DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Claim Objections
The previously raised objection to claims 7 and 8 have been overcome by Applicant’s amendment and are therefore withdrawn.

Claim Rejections - 35 USC § 112
The previously raised rejections under 35 U.S.C. § 112(b) to claims 1,4, 6-8,10,14 and 17 have been overcome by Applicant’s amendment and are therefore withdrawn.

Claim Rejections - 35 USC § 103
Applicant’s arguments filed on 12/17/2020, directed at the amended claims submitted on 12/17/2020 were considered, but are moot in view of new rejections made below in response to the latest amendments by applicant.

	
Claim Objections
Claims 13 and 20 are objected to because of the following informalities:  they recite “wherein the the initial login location stored in the single sign-on token indicates a service tag of an initial information handling system that corresponds to the initial login location”. There is a redundant word “the”.  Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 6, 12 and 19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 6, 12 and 19 recite the limitation "the second information handling system".  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Shimono (US2013/0232557).

	Regarding claim 1, Shimono teaches A method for access (see [0055] and Fig. 2: “[Operation S6] When recognizing that the user authentication is successful, the user 4 performs operation for desiring an access to the service A with respect to the terminal device 5”. And see [0086] and Fig. 5: “By the above-described chained-issuance of the token, for example, the shared information 111 managed by the server 100 of the original company is accessible by the user 22 as an employee of the subcontractor or the user 23 as an employee of the sub-subcontractor”. And see [0090] and Fig. 6: “The server 100 includes the DB 110, a trusting relationship information storage unit 120, an authentication unit 130, and an access control unit 140”) in a management controller group hierarchy (see Fig. 5 reproduced below and [0083]: “The server 100 is managed by an original company. The servers 200, 200a, and 200b are managed by a subcontractor. Servers 300, 300a, 300b, 300c, 300d, 300e, 300f, 300g, and 300h are managed by a sub-sub contractor. Servers 400 and 400a are managed by a sub-sub-sub contractor”. And see [0085]: “In FIG. 5, the servers between the companies having a direct trusting relationship are coupled with arrows. For example, the original company has various types of relationship with subcontractors. For example, the relationship is made with a subsidiary company, an associated company, a business partner, and the like. Similarly, the subcontractor has various types of relationship with sub-subcontractors. Further, the sub-subcontractor has various types of relationship with sub-sub-subcontractors”. And see [0227] and Fig. 30: “the roles on the service provided by the sever according to the pair of the relationship with another server and the role of the user in the other server may be assigned to a user who is authenticated by the other server. For example, an employee of the subsidiary company may be provided with the service in a wider range compared to an employee of the sub-subcontractor”. The Examiner interprets the server 100 managed by an original company, a management controller group hierarchy), comprising: 

