PTAB

PGR2021-00092

Netskope Inc v. Bitglass Inc

1. Case Identification

2. Patent Overview

  • Title: Secure Application Access System
  • Brief Description: The ’671 patent relates to methods for securing data on client devices that are external to corporate infrastructures. The challenged claims focus on a system that uses proxy routing to manage and secure access to cloud-based applications within a single-sign-on (SSO) framework.

3. Grounds for Unpatentability

Ground 1: Obviousness of Claims 17-18 and 22-23 over Sarukkai and Rowley

  • Prior Art Relied Upon: Sarukkai (Patent 9,137,131) and Rowley (Application # 2008/0189778).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Sarukkai taught a complete SSO system using a network intermediary (a proxy) to monitor traffic between a client, a cloud service provider, and an identity provider (IdP). Sarukkai’s architecture included two proxies: a service reverse proxy and an IdP reverse proxy. Petitioner asserted that Rowley taught a secure authentication scheme that addressed the man-in-the-middle attack vulnerability inherent in using a proxy between a client and an IdP, as was done in Sarukkai.
    • Motivation to Combine: A POSITA would combine Sarukkai and Rowley to improve the security of Sarukkai’s system. Rowley identified the precise vulnerability in systems like Sarukkai’s and taught a solution: removing the proxy between the client and the IdP to establish direct, secure communication. Petitioner contended a POSITA would have been motivated to modify Sarukkai by removing its IdP reverse proxy, as taught by Rowley, while retaining Sarukkai's service reverse proxy to achieve the desired traffic monitoring without the security flaw.
    • Expectation of Success: Petitioner asserted that combining these known elements to solve a known security problem would have yielded predictable results.

Ground 2: Obviousness of Claims 17-18 and 22-23 over Cronk and Woelfel

  • Prior Art Relied Upon: Cronk (Application # 2012/0008786) and Woelfel (Application # 2012/0278872).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner asserted that Cronk disclosed a foundational SSO system where a user device requests content from a service provider and is redirected to an IdP for authentication before receiving access. However, Cronk did not expressly teach techniques for managing, moderating, and monitoring the network traffic. Woelfel was argued to remedy this by teaching a reverse proxy server that intercepts all traffic between the client and a cloud-based service provider, rewriting URLs to maintain control and visibility.
    • Motivation to Combine: A POSITA would combine Woelfel’s reverse proxy architecture with Cronk’s SSO system to gain the ability to monitor and manage network traffic across disparate subscribers and service providers, a clear need in the system described by Cronk. Cronk itself acknowledged that a service provider could use a proxy to deliver content. Implementing Woelfel's proxy would provide the standard and predictable benefits of monitoring, managing, and moderating network traffic.
    • Expectation of Success: Petitioner argued that using a reverse proxy in front of a service provider was a known method for load balancing and traffic monitoring, making the combination predictable.

Ground 3: Claims 19-20 are invalid under 35 U.S.C. §112

  • Prior Art Relied Upon: N/A

  • Core Argument for this Ground: Petitioner argued that claims 19 and 20 are invalid for lacking both written description and enablement. The claims recite a primary IdP relaying an SSO request to a second IdP for validation. Petitioner contended that these claims were added in an amendment late in prosecution and that the ’671 patent specification provides no disclosure, guidance, or working examples of this multi-IdP architecture. The petition asserted that the specification only discloses a single IdP validating an SSO request, and therefore a POSITA would not have understood the inventor to be in possession of the subject matter of claims 19 and 20 at the time of filing.

  • Additional Grounds: Petitioner asserted additional obviousness challenges, including combinations of Sarukkai/Rowley with Song (for logging/reporting features in claim 24) and Guccione (for multi-IdP features in claim 19). Similar combinations based on Cronk/Woelfel with Song and Guccione were also presented. A final obviousness ground based on Kahol and Parla was asserted, arguing a similar theory to the Sarukkai/Rowley combination.

4. Key Technical Contentions (Beyond Claim Construction)

  • Priority Date Challenge: Petitioner contended that the challenged claims are not entitled to the Nov. 30, 2015, priority date of a parent application. The argument centered on the assertion that the parent application disclosed only an SSO system that required a SAML proxy, whereas the challenged claims recite a system without one. Petitioner argued this difference breaks the priority chain, making the effective filing date of the challenged claims May 18, 2020. This later priority date would render several references, such as Kahol, eligible as prior art against the challenged claims.

5. Arguments Regarding Discretionary Denial

  • Not Cumulative Art: Petitioner argued against discretionary denial under 35 U.S.C. §325(d). It was asserted that none of the primary references relied upon in the petition were used as a basis for rejection during examination. Petitioner contended the asserted art is materially different from and not cumulative to the art considered by the examiner.
  • Examiner Error: The petition argued that the new combinations demonstrate a fatal defect in the claims by teaching the very feature the examiner found to be novel: communication with an application program via a rewritten URL that goes through an application proxy server. According to the petition, this suggests the PTO materially erred in allowing the claims, warranting institution of review.

6. Relief Requested

  • Petitioner requested the institution of a post-grant review and the cancellation of claims 17-20 and 22-24 of the ’671 patent as unpatentable under 35 U.S.C. §103 and/or §112.