Federal Circuit Reverses Board in Two IPR Decisions
In International Business Machines Corp. (IBM) v. Iancu, the Federal Circuit found that the Board's interpretation of key claim limitations was incorrect resulting in the Board's decisions having errors.
IBM owns U.S. Patent No. 7,631,346, entitled "Method and System for a Runtime User Account Creation Operation Within a Single-Sign-On Process in a Federated Computing Environment." At the behest of several private companies (who have settled and are not parties here), the U.S. Patent and Trademark Office, acting as delegee of the USPTO Director, instituted two related inter partes reviews (IPRs) of various claims of the '346 patent. In the first IPR, the Board found that claims 1, 3, 12, 14, 15, and 18 are unpatentable because they are anticipated by Japanese Publication No. Tokkai 2004-302907A (Sunada). In the second IPR, the Board found that claims 1, 3, 12, 13, 15, and 18 are unpatentable because they are anticipated by U.S. Patent No. 7,680,819 (Mellmer).
The Federal Circuit vacated and remanded the Sunada IPR decision as being based on an incorrect claim construction of the "federated computing environment" limitation of all claims at issue. In the Mellmer IPR decision, the same claim construction error was found to be present, but did not affect the Federal Circuit's holding to reverse the Board's decision.
The '346 Patent
The specification explains that enterprises try to give their users the benefit of being able to gain access to multiple applications without regard to authentication barriers that protect each particular system supporting those applications. A user might assume that once he or she has been authenticated by some computer system, the authentication should be valid throughout the user's working session, or at least for a particular period of time, without regard to the various computer architecture boundaries that are almost invisible to the user. Among the techniques used to do so are "single-sign-on" (SSO) processes, which aim to require of a user only one authentication process during a particular user session.
The specification explains that user expectations about ease of access are coming to extend beyond the systems within an enterprise to Internet domains of different enterprises so that users can jump from interacting with an application on one Internet domain to another application on another domain without regard to the authentication barriers that protect each particular domain. Thus, to reduce the costs of user management and to improve interoperability among enterprises, federated computing spaces have been created.
The specification then defines the term "federated" as being based on a cooperative relationship among enterprises that falls short of the unitary control available within an enterprise. As enterprises move to support federated business interactions, these enterprises should provide a user experience that reflects the increased cooperation between two businesses. In particular, a user may authenticate to one party that acts as an identity provider and then single-sign-on to a federated business partner.
Claim 1 of the '346 patent recites:
1. A method for managing user authentication within a distributed data processing system, wherein a first system and a second system interact within a federated computing environment and support single-sign-on operations in order to provide access to protected resources, at least one of the first system and the second system comprising a processor, the method comprising:
triggering a single-sign-on operation on behalf of the user in order to obtain access to a protected resource that is hosted by the second system, wherein the second system requires a user account for the user to complete the single-sign-on operation prior to providing access to the protected resource;
receiving from the first system at the second system an identifier associated with the user; and
creating a user account for the user at the second system based at least in part on the received identifier associated with the user after triggering the single-sign-on operation but before generating at the second system a response for accessing the protected resource, wherein the created user account supports single-sign-on operations between the first system and the second system on behalf of the user.
IPR Claim Construction
The disputes here focuses on the "federated computing environment" and "single-sign-on" claim limitations. The Board and the parties agreed that both phrases are limiting, even though the first appears only in the preamble.
The Board recognized that both IBM and the private companies that requested the IPRs ("Petitioner") agreed about what a "federated computing environment" means: "a 'loosely coupled affiliation of enterprises which adhere to certain standards of interoperability; the federation provides a mechanism for trust among those enterprises with respect to certain computational operations for the users within the federation.'"
But, surprisingly, the Board rejected the parties' agreed-on construction "that the scope of the term is limited to an affiliation of enterprises." The Board did so even while recognizing the specification passage stating that "[a] federation is a loosely coupled affiliation of enterprises . . . ." Despite that passage, the Board concluded that a federated computing environment is not limited to enterprises, such as organizations, institutions, etc.
Alternatively, the Board construed "federated computing environment" to mean an environment having a loosely coupled affiliation of entities that adhere to certain standards of interoperability; the federation provides a mechanism for trust among those entities with respect to certain computational operations for the users within the federation. That construction replaces "enterprises" with "entities."
The Board was then able to find that claim element met in Sunada, and the key significance of that replacement is that, under the Board's construction, "two computer systems (or entities) within a single enterprise could disclose a 'federated computer environment.'"
The Federal Circuit concluded that the Board's construction is not reasonable in light of the specification. In the key specification passage quoted above, which is on its face definitional, the patent states that a "federation" is "a loosely coupled affiliation of enterprises." Nothing in the specification contradicts the passage's plain meaning. In fact, the specification describes that a federation is a set of distinct entities, such as enterprises, organizations, institutions, etc., that cooperate to provide a single-sign-on, ease-of-use experience to a user.
The Federal Circuit found that a "system," referring to just the physical equipment and not who controls it or deals with customers in providing access to it, is not of the same type as "enterprises, organizations, institutions."
IPR Decisions
Thus, the Board's final written decision in the Sunada IPR was vacated and remanded for the Board to determine in the first instance whether, under the correct claim construction, Sunada anticipates the claims at issue in that IPR.
With respect to the Mellmer IPR, the Federal Circuit reversed the finding of anticipation. The relevant claim limitation of the '346 patent requires "triggering a single-sign-on operation on behalf of the user in order to obtain access to a protected resource that is hosted by the second system." The Board construed "single-sign-on operation" to mean "a process by which a user is authenticated at a first entity and subsequently not required to perform another authentication before accessing a protected resource at a second entity."
It is undisputed that, under those definitions, a user performs an authentication when the user takes an action that provides credentials, or that plays a role in launching a provision of credentials on the user's behalf, to obtain access to resources. Thus, a "single-sign-on operation" is one that does not require the user to take such action to gain access to a second entity's resources after the user has been authenticated with a first entity.
The Mellmer patent describes a basic architecture for managing digital identity information in a network, such as the Internet. Mellmer teaches techniques for securely logging in to multiple sites with a single password and doing so from any machine on the network. More particularly, Mellmer describes a "DigitalMe" system that, for a user with a DigitalMe ID, eases access to various independent websites (DigitalMe partners) that participate in the system.
The issue here is whether a particular part of the described system requires a second user authentication action to gain access to a DigitalMe partner's resources.
The Federal Circuit found that the Board unreasonably viewed Mellmer and took a login scenario in isolation and out of context. Once the focus was properly widened to understand the whole set of options and scenarios shown, substantial evidence did not support a finding that there is no user action triggering an authentication at the target site.
The Board did not cite, and the Director has not cited, anything in Mellmer that would support a contrary finding. Nor was there any basis for discrediting the testimony of IBM's expert, which was grounded solidly in consideration of the full passages relevant to understanding the entire scenario. The Federal Circuit therefore found that Mellmer does not teach the single-sign-on limitation of the claims at issue in the IPR. Thus, despite the incorrect claim interpretation, that interpretation did not change the finding that Mellmer does not anticipate the claims. The Board's decision in the Mellmer IPR was therefore reversed.
IBM Corp. v. Iancu (Fed. Cir. 2019)
Nonprecedential disposition
Panel: Circuit Judges Moore, Taranto, and Chen
Opinion by Circuit Judge Taranto