    PNG
    media_image1.png
    586
    860
    media_image1.png
    Greyscale

receiving a request for a user at a first information handling system (see [0041]: “the user transmits, to a second server, the authentication information that is issued by a first server by which the user is authenticated. Based on the authentication information attached to a processing request, the second server authenticates that the user has the right to use the service. The second server chained-issues, to the user, the authentication information that allows the user to use the service thereof. By using the authentication information issued by the second server, the user is able to receive the provision of service from the second server”. The Examiner interprets “a second server” as a first information handling system. The Examiner further interprets the second server receiving “a processing request” as receiving a request for a user at a first information handling system), 
the request to authenticate the user for access using a single sign-on token (see [0040]: “After performing the user authentication, the server may issue information that authenticates that the server has the right to use the service (hereinafter referred to as authentication information) to the user. In this case, by transmitting a request attached with the issued authentication information to the server, the user may receive the provision of service from the server. If the authentication information issued by a server is usable by another server, the user is able to use the service of the plurality of servers simply if the user is authenticated by a single server”. And see [0068]: “a token is used as an example of the authentication information”. And see [0004]: “There is a technique called Single Sign-On. Single Sign-On is an authentication technique for using resources on a plurality of computers by a single action of authentication processing. In general, according to Single Sign-On, in a server having a prescribed relationship with another server in which a user is authenticated, the service is provided to the user without the user authentication in the server”. And see [0041]: “the user transmits, to a second server, the authentication information that is issued by a first server by which the user is authenticated. Based on the authentication information attached to a processing request, the second server authenticates that the user has the right to use the service. The second server chained-issues, to the user, the authentication information that allows the user to use the service thereof. By using the authentication information issued by the second server, the user is able to receive the provision of service from the second server”. The Examiner interprets “the authentication information that is issued by a first server by which the user is authenticated”, where “a token is used as an example of the authentication information”, taught in [0041] and [0068] as a single sign-on token because the authentication information (token) enables the second server to authenticates “that the user has the right to use the service” provided by the second server (see [0041]). In other words, If the authentication information issued by a server is usable by another server, the user is able to use the service of the plurality of servers simply if the user is authenticated by a single server” (see [0040])); 
validating the request to authenticate the user for access using the single sign-on token (see [0041]: “the user transmits, to a second server, the authentication information that is issued by a first server by which the user is authenticated. Based on the authentication information attached to a processing request, the second server authenticates that the user has the right to use the service. The second server chained-issues, to the user, the authentication information that allows the user to use the service thereof. By using the authentication information issued by the second server, the user is able to receive the provision of service from the second server”. The Examiner interprets the second server authenticating that the user has the right to use the service provided by the second server based on the authentication information (a single sign-on token) attached to a processing request” as validating the request to authenticate the user for access using the single sign-on token).
 
The Examiner designates the embodiment described in [0040] and [0041] of Shimono as an “example embodiment of Shimono”. The “example embodiment of Shimono” differs from claim 1 in that it does not explicitly teach the step of determining whether a link of trust is established based on an initial login location stored in the single sign-on token. The “example embodiment of Shimono” also differs from claim 1 in that it does not explicitly teach that the validating the request to authenticate the user for access using the single sign-on token taught by the “example embodiment of Shimono” is based on a determination that the link of trust is established.  
In the same field of endeavor, Shimono teaches determining whether a link of trust is established based on an initial login location stored in the single sign-on token (see [0139] and Fig. 11: “[Operation S142] The authentication unit 130 determines the effectiveness of the obtained token. The details of the processing will be described below (see FIG. 12)”. And see [0145] and Fig. 12: “[Operation The authentication unit 130 determines whether there is a direct trusting relationship with the issuer of the obtained token. For example, according to the value of the issuer of the token, the authentication unit 130 searches the column for the URL of the partner of the relationship definition table 122. If the URL is detected, the authentication unit 130 determines that the direct trusting relationship with the issuer of the token exists”. 
And see [0050]-[0052] and Fig. 2: “[Operation S1] The user 4 performs login operation to the information processing device 3 with respect to the terminal device 5. For example, the user 4 inputs the authentication information (a user ID and a password) into the terminal device 5. …. [Operation S3] The information processing device 3 performs the user authentication based on the authentication information”. And see [0056] and Fig. 2: “[Operation S8] In response to the authentication information issuance request from the user 4 that performs the user authentication, the information processing device 3 issues the authentication information that authenticates the right of the user 4 to use the service C. For example, after receiving the authentication information issuance request in the same session as in which the authentication information is received, the information processing device 3 recognizes that the authentication information is the authentication information issuance request from the user that performs the user authentication. … The authentication information includes the identifier of the information processing device 3 as the identifier of the device as the issuing source.” And see [0102] and FIG. 8: “FIG. 8 is a diagram illustrating an example of information included in the token. A token 40 includes a token issuer 41, a number of times of chained-issuance 42, an authentication content 43, and an electronic signature 44”. And see [0103]: “The token issuer 41 is the identifier of the server that issues the token. For example, the URL of the server is used as the identifier of the server”. Therefore, the Examiner interprets the identifier of the information processing device 3 stored in the authentication information (single sign-on token) as the issuing source, where The information processing device 3 performs the initial user authentication using a user ID and a password, an initial login location stored in the single sign-on token because the information processing device 3 initially logs in the user.
In the “example embodiment of Shimono” ([0040] and [0041]), the token issuer 41 contained in the single sign-on token 40 (“authentication information”) issued by the first server and received by the second server is also an initial login location because the first server is the token issuer and also initially logs in the user. See [0040]: “After performing the user authentication, the server may issue information that authenticates that the server has the right to use the service (hereinafter referred to as authentication information) to the user”. Therefore, the Examiner interprets “[Operation S142] The authentication unit 130 determines whether there is a direct trusting relationship with the issuer of the obtained token. For example, according to the value of the issuer of the token, the authentication unit 130 searches the column for the URL of the partner of the relationship definition table 122. If the URL is detected, the authentication unit 130 determines that the direct trusting relationship with the issuer of the token exists” taught in [0145] and Fig. 11, as determining whether a link of trust is established based on an initial login location stored in the single sign-on token because “the issuer of the obtained token” is an initial login location in the scenario described above).

