can include any suitable privacy protection policy information … need to be sent from the VPN clients to ensure evenly spread traffic flow patterns), an encryption policy and/or tunneling policy (which indicates the routing configuration that needs to be deployed to forward the traffic exchanged … to protect vulnerable IoT devices, a user policy (which can allow a user to add exceptions for specific devices or override the standard privacy protection policy in place for the loT device), and/or any other suitable information for protecting the loT device from being compromised” (Konda, ¶ [0055]). 

Regarding claim 18, the combination of Peterson and Konda teach all the limitations of claim 15. Peterson further teaches: receiving by the VPN host, second information originating from the VPN client, an indication that a user of the VPN client is an authorized user (Peterson, see FIG. 2 items 232 and 234 along with ¶¶ [0021 and 0030-0031], “VPN appliance 106 can determine the appropriate destination for the authentication request. For example, the authentication request can Second identity provider 110 can then receive the authentication request (step 232).”).

Regarding claim 19, the combination of Peterson and Konda teach all the limitations of claim 18. Peterson further teaches: the first information and the second information are received by the VPN host in a single message, formatted according to at least one Security Assertion Markup Language (SAML) protocol (Peterson, first see ¶ [0013], then see ¶ [0017], “First identity provider 108 and second identity provider 110 can provide different identity services. For example, first identity provider can provide at least one of active directory, OAuth, security assertion markup language (SAML), OpenID, or any other identity service while second identity provider 110 can provide a different selection of identity service(s)”).

Regarding claim 20, the combination of Peterson and Konda teach all the limitations of claim 15. Peterson further teaches: by the VPN host, receiving a login request originating from the VPN client; and providing to the VPN client a single sign-on (SSO) redirect message that includes at least an Identity Provider (IdP) service as an indicated destination for the login request (Peterson, see FIG. 2 items 202, 208, 210, and 218 ¶¶ [0002, 0016 and 0019], “VPN appliance 106 can provide a portal to access secure applications. For example, VPN appliance 106 can host a web-based portal. A user agent 104 can log into VPN appliance 106 and be presented with available applications. An application ( or other resource) may be selected via the web-based portal, and VPN appliance 106 can facilitate authenticating the user and establishing an application session with the user”; “Identity providers (IdPs) help networks manage identities and user accounts. Many services can utilize .

Allowable subject matter
12.	Claims 5 and 11-12 are objected to as being dependent upon a rejected base claim, but would be allowable (in view of other limitations of the independent claims) if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and further overcoming other rejections or objections that might have been rendered above. The detail reason for allowance will be furnished upon allowance of the application.
 
Examiner note:
13.	In the case of amending the Claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. This will assist in expediting compact prosecution.  MPEP 714.02 recites: “Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § 2163.06. An amendment which does not comply with the provisions of 37 CFR 1.121(b), (c), (d), and (h) may be held not fully responsive. See MPEP § 714.”  Amendments not pointing to specific support in the disclosure may be deemed as not complying with provisions of 37 C.F.R.  1.131(b), (c), (d), and (h) and therefore held not fully responsive. Generic statements such as “Applicants believe no new matter has been introduced” may be deemed insufficient.

Conclusion
14.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Janardhanan Jawahar US 9,948,612 discloses implementing single sign on (SSO)
and/or conditional access for client applications are described herein. a secure communication tunnel may be established between the client application and the identity provider gateway, and the secure communication tunnel may use, for example, a client certificate.
Lapidous et al. US 2016/0218978 discloses a virtual private router (VPR) intercepts DNS requests and returns a pseudo IP address to the requesting application and 
the pseudo IP address is mapped to a domain name in the request.
Goldschlag et al. US 2020/0162431 discloses reducing the complexity of endpoint configurations by offloading most of the connection and endpoint validation, policy enforcement, information leakage management, and routing decisions from the endpoints to an ARS.
Thanh et al. 2013 IEEE ICOIN, “Implementation of Open Two-Factor Authentication
Service applied to Virtual Private Network” discloses introducing the method to build the customizable, reliable, low-cost TFAS for the VPN infrastructure in enterprise.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALIL NAGHDALI whose telephone number is (571) 272-9884. The examiner can normally be reached on M-F 8AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, KRISTINE L KINCAID can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
/KHALIL NAGHDALI/Primary Examiner, Art Unit 2437