Detailed Action
This is a Non-final Office action in response to communications received on 12/31/2021.  Claims 1-20 are pending and are examined. 

Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Drawings
The drawings, filed 12/31/2021 are accepted.

Provisional Priority
Provisional priority filing date of 3/14/2013 is acknowledged.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of pre-AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a) the invention was known or used by others in this country, or patented or described in a printed publication in this or a foreign country, before the invention thereof by the applicant for a patent.


(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States.


Claims 1-2, 9-12 and 19-20 are rejected under pre-AIA  35 U.S.C. 102(a) as being anticipated by Shahbazi (US 2013/0166918 A1).
 Regarding claim 1, Shahbazi teaches the limitations of claim 1 substantially as follows:
A computer-implemented method when executed by data processing hardware of a sign-on system causes the data processing hardware to perform operations comprising: (Shahbazi; Paras. [0031] & [0056]-[0058]: The system comprises a user computer and a plurality of servers/websites which contain storage media containing executable instructions)
receiving, from an add-on of a client device, a request to access a third party application; (Shahbazi; Paras. [0030]-[0031], [0034] & [0045]-[0046]: Providing, by a user device to a remote server, credentials for sing-on of the user for a website hosted on the server (i.e. request to access a third party application))
determining whether a user associated with the client device is signed in to the sign-on system; (Shahbazi; Para. [0012]: Identifying, by the login server, credentials for logging into the selected site based on the user being logged into the login server (i.e. a user associated with the client device is signed in to the sign-on system))
when the user associated with client user device is not signed in to the sign-on system, prompting the user to provide login credentials; and (Shahbazi; Para. [0035]: Providing to the browser a registration form where a username and password is input and encrypted (i.e. prompting the user to provide login credentials))
when the user associated with the client device is signed in to the sign-on system, sending a login request to the third party application, the login request comprising an access token associated with the login credentials of the user.  (Shahbazi; Para. [0012]: Identifying, by the login server, credentials for logging into the selected site based on the user being logged into the login server (i.e. the user associated with the client device is signed in to the sign-on system) and on the system having credentials for the user to sign into the selected site (i.e. login request comprising an access token associated with the login credentials of the user))

Regarding claim 11, Shahbazi teaches the limitations of claim 11 substantially as follows:
A system comprising: data processing hardware of a sign-on system; and memory hardware in communication with the data processing hardware, the memory hardware storing instructions that when executed on the data processing hardware cause the data processing hardware to perform operations comprising: (Shahbazi; Paras. [0031] & [0056]-[0058]: The system comprises a user computer and a plurality of servers/websites which contain storage media containing executable instructions)
receiving, from an add-on of a client device, a request to access a third party application; (Shahbazi; Paras. [0030]-[0031], [0034] & [0045]-[0046]: Providing, by a user device to a remote server, credentials for sing-on of the user for a website hosted on the server (i.e. request to access a third party application))
determining whether a user associated with the client device is signed in to the sign-on system; (Shahbazi; Para. [0012]: Identifying, by the login server, credentials for logging into the selected site based on the user being logged into the login server (i.e. a user associated with the client device is signed in to the sign-on system))
when the user associated with client user device is not signed in to the sign-on system, prompting the user to provide login credentials; and (Shahbazi; Para. [0035]: Providing to the browser a registration form where a username and password is input and encrypted (i.e. prompting the user to provide login credentials))
when the user associated with the client device is signed in to the sign-on system, sending a login request to the third party application, the login request comprising an access token associated with the login credentials of the user.  (Shahbazi; Para. [0012]: Identifying, by the login server, credentials for logging into the selected site based on the user being logged into the login server (i.e. the user associated with the client device is signed in to the sign-on system) and on the system having credentials for the user to sign into the selected site (i.e. login request comprising an access token associated with the login credentials of the user))

Regarding claims 2 and 12, Shahbazi teaches the computer-implemented method of claims 1, and the system of claim 11.
wherein the login credentials comprise a username and password.  (Shahbazi; Para. [0035]: Providing to the browser a registration form where a username and password is input and encrypted (i.e. login credentials comprise a username and password))

Regarding claims 9 and 19, Shahbazi teaches the computer-implemented method of claims 1, and the system of claim 11.
	wherein the operations further comprise selecting the third party application from among a plurality of third party applications.  (Shahbazi; Para. [0035]: Providing to the browser a registration form where a username and password is input and encrypted for signing into all registered applications/websites (i.e. from among the plurality of third party applications))

Regarding claim 10 and 20, Shahbazi teaches the computer-implemented method of claims 1, and the system of claim 11.
	wherein the operations further comprise determining whether the client device comprises the add-on.  (Shahbazi; Para. [0012]: Identifying, by the login server, credentials for logging into the selected site based on the user being logged into the login server (i.e. determining whether the client device comprises the add-on))

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 3-5 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Shahbazi (US 2013/0166918 A1), as applied to independent claims 1 and 11, further in view of Kovaleski (US 2009/0007248 A1).
 Regarding claims 3 and 13, Shahbazi teaches the computer-implemented method of claims 1, and the system of claim 11.
Shahbazi does not teach the limitations of claims 3 and 13 as follows:
wherein the operations further comprise determining whether the third party application allows the sign-on system to send the access token associated with the login credentials to the third party application.  
However, in the same field of endeavor, Kovaleski discloses the limitations of claims 3 and 13 as follows:
wherein the operations further comprise determining whether the third party application allows the sign-on system to send the access token associated with the login credentials to the third party application.  (Kovaleski; Paras. [0016] & [0018]-[0021]: Based on determining that the system cannot fill the credentials (i.e. whether the third party application allows the sign-on system to send the access token associated with the login credentials to the third party application) to a site when a software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials, to input information to access the resource which the single sign on service attempted to access)
Kovaleski is combinable with Shahbazi because both are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the system of Shahbazi to incorporate the determining that a single sign on server cannot perform a login to a service, and providing a prompt to the user for information to obtain access as in Kovaleski in order to expand the functionality of the system by providing a means for the system to respond in the case of not being able to perform single sign on functions for a desired website.