Shimono further teaches validating the request to authenticate the user for access using the single sign-on token based on a determination that the link of trust is established (see [0041]: “the user transmits, to a second server, the authentication information that is issued by a first server by which the user is authenticated. Based on the authentication information attached to a processing request, the second server authenticates that the user has the right to use the service. The second server chained-issues, to the user, the authentication information that allows the user to use the service thereof. By using the authentication information issued by the second server, the user is able to receive the provision of service from the second server”. And see [0136]: “As illustrated in FIGS. 9 and 10, the Due to the chained-issuance of the token, the provision of service to the user authenticated by another server is permitted”. And see [0137]: “Below is a procedure, performed by the server according to the token issuance request added with the token issued by the server 200, of the token issuing processing based on the relationship with another server”. And see [0138] and FIG. 11: “FIG. 11 is a flowchart illustrating an example of the procedure of the token issuing processing based on the relationship. The processing illustrated in FIG. 11 will be described according to the order of the operation numbers. [Operation S141] The authentication unit 130 obtains the token issued by the server 200”. 
And see [0139] and FIG. 11: “[Operation S142] The authentication unit 130 determines the effectiveness of the obtained token. The details of the processing will be described below (see FIG. 12)”. And see [0140] and FIG. 11: “[Operation S143] If the token is effective, the authentication unit 130 proceeds the processing to Operation S145. If the token is ineffective, the authentication unit 130 proceeds the processing to Operation S144”. And see [0141]: “[Operation S145] The authentication unit 130 generates a token”. And see [0143]: “FIG. 12 is a flowchart illustrating an example of a procedure of the effectiveness determining processing”. And see [0145] and FIG. 12: “[Operation S152] The authentication unit 130 determines whether there is a direct trusting relationship with the issuer of the obtained token. For example, according to the value of the issuer of the token, the authentication unit 130 searches the column for the URL of the partner of the relationship definition table 122. If the URL is detected, the authentication unit 130 determines that the direct trusting relationship with the issuer of the token exists. If the direct trusting relationship with the issuer of the token exists, the authentication unit 130 proceeds the processing to Operation S153. If the direct trusting relationship with the issuer of the token does not exist, the authentication unit 130 proceeds the processing to Operation S155. And see [0146] and FIG. 12: “[Operation S153] The authentication unit 130 determines the authentication unit 130 determines that the obtained token is effective”. And see [0148]: “if the electronic signature is not correct, if the direct trusting relationship with the issuer of the token does not exist, or if the number of times of the chained-issuance is larger than the chain threshold value, the token issuance is suppressed”.
Shimono teaches in [0041] that validating the request to authenticate the user for access using the single sign-on token involves authenticating that the user has right to use the service using the single sign-on token by chained-issuing the authentication information (another token) that allows the user to use the service.  Shimono further teaches in [0138], [0139] and Fig. 11 that a server chained-issuing a token based on the relationship with another server involves determining the effectiveness of the token obtained from another server. Shimono also teaches in [0143], [0145] and Fig. 12 that determining the effectiveness of the token obtained from another server involves determining whether there is a direct trusting relationship with the issuer of the obtained token. Therefore, by summarizing the above, Shimono teaches validating the request to authenticate the user for access using the single sign-on token based on a determination that the link of trust is established, as recited by claim 1).

