Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1-20 are pending.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on the combinations of the references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
In response to applicant's argument on page 12 that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., [0056] “which includes the examples of how the session data may be modified to indicate how a user was authenticated, what time the user was authenticated, how secure the user’s password was, or the like.”) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-10, 12-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Cho (US 2018/0351944, hereinafter Cho) and in view of Schneider (US 2009/0199276, hereinafter Schneider) and in view of Gangawane (US 2018/0077144, hereinafter Gangawane) and in view of Shah (US 2016/0087957, hereinafter Shah).
With respect to claim 1, Cho discloses a system comprising:
a first identity provider application executing on a first computing device (fig. 1, one of the plurality of authentication servers (FIDO authentication server, OTP authentication server, Password authentication server… etc.)); and
a second identity provider application executing on a second computing device (fig. 1, one of the plurality of authentication servers (FIDO authentication server, OTP authentication server, Password authentication server… etc.));
wherein the first identity provider application is configured to: 
receive an indication of an authentication request ([0044], client device performs authentication process by transmitting the generated or received authentication information to one of the plurality of authentication servers); 
retrieve, from a storage device, session information associated with the authentication request ([0051], authentication devices may compare the recognized biometric information with biometric information already stored in advance by the user to authenticate the user); 
receive, from a third computing device, authentication credentials ([0054]-[0055], authentication server receives client device authentication factor identification information.); 
authenticate, based on the session information, based on the authentication credentials, and by performing one or more first functions, a user ([0052]-[0056], authentication server receives authenticator factor identification information from the client device and authenticates the user request.);
wherein the second identity provider application is configured to: 
authenticate, based on the modified session information and by performing one or more second functions different than the one or more first functions, the user ([0058]-[0059], two authentication processes based on two authentication factors.  Access token is transmitted to the client when first authentication process is successful.  If the access token is valid, the authentication system relays a second authentication process).
While Cho discloses generating an access token including identification of the authentication factors used when authentication is successful, Cho does not clearly disclose however Schneider discloses modify, in response to the authenticating, the session information ([0050]-[0055], upon first session identifier successfully authenticated itself, receiving the authenticate message and generates a second session identifier for the second session which includes the token and authentication credentials (username, user password, one-time password (OTP), certificate, organization ID, etc., [0027])).  Cho and Schneider are analogous art because they disclose utilizing multiple authentication servers.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Cho with a modify, in response to the authenticating, the session information as disclosed in Schneider in order to forward relevant session information.  One of ordinary skill in the art would have been motivated to incorporate the teachings with one another in order to establish a more efficient system by being able to identify the user’s identification information through multiple authentication factors.
While Schneider discloses modifying the sessions to include the session tokens and session identifiers, Cho and Schneider do not clearly disclose however Gangawane discloses modifying the session information stores identification of the one or more first functions used to authenticate the user ([0202], once the user is authenticated, the global session is populated with various user information such as user ID, preferences, locale, time zone, the factors or modules it got authenticated to, the time of the authentication).  Cho, Schneider, and Gangawane are analogous art because they disclose user authentication.
It would have been obvious for one of ordinary skill in the art before the date the current invention was effectively filed to have modified the teachings of Cho and Schneider by the system of Gangawane to populate the global session with various user information.  One of ordinary skill in the art would have been motivated to incorporate the teachings with one another in order to provide a more secure system by having information about the authentication readily available.
However, Cho, Schneider, and Gangawane do not clearly disclose however Shah discloses determine a level of security based on the identification of the one or more first functions of the first authentication protocol stored in the session information ([0048], [0049], [0057], [0079], determine if an authentication meets an assurance level); determine, based on the level of security, one or more second functions of a different authentication protocol for authenticating the user, and authenticate by performing the one or more second function ([0048], [0049], [0057], [0079], determine if desired assurance levels are met or if one or more authentication factors should be carried out to achieve the required level of assurance.  Check to determine if a previous authentication result may be re-used without repeating the authentication process based on the assurance level of the authentication).  Cho, Schneider, Gangawane and Shah are analogous art because they disclose user authentication.
It would have been obvious for one of ordinary skill in the art before the date the current invention was effectively filed to have modified the teachings of Cho, Schneider’s session information and Gangawane by the system of Shah to include in the session information the authentication information needed to determine the assurance level of the authentication.  One of ordinary skill in the art would have been motivated to incorporate the teachings with one another in order to provide a more efficient security system by checking if the previous authentication satisfies the current assurance level to potentially avoid having to repeat an authenticating process.

With respect to claim 3, one of ordinary level of skill in the art would have been compelled to make the proposed modification to Cho, Schneider, and Gangawane for the same reasons identified in the rejection of claim 1.  In addition, Shah discloses wherein the first authentication protocol authenticate comprises a different version of the different authentication protocol ([0057], [0079], freshness of the authentication, if it is stale, it would need a more fresh version of the authentication).

