DETAILED ACTION
Responsive to the Applicant reply filed on 11/11/2020, Applicant’s amendments to claims have been entered and respective arguments carefully considered and responded in following.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
The amendment filed 11/11/2020 has been entered. Claims 1, 2, 11-12 and 20 have been amended. Claims 10 and 19 have been canceled. Claims 1-9, 11-18 and 20 remain pending in the application.

Response to Arguments
Applicant’s arguments with respect to claims 1, 2, 11-12 and 20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

s 1, 2, 4 ,5 ,11 ,12 ,14 ,15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kermes et al. (US 20190228144 A1 hereinafter “Kermes”) in view of WOELFEL et al. (US 20120278872 A1 hereinafter “Woelfel”).
Regarding claim 1, (Currently Amended) Kermes discloses a system, comprising (Fig. 1-6): 
at least one data processor; and at least one memory storing instructions which, when executed by the at least one data processor, result in operations comprising (¶0117, The apparatus may include a processor, memory in electronic communication with the processor, and instructions stored in the memory): 
intercepting, at a gateway controller, a first request from an endpoint to access a web-based repository service accessible through a public network, the gateway controller being within a same private network as the endpoint (Fig. 6, ¶0063, a request 630 may be directed to the reverse proxy 610. That is, the initial attempt 620 to access the application platform may be redirected to the reverse proxy 610 based on identifying that the initial attempt 620 did not include the authentication information; a gateway controller having a reverse proxy within a same private network1: ¶0060, The reverse proxy 610 may be an example of the corresponding proxy server described with respect to FIGS. 2 through 5.; ¶0049, a user device 405 outside of the trusted network 415 may use virtual private cloud 420 to access the application 410. … The virtual private cloud 420 may include an availability zone 425 and a balancer 430. … and the availability zone 425 may include a reverse proxy 435, … The reverse proxy 435 may be an example of the corresponding proxy server described with respect to FIGS. 2 and 3: a web-based repository service2: ¶0060,The application 615 may be an example of or hosted by an application or application server as described with respect to FIGS. 2 through 5; ¶0020, Subsystem 125 may include cloud clients 105, cloud platform 115, and data center 120; ¶0033, the application server 215 and 315 may be components of the subsystem 125, as described with reference to FIG. 1);  
intercepting) to the reverse proxy 610 using a virtual private cloud (a gateway controller having a reverse proxy within a same private network as the endpoint, See details on Emphasis1 above) in order to use an application’s service (a web-based repository service, See details on Emphasis2  above). 
the gateway controller configured to intercept the first request prior to the first request exiting the private network and/or entering the public network, and the endpoint being associated with a first cloud platform (¶0064 At block 635, the reverse proxy 610 may initiate an mTLS process. The mTLS process may be based on a certificate associated with the user device 605 to validate the identity of the user device 605. The reverse proxy 610 may then transmit an mTLS result 640 to the application 615. In some examples, the mTLS result 640 may include a header, the SAML request, and the relay state; ¶0048, A user device 405 may utilize the exemplary procedure 400 to authenticate the user device 405 for accessing an application 410 through virtual private cloud 420 when external to a trusted network 415. This user device 405 may be an example of a user device as described above, for example, with respect to FIGS. 2 and 3. The virtual private cloud 420 may receive access requests as input and may perform multiple procedures in order to authorize the user device 405; ¶0050, the user device 405 may transmit a request to access the application 410 to the availability zone 425 via the balancer 430. The reverse proxy 435 may receive the request and perform an mTLS procedure based on the certificate of the user device 405);
According to the citation above, Kermes discloses the step 635 wherein, the mTLS process (configured to intercept the first request) may be based on a certificate associated with the user device 605 (endpoint being associated with a first cloud platform, See details on Emphasis1 above) to validate the identity of the user device 605 before processing the step 645 (prior to the first request exiting the private network, See details on Emphasis1 above).   
verifying, by the gateway controller, the first request to determine, based at least on an header of the first request and/or an Internet Protocol (IP) address of the endpoint, whether the endpoint is authorized to access the web-based repository service to store and/or retrieve a data associated with the first request (¶0064, The reverse proxy 610 may then transmit an mTLS result 640 to the application 615. In some examples, the mTLS result 640 may include a header, the SAML request, and the relay state. For example, the header may include a successful mTLS process tag and a reverse proxy-specific secret. The secret may include a universally unique identifier; Mutual Transport Layer security (mTLS): ¶0025, the identification information may include an internet protocol (IP) address associated with the proxy server 210, a secret, an mTLS indication, or some combination of these)