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method taught by the “example embodiment of Shimono” ([0040] and [0041]) by adding the step of determining whether a link of trust is established based on an initial login location stored in the single sign-on token taught by Shimono and by letting the validating the request to authenticate the user for access using the single sign-on token taught by the “example embodiment of Shimono” be based on a determination that the link of trust is established, as taught by 

The improved “example embodiment of Shimono” ([0040] and [0041]) as described above does not explicitly teach that “to authenticate the user for access” also uses the management controller group hierarchy formed with two or more levels, each level formed with one or more groups corresponding to one or more information handling systems.
In the same field of endeavor, Shimono teaches “to authenticate the user for access using… the management controller group hierarchy formed with two or more levels, each level formed with one or more groups corresponding to one or more information handling systems” (see Fig. 5 and [0083]: “The server 100 is managed by an original company. The servers 200, 200a, and 200b are managed by a subcontractor. Servers 300, 300a, 300b, 300c, 300d, 300e, 300f, 300g, and 300h are managed by a sub-sub contractor. Servers 400 and 400a are managed by a sub-sub-sub contractor”. And see [0085]: “In FIG. 5, the servers between the companies having a direct trusting relationship are coupled with arrows. For example, the original company has various types of relationship with subcontractors. For example, the relationship is made with a subsidiary company, an associated company, a business partner, and the like. Similarly, the subcontractor has various types of relationship with sub-subcontractors. Further, the sub-subcontractor has various types of relationship with sub-sub-subcontractors”. And see [0227] and Fig. 30: “the roles on the service provided by the sever according to the pair of the relationship with another server and the role of the user in the other server may be assigned to a user who is authenticated by the other server. For example, an employee of the subsidiary company may be provided with the service in a wider range compared to an employee of the sub-subcontractor”. The Examiner interprets the server 100 managed by an original company, the servers 200 (a subsidiary the management controller group hierarchy formed with two or more levels, each level formed with one or more groups corresponding to one or more information handling systems. 
And see [0195] and FIG. 22: “FIG. 22 is a diagram illustrating an example of storage information of the trusting relationship information storage unit according to the fourth embodiment. According to the fourth embodiment, the trusting relationship information storage unit 120 stores .a relationship definition table 122a, a role assignment policy definition table 124, and a service definition table 125”. And see [0198], [0199] and FIG. 24 reproduced below: “FIG. 24 is a diagram illustrating an example of the data structure of the relationship definition table according to the fourth embodiment. The relationship definition table 122a has a column for a partner's URL and a relationship with the partner”. 

    PNG
    media_image2.png
    539
    664
    media_image2.png
    Greyscale

And see [0200], [0201] and FIG. 25 reproduced below: “FIG. 25 is a diagram illustrating an example of the data structure of the role assignment policy definition table. The role assignment policy definition table 124 has columns for a relationship with a partner, a role authenticated by the partner, a chain threshold value, and a role authenticated by the server 100. In the column for the relationship with the partner, a relationship between an organization that manages the server 100 and an organization that manages the partner's server is set.)

    PNG
    media_image3.png
    526
    762
    media_image3.png
    Greyscale


And see [0202], [0203] and FIG. 26 reproduced below: “FIG. 26 is a diagram illustrating an example of the data structure of the service definition table. The service definition table 125 has columns for the role and the service content….If the role is an employee of a subsidiary company, for example, the service content is set in such a way that the access to the name list of the representatives of each department of the company that manages the server 100 is permitted.

