DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-13 have been examined. 

Priority
Acknowledgement is made of the applicant’s claim to priority as a continuation of parent application 15/683466, now, U.S Patent No. 10931452.

Specification
The abstract of the disclosure is objected to because of grammatical errors.  For example, the sentence: “The encrypted user token is then for storage in a database” is missing the action that is performed on the encrypted user token such as transmitted or forwarded etc. Correction is required.  See MPEP § 608.01(b).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-13 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-13 of U.S. Patent No. 10931452. Although the claims at issue are not identical, they are not patentably distinct from each other because: 
Instant application 
U.S. Patent No. 10931452
1. A method of enabling single sign-on (SSO) access to an application executing in an enterprise, the application being configured for access via multiple, distinct authentication methods, comprising: 













at a connector device associated with the enterprise: during a first access to the application, and responsive to successful authentication of a user via a first authentication method, encrypting a credential associated with the successful authentication to generate an encrypted user token; 
storing the encrypted user token in a database; 





during a second, subsequent access to the application, and following a redirect that returns the user to the connector device, fetching the encrypted user token from the database; 

decrypting the encrypted user token to recover the credential; and 

performing an authentication protocol translation by using the credential so recovered to authenticate the user to the application via a second authentication method non-overlapping to the first authentication method.


2. The method as described in claim 1 wherein the first authentication method is an HTML form-based authentication initiated from a client browser.

3. The method as described in claim 2 wherein the second authentication method is NTLM or Kerberos.

4. The method as described in claim 1 wherein the credential is encrypted with a private key uniquely-associated with the connector.

5. The method as described in claim 1 wherein the first authentication method also includes a second factor of authentication.

6. The method as described in claim 1 wherein the redirect is initiated from a login server operated by a service provider.

7. The method as described in claim 6 further including the login server providing an HTML login form to facilitate the authentication using the first authentication method.

8. The method as described in claim 1 further including receiving the encrypted user token.


9. The method as described in claim 8 wherein the encrypted user token is received via an HTTP header.

10. The method as described in claim 1 wherein the second authentication method includes generating a connection, and wherein the connection is maintained in a connection pool keyed to the user.

11. The method as described in claim 10 further including using the connection to manage additional requests for the user.
1. A method of enabling single sign-on (SSO) access to an application executing in an enterprise, the application being configured for access via multiple, distinct authentication methods, comprising: configuring an enterprise-based connector in association with an enterprise infrastructure on which the application executes, the enterprise-based connector being managed by a cloud service provider to provide end users located external to the enterprise infrastructure with authorized, network-based secure access to the application without inbound open tunnels or ports to the enterprise infrastructure, thereby preventing the enterprise infrastructure from being exposed; 
during a first access to the application, and responsive to successful authentication of an end user by the cloud service provider and via a first authentication method, encrypting, at the enterprise-based connector, a credential associated with the successful authentication to generate an encrypted user token; 
forwarding the encrypted user token from the enterprise-based connector for storage in a database located externally to the enterprise infrastructure and accessible by the enterprise-based connector; 
during a second, subsequent access to the application, and following a redirect that returns the end user to the enterprise-based connector, the enterprise-based connector fetching the encrypted user token from the database; the enterprise-based connector decrypting the encrypted user token to recover the credential; and the enterprise-based connector performing an authentication protocol translation by using the credential so recovered to authenticate the user to the application via a second authentication method non-overlapping to the first authentication method.

2. The method as described in claim 1 wherein the first authentication method is an HTML form-based authentication initiated from a client browser.

3. The method as described in claim 2 wherein the second authentication method is NTLM or Kerberos.

4. The method as described in claim 1 wherein the credential is encrypted with a private key uniquely-associated with the enterprise-based connector.

5. The method as described in claim 1 wherein the first authentication method also includes a second factor of authentication.

6. The method as described in claim 1 wherein the redirect is initiated from a login server operated by the cloud service provider.

7. The method as described in claim 6 further including the login server providing an HTML login form to facilitate the authentication using the first authentication method.

8. The method as described in claim 1 further including receiving the encrypted user token at the enterprise-based connector.

9. The method as described in claim 8 wherein the encrypted user token is received via an HTTP header.

10. The method as described in claim 1 wherein the second authentication method includes generating a connection, and wherein the connection is maintained in a connection pool keyed to the end user.

11. The method as described in claim 10 further including using the connection to manage additional requests for the end user.