According to the citation above, Kermes discloses the step 640, wherein the mTLS result 640 may include a header (header of the first request, see details on Mutual Transport Layer security (mTLS) above) which may include a reverse proxy-specific secret. The secret may include a universally unique identifier (Internet Protocol (IP) address of the endpoint, see details on Mutual Transport Layer security (mTLS) above). The result of the mTLS transmits to the Application 615 (whether the endpoint is authorized to access the web-based repository service) in step 640.
Although Kermes discloses upon the gateway controller successfully verifying the first request (Fig.6, steps 630-640) as stated above, it does not explicitly discloses “sending, by the gateway controller and to the endpoint, a redirect request to a reverse proxy at the gateway controller, the redirect request including the first request, and the redirect request configured to be forwarded by the endpoint to the reverse proxy ; and responding, by the reverse proxy at the gateway controller, to the redirect request from the endpoint by at least accessing, on behalf of the endpoint, the web-based repository service to store and/or retrieve the data associated with the first request, the web-based repository service being accessed by at least the reverse proxy 
In a same field of endeavor, Woelfel discloses the system, wherein upon the gateway controller successfully verifying the first request, sending, by the gateway controller and to the endpoint, a redirect request to a reverse proxy at the gateway controller, the redirect request including the first request, and the redirect request configured to be forwarded by the endpoint to the reverse proxy (¶0136, The operation of “Identity Provider-Initiated” login illustrated by the message diagram 200 may further be considered as a sequence of steps shown in FIG. 3; ¶0126, a “User login” message 202 from the client 110 to the IDP 106 (same as the steps 302-304 in Fig. 3) … an “Assertion to PRS-RP” message 206 from the client 110 to the PRS-RP 112 (same as the step 306) ;¶0154, At the Step 306 “Send Assertion to Reverse Proxy”, the original resource configuration of the IDP 106 identifies the PRS Reverse Proxy 112 as the Service Provider. In this way, the user's browser posts the assertion and all- subsequent resource requests to the PRS Reverse Proxy 112); and
According to the citation above, Woelfel indicates that steps in Figure 2 are correspond to steps in Figure 3. Woelfel discloses the steps 202-204 and/or steps 302-304, wherein the message “IDP assertion response” (verifying the first request) sends from Identity Provider 106 (gateway controller) to Client Terminal 110 (endpoint). The message “Send Assertion to Reverse Proxy” (redirect request including the first request “Assertion”) is redirected to the PRS Reverse Proxy 112 (reverse proxy).
responding, by the reverse proxy at the gateway controller, to the redirect request from the endpoint by at least accessing, on behalf of the endpoint, the web-based repository service to store and/or retrieve the data associated with the first request, the web-based repository service being accessed by the reverse proxy sending, to the web-based repository service via the public network, an encrypted second request corresponding to the first request (¶0126, an “Assertion to PRS-RP” message 206 from the encrypted second request corresponding to the first request3: ¶0164, FIG. 4 is a flow chart illustrating individual steps of the step 308 “Send Revised Assertion to Service Provider” (Emphasis added) … including steps 402-412 “Forward revised assertion to SP … 410 “Encrypt revised assertion with key B”; ¶0177, At the Step 410 “Sign revised assertion with key B”, the revised XML document is signed with a new signature based on the encryption key “B”, thus forming the encrypted revised assertion which includes the revised XML document (a revised “actual” assertion) and the new signature; web-based repository service via the public network4 :¶0107, the private network 116 may be a local network, a virtual private network over the Internet 108, or any means for providing communication channels between the client device 110, the PRS-RP 112, and the internet 108 through the optional firewall 114).
According to the citation above, Woelfel discloses steps 206 and/or 306, wherein sending the message 206 “Assertion to PRS-RP” from the client 110 to the Reverse Proxy 112 (request having the first request from the endpoint to the reverse proxy), and steps 208 or 308, wherein the message 208 “Revised assertion” is sent from the Reverse Proxy 112 to the Service Provider 104 (web-based repository service to store and/or retrieve the data associated with the first request). Woelfel further discloses the step 410 “Encrypt revised assertion with key B” (encrypted second request, see details on Emphasis3) which is one of illustrating individual steps of the step 308 “Revised assertion”. Woelfel also discloses that the each of the client device 110, the PRS-RP 112 may be interconnected through a private network 116 (the service via the public network, see details on Emphasis 4).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to combine reverse Proxy 435 in the availability zone 425 by modifying PRS reverse Proxy 112 based upon the teachings of Woelfel. A person having 