    PNG
    media_image4.png
    736
    489
    media_image4.png
    Greyscale

And see [0086] and Fig. 5: “By the above-described chained-issuance of the token, for example, the shared information 111 managed by the server 100 of the original company is accessible by the user 22 as an employee of the subcontractor or the user 23 as an employee of the sub-subcontractor”. And see [0227] and Fig. 30: “the roles on the service provided by the sever according to the pair of the relationship with another server and the role of the user in the other server may be assigned to a user who is authenticated by the other server. For example, an employee of the subsidiary company may be provided with the service in a wider range compared to an employee of the sub-subcontractor”. The Examiner interprets an employee of the subsidiary company (subcontractor) may be provided with the service in a wider range compared to an employee of the sub-subcontractor taught in [0227] as “to authenticate the user for access using… the management controller group hierarchy formed with two or more levels, each level formed with one or more groups corresponding to one or more information handling systems”, as recited by claim 1).

.

Claims 2 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Shimono (US2013/0232557), further in view of Sondhi (US 2013/0086669).

Regarding claim 2, Shimono fails to teach determining whether the initial login location corresponds to an initial information handling system in the same local group of the management controller group hierarchy as the first information handling system that received the request; and granting the user full access based on a determination that the initial login location corresponds to the initial information handling system in the same local group of the management controller group hierarchy as the first information handling system that received the request.
In the same field of endeavor, Sondhi teaches determining whether the initial login location corresponds to an initial information handling system in the same local group of the management controller group hierarchy as the first information handling system that received the request (see [0061] and Fig. 2: “the browser application 204 and native application one 206 may be included in a circle of trust, or other trusted group of mobile applications residing on the user device 202. In this single sign-on functionality may only be performed for members of the group (i.e., the circle of trust). … Here, the security agent application 210 may receive a request from the browser application 204 to log in to the web application 224. In response, the security agent application 210 may request log-in credentials from a user of the user device 202 such as, but not limited to, a user name, password, etc. The security agent application 210 may then transmit user and/or context information 234 to the REST module 230 via the networks 216”. And see [0062]: “Upon authentication, the REST module 230 may provide user tokens and/or client tokens back to the security agent application 210. … Upon successfully logging in, the security application may also receive an access token for accessing the appropriate service of the application provider computers 212 (e.g., the web application 224 and/or application services 226, 228)”. And see [0063] and Fig. 2: “in some examples, the security agent application 210 may later receive a request from native application one 206 to access application service one 226. In this case, since native application one 206 is in the same circle of trust as the browser application 204”. The Examiner interprets the browser application 204 as the initial login location and an initial information handling system. The Examiner further interprets the native application one 206 as the first information handling system that received the request. The Examiner further interprets determining “the browser application 204 and native application one 206 may be included in a circle of trust, or other trusted group of mobile applications” as determining whether the initial login location corresponds to an initial information handling system in the same local group of the management controller group hierarchy as the first information handling system that received the request); and 
granting the user full access based on a determination that the initial login location corresponds to the initial information handling system in the same local group of the management controller group hierarchy as the first information handling system that received the request (see [0063] and Fig. 2: “the security agent application 210 may later receive a request from native application since native application one 206 is in the same circle of trust as the browser application 204, and since the security agent application 210 has already authenticated the user and/or the user device 202 (i.e., user and/or client tokens have already been received), the security agent application 210 may be able to request an access token (this time, the token with horizontal stripes) from the identity service computers 214 without re-requesting the user credentials of the user of the user device 202. That is, once the security agent application 210 has authenticated the user and the device 202, the security agent application 210 may be able to perform single sign-on functionality for other applications of the circle of trust. However, if the user requested to log in to application service two 228 via native application two 208 (assuming, as noted above, that native application two 208 may not be in the circle of trust), the security agent application 210 would not be able to request and/or receive an access token for that operation”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method taught by Shimono by adding the steps of determining whether the initial login location corresponds to an initial information handling system in the same local group of the management controller group hierarchy as the first information handling system that received the request; and granting the user full access based on a determination that the initial login location corresponds to the initial information handling system in the same local group of the management controller group hierarchy as the first information handling system that received the request taught by Sondhi. It would have been obvious because Sondhi teaches that doing so achieves the following desirable result: “once the security agent application 210 has authenticated the user and the device 202, the security agent application 210 may be able to perform single sign-on functionality for other applications of the circle of trust” (see [0063]).