Similarly, the rest of the independent and dependent claims are analogous to the rest of the independent and dependent claims U.S. Patent No. 10931452.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-3, 6-8, 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over US 20070143836 to Bowers et al (hereinafter Bowers) and US 9137131 to Sarukkai et al (hereinafter Sarukkai).
As per claims 1 and 12, Bowers teaches:
A method of enabling single sign-on (SSO) access to an application executing in an enterprise, the application being configured for access via multiple, distinct authentication methods, comprising: 
at a connector device associated with the enterprise: during a first access to the application, and responsive to successful authentication of a user via a first authentication method, encrypting a credential associated with the successful authentication to generate an encrypted user token (Bowers: [0029], [0031]. [0032] In one embodiment, legacy authentication credentials 160 are configured to be submitted from the application 150 to the authentication proxy module 210. The authentication proxy module 210 receives the authentication credential 160 from the application 150 and invokes a corresponding Kerberos authentication request 230 for the Kerberos server 240. The Kerberos server 240 returns a Kerberos ticket 260 to the authentication proxy module 210. [0037]: The authentication credential 160 may include a user name and password (first authentication method). [0039] The authenticate to Kerberos test 330 determines whether the user 110 can be authenticated to the Kerberos server 240 after submitting a Kerberos authentication request 230. If the Kerberos server 240 returns a Kerberos ticket 260 to the authentication proxy module 210, the authentication protocol translation method 300 continues with the cache Kerberos credential operation 340); 
storing the encrypted user token in a database (Bowers: [0034]. [0040] The cache Kerberos credential operation 340 associates the Kerberos ticket 260 with the authentication credential 160 corresponding to the user 110. In some embodiments, the cache Kerberos credential operation 340 enters the Kerberos ticket 260 into the table or database utilized by the legacy authentication credential operation 320. In various embodiments, the table or database may be intrinsic to the authentication proxy module 210 or may be included in the credential binding module 220. [0043]: The authentication credential 160 may be considered valid if the cached Kerberos ticket 260 can be successfully decrypted using the authentication credential 160, i.e., the Kerberos ticket 260 is encrypted with the authentication credential 160 and stored in a database); 
during a second, subsequent access to the application, fetching the encrypted user token from the database; decrypting the encrypted user token to recover the credential (Bowers: [0043] The obtain cached credential operation 370 obtains the cached Kerberos ticket 260 with the authentication credential 160 corresponding to the user 110. The authentication credential 160 may be considered valid if the cached Kerberos ticket 260 can be successfully decrypted using the authentication credential 160. [0038]: The receive legacy authentication credential operation 320 may receive the legacy authentication credential 160 from a database or user account initialization process to obtain a corresponding Kerberos ticket 260. Although the Kerberos ticket 260 may be expired when the user 110 subsequently authenticates, successfully decrypting the Kerberos ticket 260 using the authentication credential 160 submitted by the user 110 demonstrates that the authentication credential provided is correct, i.e., during a subsequent access, the authentication credential 160 of the user is used obtain the encrypted Kerberos ticket from the database and is used to decrypt the Kerberos ticket); and 
performing an authentication protocol translation by using the credential so recovered to authenticate the user to the application via a second authentication method non-overlapping to the first authentication method (Bowers: [0031]. [0039] The authenticate to Kerberos test 330 determines whether the user 110 can be authenticated to the Kerberos server 240 after submitting a Kerberos authentication request 230. If the Kerberos server 240 returns a Kerberos ticket 260 to the authentication proxy module 210, the authentication protocol translation method 300 continues with the cache Kerberos credential operation 340. [0041] The request service operation 350 submits an authentication credential 270 in accordance with the Kerberos authentication protocol to the Kerberized service provider 280 and receives any service data 290 returned by the Kerberized service provider 280. The service data 290 is then redirected to the legacy application 150. In some embodiments, the authentication protocol translation method 300 provides the cached Kerberos ticket 260 as long as the ticket remains valid, thus reducing the number of authentication requests submitted to the Kerberos server 240, i.e., the submitted authentication credential 160, specifically a username and password are translated to a Kerberos ticket to authenticate the user to the Kerberized service provider 280).
Bowers does not teach: following a redirect that returns the user to the connector device. However, Sarukkai teaches:
following a redirect that returns the user to the connector device (Sarukkai: column 4, lines 54-67: Referring to FIG. 2, a network traffic monitoring system 20 is implemented as a proxy server acting as a network intermediary between the client device 10 and the enterprise's identity provider 18 as well as the cloud service 12. Column 5, line 48-column 6, line 2: The client device 10 then communicates with the identity provider 18, through the monitor proxy server 20, to complete the authentication process. The identity provider 18 authenticates the user and responds with a redirect response containing a redirect web address, typically in the form of an URL (uniform resource locator), to redirect the user back to the cloud service 12 (e.g., abc.service1.com). The redirect web address includes an identity assertion, or an authentication token. The redirect web address sent by the identity provider 18 is received by the monitor proxy server 20. The monitor proxy server 20 intercepts the redirect response and rewrites the redirect web address to be the web address of the monitor proxy server 20 (e.g., service1.abc.com), which will serve as the network intermediary between the client device and the cloud service. Also, column 5, lines 10-26).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Sarukkai in the invention of Bowers to include the above limitations. The motivation to do so would be to enable enterprises to gain deep visibility and control over network traffic to/from these cloud-based services that was previously not feasible (Sarukkai: column 3, lines 18-21).