Regarding claim 2, (Currently Amended) the combination of Kermes and Woelfel discloses as discussed above. Woelfel discloses the system of claim 1, wherein the redirect request further includes a cryptographic signature that the gateway controller generates for the endpoint, in response to successfully verifying the first request from the endpoint (¶0164, FIG. 4 is a flow chart illustrating individual steps of the step 308 “Send Revised Assertion to Service Provider” which is performed in an Assertion Processing Module (see Assertion Processing Module 1214, FIG. 12) of the PRS Reverse Proxy 112, including steps: 402 “Receive assertion from client”; 404 “Validate assertion with key A”; 406 “Is assertion valid?”; 408 “Revise URLs of assertion”; 410 “Encrypt revised assertion with key B”; and 412 “Forward revised assertion to SP”; ¶0177, At the Step 410 “Sign revised assertion with key B”, the revised XML document is signed with a new signature based on the encryption key “B”, thus forming the encrypted revised assertion which includes the revised XML document (a revised “actual” assertion) and the new signature).
According to the citation above, Woelfel discloses the redirect request further includes a cryptographic signature (key “B” or new signature) that the gateway controller (PRS Reverse Proxy 112) generates for the endpoint (step 308 including steps 402-412), in response to successfully verifying the first request from the endpoint (steps 402-406).

Regarding claim 4, (Original) the combination of Kermes and Woelfel discloses as discussed above. Woelfel discloses the system of claim 1, wherein the first request comprises a Hypertext Transfer Protocol (HTTP) request, and wherein the encrypted second request comprises a Hypertext Transfer Protocol Secure (HTTPS) request (par. .
According to the citation above, Woelfel discloses the first request comprises a Hypertext Transfer Protocol (HTTP) request (In the art, SSL is implemented on top of Transport Layer protocols, encrypting all of the protocol-related data of protocols such as HTTP, FTP), and wherein the encrypted second request comprises a Hypertext Transfer Protocol Secure (HTTPS) request (Secure Socket Layer (SSL) tunnels).

Regarding claim 5, (Original) the combination of Kermes and Woelfel discloses as discussed above. Woelfel discloses the system of claim 4, wherein the reverse proxy is configured to translate the Hypertext Transfer Protocol request into the Hypertext Transfer Protocol Secure request (par. 0182, After login, the client 110 is able to use the services of the service provider 104 by having all traffic forwarded through the PRS Reverse Proxy 112. Any encrypted traffic over Secure Socket Layer (SSL) tunnels through the PRS Reverse Proxy 112 will then be intercepted in the PRS Reverse Proxy 112, and all URL references to itself will be replaced with URLs of the domains of the client 110 or the service provider 104 respectively, depending on the direction of the traffic).
According to the citation above, Woelfel discloses the reverse proxy is configured to translate the Hypertext Transfer Protocol request into the Hypertext Transfer Protocol Secure request (Secure Socket Layer (SSL) tunnels, In the art, the use of SSL to secure HTTP traffic constitutes the HTTPS protocol).