Regarding claims 4 and 14, Shahbazi and Kovaleski teach the computer-implemented method of claims 3, and the system of claim 13.
wherein when the third party application does not allow the sign-on system to send the access token associated with the login credentials to the third party application, sending a client login script comprising the access token for the third party application to the client device.  (Kovaleski; Paras. [0018]-[0021]: A prompt is received by the user (i.e. client login script), which displays, to the user, information to be provided to the resource (i.e. access token for the third party application to the client device) which, once provided, allows the user to be accepted by the particular resource)
The same motivation to combine as in claims 4 and 14 are applicable to the instant claims.

Regarding claims 5 and 15, Shahbazi and Kovaleski teach the computer-implemented method of claims 3, and the system of claim 13.
wherein, when the third party application does not allow the sign-on system to send the access token associated with the login credentials to the third party application, (Kovaleski; Paras. [0016] & [0018]-[0021]: Based on determining that the system cannot fill the credentials (i.e. whether the third party application allows the sign-on system to send the access token associated with the login credentials to the third party application) to a site when a software monitor of the single sign on service detects that a user has browsed to a website which matches stored credentials, to input information to access the resource which the single sign on service attempted to access)
sending session information of an authenticated session between a virtual web browser instantiated by the sign-on system and the third party application for the client device.  (Shahbazi; Paras. [0012]-[0013]: The browser of the single sign on server (i.e. virtual web browser) provides credentials for login to the website to be accessed, the login credentials pertaining to the user to be able to access the website (i.e. sending session information))
The same motivation to combine as in claims 5 and 15 are applicable to the instant claims.

Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Shahbazi (US 2013/0166918 A1), as applied to independent claims 1 and 11, further in view of Kovaleski (US 2009/0007248 A1), further in view of Purpura (US 6421768 B1).
 Regarding claims 6 and 16, Shahbazi, Kovaleski and Purpura teach the computer-implemented method of claim 5 and the system of claim 15.
Shahbazi, Kovaleski and Purpura do not teach the limitations of claim claims 5 and 15 as follows:
wherein the session information comprises a web browser cookie.  
However, in the same field of endeavor, Purpura discloses the limitations of claim claims 5, 12 and 19 as follows:
wherein the session information comprises a web browser cookie.  (Purpura; Col. 3, Lines 37-59, Col. 4 Lines 43-63: Session preferences (i.e. session information) for a user is stored in a cryptographically assured cookie to be used in a web browser (i.e. web browser cookie))
Purpura is combinable with Shahbazi and Kovaleski because all are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the system of Shahbazi and Kovaleski to incorporate the use of web browser cookies for session information as in Purpura in order to improve the security of the system by providing a cryptographically secure method of communicating session information. (Purpura; Col. 3, Lines 37-59, Col. 4 Lines 43-63)

Claims 7-8 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Shahbazi (US 2013/0166918 A1), as applied to independent claims 1 and 11, further in view of Kovaleski (US 2009/0007248 A1), further in view of Warren (US 2013/0304797 A1).
 Regarding claims 7 and 17, Shahbazi and Kovaleski teach the computer-implemented method of claims 1, and the system of claim 11.
Shahbazi and Kovaleski do not teach the limitations of claims 7 and 17 as follows:
wherein the operations further comprise determining whether the third party application requires an application programming interface (API).  
However, in the same field of endeavor, Warren discloses the limitations of claims 7 and 17 as follows:
wherein the operations further comprise determining whether the third party application requires an application programming interface (API).  (Warren; Para. [0039]: mapping configuration includes the application programming interface (API) commands used by the applications)
Warren is combinable with Shahbazi and Kovaleski because all are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the system of Shahbazi and Kovaleski to incorporate the determining that a third party service uses an API as in Warren in order to expand the functionality of the system by providing a means for the system to a software service which uses a specific API.

Regarding claims 8 and 18, Shahbazi and Kovaleski teach the computer-implemented method of claims 1, and the system of claim 11.
Shahbazi and Kovaleski do not teach the limitations of claims 8 and 18 as follows:
wherein the third party application comprises a software as a service (SaaS) application.  
However, in the same field of endeavor, Warren discloses the limitations of claims 8 and 18 as follows:
wherein the third party application comprises a software as a service (SaaS) application.  (Warren; Para. [0025]: The centralized portal is a software service made available from a server computing device)
Warren is combinable with Shahbazi and Kovaleski because all are from the same field of endeavor of user authentication for single sign on services. Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to have modified the system of Shahbazi and Kovaleski to incorporate the determining that a third party service uses an API as in Warren in order to expand the functionality of the system by providing a means for the system to a software service which uses a specific API.

Prior Art Considered But Not Relied Upon
	Ferchichi (US 2003/0012382 A1) which teaches that a single sign-on process between a mobile phone and a remote server.
	Gargaro (US 2014/0304793 A1) which teaches a system which executes a routine which loads an asynchronous engine configured to execute a login process with an authentication profiling service to retrieve login information for a back-end server.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BLAKE ISAAC NARRAMORE whose telephone number is (303)297-4357.  The examiner can normally be reached on Monday - Friday 0700-1700 MT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on (571) 272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/B.I.N./Examiner, Art Unit 2438 

/TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438