As per claim 2, Bowers in view of Sarukkai teaches:
The method as described in claim 1 wherein the first authentication method is an HTML form-based authentication initiated from a client browser (Bowers: [0037]: The authentication credential 160 may include a user name and password. Sarukkai: column 5, lines 10-26 and 41-55: A user, on behalf of an enterprise ABC Corp., wishes to access the services provided by the cloud service 12 ("the service provider"), such as a web application on the website "service1.com.". In this manner, when the client device 10 initiates a login request to the cloud service on behalf of ABC Corp., the client device 10 will be redirected to the monitor proxy server 20 which routes the session onto the identity provider 18. The client device 10 then communicates with the identity provider 18, through the monitor proxy server 20, to complete the authentication process. To authenticate the user, the identity provider may request information from the user, such as a user name and password. The client device 10 provides login credentials (e.g. user name and password) to the monitor proxy server 20 which forwards the credentials to the identity provider 18).

As per claim 3, Bowers in view of Sarukkai teaches:
The method as described in claim 2 wherein the second authentication method is NTLM or Kerberos (Bowers: [0032]: The Kerberos server 240 returns a Kerberos ticket 260 to the authentication proxy module 210. [0039]).

As per claim 6, Bowers in view of Sarukkai teaches:
The method as described in claim 1 wherein the redirect is initiated from a login server operated by a service provider (Sarukkai: Column 5, lines 27-50: The cloud service 12, implementing federated identity management, responds to the user login request by redirecting the client device to an identity provider (IdP) 18 associated with the enterprise. The client device 10 then communicates with the identity provider 18, through the monitor proxy server 20, to complete the authentication process.).

As per claim 7, Bowers in view of Sarukkai teaches:
The method as described in claim 6 further including the login server providing an HTML login form to facilitate the authentication using the first authentication method (Bowers: [0037]: The authentication credential 160 may include a user name and password. Sarukkai: column 5, lines 10-26 and 41-55: A user, on behalf of an enterprise ABC Corp., wishes to access the services provided by the cloud service 12 ("the service provider"), such as a web application on the website "service1.com.". In this manner, when the client device 10 initiates a login request to the cloud service on behalf of ABC Corp., the client device 10 will be redirected to the monitor proxy server 20 which routes the session onto the identity provider 18. The client device 10 then communicates with the identity provider 18, through the monitor proxy server 20, to complete the authentication process. To authenticate the user, the identity provider may request information from the user, such as a user name and password. The client device 10 provides login credentials (e.g. user name and password) to the monitor proxy server 20 which forwards the credentials to the identity provider 18).

As per claim 8, Bowers in view of Sarukkai teaches:
The method as described in claim 1 further including receiving the encrypted user token (Bowers: [0040]: In some embodiments, the cache Kerberos credential operation 340 enters the Kerberos ticket 260 into the table or database utilized by the legacy authentication credential operation 320. In various embodiments, the table or database may be intrinsic to the authentication proxy module 210 or may be included in the credential binding module 220. [0043] The obtain cached credential operation 370 obtains the cached Kerberos ticket 260 with the authentication credential 160 corresponding to the user 110. The authentication credential 160 may be considered valid if the cached Kerberos ticket 260 can be successfully decrypted using the authentication credential 160, i.e., the encrypted Kerberos ticket is received from the database).

