Palo Alto Networks, Inc.Download PDFPatent Trials and Appeals BoardJan 28, 20222020006051 (P.T.A.B. Jan. 28, 2022) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 15/792,033 10/24/2017 Nishant Doshi 114.PALO-00503- US-CON1 3554 159684 7590 01/28/2022 Gilliam IP PLLC (Palo Alto Networks) 7200 N. Mopac Expy. Suite 440 Austin, TX 78731 EXAMINER JACKSON, JENISE E ART UNIT PAPER NUMBER 2439 NOTIFICATION DATE DELIVERY MODE 01/28/2022 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): uspto@gilliamip.com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte NISHANT DOSHI Appeal 2020-006051 Application 15/792,033 Technology Center 2400 Before BRADLEY W. BAUMEISTER, AMBER L. HAGY, and DAVID J. CUTITTA II, Administrative Patent Judges. CUTITTA, Administrative Patent Judge. DECISION ON APPEAL STATEMENT OF THE CASE Pursuant to 35 U.S.C. § 134(a), Appellant1 appeals from the Examiner’s decision to reject claims 1-20, which are all of the claims under consideration. We have jurisdiction under 35 U.S.C. § 6(b). We AFFIRM. 1 “Appellant” refers to “applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real party in interest as Palo Alto Networks, Inc. Appeal Brief filed April 28, 2020 (“Appeal Br.”) at 2. Appeal 2020-006051 Application 15/792,033 2 CLAIMED SUBJECT MATTER Summary The subject matter of Appellant’s application relates generally to “using a single sign-on [(“SSO”)] proxy to regulate access to a cloud service.” Spec., ¶ 4.2 In particular, Appellant describes using the SSO proxy to determine whether a user authentication request satisfies at least one criterion for access to a cloud service associated with an SSO service and forwarding the request to the SSO service if the request satisfies the at least one criterion. Id. Exemplary Claims Claims 1, 11, and 20 are independent. Claims 1, 2, 4, 5, 7, and 9, reproduced below, exemplify the claimed subject matter: 1. A method of regulating access to a cloud service using a single sign-on (SSO) proxy, comprising a communication interface and processing system, the method comprising: receiving an authentication request at the SSO proxy from a user system directed to a SSO service, wherein the authentication request comprises a request for the SSO service to authorize the user system to access the cloud service; in the SSO proxy, responsive to receipt of the authentication request, determining whether the authentication request satisfies at least one criterion for allowing access to the cloud service associated with the SSO service; and 2 In addition to the Appeal Brief noted above, we refer to: (1) the originally filed Specification filed October 24, 2017 (“Spec.”); (2) the Final Office Action mailed October 30, 2019 (“Final Act.”); and (3) the Examiner’s Answer mailed June 24, 2020 (“Ans.”); and (4) the Reply Brief filed August 24, 2020 (“Reply Br.”). Appeal 2020-006051 Application 15/792,033 3 upon determining that the authentication request satisfies the at least one criterion, forwarding the authentication request from the SSO proxy to the SSO service, wherein the SSO service, responsive to receiving the authentication request from the SSO proxy, determines whether to authorize the user system to access the cloud service. 2. The method of claim 1, wherein the at least one criterion includes a geographic location limitation, and the method further comprises: determining whether the authentication request was received from a geographic location that satisfies the geographic location limitation. 4. The method of claim 1, wherein the at least one criterion includes a time limitation, and the method further comprises: determining whether the authentication request was received at a time that satisfies the time limitation. 5. The method of claim 1, wherein the at least one criterion includes a device type limitation, and the method further comprises: determining whether the user system satisfies the device type limitation. 7. The method of claim 1, further comprising: after the SSO service authenticates the authentication request, determining that the at least one criterion is no longer satisfied; and upon determining that the at least one criterion is no longer satisfied, transferring a signoff request to the SSO service. 9. The method of claim 1, further comprising: upon determining that the authentication request does not satisfy the at least one criterion, transferring a notification to the user system indicating that the authentication request was not forwarded to the SSO service. Appeal 2020-006051 Application 15/792,033 4 Appeal Br. 13-14 (Claims Appendix). REFERENCES The Examiner relies on the following prior art references:3 Name Reference Date Koeten US 9,749,331 B1 Aug. 29, 2017 Goyal US 2013/0212665 A1 Aug. 15, 2013 Manza US 2015/0089579 A1 Mar. 26, 2015 Caldeira de Andrada (“Caldeira”) US 2015/0121496 A1 Apr. 30, 2015 Uchil US 2017/0289135 A1 Oct. 5, 2017 REJECTIONS The Examiner rejects the claims as shown below: Claim(s) Rejected 35 U.S.C. § References/Basis Final Act. 1, 2, 5, 6, 8, 11, 12, 15, 16, 18, 20 103 Koeten, Uchil 8 3, 4, 13, 14 103 Koeten, Uchil, Caldeira 15 7, 17 103 Koeten, Uchil, Goyal 17 9, 10, 19 103 Koeten, Uchil, Manza 18 1-20 Non-Statutory Double Patenting 6 OPINION We review the appealed rejections for error based upon the issues identified by Appellant and in light of Appellant’s arguments and evidence. Ex parte Frye, 94 USPQ2d 1072, 1075 (BPAI 2010) (precedential). 