Regarding independent claim 11 and 20, (Currently Amended) they are a method and a non-transitory computer readable medium storing instructions that respectively corresponds to the independent claim 1. Therefore, the claims are rejected for at least the same reasons as the system of claim 1.

Regarding claim 12, (Currently Amended) it is a method claim that corresponds to the claim 2. Therefore, it is rejected for at least the same reasons as the system of claim 2.

Regarding claim 14, (Original) it is a method claim that corresponds to the claim 4. Therefore, it is rejected for at least the same reasons as the system of claim 4.

Regarding claim 15, (Original) it is a method claim that corresponds to the claim 5. Therefore, it is rejected for at least the same reasons as the system of claim 5.


Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Kermes et al. (US 20190228144 A1 hereinafter “Kermes”) in view of WOELFEL et al. (US 20120278872 A1 hereinafter “Woelfel”) as applied to claim 2 above, further in view of Borzycki et al. (US 20140108486 A1 hereinafter “Borzycki”).
Regarding claim 3, (Original) the combination of Kermes and Woelfel discloses as discussed above except “the cryptographic signature comprises a hashed message authentication code.”
In a same field of endeavor, Borzycki further discloses the system of claim 2, wherein the cryptographic signature comprises a hashed message authentication code (par. 0473, the Kerberos SSP may use OS APIs to invoke cryptographic operations, such as the Hash API used to compute the checksum which is an initial step in generating a signature).


Regarding claim 13, (Original) it is a method claim that corresponds to the claim 3. Therefore, it is rejected for at least the same reasons as the system of claim 3.


Claims 6, 7, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kermes et al. (US 20190228144 A1 hereinafter “Kermes”) in view of WOELFEL et al. (US 20120278872 A1 hereinafter “Woelfel”) as applied to claim 1 above, further in view of Loo (US 20150229638 A1).
Regarding claim 6, (Original) the combination of Kermes and Woelfel discloses as discussed above. Although Kermes discloses “data center” (See ¶0019), it does not explicitly disclose, “the web-based repository service provides object-based storage, block-based storage, and/or file-based storage.”
In a same field of endeavor, Loo discloses the system of claim 1, wherein the web-based repository service provides object- based storage, block-based storage, and/or file-based storage (par. 0037, local storage may include or implement one or more databases (e.g., a document database, a relational database, or other type of database), one or more file 
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to combine the data center by modifying the cloud computer system enable to access the object store service based upon the teachings of Loo. A person having ordinary skill in the art would have been motivated to combine these features because it would allow, “Cloud computer system 110 may provide an object store service that may provide a storage facility for BLOBs (binary large objects).” (¶0060). 

Regarding claim 7, (Original) the combination of Kermes and Woelfel discloses as discussed above except “storing, in a cache associated with the gateway controller, at least a portion of data retrieved from the web-based repository service; and responding to a third request from the endpoint to access the web-based repository service to retrieve data by at least accessing the cache prior to accessing the web-based repository service.”
In a same field of endeavor, Loo discloses the system of claim 1, wherein storing, in a cache associated with the gateway controller, at least a portion of data retrieved from the web-based repository service (Fig. 2, 220, par. 0067, Cloud computer system 110 may include one or more memory storage devices (“local storage”), such as cache 220. Cache 220 may be used to store enterprise data 224 and authentication information 222); and
responding to a third request from the endpoint to access the web-based repository service to retrieve data by at least accessing the cache prior to accessing the web-based repository service (Fig. 2, 220, par. 0067, Cloud computer system 110 may include one or more memory storage devices (“local storage”), such as cache 220. Cache 220 may be used to store enterprise data 224 and authentication information 222; par. 0079, 
According to the citation above, Loo discloses responding to a third request from the endpoint to access the web-based repository service to retrieve data by at least accessing the cache (security authentication information in cache 220) prior to accessing the web-based repository service (determine authentication of a user before further processing is performed).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to combine PRS Reverse Proxy 112 by modifying the cache 220 based upon the teachings of Loo. A person having ordinary skill in the art would have been motivated to combine these features because it would allow, “Authentication manager 262 may store security authentication information (e.g., authentication information) in cache 220.” (¶0079). Therefore, the information may include details about the security authentication, such as one or more services a user may be authorized to access from an enterprise computer system (¶0111).