Regarding claim 6, Shimono fails to teach wherein determining whether the link of trust is established between the first information handling system and the second information handling system is based on a determination whether the first information handling system and the second information handling system are part of the same local group.  
In the same field of endeavor, Sondhi teaches wherein determining whether the link of trust is established between the first information handling system and the second information handling system is based on a determination whether the first information handling system and the second information handling system are part of the same local group  (see [0061] and Fig. 2: “the browser application 204 and native application one 206 may be included in a circle of trust, or other trusted group of mobile applications residing on the user device 202. In this example, native application two 208 may not be a member of the group. …As such, single sign-on functionality may only be performed for members of the group (i.e., the circle of trust)).  
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to substitute the method of determining whether the link of trust is established between the first information handling system and the second information handling system taught by Shimono with the method based on a determination whether the first information handling system and the second information handling system are part of the same local group, as taught by Sondhi. It would have been obvious because doing so predictably determines whether the link of trust is established between the first information handling system and the second information handling system.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Shimono (US2013/0232557), further in view of Drozd (US9992186).

Regarding claim 3, Shimono fails to teach determining whether the initial login location is recognized; and based on a determination that the initial login location is not recognized: granting the user access to view information about an aggregate group in the management controller group hierarchy, the aggregate group including at least one local group of information handling systems; and denying the user access to the local group included in the aggregate group.
In the same field of endeavor, Drozd teaches determining whether the initial login location is recognized; and based on a determination that the initial login location is not recognized: granting the user access to view information about an aggregate group in the management controller group hierarchy, the aggregate group including at least one local group of information handling systems; and denying the user access to the local group included in the aggregate group (see abstract: “In response to a request received from a client device, the user is authenticated based on user credentials extracted from the request. Upon having successfully authenticated the user, tenants and one or more roles of each of the tenants associated with the user are identified. In one embodiment, an authorization token having information identifying the plurality of tenants and their respective one or more roles of the user is generated. The information of each of the tenants and its respective roles are encrypted with a specific key corresponding to the tenant. The authorization token containing the encrypted tenants and the roles of the user is transmitted to the client device to allow the client device to determine whether the user is allowed to access a requested resource based on the authorization token”. And see col. 6, line 60-col. 7, line 1: “ACL DB 150 may represent multiple access control lists that are attributes of a file or directory that control which users (e.g., clients 101-102) on a file storage (e.g., storage 164) can access the file or directory. Different types of access are defined, typically read, write, and/or execute. A .
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method taught by Shimono by adding the steps of determining whether the initial login location is recognized; and based on a determination that the initial login location is not recognized: granting the user access to view information about an aggregate group in the management controller group hierarchy, the aggregate group including at least one local group of information handling systems; and denying the user access to the local group included in the aggregate group taught by Drozd. It would have been obvious because doing so predictably achieves the benefit of granting the user access to view information about an aggregate group.

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Shimono (US2013/0232557), further in view of Chang (US2014/0208119).