3 All citations to the references use the first-named inventor or author only. Appeal 2020-006051 Application 15/792,033 5 Arguments not made are waived. See 37 C.F.R. § 41.37(c)(1)(iv)(2020). Appellant does not persuade us that the Examiner errs in the obviousness rejections of claims 1, 4-11, and 14-20, and we adopt as our own the findings and reasons set forth by the Examiner for these claims to the extent consistent with our analysis herein. Final Act. 3-18; Ans. 2-24. We add the following discussion of those claims primarily for emphasis. Obviousness Rejection of Claims 1, 6, 8, 11, 16, 18 and 20 The Examiner finds Koeten teaches or suggests “upon determining that the authentication request satisfies the at least one criterion, forwarding the authentication request from the SSO proxy to the SSO service,” as recited in claim 1. Final Act. 9 (citing Koeten 10:13-15, 11:35-61). Appellant argues that Koeten’s “gateway is not analogous to the SSO proxy of claim 1 because . . . [it] does not forward the requests to some other element.” Appeal Br. 4-5. According to the Examiner, “Appellant misinterprets the Koeten reference, because the Cloud service also functions as a SSO service in Koeten.” Ans. 3. The Examiner finds that “Koeten discloses the system may combine a cloud federated single sign-on (SSO) solution with the cloud service access and information gateway” and “[t]hus, the gateway of Koeten is a SSO proxy, because there is a system that combines cloud SSO solution with the cloud service and gateway, which is the proxy of Koeten.” Ans. 3-4 (citing Koeten 6:38-41). We are not persuaded by Appellant’s argument. As the Examiner explains, Appellant’s initial argument distinguishing Koeten’s gateway from the SSO proxy of claim 1 is misplaced because the SSO service and cloud service in Koeten are combined and, therefore, Koeten’s gateway does teach Appeal 2020-006051 Application 15/792,033 6 the claimed SSO proxy forwarding an authentication request to the SSO service. Ans. 3-4 (citing Koeten 6:38-41). Appellant, in turn, fails to rebut the finding by the Examiner that the SSO service and cloud service in Koeten are combined. See generally Reply Br. 3-7. The Examiner additionally relies on (Ans. 4) Koeten’s discussion of the gateway receiving, from a user device, a request to access a cloud service, “[t]he gateway compar[ing the] context of the request to an access policy for the single sign-on system and grant[ing] conditional access to the cloud service based on the access policy” to teach the limitation at issue (Koeten 1:67-2:1-3). The Examiner finds that Koeten “‘satisfies at least one criterion before forwarding the authentication request from the SSO proxy’, because Koeten discloses the request can include an identity of the user, a type of the user device, a type of network over which the request is received, and/or a type of information requested from the cloud service” and each of these contexts may act as a criterion. Ans. 4 (citing Koeten 2:1-7). Appellant responds that in Koeten, “gateway 300 receives an access request to access a cloud service, and uses information associated with the request to make an access determination to the cloud service. A cloud service access and information gateway module 304 additionally makes a determination of whether to allow access to the cloud service using the access request.” Reply Br. 3 (citing Koeten 10:1-20, 10:41-59). According to Appellant, “[t]here is no disclosure in Koeten of either of the gateway 300 or the cloud service access and information gateway module 304 receiving the access request and, based on a determination that the access request satisfies at least one criterion, forwarding the access request to a separate component.” Id. at 3. Appeal 2020-006051 Application 15/792,033 7 This argument is unpersuasive because Appellant addresses an embodiment of Koeten discussing gateway 300 at column 10 and with reference to Figure 3, but fails to address the Examiner’s findings related to a different embodiment in which Koeten’s gateway forwards an access request to a combined SSO service/cloud service based on a context of the request such as a type of user device. Ans. 4 (citing Koeten 2:1-7). Next, Appellant argues that in Koeten “the gateway forwards a request for information to a cloud service after the gateway determined that access to the cloud service was allowed (i.e., after performing the SSO service)” and therefore, because the “request is forwarded after authentication, that request is not the authentication request of claim 1 and the teaching in no way discloses claim 1’s requirement that the SSO proxy of claim 1 forwards the authentication request.” Appeal Br. 5. This argument is unpersuasive. As discussed above, Koeten teaches an authentication request is