Regarding claim 16, (Original) it is a method claim that corresponds to the claim 6. Therefore, it is rejected for at least the same reasons as the system of claim 6.

Regarding claim 17, (Original) it is a method claim that corresponds to the claim 7. Therefore, it is rejected for at least the same reasons as the system of claim 7.


s 8, 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kermes et al. (US 20190228144 A1 hereinafter “Kermes”) in view of WOELFEL et al. (US 20120278872 A1 hereinafter “Woelfel”) as applied to claim 1 above, further in view of Srinivasan et al. (US 20190103968 A1 hereinafter “Srinivasan”).
Regarding claim 8, (Original) the combination of Kermes and Woelfel discloses as discussed above. Although the combination discloses “cloud platform”, it does not explicitly discloses “the first cloud platform and a second cloud platform form a multi-cloud computing environment, and wherein another instance of the gateway controller is deployed at the second cloud platform to enable another endpoint at the second cloud platform to access the web-based repository service.”
In a same field of endeavor, Srinivasan discloses the system of claim 1, wherein the first cloud platform and a second cloud platform form a multi-cloud computing environment (¶0115, The infrastructure described herein can be implemented in various different environments including a cloud environment (could be various types of clouds including private, public, and hybrid cloud environments), on-premises environment, a hybrid environment, and the like), and wherein another instance of the gateway controller is deployed at the second cloud platform to enable another endpoint at the second cloud platform to access the web-based repository service (¶0042, Cloud Gate 112 is a reverse proxy “access enforcement module” or “policy enforcement point” that secures a web browser and REST API resources using standards such as OAuth2 and OpenID Connect standards … Cloud Gate 112 may intercept and validate a sign-on cookie and enable (or prevent) single sign-on capabilities upon successful validation of the cookie; ¶0059, Cloud Gate 112 checks for the presence of an SSO session cookie, which should be available if the user using the client has already been authenticated by IDCS 114).
According to the citation above, Srinivasan discloses the first cloud platform and a second cloud platform form a multi-cloud computing environment (private, public, and , and wherein another instance of the gateway controller (Cloud Gate 112 is a reverse proxy) is deployed at the second cloud platform to enable another endpoint at the second cloud platform to access the web-based repository service (presence of an SSO session cookie).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to combine the cloud platform by modifying the cloud environment based upon the teachings of Srinivasan. A person having ordinary skill in the art would have been motivated to combine these features because it would allow, “Cloud Gate 112 is a component of IDCS 114 and provides for single sign-on (SSO) protection” (¶0042). Therefore, IDCS 114 may be configured to provide identity and access management capabilities in a multi-tenant cloud environment (¶0040).

Regarding claim 9, (Original) the combination of Kermes, Woelfel and Srinivasan discloses as discussed above. Srinivasan discloses the system of claim 8, wherein the multi-cloud computing environment comprises a hybrid cloud computing environment in which the first cloud platform comprises a private cloud platform and the second cloud platform comprises a public cloud platform (¶0115, The infrastructure described herein can be implemented in various different environments including a cloud environment (could be various types of clouds including private, public, and hybrid cloud environments), on-premises environment, a hybrid environment, and the like).

Regarding claim 18, (Original) it is a method claim that corresponds to the claim 8. Therefore, it is rejected for at least the same reasons as the system of claim 8.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure
HIRA et al. (US 20190238508 A1) - Unified security policies across virtual private clouds with overlapping ip address blocks: the proxy server 310 may be an example of a reverse proxy associated with the application server 315, where the proxy server 310 may intercept and handle messaging from any user devices 305 to the associated application server 315
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW SUH whose telephone number is (571)270-5524.  The examiner can normally be reached on campus 9:00 AM- 4:30 PM, alternate Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/A.S./            Examiner, Art Unit 2493       

/CARL G COLIN/            Supervisory Patent Examiner, Art Unit 2493