As per claim 13, Bowers in view of Sarukkai teaches:
The computer program product as described in claim 12 wherein the first authentication method is an HTML form-based authentication initiated from a client browser, and the second authentication method is one of: NTLM, and Kerberos (Bowers: [0037]: The authentication credential 160 may include a user name and password. [0032]: The Kerberos server 240 returns a Kerberos ticket 260 to the authentication proxy module 210. [0039]. Sarukkai: column 5, lines 10-26 and 41-55: A user, on behalf of an enterprise ABC Corp., wishes to access the services provided by the cloud service 12 ("the service provider"), such as a web application on the website "service1.com.". In this manner, when the client device 10 initiates a login request to the cloud service on behalf of ABC Corp., the client device 10 will be redirected to the monitor proxy server 20 which routes the session onto the identity provider 18. The client device 10 then communicates with the identity provider 18, through the monitor proxy server 20, to complete the authentication process. To authenticate the user, the identity provider may request information from the user, such as a user name and password. The client device 10 provides login credentials (e.g. user name and password) to the monitor proxy server 20 which forwards the credentials to the identity provider 18).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Bowers in view of Sarukkai as applied to claim 1 above, and further in view of US 20100306547 to Fallows et al (hereinafter Fallows).
As per claim 4, Bowers in view of Sarukkai teaches encrypting the Kerberos ticket with the user’s authentication credential but does not teach wherein the credential is encrypted with a private key uniquely-associated with the connector. However, Fallows teaches:
wherein the credential is encrypted with a private key uniquely-associated with the connector (Fallows: [0039] On successful authentication in the token-store embodiment, the gateway application 126 further generates 128 a secure token containing the user credentials. In the preferred token-store embodiment of the present invention, the secure token is generated through encryption of the user credentials using a conventional private key encryption algorithm, where the private key is held securely by the gateway server application 126).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Fallows in the invention of Bowers in view of Sarukkai to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).
	
Claims 5, 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Bowers in view of Sarukkai as applied to claim 1 above, and further in view of US 20150350168 to Hayton (hereinafter Hayton).
As per claim 5, Bowers in view of Sarukkai does not teach the limitations of claim 5. However, Hayton teaches:
wherein the first authentication method also includes a second factor of authentication (Hayton: [0091]: The authentication in step 501 may be single-factor or multi-factor, and may include multiple authentication steps (e.g., challenge questions), and mutual authentication techniques).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Hayton in the invention of Bowers in view of Sarukkai to include the above limitations. The motivation to do so would be to ensure the mobile application requesting access to the enterprise resource can be trusted and is not attempting to circumvent the security mechanisms used to protect those enterprise resources (Hayton: [0019]).

As per claim 10, Bowers in view of Sarukkai does not teach the limitations of claim 10. However, Hayton teaches: 
wherein the second authentication method includes generating a connection, and wherein the connection is maintained in a connection pool keyed to the user (Hayton: [0033]. [0053] The mobile device may connect to enterprise resources 304 and enterprise services 308 at an enterprise, to the public Internet 348, and the like. The mobile device may connect to enterprise resources 304 and enterprise services 308 through virtual private network connections. The virtual private network connections 352 may be specific to particular applications 350, particular devices, particular secured areas on the mobile device, and the like. [0054] The virtual private network connections may be established and managed by an access gateway 360).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Hayton in the invention of Bowers in view of Sarukkai to include the above limitations. The motivation to do so would be to ensure the mobile application requesting access to the enterprise resource can be trusted and is not attempting to circumvent the security mechanisms used to protect those enterprise resources (Hayton: [0019]).

As per claim 11, Bowers in view of Sarukkai and Hayton teaches: 
The method as described in claim 10 further including using the connection to manage additional requests for the user (Bowers: [0043]: Using the cached Kerberos ticket 260 facilitates uninterrupted access to services provided by the Kerberized service provider 280. In some embodiments, the authentication protocol translation method 300 provides the cached Kerberos ticket 260 as long as the ticket remains valid, thus reducing the number of authentication requests submitted to the Kerberos server 240).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Bowers in view of Sarukkai as applied to claim 8 above, and further in view of US 7412720 to Frey et al (hereinafter Frey).
As per claim 9, Bowers in view of Sarukkai does not teach the limitations of claim 9. However, Frey teaches: 
wherein the encrypted user token is received via an HTTP header (Frey: column 9, lines 36-45: Once the interceptor has both authenticated and authorized the user, the interceptor adds information to the user’s HTTP request and sends the request to the Web site that the user is attempting to access (in this case, Web server 310). In one implementation, this extra information is in the form of HTTP headers, and includes an encrypted security token (referred to herein as an "SSO credential") as well as additional information about the user, such as her name (step 610)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Frey in the invention of Bowers in view of Sarukkai to include the above limitations. The motivation to do so would be to enable the web server to authenticate the user using the SSO credential (Frey: column 9, lines 49-55).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 20070006291 to Barari et al: A method, computer program product, authentication proxy server, and system for enabling a user to use a one-time password in conjunction with single sign-on authentication and external authentication, such as provided by the Kerberos protocol, are provided.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438