forwarded by the gateway to a combined SSO service/cloud service, based on a context of the request. Koeten 2:1-7, 11:1- 7. In another embodiment, Koeten teaches performing first and second authentications, with the combined SSO service/cloud service performing the second authentication. Koeten 11:35:59. Therefore, even assuming the gateway performs a first authentication, as argued by Appellant, Koeten still teaches that the combined SSO service/cloud service performs a subsequent second authentication to determine whether the user has access to the cloud service. For example, in at least one embodiment, Koeten teaches that gateway module 304 forwards an authentication request to the combined SSO service/cloud service, based on a context of the request, and then the SSO service performs a second authentication: Appeal 2020-006051 Application 15/792,033 8 In one embodiment, the policy 342 may specify that for a request with a particular combination of features, access should be granted to the cloud service using an automatically selected user account. In another embodiment, the policy 344 may specify that a request in another context should require a second authentication factor before access is granted. Koeten 11:50-56 (emphasis added). Therefore, even assuming that Koeten discloses performing a first authentication at the gateway, Appellant fails to explain why subsequently forwarding a second request to the combined SSO service/cloud service does not teach forwarding an authentication request, as claimed. We are, therefore, unpersuaded by Appellant’s argument that in Koeten “the gateway forwards a request for information to a cloud service after the gateway determined that access to the cloud service was allowed.” Appeal Br. 5. Appellant next argues that “Uchil also fails to disclose anything analogous to the SSO proxy of claim 1 could receive an authentication request directed to Koeten’s gateway and forward the request to the gateway upon determining that the request satisfies at least one criterion.” Id. This argument is unpersuasive because the Examiner relies on Koeten, not Uchil, to teach the limitation at issue as discussed previously above. For the reasons discussed, Appellant does not persuade us of error in the Examiner’s obviousness rejection of independent claim 1. We sustain, therefore, the Examiner’s rejection of that claim, as well as the rejection of independent claims 11 and 20 and dependent claims 6, 8, 16, and 18, which Appellant does not argue separately with particularity. Appeal Br. 3-11. Appeal 2020-006051 Application 15/792,033 9 Obviousness Rejection of Claims 2, 3, 12, and 13 The Examiner finds Koeten teaches or suggests “wherein the at least one criterion includes a geographic location limitation, and the method further comprises: determining whether the authentication request was received from a geographic location that satisfies the geographic location limitation,” as recited in claim 2. Final Act. 10 (citing Koeten 8:40-60). Appellant argues: Koeten discloses that “the location of the network may also be considered when defining the policy. For example, a request made over a wireless network in the United States may be allowed access to certain cloud services, while a request made over a wireless network in Europe may only be granted for a different set of cloud services.” Appeal Br. 7 (citing Koeten 8:54-60). According to Appellant, “the location of the network in Koeten affects which clouds services are allowed to be accessed by the disclosed SSO service (i.e., Koeten’s gateway),” but the “location of the network has no bearing on whether the SSO service even receives an authentication request, as satisfaction of the geographic location limitation is required for the SSO proxy of claim 2 to forward the authentication request to the SSO service.” Id. The Examiner responds that Appellant argues “against the references individually” and concludes that “one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.” Ans. 9. Appellant’s argument is persuasive. Koeten lists several contexts for forwarding an authentication request including “an identity of the user, a type of the user device, a type of network over which the request is received, and[/or] a type of information requested from the cloud service.” Koeten Appeal 2020-006051 Application 15/792,033 10 2:1-7. As discussed above in our analysis of claim 1, the Examiner relies on Koeten’s contexts to teach the claimed at least one criterion. A geographic location, however, is not included in Koeten’s list of contexts. Moreover, although the portion of Koeten cited by the Examiner describes that the location of the network affects which clouds services may be accessed, the Examiner has not shown that Koeten teaches or suggests that the network location may act as a context for forwarding a request. We, therefore, agree with Appellant that, in Koeten, the “location of the network has no bearing on whether the SSO service even receives an authentication request.” Appeal Br. 7. Still further, the Examiner’s response that Appellant argues the references individually