With respect to claim 4, one of ordinary level of skill in the art would have been compelled to make the proposed modification to Cho for the same reasons identified in the rejection of claim 1.  In addition, Schneider discloses wherein the first identity provider application is configured to modify the session information by: determining user information associated with the user ([0024]-[0027], authentication credentials such as username, user password, one-time password (OTP), certificate, organization ID, etc. are provided for authentication.); and adding, to the session information, the user information ([0050]-[0055], upon first session identifier successfully authenticated itself, receiving the authenticate message and generates a second session identifier for the second session which includes the token and username, user password, one-time password (OTP), certificate, organization ID, etc., [0027]).
With respect to claim 5, one of ordinary level of skill in the art would have been compelled to make the proposed modification to Cho for the same reasons identified in the rejection of claim 1.  In addition, Schneider discloses wherein the second identity provider application is configured to authenticate the user based on the user information ([0050]-[0055], upon first session identifier successfully authenticated itself, receiving the authenticate message and generates a second session identifier for the second session which includes the token and username, user password, one-time password (OTP), certificate, organization ID, etc., [0027].).
With respect to claim 6, Cho discloses wherein the second identity provider application is configured to authenticate the user by: sending, to the user, a token, wherein the token comprises at least a portion of the session information ([0058]-[0059], access token including identification information used in the first and second authentication process is transmitted to the client device upon successful second authentication process).
With respect to claim 13, one of ordinary level of skill in the art would have been compelled to make the proposed modification to Cho for the same reasons identified in the rejection of claim 1.  In addition, Schneider discloses wherein the indication of the authentication request corresponds to access, by the user, of a Uniform Resource Locator (URL) (authenticating credentials to a web application in which the session identifier is included in a URL).
With respect to claim 14, one of ordinary level of skill in the art would have been compelled to make the proposed modification to Cho for the same reasons identified in the rejection of claim 1.  In addition, Schneider discloses transmitting, to the second computing device, a second indication of a URL associated with the second identity provider, wherein access, by the second computing device, of the URL causes the second identity provider to authenticate the user ([0050]-[0055], upon first session identifier successfully authenticated itself, receiving the authenticate message and generates a second session identifier for the second session which includes the token and username, user password, one-time password (OTP), certificate, organization ID, etc., [0027]).  
With respect to claim 15, one of ordinary level of skill in the art would have been compelled to make the proposed modification to Cho for the same reasons identified in the rejection of claim 1.  In addition, Schneider discloses wherein the second identity provider application executes on a third computing device ([0036], the client device authenticates itself with the web application and the authentication proxy in which is utilized with the client device).
With respect to claim 18, one of ordinary level of skill in the art would have been compelled to make the proposed modification to Cho for the same reasons identified in the rejection of claim 1.  In addition, Schneider discloses wherein authenticating the user comprises: generating, based on the session information, a token (fig. 1, 2, [0013]-[0014], personal computer used to visit a website on a web browser and is prompted to enter a user name and password which creates a QR code, an output or signal which is instructed to the personal computer); and 
sending, to the second computing device, the token (fig. 1, 2, [0013]-[0014], web server produces a QR code, an output or signal which is instructed to the personal computer after it receives login information).
With respect to claim 20, one of ordinary level of skill in the art would have been compelled to make the proposed modification to Cho for the same reasons identified in the rejection of claim 1.  In addition, Schneider discloses wherein sending the first indication of the authentication request comprises: storing, based on the authentication request, the session information in the storage device, wherein the second identity provider application is configured to modify the session information after authenticating the user based on the second authentication protocol ([0038], Establishment of the second session may include generating a session identifier and/or session token for the second session. [0047] If the authentication credentials match stored authentication information (e.g., as stored in data store 248)).
With respect to claims 7-10, 12, and 16-17, they are of similar claims as claims 1, 3-6, and 14 and therefore are rejected for the same reasons above.
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Cho in view of Schneider in view of Gangawane in view of Shah and in view of Redberg (US 2017/0279795, hereinafter Redberg).
With respect to claim 2, Cho discloses wherein the second identity provider application is further configured to: 
receive the authentication request ([0058]; two authentication factors, second authentication process is started after first successful authentication process).
In addition, Schneider discloses cause storage, by the storage device, of session information associated with the authentication request ([0047], If the authentication credentials match stored authentication information (e.g., as stored in data store 248)).
However, Cho, Schneider, Gangawane, and Shah do not clearly disclose wherein the second identity provider application transmit, to the first identity provider application, the indication of the authentication request.
In the same field of endeavor, Redberg discloses wherein the second identity provider application transmit, to the first identity provider application, the indication of the authentication request ([0044], authentication server 108 generates a one-time password and sends the OTP associated with the access request back to the application server).  Cho, Schneider, Gangawane, Shah and Redberg are analogous art because they disclose utilizing multiple authentication servers.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Cho, Schneider, Gangawane, and Shah with wherein the second identity provider application transmit, to the first identity provider application, the indication of the authentication request as disclosed in Redberg in order to forward relevant session information.  One of ordinary skill in the art would have been motivated to incorporate the teachings with one another in order to establish a more secure system by being able to send from one authentication server to another authentication server access attributes to prevent fraudulent attempts by someone other than the user associated with the user credentials.

Claims 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Cho in view of Schneider in view of Gangawane in view of Shah and in view of Hito (US 2011/0219427, hereinafter Hito).
With respect to claims 11 and 19, Cho, Schneider, Gangawane, and Shah do not clearly disclose deleting, in response to determining that the second identity provider application authenticated the user, the modified session information from the storage device.
In the same field of endeavor, Hito discloses deleting, in response to determining that the second identity provider application authenticated the user, the modified session information from the storage device ([0016]-[0020], onetime unique identifier for the session as part of the login request.  Upon positive verification, login request is automatically removed.).  Cho, Schneider, Gangawane, Shah and Hito are analogous art because they disclose utilizing multiple authentication servers.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Cho, Schneider, Gangawane, and Shah with deleting, in response to determining that the second identity provider application authenticated the user, the modified session information from the storage device as disclosed in Hito in order to remove requests that have been successfully authenticated.  One of ordinary skill in the art would have been motivated to incorporate the teachings with one another in order to establish a more efficient system by being able to remove from the authentication queue, authentication requests that have already been completed.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HO T SHIU whose telephone number is (571)270-3810. The examiner can normally be reached Mon-Fri (9:00am - 5:00pm).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on 571-272-3089. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HO T SHIU/Examiner, Art Unit 2443                                                                                                                                                                                                        
/NICHOLAS R TAYLOR/Supervisory Patent Examiner, Art Unit 2443