Patent 8327426
Obviousness
Combinations of prior art that suggest the claimed invention would have been obvious under 35 U.S.C. § 103.
The obviousness analysis of US Patent 8327426 under 35 U.S.C. § 103 considers whether the claimed invention would have been obvious to a person having ordinary skill in the art (PHOSITA) at the time of the invention's priority date, June 1, 2006. The patent addresses the well-known problem of users needing to manage multiple authentication credentials for various Internet services, even when those services could securely interact. The solution involves single sign-on (SSO) combined with transparent proxy services across multiple identity domains.
The following prior art references are considered for this analysis:
Patent Citations from US8327426 (Pre-June 1, 2006):
- US5913025A (Novell, Inc.): Method and apparatus for proxy authentication.
- US5991810A (Novell, Inc.): User name authentication for gateway clients accessing a proxy cache server.
- US6182141B1 (Intel Corporation): Transparent proxy server.
- US6421768B1 (First Data Corporation): Method and system for authentication and single sign on using cryptographically assured cookies in a distributed computer environment.
- US6728885B1 (Networks Associates Technology, Inc.): System and method for network access control using adaptive proxies.
- US20040128392A1 (International Business Machines Corporation): Method and system for proof-of-possession operations associated with authentication assertions in a heterogeneous federated environment.
- US20050015490A1 (Saare John E.): System and method for single-sign-on access to a resource via a portal server.
- US6892307B1 (Sun Microsystems, Inc.): Single sign-on framework with trust-level mapping to authentication requirements.
- US20050193427A1 (Pramod John): Secure enterprise network.
- US20060021010A1 (International Business Machines Corporation): Federated identity brokering.
Non-Patent Citations from US8327426 (Pre-June 1, 2006):
- "Brokered Authentication: Security Token Service (STS)." MSDN. Dec. 2005. Microsoft.
- "Federation of Identities in a Web Services World." MSDN. Microsoft Corporation. 2003.
- "The Enterprise Single Sign-On Service and associated BizTalk Server 2004 services fail after you install Windows XP Service Pack 2 (SP2)". 2004.
- "Web Services Federation Language (WS-Federation) Specification, Version 1." Jul. 8, 2003. Siddartha Bajaj et al.
- Cohen, F., "Using Web services for e-Commerce single sign-in". Jan. 1, 2002.
- Patterson, Pat et al., "Federated Identity: Single Sign-On Among Enterprises." Oct. 14, 2004.
Additionally, US8327426 incorporates by reference three Novell applications filed in early 2004: "Techniques for Dynamically Establishing and Managing Authentication and Trust Relationships" (U.S. Ser. No. 10/765,523), "Techniques for Establishing and Managing a Distributed Credential Store" (U.S. Ser. No. 10/767,884), and "Techniques for Establishing and Managing Trust Relationships" (U.S. Ser. No. 10/770,677). Publication or grant numbers for these serial numbers were not retrieved for this analysis, so they are not relied on as references in the combinations below; their titles nonetheless indicate that the identity-service, authentication, and trust-relationship concepts foundational to the present invention were already Novell's own subject matter in 2004.
Obviousness Analysis of Independent Claims (Claims 1, 8, and 14)
The core inventive concepts of US8327426 revolve around:
- A first identity service authenticating a principal.
- The first identity service generating an authentication message (request + response/token/instruction) for a second identity service.
- This message facilitating SSO to the second identity service, potentially automatically or after further interaction based on policy.
- Transparent proxying of targeted services from the second identity service to the principal, often via the first identity service.
- Browser redirection to manage the flow of authentication messages and tokens.
A PHOSITA in 2006 would have been motivated to combine existing SSO solutions, federated identity management, and proxy technologies to improve user experience, enhance security, and enable seamless access to distributed services, directly addressing the known problem of multiple logins.
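As an added illustration (not code from the patent, its prosecution record, or any of the cited references), the following Python sketch models the claim elements listed above end to end: a first identity service authenticates the principal once, evaluates policy in real time to decide whether a single interaction suffices or a further interaction is required, signs an authentication message carrying the request, the vouching response and that instruction for a second identity service, which verifies the message, detects the instruction and enforces it before issuing a service token; the first identity service then proxies the targeted service back to the principal, which never talks to the second domain. The names (idp-a, idp-b, alice, the `interaction` and `amr` claim fields), the shared HMAC key standing in for the federation trust relationship, and the constructed users, one-time codes and services are all assumptions for the demo; browser redirection is not modelled.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed trust relationship: one key shared by the two federated identity
# services (demo assumption; real federations use per-partner or asymmetric keys).
FEDERATION_KEY = b"demo-federation-key"
TOKEN_TTL = 300  # seconds an assertion or service token stays valid

def sign(claims, key):
    """Serialize claims and append an HMAC-SHA256 tag: base64(body).tag."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(token, key, audience):
    """Check tag, audience and expiry before any claim is trusted."""
    body_b64, tag = token.rsplit(".", 1)
    body = base64.urlsafe_b64decode(body_b64)
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest()):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if claims["aud"] != audience or claims["exp"] < time.time():
        raise PermissionError("wrong audience or expired")
    return claims

class IdentityService:  # one identity domain; plays the first (vouching) or second (relying) role
    def __init__(self, name, users, second_factors, services, policy):
        self.name, self.users, self.second_factors = name, users, second_factors
        self.services, self.policy = services, policy  # handlers; "single"/"multiple"
        self.local_key = secrets.token_bytes(32)       # signs its own service tokens
        self.sessions, self.peers, self.seen_nonces = {}, {}, set()

    # First identity service: the principal authenticates here exactly once.
    def login(self, principal, password):
        if self.users.get(principal) != password:
            raise PermissionError("local authentication failed")
        sid = secrets.token_hex(16)
        self.sessions[sid] = principal
        return sid

    def access(self, sid, peer_name, service, path, otp=None):
        # The principal only ever calls this; assertion, step-up and proxying are hidden.
        principal, peer = self.sessions[sid], self.peers[peer_name]
        interaction = self.policy.get(service, "single")  # real-time policy check
        amr = ["pwd"]
        if interaction == "multiple":  # policy demands a further interaction first
            if otp is None or otp != self.second_factors.get(principal):
                raise PermissionError("second factor required for " + service)
            amr.append("otp")
        # Authentication message: request + response (who vouches, how) + instruction.
        message = sign({"iss": self.name, "aud": peer_name, "sub": principal,
                        "request": service, "interaction": interaction, "amr": amr,
                        "exp": int(time.time()) + TOKEN_TTL,
                        "nonce": secrets.token_hex(8)}, FEDERATION_KEY)
        service_token = peer.receive_auth_message(message)
        return peer.serve(service_token, path)  # proxied; principal never sees peer

    # Second identity service: detect the instruction, act on it, issue a service token.
    def receive_auth_message(self, message):
        claims = verify(message, FEDERATION_KEY, audience=self.name)
        if claims["iss"] not in self.peers or claims["request"] not in self.services:
            raise PermissionError("untrusted issuer or unknown service")
        if claims["nonce"] in self.seen_nonces:
            raise PermissionError("replayed assertion")
        self.seen_nonces.add(claims["nonce"])
        if claims["interaction"] == "multiple" and "otp" not in claims["amr"]:
            raise PermissionError("instruction requires a second interaction")
        return sign({"iss": self.name, "aud": self.name, "sub": claims["sub"],
                     "svc": claims["request"], "exp": int(time.time()) + TOKEN_TTL},
                    self.local_key)

    def serve(self, service_token, path):
        claims = verify(service_token, self.local_key, audience=self.name)
        return self.services[claims["svc"]](claims["sub"], path)

def demo():
    """Run the flow end to end with constructed data; return what the principal saw."""
    handler = lambda svc: (lambda who, path: svc + path + " served to " + who)
    idp_a = IdentityService("idp-a", {"alice": "pw-a"}, {"alice": "246810"}, {}, {"payroll": "multiple"})
    idp_b = IdentityService("idp-b", {}, {}, {"wiki": handler("wiki"), "payroll": handler("payroll")}, {})
    idp_a.peers["idp-b"], idp_b.peers["idp-a"] = idp_b, idp_a  # federation trust
    sid = idp_a.login("alice", "pw-a")
    forged = sign({"iss": "idp-a", "aud": "idp-b", "sub": "mallory", "request": "wiki",
                   "interaction": "single", "amr": ["pwd"], "exp": 2**31, "nonce": "x"}, b"wrong-key")
    def attempt(fn):
        try:
            return fn()
        except PermissionError as err:
            return "denied: " + str(err)
    return {
        "wiki": attempt(lambda: idp_a.access(sid, "idp-b", "wiki", "/home")),
        "payroll_sso_only": attempt(lambda: idp_a.access(sid, "idp-b", "payroll", "/slip")),
        "payroll_step_up": attempt(lambda: idp_a.access(sid, "idp-b", "payroll", "/slip", otp="246810")),
        "forged": attempt(lambda: idp_b.receive_auth_message(forged)),
    }
```

Calling demo() returns the wiki page over plain SSO, a denial for payroll until the principal supplies the second factor that the "multiple interactions" policy demands, and a rejection of an assertion signed under the wrong key. The principal only ever calls idp_a.access and never handles idp_b's tokens, which is the transparency the claims describe; the audience, expiry and nonce checks in the relying service are the minimum a practitioner would add so that a vouching message cannot be replayed or redirected to a different domain.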
Combination 1: US6421768B1 (First Data) + US6182141B1 (Intel) + US20060021010A1 (IBM) + "Federation of Identities in a Web Services World" (Microsoft 2003), with US6892307B1 (Sun) for the single/multiple interaction instruction
This combination would render Claim 1 obvious.
- US6421768B1 (First Data) teaches the fundamental concept of SSO in a distributed environment using authentication tokens (cryptographically assured cookies) to avoid re-authentication.
- US6182141B1 (Intel) discloses a transparent proxy server that intercepts network communications without the client's explicit knowledge. This addresses the Claim 1 elements that the principal's traffic is "intercepted by the method for receipt" and that the principal continues "believing interactions are with the external service, which is one of the other services that the identity service controls access to," by making the SSO process seamless and invisible to the principal. The remaining element of that limitation, that "a determination as to whether to use a single interaction or multiple interactions for authentication of the principal to the other services is automatically communicated in the new authentication response," is not taught by a transparent proxy as such; it is supplied by the policy-driven authentication requirements of US6892307B1 (Sun), addressed under the motivation to combine.
- US20060021010A1 (IBM) describes federated identity brokering, where an identity provider (analogous to the "first identity service") brokers identity information to a service provider (analogous to the "identity service" or "second identity service") to grant access to resources. This includes the exchange of authentication assertions or tokens between trusted entities, forming the "authentication message" with an "authentication request and as a new authentication response" that "vouches for authentication of the principal to the identity service."
- "Federation of Identities in a Web Services World" (Microsoft 2003) further details federated identity concepts, where trust relationships enable one domain's authentication of a principal to be accepted by another domain through security tokens.
Motivation to Combine:
A PHOSITA would combine these references to create a more efficient and user-friendly SSO system for federated environments. The transparent proxy from Intel would allow seamless interception of initial requests, redirecting them to the SSO mechanism (First Data) and federated identity broker (IBM, Microsoft NPL) to streamline authentication across trusted identity services. This combination directly enables the "identity service acts as a proxy for access sessions to the other services on behalf of the principal, the principal's access sessions occur indirectly through the identity service and transparently to the principal" recited in Claim 1. The concept of including instructions for single or multiple authentication interactions (as taught by US6892307B1 (Sun) through "trust-level mapping to authentication requirements") would be an obvious enhancement for a PHOSITA desiring to balance security and usability based on policy in a federated system.
Combination 2: US20040128392A1 (IBM) + US5913025A (Novell) + US6892307B1 (Sun)
This combination would render Claim 8 obvious.
- US20040128392A1 (IBM) teaches the use of authentication assertions in a federated environment, where these assertions provide "proof-of-possession" and can be used by relying parties (the "identity service" in Claim 8) to establish trust and grant access. This provides the "authentication request and an authentication response as a single sign-on transaction from a principal" received indirectly from an "original identity service."
- US5913025A (Novell) discloses methods for proxy authentication, where a proxy system authenticates a client to a remote server on the client's behalf. This supports the "original identity service acting as a proxy on behalf of the principal and actions of that original identity service are transparent to the principal."
- US6892307B1 (Sun) describes an SSO framework with "trust-level mapping to authentication requirements." This reference provides the clear teaching for the "detecting, by a machine and from an identity service, an instruction, which is represented in the authentication response" and "taking, by the machine, an action in response to the instruction to authenticate the principal for access to targeted services, access to the target services occur via proxied sessions through the identity service and transparent to the principal, wherein the action taken is dynamic and a real-time evaluation of policies processed by the identity service." Sun's patent explicitly suggests that authentication requirements can vary based on trust and policy.
Motivation to Combine:
A PHOSITA would combine these references to build a federated identity system where a receiving identity service dynamically evaluates authentication instructions received from a trusted original identity service. Novell's proxy authentication would enable the original identity service to act transparently on behalf of the principal. IBM's teachings provide the specifics of authentication assertions for this exchange. Sun's framework provides the motivation and mechanism for policy-driven, dynamic authentication decisions ("action taken is dynamic and a real-time evaluation of policies"). Extending access to "targeted services" via proxied sessions after successful authentication is a logical next step to complete the SSO experience.
Combination 3: US20060021010A1 (IBM) + US5913025A (Novell) + US6421768B1 (First Data) + "Brokered Authentication:Security Token Service (STS)" (Microsoft 2005)
This combination would render Claim 14 obvious.
- US20060021010A1 (IBM) focuses on federated identity brokering, where an identity provider (e.g., the "first identity service") acts as a broker to authenticate a principal to a service provider (e.g., the "second identity service") to grant access to resources.
- US5913025A (Novell) describes proxy authentication, where a proxy obtains authentication for a client to a remote service.
- US6421768B1 (First Data) teaches SSO using cryptographically assured cookies, which are a form of authentication tokens.
- "Brokered Authentication:Security Token Service (STS)" (Microsoft 2005) describes Security Token Services that issue security tokens (assertions) after authenticating a principal. These tokens are used for brokered authentication across different services/domains and directly support the concept of a "first authentication token" and a "second authentication token."
Motivation to Combine:
A PHOSITA would be motivated to combine these to achieve a comprehensive and seamless federated SSO and proxy service solution. The Microsoft NPL and IBM's patent establish the industry-standard mechanisms for federated identity and brokered authentication, leading to the issuance of authentication tokens (First Data) from a first identity service and then a second identity service (relying on the first's token due to a secure relationship). Novell's proxy authentication directly teaches the mechanism for the "first identity service acting as a proxy for features of the target service and using the service token," and then "making the targeted service accessible from and to the principal." The concept of the principal believing direct interaction is occurring, even while proxied, would be a desired user experience improvement.
Conclusion
Considering the well-known challenges in identity management and SSO prior to June 2006, a PHOSITA would have been highly motivated to combine existing technologies to provide a more integrated and user-friendly solution. The prior art collectively discloses all the fundamental elements of US Patent 8327426, including SSO, federated identity, authentication tokens/assertions, trusted relationships between identity services, policy-driven authentication, and various forms of proxying, including transparent proxies. The combinations outlined above demonstrate how a PHOSITA would have arrived at the claimed methods by logically integrating these known components to solve known problems, thereby rendering independent Claims 1, 8, and 14 obvious under 35 U.S.C. § 103. Because the dependent claims add further limitations, each would need to be mapped to the same or additional references before that conclusion is extended to the patent as a whole.
Generated 5/25/2026, 6:46:31 AM