is not applicable here because the rejection of the limitation at issue relies solely on teachings from Koeten. We do not sustain, therefore, the Examiner’s obviousness rejection of claim 2, as well as the rejections of dependent claims 3, 12, and 13, which recites similar limitations. Obviousness Rejection of Claims 5 and 15 The Examiner finds Koeten teaches or suggests “wherein the at least one criterion includes a device type limitation, and the method further comprises: determining whether the user system satisfies the device type limitation,” as recited in claim 5. Final Act. 10 (citing Koeten 1:59-67 and 2:1-15). Appellant argues: Koeten discloses that “device and network context module 204 is concerned with the type and status of device and network from which a request to access a cloud service is made” (see Appeal 2020-006051 Application 15/792,033 11 Koeten, col. 8, ll. 26-28). As was the case with claim 2, Koeten device type merely affects whether the SSO service (i.e., Koeten’s gateway) allows access to a cloud service. The device type has no bearing on whether the SSO service even receives an authentication request, as satisfaction of the device type limitation is required for the SSO proxy of claim 5 to forward the authentication request to the SSO service. Appeal Br. 8 (citing Koeten 8:26-28). Appellant’s argument is unpersuasive. One of the portions of Koeten cited by the Examiner lists several contexts for forwarding an authentication request including “a type of the user device.” Koeten 2:1-15. Appellant’s arguments fail to address this finding and are, therefore, not responsive to the rejection. We sustain, therefore, the Examiner’s rejection of claim 5, as well as the rejection of dependent claim 15, which Appellant does not argue separately with particularity. Appeal Br. 8. Obviousness Rejection of Claims 4 and 14 The Examiner finds Caldeira teaches or suggests “wherein the at least one criterion includes a time limitation, and the method further comprises: determining whether the authentication request was received at a time that satisfies the time limitation,” as recited in claim 4. Final Act. 16 (citing Caldeira ¶¶ 27, 29, 30); Ans. 10. Appellant argues: Even if Caldeira disclosed an element analogous to a time limitation, Caldeira, like Koeten and Uchil, fails to disclose that the time limitation would have any bearing on whether an SSO service receives an authentication request, as satisfaction of the time limitation is required for the SSO proxy Appeal 2020-006051 Application 15/792,033 12 of claim 4 to forward the authentication request to the SSO service. Appeal Br. 9. Appellant’s argument includes no citation to Caldeira or persuasive reasoning. Such a conclusory argument, amounting to little more than a paraphrasing of the claim language and a general denial, is unpersuasive to rebut the Examiner’s findings. Cf. 37 C.F.R. § 41.37(c)(iv) (“A statement which merely points out what a claim recites will not be considered an argument for separate patentability of the claim.”). Appellant’s argument lacks evidence or a reasoned explanation in support of the asserted conclusion. Attorney argument alone is afforded little weight in the absence of persuasive evidence. In re Geisler, 116 F.3d 1465, 1470 (Fed. Cir. 1997) (It is well settled that “mere argument or conclusory statements,” which are unsupported by factual evidence, are entitled to little probative value.). We sustain, therefore, the Examiner’s rejection of claim 4, as well as the rejection of dependent claim 14, which Appellant does not argue separately with particularity. Appeal Br. 9. Obviousness Rejection of Claims 7 and 17 The Examiner finds the combination of Koeten and Goyal teaches or suggests “after the SSO service authenticates the authentication request, determining that the at least one criterion is no longer satisfied; and upon determining that the at least one criterion is no longer satisfied, transferring a signoff request to the SSO service,” as recited in claim 7. Final Act. 17 (citing Koeten 8:40-60; Goyal ¶¶ 35, 36). Appellant argues that “Goyal discloses that a sign-off request from a user is transferred to an authentication server 190, which signs-off the user Appeal 2020-006051 Application 15/792,033 13 in due course” and “[t]ransferring an explicit sign-off request from a user is not transferring a sign-off request in response to the at least one criterion no long being satisfied, as required by claim 7.” Appeal Br.10 (citing Goyal ¶¶ 35, 36). The Examiner responds that “the term ‘criterion’ is a broad term” and not specifically defined in Appellant’s Specification. Ans. 10. Hence, the Examiner determines “the ‘criterion’ is in due course, error or failure conditions no long[er] being satisfied, thus a sign-off request is sent.” Id. Appellant in turn, fails to demonstrate that the Examiner’s interpretation of criterion is inconsistent with the Specification or otherwise unreasonably broad. In view of the Examiner’s uncontested interpretation of criterion, we agree that the combination of Koeten and Goyal teaches or suggests the limitation at issue. Next, Appellant argues for the first time that “in claim 7, the sign-off request is transferred to the SSO service upon determining that the criterion is no longer satisfied” whereas conversely “in Goyal a user transfers a sign- off request to an authentication server 190 that signs a user off in due course.” Reply Br. 8-9. This argument is untimely. “Any argument raised in the reply brief which was not raised in the appeal brief, or is not responsive to an argument raised in the examiner’s answer . . . will not be considered by the Board for purposes of the present appeal, unless good cause is shown.” 