Regarding claim 4, Shimono fails to teach receiving a request to elevate privileges of the user to enable access to a local group in the management controller group hierarchy, the local group in the management controller group hierarchy not including the first information handling system; redirecting the request to a controlling member of the local group; and receiving a re-authenticated single sign-on token back from the controlling member of the local group. 
In the same field of endeavor, Chang teaches receiving a request to elevate privileges of the user to enable access to a local group in the management controller group hierarchy, the local group in the management controller group hierarchy not including the first information handling system; redirecting the request to a controlling member of the local group; and receiving a re-authenticated single sign-on token back from the controlling member of the local group (see [0053]: “Intermediate server security tokens also contain their credential information which can be used by downstream server to perform fine-grained, policy-based access control”. And see [0054]: “3. Downstream server may assert security roles they have to elevate security credentials of the original requester so as to enable original requester to access protected data that require higher privilege than what the original requester has. This is a major claim of our invention disclosure that sensitive data can be protected following the defense in depth principle that a client is allowed to access sensitive data if and only if the client follow defined server access path and go through multiple tier of token and message validity check, access control check, and optionally one or more times of security credential elevation”). 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method taught by Shimono by adding the steps of receiving a request to elevate privileges of the user to enable access to a local group in the management controller group hierarchy, the local group in the management controller group hierarchy not including the first information handling system; redirecting the request to a controlling member of the local group; and receiving a re-authenticated single sign-on token back from the controlling member of the local group taught by Chang. It would have been obvious because Chang teaches the following: “Embodiments of the invention use a security token to represent the client identity and credentials where the credentials may include security attributes such as user group membership and roles. The security credentials allow downstream servers to use user security attributes to perform fine-grained, policy-based access control” (see [0052]).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Shimono (US2013/0232557), further in view of Subramaniam (US2013/0332606).

Regarding claim 5, Shimono fails to teach determining whether the initial login location corresponds to an initial information handling system that manages an aggregate group in the management controller group hierarchy, the aggregate group including the first information handling system that received the request; and granting the user full access based on a determination that the initial login location corresponds to the initial information handling system that manages the aggregate group in the management controller group hierarchy.  
In the same field of endeavor, Subramaniam teaches determining whether the initial login location corresponds to an initial information handling system that manages an aggregate group in the management controller group hierarchy, the aggregate group including the first information handling system that received the request (see abstract: “A method for sign-on and sign-out for a computer system includes: receiving a first sign-on request for the computer system; obtaining, from the first sign-on request, a first user identifier, the first user identifier corresponding to a first user for the computer system; obtaining, from the first sign-on request, a first uniform resource locator (URL); determining whether the first URL includes a first root name for the computer system”); and 
granting the user full access based on a determination that the initial login location corresponds to the initial information handling system that manages the aggregate group in the management controller group hierarchy (see [0030]: “The sign-on request may also include a sub-domain name, for example a sub-domain that is associated with a tenant website on the document and information sharing system 106. When the sign-on request includes the sub-domain name, in addition to issuing the gatekeeper cookie to the root domain, the document and information sharing system 106 issues a cookie to the sub-domain name. For each additional non-vanity sign-on request to a different .  
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method taught by Shimono by adding the steps of determining whether the initial login location corresponds to an initial information handling system that manages an aggregate group in the management controller group hierarchy, the aggregate group including the first information handling system that received the request; and granting the user full access based on a determination that the initial login location corresponds to the initial information handling system that manages the aggregate group in the management controller group hierarchy taught by Subramaniam. It would have been obvious because Subramaniam teaches that doing so achieves the following desirable result: “Issuing the sub-domain cookie in conjunction with the root cookie being issued, signs the user into the tenant website specified in the URL of the sign-on request” (see [0044]).

Claims 7, 13, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Shimono (US2013/0232557), and further in view of Gillon (US2016/0117176).

Regarding claims 7 and 14, as explained above in the rejection of claim 1, Shimono modified as described in the rejection of claim 1 teaches An information handling system, comprising: management controller comprising a secondary processor having access to a second memory, the second memory storing instructions executable by the secondary processor to:
receive a request for a user at a first information handling system in a management controller group hierarchy, the request to authenticate the user for access using a single sign-on token and the management controller group hierarchy formed with two or more levels, each level formed with one or more groups corresponding to one or more information handling systems;
determine whether a link of trust is established based on an initial login location stored in the single sign-on token; and 
validate request to authenticate the user for access using the single sign-on token based on a determination that the link of trust is established.  

