DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The present office action is responsive to communications received on 12/10/2020. Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/12/2022 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Examiner’s Notes
Analyses under 35 U.S.C. 101, Double Patenting, and 35 U.S.C. 112 have been conducted, and no issues were found.

Claim Objections
Claims 10 and 20 are objected to because of the following informalities:
Claim 10 recites “The computer-implemented method of claim 1, further comprising.” According to MPEP § 608.01(m), each claim begins with a capital letter and ends with a period. Periods may not be used elsewhere in the claims except for abbreviations.
Claim 20 recites “A kiosk device shared among a plurality of users of an organization and containing federated identity credentials for each of the plurality of users, the kiosk device comprising: a computer processor; and a non-transitory computer-readable storage medium, the non-transitory computer-readable storage medium storing instructions that when executed by a computer processor perform actions comprising:” The second occurrence of “a computer processor” refers to an element that has already been introduced and should therefore use the definite article (“the computer processor”).
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hinton (US 20080021997 A1) in view of Cybrarian (NPL, https://www.cybrarian.com/, dated 2019) and Agarwal (US 20110225426 A1).

Regarding claim 1, Hinton teaches a computer-implemented method for providing federated identity services for a device shared among a plurality of users of an organization and containing federated identity credentials for each of the plurality of users, the method comprising: 
accessing, at the device by a user of the organization, a third-party application; ([0009] A request by the user to access a protected resource that is managed by the service provider is received by the service provider.)
receiving, at the device from the user, credentials of the user; ([0009] after which a federated single-sign-on operation for the user is performed between the service provider and the first identity provider.) Here Hinton discloses “The new identity provider may then prompt the user to provide authentication credentials” in ¶157.

Hinton teaches a federated computational environment, but does not explicitly teach that the device used is a kiosk device. This aspect of the claim is identified as a difference.
However, Cybrarian in an analogous art explicitly teaches
providing federated identity services for a kiosk device shared among a plurality of users of an organization and containing federated identity credentials for each of the plurality of users, ([https://www.cybrarian.com/] Public Patron Computers: Shared public computers are used by multiple patrons in public libraries, academic libraries, law libraries, workforce development centers, and government agencies. How To Secure Shared Public Computers: Authenticate patrons with your ILS database system.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “federated single-sign-on operation” concept of Hinton with the “public computer management” approach of Cybrarian. One of ordinary skill in the art would have been motivated to perform such a modification so that shared public computers used by multiple patrons in any organization are managed with session time limits, patron authentication, waiting lists, PC reservations, and PC remote control, securing the public computer while providing proper resource usage ([https://www.cybrarian.com]).

Hinton in view of Cybrarian teaches providing federated identity services for a kiosk device, but does not explicitly teach unlocking, using the kiosk credentials, federated identity credentials of the user stored on the kiosk device; and using the unlocked federated identity credentials to authenticate the user with an identity provider (IdP) system and to cause the IdP system to begin application sessions for the user on the kiosk device with the third-party application and with a plurality of other third-party applications. This aspect of the claim is identified as a difference.
However, Agarwal in an analogous art explicitly teaches
unlocking, using the kiosk credentials, federated identity credentials of the user stored on the kiosk device; and using the unlocked federated identity credentials to authenticate the user with an identity provider (IdP) system and to cause the IdP system to begin application sessions for the user on the kiosk device with the third-party application and with a plurality of other third-party applications. ([0007] the single sign-on (SSO) applications can join together and create a trust group that associates various devices in a federated logical trusted relationship with common control. Credentials between devices are shared to allow mutual unlock/lock of each other. For example, in the case of a personal computer, the SSO application on the phone will have the credentials for the personal computer and the phone can integrate the personal computer login service, such that the phone can direct the personal computer to unlock. This method is the case for cross network or dissimilar system configurations between devices. The SSO application is a trusted application for all devices on the system and can unlock any device without requiring additional authorization.) In addition, Hinton discloses a federated environment supporting federated single-sign-on operations by “a federated environment allows a user to authenticate at a first entity, [analogous to claim limitation “kiosk device with kiosk credentials”] which may act as an issuing party to issue an authentication assertion about the user for use at a second entity. [analogous to claim limitation “IdP system with federated identity credentials”] The user can then access protected resources at a second, distinct entity, termed the relying party, by presenting the authentication assertion that was issued by the first entity without having to explicitly re-authenticate at the second entity” (¶52) with detail example in ¶110. Therefore the combination discloses the entire limitation.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “federated single-sign-on operation” concept of Hinton with the “single sign on secure authentication” approach of Agarwal. One of ordinary skill in the art would have been motivated to perform such a modification so that devices on networks can unlock/lock and authenticate bilaterally, and so that a user can set policies or settings for how to lock, unlock, authenticate, and/or complete timeout coordination of the various devices (Agarwal [0007-0008]).

Regarding claim 2, Hinton in view of Cybrarian and Agarwal teaches all the features with respect to claim 1, as outlined above. The combination further teaches
detecting a session end trigger; and responsive to the detecting, causing revocation of the application sessions with the third-party application and with the plurality of other third-party applications. ([Agarwal 0030] Each device 108, 110, and/or 112 may, as part of its security system, execute systems that lock or unlock the device. For example, the device 108, 110, and/or 112 may use a screen saver or other program that has a password protection or other authentication requirement that will activate upon non-use of the device 108, 110, and/or 112 after a predetermined period of time (e.g. one minute, five minutes, etc.). Other devices 108, 110, and/or 112 may have similar lock or unlock systems that prevent access to the device 108, 110, and/or 112 during states of inactivity or during certain events either conducted by a user or that may occur automatically.)

Regarding claim 3, Hinton in view of Cybrarian and Agarwal teaches all the features with respect to claim 2, as outlined above. The combination further teaches
responsive to the detecting, locking the unlocked federated identity credentials. ([Agarwal 0057] After some time, an inactivity timeout occurs on the desktop computer and locks the desktop computer.)

Regarding claim 4, Hinton in view of Cybrarian and Agarwal teaches all the features with respect to claim 2, as outlined above. The combination further teaches
wherein detecting the session end trigger comprises identifying an elapse of a threshold period of inactivity. ([Agarwal 0057] After some time, an inactivity timeout occurs on the desktop computer and locks the desktop computer.)

Regarding claim 5, Hinton in view of Cybrarian and Agarwal teaches all the features with respect to claim 2, as outlined above. The combination further teaches
wherein detecting the session end trigger comprises identifying a user interface action of the user. ([Agarwal 0004] The trust federation or trust group allows for the capabilities of user identity determination, network and authentication/security discovery, device discovery, proximity determination, activity detection, user presence detection to allow Single Sign On, single device lock/unlock, coordinated inactivity time out (or other power saving time out provisions).) Here Agarwal discloses examples of “identified user interface action of the user” in ¶30 that “each device 108, 110, and/or 112 may, as part of its security system, execute systems that lock or unlock the device. For example, the device 108, 110, and/or 112 may use a screen saver or other program that has a password protection or other authentication requirement that will activate upon non-use of the device 108, 110, and/or 112 after a predetermined period of time (e.g. one minute, five minutes, etc.). Other devices 108, 110, and/or 112 may have similar lock or unlock systems that prevent access to the device 108, 110, and/or 112 during states of inactivity or during certain events either conducted by a user or that may occur automatically.”

Regarding claim 6, Hinton in view of Cybrarian and Agarwal teaches all the features with respect to claim 2, as outlined above. The combination further teaches
wherein detecting the session end trigger comprises: determining that the user is no longer within a period of time in which the user is scheduled to use the kiosk device. ([https://www.cybrarian.com/Solutions/PC_Reservations.htm & Patron_Session_Time_Limits.htm] Patron Computer Reservation: CYBRARIAN public computer reservation allows patrons to reserve a computers or meeting rooms during library hours at a kiosk computer station or from your website online. Schedule time slots for reservations. Session Time Limits: Set session limits for each patron logged on to your public computer workstations. Patron Time Limits: Automatically shutdown, lock down, or reboot public workstations based on hours of operation. Display a custom warning message prior to session end. Close running applications after each session.) In addition, Agarwal discloses a similar design: “if a desktop computer is left unattended for a period of time, the desktop computer may lock” (¶3).

Regarding claim 7, Hinton in view of Cybrarian and Agarwal teaches all the features with respect to claim 1, as outlined above. The combination further teaches
wherein the kiosk credentials comprise at least one of a personal identification number (PIN) or biometric data. ([Hinton 0043] An authentication credential is a set of challenge/response information that is used in various authentication protocols. For example, a username and password combination is the most familiar form of authentication credentials. Other forms of authentication credential may include various forms of challenge/response information, Public Key Infrastructure (PKI) certificates, smartcards, biometrics, etc.)

Regarding claim 8, Hinton in view of Cybrarian and Agarwal teaches all the features with respect to claim 1, as outlined above. The combination further teaches
wherein the federated identity credentials comprise a <public key, private key> keypair. ([Hinton 0042-0043] Authentication is the process of validating a set of credentials that are provided by a user or on behalf of a user. Authentication is accomplished by verifying something that a user knows, something that a user has, or something that the user is, i.e. some physical characteristic about the user. Something that a user knows may include a shared secret, such as a user's password, or by verifying something that is known only to a particular user, such as a user's cryptographic key. An authentication credential is a set of challenge/response information that is used in various authentication protocols. For example, a username and password combination is the most familiar form of authentication credentials. Other forms of authentication credential may include various forms of challenge/response information, Public Key Infrastructure (PKI) certificates, smartcards, biometrics, etc.)

Regarding claim 9, Hinton in view of Cybrarian and Agarwal teaches all the features with respect to claim 8, as outlined above. The combination further teaches
wherein using the unlocked federated identity credentials to authenticate the user with the IdP system comprising generating a signature using the private key. ([Hinton 0115] The types of tokens that are accepted, the signatures that are required on tokens, and other requirements are all pre-established as part of the federation's business agreements. [Agarwal 0046] The self-signed credential can be any type of authentication information that can be verified through different encryption methods, including, for example, pretty good privacy (PGP) or other public or private key encryption methods.)

Regarding claim 10, Hinton in view of Cybrarian and Agarwal teaches all the features with respect to claim 1, as outlined above. The combination further teaches
receiving, at the kiosk device from a second user of the organization, kiosk credentials of the second user; determining that a session of the user on the kiosk device has not yet ended; responsive to the determining, refraining from causing the IdP system to begin application sessions for the second user on the kiosk device. ([http://cybrarian.com/Solutions/Waiting_List.htm] Automate your shared public computer waiting lists for patrons and provide fair and equitable distribution of all your workstations. Patron Waiting List Queue: Patrons add their name or barcode to a queue that registers their request for the next available shared computer: Provides a grace period for patron login when their computer is assigned, Prevent other users from logging into an assigned computer while grace period is in effect.) In addition, Agarwal discloses a similar design: “Other devices 108, 110, and/or 112 may have similar lock or unlock systems that prevent access to the device 108, 110, and/or 112 during states of inactivity or during certain events either conducted by a user or that may occur automatically” (¶30).

Regarding claim 11, Hinton in view of Cybrarian and Agarwal teaches all the features with respect to claim 1, as outlined above. The combination further teaches
wherein authenticating the user with the IdP system comprising sending to the IdP system an indicator that the kiosk device is operating in kiosk mode. ([https://www.cybrarian.com/] Public Patron Computers: Shared public computers are used by multiple patrons in public libraries, academic libraries, law libraries, workforce development centers, and government agencies. How To Secure Shared Public Computers: Authenticate patrons with your ILS database system. [https://www.cybrarian.com/Solutions/Remote_Control.htm] The CYBRARIAN remote control monitors your public computer stations from multiple remote desktops. Remote Control also provides access to all workstations on the system and enables administrative actions to be performed. Any staff desktop can send a message to one or more users, remotely logon users, or even reboot a machine from a remote PC. Multiple features listed in page.) It is prima facie obvious to one of ordinary skill in the art that an indicator showing kiosk mode (a patron starting to use a shared computer) is sent when authenticating the patron, in order to achieve the remote control and monitoring features described above.

Regarding claims 12-20, the scope of the claims is similar to that of claims 1-8, respectively. Accordingly, the claims are rejected using a similar rationale.
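The kiosk flow that the rejection maps across claims 1-4 and 8-11 (a stored federated credential unlocked by the user's kiosk PIN, IdP-issued sessions across several third-party applications, revocation of all of them on a session-end trigger, and refusal of a second user while the first user's session has not ended), as an added illustration. This is not code from the application, from Hinton, Cybrarian or Agarwal, or from the Office. It assumes a standard-library-only Python model in which the federated credential is a 32-byte secret proved to the IdP by an HMAC over a challenge, standing in for the public/private keypair and signature of claims 8-9; the names IdP, Kiosk, wrap_credential, unlock_credential and run_scenario, the PIN values, the application names and the inactivity threshold are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumption: illustrative cost parameter


@dataclass(frozen=True)
class WrappedCredential:
    """One user's federated secret as stored on the shared kiosk, sealed under that user's PIN."""
    salt: bytes
    wrapped: bytes  # federated secret XOR a PIN-derived keystream
    tag: bytes      # HMAC over `wrapped`, so a wrong PIN is rejected instead of releasing garbage


def _derive(pin: str, salt: bytes) -> bytes:
    # 64 bytes: the first 32 wrap the credential, the last 32 authenticate the wrap.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=64)


def wrap_credential(pin: str, fed_secret: bytes) -> WrappedCredential:
    assert len(fed_secret) == 32
    salt = os.urandom(16)
    key = _derive(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(fed_secret, key[:32]))
    tag = hmac.new(key[32:], wrapped, "sha256").digest()
    return WrappedCredential(salt, wrapped, tag)


def unlock_credential(pin: str, wc: WrappedCredential) -> Optional[bytes]:
    key = _derive(pin, wc.salt)
    expected = hmac.new(key[32:], wc.wrapped, "sha256").digest()
    if not hmac.compare_digest(expected, wc.tag):
        return None  # wrong kiosk credential: nothing is unlocked
    return bytes(a ^ b for a, b in zip(wc.wrapped, key[:32]))


class IdP:
    """Hypothetical identity provider: checks the proof and issues one session token per app."""

    def __init__(self, apps):
        self.apps = list(apps)
        self.verifiers = {}       # user -> federated secret registered at enrollment (constructed)
        self.sessions = {}        # user -> {app: token}
        self.kiosk_mode_users = set()  # claim 11: the kiosk tells the IdP it runs in kiosk mode

    def register(self, user, fed_secret):
        self.verifiers[user] = fed_secret

    def challenge(self):
        return os.urandom(16)

    def begin_sessions(self, user, challenge, proof, kiosk_mode):
        expected = hmac.new(self.verifiers.get(user, b""), challenge, "sha256").digest()
        if not hmac.compare_digest(expected, proof):
            return None
        tokens = {app: secrets.token_hex(8) for app in self.apps}
        self.sessions[user] = tokens
        if kiosk_mode:
            self.kiosk_mode_users.add(user)
        return tokens

    def revoke(self, user):
        self.sessions.pop(user, None)
        self.kiosk_mode_users.discard(user)

    def is_active(self, user, app, token):
        return self.sessions.get(user, {}).get(app) == token


class Kiosk:
    """Shared kiosk holding one wrapped credential per enrolled user and at most one live session."""

    INACTIVITY_LIMIT_S = 300  # assumption: the inactivity threshold of claim 4

    def __init__(self, idp, clock=time.monotonic):
        self.idp, self.clock = idp, clock
        self.store = {}           # user -> WrappedCredential
        self.active_user, self.tokens, self.last_activity = None, {}, 0.0

    def enroll(self, user, pin, fed_secret):
        self.store[user] = wrap_credential(pin, fed_secret)

    def sign_in(self, user, pin):
        if self.active_user is not None and self.active_user != user:
            return None  # claim 10: another user's session has not ended
        wc = self.store.get(user)
        fed_secret = unlock_credential(pin, wc) if wc else None
        if fed_secret is None:
            return None
        challenge = self.idp.challenge()
        proof = hmac.new(fed_secret, challenge, "sha256").digest()
        tokens = self.idp.begin_sessions(user, challenge, proof, kiosk_mode=True)
        if tokens is None:
            return None
        # The unlocked secret is not retained; only the IdP-issued tokens stay on the kiosk.
        self.active_user, self.tokens, self.last_activity = user, tokens, self.clock()
        return tokens

    def touch(self):
        self.last_activity = self.clock()

    def check_inactivity(self):
        if self.active_user and self.clock() - self.last_activity >= self.INACTIVITY_LIMIT_S:
            self.end_session()
            return True
        return False

    def end_session(self):
        # Claims 2-3: every application session is revoked at the IdP and the kiosk relocks.
        if self.active_user is not None:
            self.idp.revoke(self.active_user)
        self.active_user, self.tokens = None, {}


def run_scenario():
    """Constructed walkthrough: wrong PIN, two users, inactivity timeout, second user afterwards."""
    now = [1000.0]
    idp = IdP(["mail", "docs", "tickets"])
    kiosk = Kiosk(idp, clock=lambda: now[0])
    alice_secret, bob_secret = os.urandom(32), os.urandom(32)
    idp.register("alice", alice_secret)
    idp.register("bob", bob_secret)
    kiosk.enroll("alice", "4821", alice_secret)
    kiosk.enroll("bob", "9137", bob_secret)
    out = {"wrong_pin": kiosk.sign_in("alice", "0000")}
    tokens = kiosk.sign_in("alice", "4821")
    out["alice_apps"] = sorted(tokens)
    out["bob_refused"] = kiosk.sign_in("bob", "9137")
    out["mail_active"] = idp.is_active("alice", "mail", tokens["mail"])
    now[0] += Kiosk.INACTIVITY_LIMIT_S
    out["timed_out"] = kiosk.check_inactivity()
    out["mail_after"] = idp.is_active("alice", "mail", tokens["mail"])
    out["bob_after"] = sorted(kiosk.sign_in("bob", "9137"))
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Two points of the model matter for a shared device: the wrap carries an authentication tag, so a mistyped PIN produces a refusal rather than a wrong key that is then presented to the IdP, and the session-end path revokes at the IdP rather than only clearing local state, so tokens cached by the applications on the kiosk stop working for the next patron.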

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20220210156 A1, "Digital signature injection for user authentication across multiple independent systems", by Shah, teaches enrolling user on client device, the enrollment comprising: generating a public key and a private key for the user; registering the public key with IdP system in association with the user and the client device; and using the private key to generate the signature corresponding to the user; wherein the IdP uses the registered public key to authenticate the user via the injected signature.
US 20220173890 A1, "Smart card and associated methods for initiating virtual sessions at kiosk device", by Momchilov, teaches a smart card including a memory configured to store a user connection lease and user interface (UI) cache for a user and a private/public key pair of the smart card, with the user connection lease being bound to the private/public key pair of the smart card. The smart card may further include a processor coupled to the memory and configured to establish a communications link with a kiosk device to be shared by a plurality of different users, initiate a virtual session for the user at the kiosk device based upon the user connection lease and the private key responsive to establishing the communications link, and cause the kiosk device to launch the virtual session based upon the user UI cache.
US 9548976 B2, "Facilitating single sign-on to software applications", by Belote, teaches that after an initial user sign-on with an identity provider, and in response to an intention of the user to use a third-party application executing on a client device of the user and requiring user sign-on, the identity provider provides a client script to the third-party application. The client script facilitates user and application authentication and invokes a trusted broker application that interacts with the identity provider to enable the user to use the third-party application. The use of the trusted broker application provided by the identity provider frees the authors of third-party applications from the need to modify their applications to explicitly sign in with the identify provider.
US 10396985 B1, "Federated identity management based on biometric data", by Nagelberg, teaches cryptographic key generation based on biometric data associated with a user. Biometric data, such as fingerprint(s) and/or heartbeat data, may be collected using one or more sensors in proximity to the user. The biometric data may be analyzed to generate a cryptographic key. In some implementations, the key may be employed by the user to access data, access certain (e.g., secure) feature(s) of an application, authenticate the user, digitally sign document(s), and/or for other purpose(s). In some implementations, the key may be re-generated for each access request or authentication instance, based on the user's fingerprint or other biometric data.
US 20090217367 A1, "Sso in volatile session or shared environment", by Norman, teaches utilizing a single-sign-on (SSO) framework on one or more physical or virtual computing devices. During use, it is determined whether SSO credentials are for use in a volatile session and/or for use amongst an application suite or a plurality of applications.
US 20080235361A1, "Management layer method and apparatus for dynamic assignment of users to computer resources", by Crosbie, teaches dynamically assigning computer users to remote computer resources according to predetermined rules and irrespective of remote viewer protocol utilized by the user.
"What Is Federated Identity?", by Okta, teaches that federated identity is a method of linking a user’s identity across multiple separate identity management systems. It allows users to quickly move between systems while maintaining security. Topics include building on SSO techniques, federated identity & authentication, how does federated authentication work, the government's role in identity federation, benefits of federated access, and misconceptions about federated access.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638. The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HAN YANG/Examiner, Art Unit 2493