37 C.F.R. § 41.41(b)(2). Here, Appellant raises this argument for the first time in the Reply Brief and Appellant has not shown that the argument is responsive to any particular finding or reasoning raised in the Examiner’s Answer. We, therefore, consider the argument waived because the Examiner has not been Appeal 2020-006051 Application 15/792,033 14 provided a chance to respond and Appellant has provided no such showing of good cause. We sustain, therefore, the Examiner’s rejection of claim 7, as well as the rejection of dependent claim 17, which Appellant does not argue separately with particularity. Appeal Br. 10. Obviousness Rejection of Claims 9, 10, and 19 The Examiner finds Manza teaches or suggests “upon determining that the authentication request does not satisfy the at least one criterion, transferring a notification to the user system indicating that the authentication request was not forwarded to the SSO service,” as recited in claim 9. Final Act. 18 (citing Manza ¶¶ 54-56). Appellant argues that “claim 9 specifically requires a notification indicating that the authentication request was not forwarded to the SSO service.” Appeal Br. 10. According to Appellant, “Manza further discloses that a policy may be matched to a logon failure page but does not disclose that the policy matching would indicate that the authentication request was not forwarded to the SSO service.” Appeal Br. 10-11; Reply Br. 9. The Examiner responds that Manza’s logon failure page provides notification that the authentication request was not forwarded to the SSO service because “Manza discloses if the logon fails, the web application’s logon failure page can be displayed to the user” and “[t]hus, if the user fails authentication, the request will not be forwarded to the SSO service.” Ans. 11. We agree with the Examiner’s finding that Manza teaches, or at least suggests, indicating that the authentication request was not forwarded to the SSO service. “[O]bviousness is not determined by what the references Appeal 2020-006051 Application 15/792,033 15 expressly state but by what they would reasonably suggest to one of ordinary skill in the art.” In re DeLisle, 406 F.2d 1386, 1389 (CCPA 1969). We sustain, therefore, the Examiner’s rejection of claim 9, as well as the rejection of dependent claim 19, which Appellant does not argue separately with particularity. Appeal Br. 11. Appellant’s argument for claim 10 relies on the argument presented for claim 9. See Appeal Br. 11 (“Manza’s teachings do not even indicate that the authentication request was not forwarded to the SSO service. As such, it is not possible for Manza to indicate a reason that the authentication request was not forwarded to the SSO service, as required by claim 10.”). We sustain, therefore, the Examiner’s rejection of claim 10 for the same reasons discussed above for claim 9. Non-statutory Double Patenting Rejection The Examiner rejects claims 1-20 on the ground of obviousness-type double patenting based on claims 1-20 of U.S. Patent No. 9,807,079. Final Act. 6-8. Appellant does not address the merits of this rejection. Appeal Br. 3- 11. Therefore, we summarily sustain the rejection. See MPEP § 1205.02, 9th ed., Rev. 10.2019 Last Revised June 2020 (“If a ground of rejection stated by the examiner is not addressed in the appellant’s brief, that ground of rejection will be summarily sustained by the Board.”). CONCLUSION We sustain the Examiner’s various rejections of claims 1, 4-11, and 14-20 under 35 U.S.C. § 103. Appeal 2020-006051 Application 15/792,033 16 We do not sustain the Examiner’s various rejections of claims 2, 3, 12, and 13 under 35 U.S.C. § 103. We sustain the Examiner’s obviousness-type double patenting rejection of claims 1-20. Because we affirm at least one ground of rejection with respect to each claim on appeal, we affirm the Examiner’s decision to reject all of the pending claims. DECISION SUMMARY In summary: Claim(s) Rejected 35 U.S.C. § Reference(s)/Basis Affirmed Reversed 1, 2, 5, 6, 8, 11, 12, 15, 16, 18, 20 103 Koeten, Uchil 1, 5, 6, 8, 11, 15, 16, 18, 20 2, 12 3, 4, 13, 14 103 Koeten, Uchil, Caldeira 4, 14 3, 13 7, 17 103 Koeten, Uchil, Goyal 7, 17 9, 10, 19 103 Koeten, Uchil, Manza 9, 10, 19 1-20 Non-Statutory Double Patenting U.S. Patent No. 9,807,079 1-20 Overall Outcome 1-20 Appeal 2020-006051 Application 15/792,033 17 TIME PERIOD FOR RESPONSE No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv). AFFIRMED Copy with citationCopy as parenthetical citation
