Prosecution Insights
Last updated: April 19, 2026
Application No. 17/646,910

DISTRIBUTED WORKSPACE SUPPORT OF SINGLE SIGN-ON FOR WEB APPLICATIONS

Non-Final OA §103
Filed: Jan 04, 2022
Examiner: NAJI, YOUNES
Art Unit: 2445
Tech Center: 2400 — Computer Networks
Assignee: Citrix Systems Inc.
OA Round: 3 (Non-Final)
Grant Probability: 75% (Favorable)
OA Rounds: 3-4
To Grant: 3y 1m
With Interview: 99%

Examiner Intelligence

Grants 75% — above average
Career Allow Rate: 75% (327 granted / 437 resolved; +16.8% vs TC avg)
Strong +73% interview lift
Interview Lift: +72.8% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 1m (51 currently pending)
Career history
Total Applications: 488 (across all art units)

Statute-Specific Performance

§101: 8.4% (-31.6% vs TC avg)
§103: 49.9% (+9.9% vs TC avg)
§102: 14.9% (-25.1% vs TC avg)
§112: 17.9% (-22.1% vs TC avg)
Based on career data from 437 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/13/2025 has been entered.

Claims 1-20 have been examined.

Response to Arguments

Applicant’s arguments with respect to claim 1, 8, 15 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Objections

Claims 1, 2, 4, 9, 11, 16, 18 are objected to because of the following informalities: With regards to claims 1, 2, 4, 9, 11, 16, 18, the claims recite “the application”; examiner suggests amending the claim to recite “the additional application” for consistency. Appropriate correction is required.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-5, 7-12, 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over Sanin et al. Patent No. US 8,832,787 B1 (Sanin hereinafter) in view of Fleck et al. Publication No. US 20200145383 A1 (Fleck hereinafter).

Regarding claim 1, Sanin teaches a method comprising:

receiving, by a processing device, authentication information based upon authentication of security credentials of a user [..]; launching, by the processing device, a distributed [..] session based upon the authentication information (Col. 1, lines 54-60 - The client then submits the credentials to the server, and the server validates the credentials (e.g., by verifying that the submitted credentials match previously-established credentials known to the server) - A successful authentication establishes an application session for the user);

receiving, by the processing device, an input requesting access to an additional application launched outside of the distributed [..] session, wherein the additional application has been previously authenticated via the distributed [..] session (Col. 4, lines 55-60 - Launching a CLC-enabled client may include clicking on a link corresponding to a web site 140 or 145 (i.e., a browser client) while using the browser 115 – Claim 8 - wherein the request to establish the authenticated session with the application server system is a request from a browser program of the access device and the token generating system generated the token by leveraging a persistent authenticated session established by a non-browser program of the access device. - Abstract - Leveraging an established authenticated session in obtaining authentication to a client application includes receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination – See Also Claim 1);

determining, by the processing device and based on the additional application being previously authenticated via the distributed [..] session, the application authorizes use of an alternative authentication process different from an authentication process associated with the additional application, blocking, by the processing device and based on determining the application authorizes use of an alternative authentication process, the authentication process associated with the application (Abstract - determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination – Col. 3, lines 60-70 - leveraging authenticated access to a first CLC-enabled client to enable subsequent authenticated access to other CLC-enabled clients without requiring the user to provide credentials to obtain the subsequent access - Claim 1 - the token generating system generating the token by leveraging a persistent authenticated session established between the access device and another application server system – Col. 2, lines 10-15 - Such an interface may be rendered unnecessary if user authentication can be automatically established by leveraging concurrent authentication with another secured system).

executing, by the processing device, the alternative authentication process for the additional application, providing, by the processing device, access to the additional application based upon successful completion of the alternative authentication process (Claim 1 - the token generating system generating the token by leveraging a persistent authenticated session established between the access device and another application server system, and the token generating system being different from the access device and the application server system; Col. 2, lines 5-10 - leveraged authentication may be used to obtain access without manual entry of authentication criteria – Col. 7, lines 20-50 - The CLC 165 submits the application identification and the CLC master authentication token to the CAW 170 and requests an application token from the CAW 170 (525). The CAW 170 verifies the CLC master authentication token and the application identification (530). If the CLC master authentication token and the application identification are valid, the CAW 170 generates an encrypted application token (535) and passes the application token to the CLC 165 (540) [..] The associated server 135 decrypts the application token to extract user authentication data (555), and uses this data to establish an authenticated session for the user (560). Thus, the session is established without requiring the user to enter credentials to establish the session. Claim 1 - in response to the application validating the application token, establishing, by the application server system, an authenticated session with the access device. Col. 6, lines 15-20 - The server 130 then establishes an authenticated session to permit the user to access the client 120).

Sanin does not explicitly teach that the distributed session is a distributed workspace session. receiving, by a processing device, authentication information based upon authentication of security credentials of a user of distributed workspace;

However, Fleck teaches the distributed session is a distributed workspace session (¶0003 - client application (sometimes referred to as a workspace application or receiver) is configured to establish and/or maintain a secure or encrypted cache. The secure cache can operate as a secure vault of cached content (e.g., content cached on behalf of one more network applications such as SaaS applications) – ¶0039 – The browser is sometimes referred to as an embedded browser, and the client application with embedded browser (CEB) is sometimes referred to as a workspace application - See ¶0041, ¶0043).

receiving, by a processing device, authentication information based upon authentication of security credentials of a user of distributed workspace (¶0042 - This present systems and methods can ensure that traffic associated with a network application is channeled through a CEB. By way of illustration, when a user accesses a SaaS web service with security assertion markup language (SAML) enabled for instance, the corresponding access request can be forwarded to a designated gateway service that determines, checks or verifies if the CEB was used to make the access request. Responsive to determining that a CEB was used to make the access request, the gateway service can perform or provide authentication and single sign-on (SSO), and can allow the CEB to connect directly to the SaaS web service. Encryption (e.g., standard encryption) can be used for the application session between the CEB and the SaaS web service; ¶0043 - The CEB (sometimes referred to as workspace application or receiver) can interoperate with one or more gateway services, intermediaries and/or network servers (sometimes collectively referred to as cloud services or Citrix Cloud) to provide access to a network application - See ¶0091);

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to utilize the workspace session in order for administrators to secure, lock, or wipe user access to data if a security compromise occurs.

Regarding claim 2, Sanin further teaches wherein the input requesting access to the additional application launched outside of the distributed [..] session comprises a request to launch the application in a system browser distinct from the distributed [..] session (Col. 4, lines 55-60 - Launching a CLC-enabled client may include clicking on a link corresponding to a web site 140 or 145 (i.e., a browser client) while using the browser 115 – Claim 8 - wherein the request to establish the authenticated session with the application server system is a request from a browser program of the access device and the token generating system generated the token by leveraging a persistent authenticated session established by a non-browser program of the access device).

Sanin does not explicitly teach that the distributed session is a distributed workspace session.

Fleck teaches a distributed workspace session (¶0003 - client application (sometimes referred to as a workspace application or receiver) is configured to establish and/or maintain a secure or encrypted cache. The secure cache can operate as a secure vault of cached content (e.g., content cached on behalf of one more network applications such as SaaS applications) ¶ 0133 – ¶ 0136 - The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination. The URL redirect message can be similar to a URL redirect message sent from the server to the standard browser in FIG. 5 in operation (3). A secure browser plug-in of the standard browser can receive the URL redirect message, and can for example send a request to access the non-sanctioned network application, to the secure browser 420. The secure browser 420 can direct the request to the server of the non-sanctioned network application).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to utilize the workspace session in order for administrators to secure, lock, or wipe user access to data if a security compromise occurs.
Regarding claim 3, Sanin further teaches wherein blocking an authentication process associated with the additional application comprises: determining, by the processing device, whether the communication information comprises information related to launching the additional application; and blocking, by the processing device, the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (Abstract - receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination - Col. 2, lines 10-15 - Such an interface may be rendered unnecessary if user authentication can be automatically established by leveraging concurrent authentication with another secured system).

However, Sanin does not explicitly teach monitoring, by the processing device, communication information exchanged between the system browser and a remote computing device;

Fleck teaches blocking an authentication process associated with the additional application comprises: monitoring, by the processing device, communication information exchanged between the system browser and a remote computing device; determining, by the processing device, whether the communication information comprises information related to launching the additional application; and blocking, by the processing device, the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (¶ 0132 - The gateway service can detect or otherwise determine if the requested network application is a sanctioned network application. The gateway service can determine if a CEB initiated the request. The gateway service can detect or otherwise determine that the request is initiated from a source (e.g., initiated by the standard browser) in the client device other than; In operation (2), the gateway service detects that the requested network application is a non-sanctioned network application. The gateway service can for instance extract information from the request (e.g., destination address, name of the requested network application), and compare the information against that from a database of sanctioned and/or non-sanctioned network applications. The gateway service can determine, based on the comparison, that the requested network application is a non-sanctioned network application – ¶ 0133 - In operation (3), responsive to the determination, the gateway service can block access to the requested network application, e.g., by blocking the request. The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to determine whether the application is a sanctioned network application or a non-sanctioned network application (Fleck - ¶ 0132 – ¶ 0133).

Regarding claim 4, Sanin further teaches wherein the input requesting access to the additional application comprises a request to launch the application in a [..] browser distinct from the distributed [..] session and operated in accordance with a [..] browsing service (Claim 8 - wherein the request to establish the authenticated session with the application server system is a request from a browser program of the access device and the token generating system generated the token by leveraging a persistent authenticated session established by a non-browser program of the access device).

However, Sanin does not explicitly teach a request to launch the application in a secure browser distinct from the distributed workspace session and operated in accordance with a secure browsing service.

Fleck teaches a request to launch the application in a secure browser distinct from the distributed workspace session and operated in accordance with a secure browsing service (¶ 0133 – ¶ 0136 - The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination. The URL redirect message can be similar to a URL redirect message sent from the server to the standard browser in FIG. 5 in operation (3). A secure browser plug-in of the standard browser can receive the URL redirect message, and can for example send a request to access the non-sanctioned network application, to the secure browser 420. The secure browser 420 can direct the request to the server of the non-sanctioned network application).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to utilize the workspace session in order for administrators to secure, lock, or wipe user access to data if a security compromise occurs.
Regarding claim 5, Sanin further teaches wherein blocking an authentication process associated with the additional application comprises: determining, by the processing device, if the communication information comprises information related to launching the additional application; and blocking, by the processing device, the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (Abstract - receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination - Col. 2, lines 10-15 - Such an interface may be rendered unnecessary if user authentication can be automatically established by leveraging concurrent authentication with another secured system).

However, Sanin does not explicitly teach monitoring, by the processing device, communication information exchanged between the secure browser and a remote computing device;

Fleck teaches monitoring, by the processing device, communication information exchanged between the secure browser and a remote computing device; determining, by the processing device, if the communication information comprises information related to launching the additional application; and blocking, by the processing device, the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (¶ 0132 - The gateway service can detect or otherwise determine if the requested network application is a sanctioned network application. The gateway service can determine if a CEB initiated the request. The gateway service can detect or otherwise determine that the request is initiated from a source (e.g., initiated by the standard browser) in the client device other than; In operation (2), the gateway service detects that the requested network application is a non-sanctioned network application. The gateway service can for instance extract information from the request (e.g., destination address, name of the requested network application), and compare the information against that from a database of sanctioned and/or non-sanctioned network applications. The gateway service can determine, based on the comparison, that the requested network application is a non-sanctioned network application – ¶ 0133 - In operation (3), responsive to the determination, the gateway service can block access to the requested network application, e.g., by blocking the request. The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to determine whether the application is a sanctioned network application or a non-sanctioned network application (Fleck - ¶ 0132 – ¶ 0133).

Regarding claim 7, Sanin further teaches perform the previously blocked authentication process associated with an additional application based upon an unsuccessful completion of the alternative authentication process (Col. 6, lines 3545 - the CLC 165 is launched and responds that no session is available (or the CLC does not respond or the operating system 110 responds that the CLC is not running) – the browser 115 requests a login form from the CAW 170 (432), the CAW provides a login form (434), and the browser renders the login form (440). Col. 8, lines 50-55 - If any of the checks fail, the CAW 170 responds with an error message and a login form with which the user can manually enter login credentials).

Regarding claim 8, Fleck teaches a computing device comprising: a computer readable memory; at least one processor operably coupled to the memory and configured to:

receive authentication information based upon authentication of security credentials of a user [..]; launch a distributed [..] session based upon the authentication information (Col. 1, lines 54-60 - The client then submits the credentials to the server, and the server validates the credentials (e.g., by verifying that the submitted credentials match previously-established credentials known to the server) - A successful authentication establishes an application session for the user);

receive an input requesting access to an additional application launched outside of the distributed [..] session, wherein the additional application has been previously authenticated via the distributed [..] session (Col. 4, lines 55-60 - Launching a CLC-enabled client may include clicking on a link corresponding to a web site 140 or 145 (i.e., a browser client) while using the browser 115 – Claim 8 - wherein the request to establish the authenticated session with the application server system is a request from a browser program of the access device and the token generating system generated the token by leveraging a persistent authenticated session established by a non-browser program of the access device. - Abstract - Leveraging an established authenticated session in obtaining authentication to a client application includes receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination – See Also Claim 1).

determine and based on the additional application being previously authenticated via the distributed [..] session, the application authorizes use of an alternative authentication process different from an authentication process associated with the additional application, blocking, by the processing device and based on determining the application authorizes use of an alternative authentication process, the authentication process associated with the application (Abstract - determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination – Col. 3, lines 60-70 - leveraging authenticated access to a first CLC-enabled client to enable subsequent authenticated access to other CLC-enabled clients without requiring the user to provide credentials to obtain the subsequent access - Claim 1 - the token generating system generating the token by leveraging a persistent authenticated session established between the access device and another application server system – Col. 2, lines 10-15 - Such an interface may be rendered unnecessary if user authentication can be automatically established by leveraging concurrent authentication with another secured system).

execute the alternative authentication process for the additional application, provide access to the additional application based upon successful completion of the alternative authentication process (Claim 1 - the token generating system generating the token by leveraging a persistent authenticated session established between the access device and another application server system, and the token generating system being different from the access device and the application server system; Col. 2, lines 5-10 - leveraged authentication may be used to obtain access without manual entry of authentication criteria – Col. 7, lines 20-50 - The CLC 165 submits the application identification and the CLC master authentication token to the CAW 170 and requests an application token from the CAW 170 (525). The CAW 170 verifies the CLC master authentication token and the application identification (530). If the CLC master authentication token and the application identification are valid, the CAW 170 generates an encrypted application token (535) and passes the application token to the CLC 165 (540) [..] The associated server 135 decrypts the application token to extract user authentication data (555), and uses this data to establish an authenticated session for the user (560). Thus, the session is established without requiring the user to enter credentials to establish the session. Claim 1 - in response to the application validating the application token, establishing, by the application server system, an authenticated session with the access device. Col. 6, lines 15-20 - The server 130 then establishes an authenticated session to permit the user to access the client 120).

Sanin does not explicitly teach that the distributed session is a distributed workspace session. receiving authentication information based upon authentication of security credentials of a user of distributed workspace;

However, Fleck teaches the distributed session is a distributed workspace session (¶0003 - client application (sometimes referred to as a workspace application or receiver) is configured to establish and/or maintain a secure or encrypted cache. The secure cache can operate as a secure vault of cached content (e.g., content cached on behalf of one more network applications such as SaaS applications) – ¶0039 – The browser is sometimes referred to as an embedded browser, and the client application with embedded browser (CEB) is sometimes referred to as a workspace application - See ¶0041, ¶0043);

receiving authentication information based upon authentication of security credentials of a user of distributed workspace (¶0042 - This present systems and methods can ensure that traffic associated with a network application is channeled through a CEB. By way of illustration, when a user accesses a SaaS web service with security assertion markup language (SAML) enabled for instance, the corresponding access request can be forwarded to a designated gateway service that determines, checks or verifies if the CEB was used to make the access request. Responsive to determining that a CEB was used to make the access request, the gateway service can perform or provide authentication and single sign-on (SSO), and can allow the CEB to connect directly to the SaaS web service. Encryption (e.g., standard encryption) can be used for the application session between the CEB and the SaaS web service; ¶0043 - The CEB (sometimes referred to as workspace application or receiver) can interoperate with one or more gateway services, intermediaries and/or network servers (sometimes collectively referred to as cloud services or Citrix Cloud) to provide access to a network application - See ¶0091).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to utilize the workspace session in order for administrators to secure, lock, or wipe user access to data if a security compromise occurs. Regarding claim 9, Sanin further teaches wherein the input requesting access to the additional application launched outside of the distributed [..] session comprises a request to launch the application in a system browser distinct from the distributed [..] session (Col. 4, lines 55-60 - Launching a CLC-enabled client may include clicking on a link corresponding to a web site 140 or 145 (i.e., a browser client) while using the browser 115 – Claim 8 - wherein the request to establish the authenticated session with the application server system is a request from a browser program of the access device and the token generating system generated the token by leveraging a persistent authenticated session established by a non-browser program of the access device) Sanin does not explicitly teach that the distributed session is a distributed workspace session. Fleck teaches a distributed workspace session (¶0003 - client application (sometimes referred to as a workspace application or receiver) is configured to establish and/or maintain a secure or encrypted cache. The secure cache can operate as a secure vault of cached content (e.g., content cached on behalf of one more network applications such as SaaS applications) ¶ 0133 –¶ 0136 - The gateway service can generate and / or send a URL redirect message to the standard browser , responsive to the determination . The URL redirect message can be similar to a URL redirect message sent from the server to the standard browser in FIG . 5 in operation ( 3 ) . 
A secure browser plug – in of the standard browser can receive the URL redirect message , and can for example send a request to access the non - sanctioned network application , to the secure browser 420. The secure browser 420 can direct the request to the server of the non - sanctioned network application). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to utilize the workspace session in order for administrators to secure, lock, or wipe user access to data if a security compromise occurs. Regarding claim 10, Sanin further teaches wherein the at least one processor being configured to block an authentication process associated with the additional application comprises the at least one processor being configured to: determining whether the communication information comprises information related to launching the additional application; and block the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application. (Abstract -receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination - Col.2, lines 10-15 Such an interface may be rendered unnecessary if user authentication can be automatically established by leveraging concurrent authentication with another secured system). 

However, Sanin does not explicitly teach monitor communication information exchanged between the system browser and a remote computing device.

Fleck teaches blocking an authentication process associated with the additional application comprises: monitor communication information exchanged between the system browser and a remote computing device; determining whether the communication information comprises information related to launching the additional application; and block the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (¶ 0132 - The gateway service can detect or otherwise determine if the requested network application is a sanctioned network application. The gateway service can determine if a CEB initiated the request. The gateway service can detect or otherwise determine that the request is initiated from a source (e.g., initiated by the standard browser) in the client device other than; In operation (2), the gateway service detects that the requested network application is a non-sanctioned network application. The gateway service can for instance extract information from the request (e.g., destination address, name of the requested network application), and compare the information against that from a database of sanctioned and/or non-sanctioned network applications. The gateway service can determine, based on the comparison, that the requested network application is a non-sanctioned network application – ¶ 0133 - In operation (3), responsive to the determination, the gateway service can block access to the requested network application, e.g., by blocking the request. The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to determine whether the application is a sanctioned network application or a non-sanctioned network application (Fleck - ¶ 0132 – ¶ 0133).

Regarding claim 11, Sanin further teaches wherein the input requesting access to the additional application comprises a request to launch the application in a [..] browser distinct from the distributed [..] session and operated in accordance with a [..] browsing service (Claim 8 - wherein the request to establish the authenticated session with the application server system is a request from a browser program of the access device and the token generating system generated the token by leveraging a persistent authenticated session established by a non-browser program of the access device).

However, Sanin does not explicitly teach a request to launch the application in a secure browser distinct from the distributed workspace session and operated in accordance with a secure browsing service.

Fleck teaches a request to launch the application in a secure browser distinct from the distributed workspace session and operated in accordance with a secure browsing service (¶ 0133 – ¶ 0136 - The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination. The URL redirect message can be similar to a URL redirect message sent from the server to the standard browser in FIG. 5 in operation (3). A secure browser plug-in of the standard browser can receive the URL redirect message, and can for example send a request to access the non-sanctioned network application, to the secure browser 420. The secure browser 420 can direct the request to the server of the non-sanctioned network application).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to utilize the workspace session in order for administrators to secure, lock, or wipe user access to data if a security compromise occurs.

Regarding claim 12, Sanin further teaches wherein the at least one processor being configured to block an authentication process associated with the additional application comprises the at least one processor being configured to determine if the communication information comprises information related to launching the additional application; and block the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (Abstract - receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination - Col. 2, lines 10-15 - Such an interface may be rendered unnecessary if user authentication can be automatically established by leveraging concurrent authentication with another secured system).

However, Sanin does not explicitly teach Monitor communication information exchanged between the secure browser and a remote computing device.

Fleck teaches Monitor communication information exchanged between the secure browser and a remote computing device; determining, by the processing device, if the communication information comprises information related to launching the additional application; and block the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (¶ 0132 - The gateway service can detect or otherwise determine if the requested network application is a sanctioned network application. The gateway service can determine if a CEB initiated the request. The gateway service can detect or otherwise determine that the request is initiated from a source (e.g., initiated by the standard browser) in the client device other than; In operation (2), the gateway service detects that the requested network application is a non-sanctioned network application. The gateway service can for instance extract information from the request (e.g., destination address, name of the requested network application), and compare the information against that from a database of sanctioned and/or non-sanctioned network applications. The gateway service can determine, based on the comparison, that the requested network application is a non-sanctioned network application – ¶ 0133 - In operation (3), responsive to the determination, the gateway service can block access to the requested network application, e.g., by blocking the request. The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to determine whether the application is a sanctioned network application or a non-sanctioned network application (Fleck - ¶ 0132 – ¶ 0133).

Regarding claim 14, Sanin further teaches perform the previously blocked authentication process associated with an additional application based upon an unsuccessful completion of the alternative authentication process (Col. 6, lines 35-45 - the CLC 165 is launched and responds that no session is available (or the CLC does not respond or the operating system 110 responds that the CLC is not running) – the browser 115 requests a login form from the CAW 170 (432), the CAW provides a login form (434), and the browser renders the login form (440). Col. 8, lines 50-55 - If any of the checks fail, the CAW 170 responds with an error message and a login form with which the user can manually enter login credentials).

Regarding claim 15, Sanin teaches a system comprising: a computer readable memory; a network interface operably coupled to a remote computing device; and at least one processor operably coupled to the memory and the network interface and configured to receive authentication information based upon authentication of security credentials of a user [..]; launch a distributed [..] session based upon the authentication information (Col. 1, lines 54-60 - The client then submits the credentials to the server, and the server validates the credentials (e.g., by verifying that the submitted credentials match previously-established credentials known to the server) - A successful authentication establishes an application session for the user); receive an input requesting access to an additional application launched outside of the distributed [..]
session, wherein the additional application has been previously authenticated via the distributed [..] session (Col. 4, lines 55-60 - Launching a CLC-enabled client may include clicking on a link corresponding to a web site 140 or 145 (i.e., a browser client) while using the browser 115 – Claim 8 - wherein the request to establish the authenticated session with the application server system is a request from a browser program of the access device and the token generating system generated the token by leveraging a persistent authenticated session established by a non-browser program of the access device. - Abstract - Leveraging an established authenticated session in obtaining authentication to a client application includes receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination – See Also Claim 1).

determine, based on the additional application being previously authenticated via the distributed [..] session, the application authorizes use of an alternative authentication process different from an authentication process associated with the additional application, block, based on determining the application authorizes use of an alternative authentication process, the authentication process associated with the application (Abstract - determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination – Col.
3, lines 60-70 - leveraging authenticated access to a first CLC-enabled client to enable subsequent authenticated access to other CLC-enabled clients without requiring the user to provide credentials to obtain the subsequent access - Claim 1 - the token generating system generating the token by leveraging a persistent authenticated session established between the access device and another application server system – Col.2, lines 10-15 Such an interface may be rendered unnecessary if user authentication can be automatically established by leveraging concurrent authentication with another secured system). execute the alternative authentication process for the additional application, wherein to execute the alternate authentication process comprises the at least one processor being configured to: transmit an authentication request including the authentication information for the user to the remote computing device via the network interface, receive an authentication response from the remote computing device via the network interface, the authentication response comprising an indication of a successful completion of the alternative authentication process or an unsuccessful completion of the alternative authentication process and provide access to the additional application based upon a successful completion of the alternative authentication process (Claim 1 - the token generating system generating the token by leveraging a persistent authenticated session established between the access device and another application server system, and the token generating system being different from the access device and the application server system; Col.2, lines 5-10 - leveraged authentication may be used to obtain access without manual entry of authentication criteria – Col.7,lines 20-50 - The CLC 165 submits the application identification and the CLC master authentication token to the CAW 170 and requests an application token from the CAW 170 (525). 
The CAW 170 verifies the CLC master authentication token and the application identification (530). If the CLC master authentication token and the application identification are valid, the CAW 170 generates an encrypted application token (535) and passes the application token to the CLC 165 (540) [..] The associated server 135 decrypts the application token to extract user authentication data (555), and uses this data to establish an authenticated session for the user (560). Thus, the session is established without requiring the user to enter credentials to establish the session. Col. 8, lines 50-55 - If any of the checks fail, the CAW 170 responds with an error message and a login form with which the user can manually enter login credentials - Claim 1 - in response to the application validating the application token, establishing, by the application server system, an authenticated session with the access device. Col. 6, lines 15-20 - The server 130 then establishes an authenticated session to permit the user to access the client 120).

However, Sanin does not explicitly teach that the distributed session is a distributed workspace session. receive authentication information based upon authentication of security credentials of a user of a distributed workspace

Fleck teaches the distributed session is a distributed workspace session (¶0003 - client application (sometimes referred to as a workspace application or receiver) is configured to establish and/or maintain a secure or encrypted cache. The secure cache can operate as a secure vault of cached content (e.g., content cached on behalf of one more network applications such as SaaS applications) – ¶0039 – The browser is sometimes referred to as an embedded browser, and the client application with embedded browser (CEB) is sometimes referred to as a workspace application - See ¶0041, ¶0043).
receiving authentication information based upon authentication of security credentials of a user of distributed workspace (¶0042 - This present systems and methods can ensure that traffic associated with a network application is channeled through a CEB. By way of illustration, when a user accesses a SaaS web service with security assertion markup language (SAML) enabled for instance, the corresponding access request can be forwarded to a designated gateway service that determines, checks or verifies if the CEB was used to make the access request. Responsive to determining that a CEB was used to make the access request, the gateway service can perform or provide authentication and single sign-on (SSO), and can allow the CEB to connect directly to the SaaS web service. Encryption (e.g., standard encryption) can be used for the application session between the CEB and the SaaS web service; ¶0043 - The CEB (sometimes referred to as workspace application or receiver) can interoperate with one or more gateway services, intermediaries and/or network servers (sometimes collectively referred to as cloud services or Citrix Cloud) to provide access to a network application - See ¶0091).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to utilize the workspace session in order for administrators to secure, lock, or wipe user access to data if a security compromise occurs.

Regarding claim 16, Sanin further teaches wherein the input requesting access to the additional application launched outside of the distributed [..] session comprises a request to launch the application in a system browser distinct from the distributed [..] session (Col.
4, lines 55-60 - Launching a CLC-enabled client may include clicking on a link corresponding to a web site 140 or 145 (i.e., a browser client) while using the browser 115 – Claim 8 - wherein the request to establish the authenticated session with the application server system is a request from a browser program of the access device and the token generating system generated the token by leveraging a persistent authenticated session established by a non-browser program of the access device).

Sanin does not explicitly teach that the distributed session is a distributed workspace session.

Fleck teaches a distributed workspace session (¶0003 - client application (sometimes referred to as a workspace application or receiver) is configured to establish and/or maintain a secure or encrypted cache. The secure cache can operate as a secure vault of cached content (e.g., content cached on behalf of one more network applications such as SaaS applications) ¶ 0133 – ¶ 0136 - The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination. The URL redirect message can be similar to a URL redirect message sent from the server to the standard browser in FIG. 5 in operation (3). A secure browser plug-in of the standard browser can receive the URL redirect message, and can for example send a request to access the non-sanctioned network application, to the secure browser 420. The secure browser 420 can direct the request to the server of the non-sanctioned network application).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to utilize the workspace session in order for administrators to secure, lock, or wipe user access to data if a security compromise occurs.
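
The Sanin token exchange quoted in the claim 15 rejection above (CLC master authentication token, CAW-issued application token, login form when any check fails) can be sketched as follows. This is an added example, not part of the Office Action or of either cited reference; the keys, lifetimes, application ids and function names are constructed, and an HMAC-SHA256 tag stands in for the encryption Sanin describes, so the token here is integrity-protected but not confidential.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys and identifiers, for illustration only.
CAW_MASTER_KEY = b"constructed-caw-master-key"
APP_KEYS = {  # key each application server shares with the CAW (assumption)
    "site-140": b"constructed-key-site-140",
    "site-145": b"constructed-key-site-145",
}
MASTER_TTL = 8 * 3600  # assumed lifetime of the master token, in seconds
APP_TTL = 60           # assumed lifetime of an application token, in seconds


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _seal(key, claims):
    """Serialize the claims and append an HMAC-SHA256 tag (integrity, not secrecy)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def _open(key, token, now):
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    try:
        body, tag = token.split(".")
        good = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(tag.encode(), good.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, AttributeError):
        return None  # malformed token: wrong shape, bad base64, bad JSON
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def issue_master_token(user, now):
    """Issued once the user has authenticated to the first session."""
    return _seal(CAW_MASTER_KEY, {"sub": user, "exp": now + MASTER_TTL})


def caw_issue_app_token(master_token, app_id, now):
    """CAW side: verify the master token and the application id, then mint a token."""
    master = _open(CAW_MASTER_KEY, master_token, now)
    if master is None or app_id not in APP_KEYS:
        return None
    claims = {"sub": master["sub"], "aud": app_id, "exp": now + APP_TTL}
    return _seal(APP_KEYS[app_id], claims)


def app_server_login(app_id, app_token, now):
    """Application server side: accept only a valid token minted for this app."""
    key = APP_KEYS.get(app_id)
    claims = _open(key, app_token, now) if key and app_token else None
    if claims is None or claims.get("aud") != app_id:
        # Any failed check falls back to the application's own login form.
        return {"authenticated": False, "action": "render_login_form"}
    return {"authenticated": True, "user": claims["sub"]}


def launch(app_id, master_token, now):
    """Try leveraged sign-on first; the login form is the fallback path."""
    app_token = caw_issue_app_token(master_token, app_id, now)
    return app_server_login(app_id, app_token, now)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    master = issue_master_token("alice", t0)
    print(launch("site-140", master, t0 + 10))              # leveraged sign-on
    print(launch("site-140", master, t0 + MASTER_TTL + 1))  # expired: login form
```

The per-application key and the `aud` claim are two separate controls: either one alone stops a token minted for one application from being accepted by another.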

Regarding claim 17, Sanin further teaches wherein the at least one processor being configured to block an authentication process associated with the additional application comprises the at least one processor being configured to: determining whether the communication information comprises information related to launching the additional application; and block the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (Abstract - receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination - Col. 2, lines 10-15 - Such an interface may be rendered unnecessary if user authentication can be automatically established by leveraging concurrent authentication with another secured system).

However, Sanin does not explicitly teach monitor communication information exchanged between the system browser and a remote computing device.

Fleck teaches blocking an authentication process associated with the additional application comprises: monitor communication information exchanged between the system browser and a remote computing device; determining whether the communication information comprises information related to launching the additional application; and block the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (¶ 0132 - The gateway service can detect or otherwise determine if the requested network application is a sanctioned network application. The gateway service can determine if a CEB initiated the request. The gateway service can detect or otherwise determine that the request is initiated from a source (e.g.
, initiated by the standard browser) in the client device other than; In operation (2), the gateway service detects that the requested network application is a non-sanctioned network application. The gateway service can for instance extract information from the request (e.g., destination address, name of the requested network application), and compare the information against that from a database of sanctioned and/or non-sanctioned network applications. The gateway service can determine, based on the comparison, that the requested network application is a non-sanctioned network application – ¶ 0133 - In operation (3), responsive to the determination, the gateway service can block access to the requested network application, e.g., by blocking the request. The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to determine whether the application is a sanctioned network application or a non-sanctioned network application (Fleck - ¶ 0132 – ¶ 0133).

Regarding claim 18, Sanin further teaches wherein the input requesting access to the additional application comprises a request to launch the application in a [..] browser distinct from the distributed [..] session and operated in accordance with a [..] browsing service (Claim 8 - wherein the request to establish the authenticated session with the application server system is a request from a browser program of the access device and the token generating system generated the token by leveraging a persistent authenticated session established by a non-browser program of the access device).

However, Sanin does not explicitly teach a request to launch the application in a secure browser distinct from the distributed workspace session and operated in accordance with a secure browsing service.

Fleck teaches a request to launch the application in a secure browser distinct from the distributed workspace session and operated in accordance with a secure browsing service (¶ 0133 – ¶ 0136 - The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination. The URL redirect message can be similar to a URL redirect message sent from the server to the standard browser in FIG. 5 in operation (3). A secure browser plug-in of the standard browser can receive the URL redirect message, and can for example send a request to access the non-sanctioned network application, to the secure browser 420. The secure browser 420 can direct the request to the server of the non-sanctioned network application).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to utilize the workspace session in order for administrators to secure, lock, or wipe user access to data if a security compromise occurs.

Regarding claim 19, Sanin further teaches wherein the at least one processor being configured to block an authentication process associated with the additional application comprises the at least one processor being configured to determine if the communication information comprises information related to launching the additional application; and block the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (Abstract - receiving a request for access to a client application requiring authentication of a requestor and determining whether there exist characteristics of leverageable authentications corresponding to established sessions having an authenticated state at a time of the determination - Col. 2, lines 10-15 - Such an interface may be rendered unnecessary if user authentication can be automatically established by leveraging concurrent authentication with another secured system).

However, Sanin does not explicitly teach Monitor communication information exchanged between the secure browser and a remote computing device.

Fleck teaches Monitoring communication information exchanged between the secure browser and a remote computing device; determine if the communication information comprises information related to launching the additional application; and block the authentication process associated with the additional application if the communication information comprises information related to the launching the additional application (¶ 0132 - The gateway service can detect or otherwise determine if the requested network application is a sanctioned network application. The gateway service can determine if a CEB initiated the request. The gateway service can detect or otherwise determine that the request is initiated from a source (e.g.
, initiated by the standard browser) in the client device other than; In operation (2), the gateway service detects that the requested network application is a non-sanctioned network application. The gateway service can for instance extract information from the request (e.g., destination address, name of the requested network application), and compare the information against that from a database of sanctioned and/or non-sanctioned network applications. The gateway service can determine, based on the comparison, that the requested network application is a non-sanctioned network application – ¶ 0133 - In operation (3), responsive to the determination, the gateway service can block access to the requested network application, e.g., by blocking the request. The gateway service can generate and/or send a URL redirect message to the standard browser, responsive to the determination).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin to include the teachings of Fleck. The motivation for doing so is to allow the system to determine whether the application is a sanctioned network application or a non-sanctioned network application (Fleck - ¶ 0132 – ¶ 0133).

Claims 6, 13, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sanin in view of Fleck further in view of Nambannor Kunnath et al. Publication No.
US 2021/0209200 A1 (Nambannor Kunnath hereinafter).

Regarding claim 6, Sanin in view of Fleck further teaches wherein launching the distributed workspace session based upon the authentication information (See Claim 1 rejection).

However, Sanin in view of Fleck does not explicitly teach launching, by the processing device, the distributed workspace session as a WebView application.

Nambannor Kunnath teaches launching, by the processing device, a distributed workspace session as a WebView application (¶ 0005 – ¶ 0006 - The component can be a component of an operating system executing on the user device, such as a WEBVIEW component in the ANDROID operating system. For example, the component can include functions of the WEBVIEW class. The script can also include the unique request token. Once loaded to the component, the script can cause a portal application executing on the user device to launch. The portal application can be an application that stores a user's credentials and displays icons corresponding to a plurality of applications available to the user and can provide SSO access to a selected application by authenticating the user to the selected application – ¶ 0047 - 0048 - The portal application 320 can provide a "portal" by, for example, displaying multiple icons associated with different applications. For example, one icon can be associated with BOXER, another icon can be associated with MICROSOFT EXCEL, and yet another icon can be associated with SALESFORCE. By selecting one of these icons through the graphical user interface presented by the portal application 320, a user can access the applications associated with those icons. An example portal application 320 is VMWARE's WORKSPACE ONE).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin in view of Fleck to include the teachings of Nambannor Kunnath.
The motivation for doing so is to allow the system to provide improved authentication methods that provide SSO for applications that require separate authentication and do not require making changes to those applications (Nambannor Kunnath - ¶ 0004).

Regarding claim 13, Sanin in view of Fleck further teaches wherein the at least one processor being configured to launch the distributed workspace session based upon the authentication information (See Claim 8 rejection).

However, Sanin in view of Fleck does not explicitly teach Launching the distributed workspace session as a WebView application.

Nambannor Kunnath teaches launching a distributed workspace session as a WebView application (¶ 0005 – ¶ 0006 - The component can be a component of an operating system executing on the user device, such as a WEBVIEW component in the ANDROID operating system. For example, the component can include functions of the WEBVIEW class. The script can also include the unique request token. Once loaded to the component, the script can cause a portal application executing on the user device to launch. The portal application can be an application that stores a user's credentials and displays icons corresponding to a plurality of applications available to the user and can provide SSO access to a selected application by authenticating the user to the selected application – ¶ 0047 - 0048 - The portal application 320 can provide a "portal" by, for example, displaying multiple icons associated with different applications. For example, one icon can be associated with BOXER, another icon can be associated with MICROSOFT EXCEL, and yet another icon can be associated with SALESFORCE. By selecting one of these icons through the graphical user interface presented by the portal application 320, a user can access the applications associated with those icons. An example portal application 320 is VMWARE's WORKSPACE ONE).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin in view of Fleck to include the teachings of Nambannor Kunnath. The motivation for doing so is to allow the system to provide improved authentication methods that provide SSO for applications that require separate authentication and do not require making changes to those applications (Nambannor Kunnath - ¶ 0004).

Regarding claim 20, Sanin in view of Fleck further teaches wherein the at least one processor being configured to launch the distributed workspace session based upon the authentication information (See Claim 15 rejection).

However, Sanin in view of Fleck does not explicitly teach Launching the distributed workspace session as a WebView application.

Nambannor Kunnath teaches launching, by the processing device, a distributed workspace session as a WebView application (¶ 0005 – ¶ 0006 - The component can be a component of an operating system executing on the user device, such as a WEBVIEW component in the ANDROID operating system. For example, the component can include functions of the WEBVIEW class. The script can also include the unique request token. Once loaded to the component, the script can cause a portal application executing on the user device to launch. The portal application can be an application that stores a user's credentials and displays icons corresponding to a plurality of applications available to the user and can provide SSO access to a selected application by authenticating the user to the selected application – ¶ 0047 - 0048 - The portal application 320 can provide a "portal" by, for example, displaying multiple icons associated with different applications. For example, one icon can be associated with BOXER, another icon can be associated with MICROSOFT EXCEL, and yet another icon can be associated with SALESFORCE.
By selecting one of these icons through the graphical user interface presented by the portal application 320, a user can access the applications associated with those icons. An example portal application 320 is VMWARE's WORKSPACE ONE). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Sanin in view of Fleck to include the teachings of Nambannor Kunnath. The motivation for doing so is to allow system to provide an improved authentication methods that provide SSO for applications that require separate authentication and do not require making changes to those applications. (Nambannor Kunnath - ¶ 0004). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOUNES NAJI whose telephone number is (571)272-2659. The examiner can normally be reached Monday - Friday 8:30 AM -5:30 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A Louie can be reached on (571) 270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. 
For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /YOUNES NAJI/Primary Examiner, Art Unit 2445

Prosecution Timeline

Jan 04, 2022: Application Filed
Nov 17, 2023: Response after Non-Final Action
Feb 08, 2025: Non-Final Rejection — §103
May 13, 2025: Response Filed
Aug 19, 2025: Final Rejection — §103
Oct 21, 2025: Response after Non-Final Action
Nov 13, 2025: Request for Continued Examination
Nov 22, 2025: Response after Non-Final Action
Dec 01, 2025: Response after Non-Final Action
Mar 21, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12592955
System and method for network intrusion detection using a neural network implemented by a local computing system
2y 5m to grant Granted Mar 31, 2026
Patent 12585745
SYSTEM FOR AUTHENTICATING REMOTE DRIVER IN REAL TIME USING IMAGE AND ARTIFICIAL INTELLIGENCE
2y 5m to grant Granted Mar 24, 2026
Patent 12574351
AUTOMATING CONTROLLER IP ADDRESS CHANGE IN CLIENT-BASED AGENT ENVIRONMENTS
2y 5m to grant Granted Mar 10, 2026
Patent 12562901
External Key Manager Error Handling For Encrypted Platform-Hosted Data
2y 5m to grant Granted Feb 24, 2026
Patent 12556446
CLOUD NATIVE SOFTWARE-DEFINED NETWORK ARCHITECTURE FOR MULTIPLE CLUSTERS
2y 5m to grant Granted Feb 17, 2026
Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 75%
With Interview (+72.8%): 99%
Median Time to Grant: 3y 1m
PTA Risk: High
Based on 437 resolved cases by this examiner. Grant probability derived from career allow rate.