Shimono fails to teach that the information handling system comprises a processor subsystem comprising a primary processor having access to a first memory; the second memory including an embedded storage partition.
However, Gillon teaches that the information handling system comprises a processor subsystem comprising a primary processor having access to a first memory; management controller comprising a secondary processor having access to a second memory, the second memory including an embedded storage partition and the second memory storing instructions executable by the secondary processor to (see [0009]: “A further disclosed aspect includes an embedded controller for an information handling system having a primary processor and a primary memory, the embedded controller comprising a secondary processor having access to a second memory, the second memory including an embedded storage partition and the second memory storing instructions executable by the secondary processor”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the information handling system taught by Shimono by adding a processor subsystem comprising a primary processor having access to a first memory and by letting the second memory include an embedded storage partition, as taught by Gillon. It would have been obvious because doing so predictably achieves the commonly understood benefit of having a dedicated 

Regarding claims 13 and 20, Shimono further teaches wherein the the initial login location stored in the single sign-on token indicates a service tag of an initial information handling system that corresponds to the initial login location (see [0050]-[0052] and Fig. 2: “[Operation S1] The user 4 performs login operation to the information processing device 3 with respect to the terminal device 5. For example, the user 4 inputs the authentication information (a user ID and a password) into the terminal device 5. …. [Operation S3] The information processing device 3 performs the user authentication based on the authentication information”. And see [0056] and Fig. 2: “[Operation S8] In response to the authentication information issuance request from the user 4 that performs the user authentication, the information processing device 3 issues the authentication information that authenticates the right of the user 4 to use the service C. For example, after receiving the authentication information issuance request in the same session as in which the authentication information is received, the information processing device 3 recognizes that the authentication information is the authentication information issuance request from the user that performs the user authentication. … The authentication information includes the identifier of the information processing device 3 as the identifier of the device as the issuing source.” And see [0102] and FIG. 8: “FIG. 8 is a diagram illustrating an example of information included in the token. A token 40 includes a token issuer 41, a number of times of chained-issuance 42, an authentication content 43, and an electronic signature 44”. And see [0103]: “The token issuer 41 is the identifier of the server that issues the token. For example, the URL of the server is used as the identifier of the server”. Therefore, the Examiner interprets the identifier of the information processing device 3 stored in the authentication information (single sign-on token) as the issuing source, where The information processing device 3 performs the initial user authentication using an initial login location stored in the single sign-on token because the information processing device 3 initially logs in the user.  In the scenario described above, the Examiner interprets the token issuer 41 as a service tag of an initial information handling system that corresponds to the initial login location).  

Claims 8, 12, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Shimono (US2013/0232557), further in view of Gillon (US2016/0117176), and further in view of Sondhi (US 2013/0086669).
Claims 8 and 15 recite the same elements/features as those discussed above with respect to Claim 2. Therefore, Claims 8 and 15 are likewise rejected for the same reasons as those discussed above with respect to Claim 2.
Claims 12 and 19 recite the same elements/features as those discussed above with respect to Claim 6. Therefore, Claims 12 and 19 are likewise rejected for the same reasons as those discussed above with respect to Claim 6.

Claims 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Shimono (US2013/0232557), further in view of Gillon (US2016/0117176), and further in view of Drozd (US9992186).
Claims 9 and 16 recite the same elements/features as those discussed above with respect to Claim 3. Therefore, Claims 9 and 16 are likewise rejected for the same reasons as those discussed above with respect to Claim 3.

Claims 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Shimono (US2013/0232557), further in view of Gillon (US2016/0117176), and further in view of Chang (US2014/0208119).
.

Claims 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Shimono (US2013/0232557), further in view of Gillon (US2016/0117176), and further in view of Subramaniam (US2013/0332606).
Claims 11 and 18 recite the same elements/features as those discussed above with respect to Claim 5. Therefore, Claims 11 and 18 are likewise rejected for the same reasons as those discussed above with respect to Claim 5.

	Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990.  The examiner can normally be reached on 10am-6pm Monday-Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/ZHIMEI ZHU/Examiner, Art Unit 2495        
                                                                                                                                                                                                /FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495