DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/3/2021 has been entered.
 
Status of Claims
Claims 1-21 are pending of which claims 1, 8 and 15 are in independent form.
Claim 21 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph.
Claims 1-21 is rejected under 35 U.S.C. 103.

Response to Arguments
Applicant's arguments filed 3/3/2021 have been fully considered but they are not persuasive.

Applicant’s Argument:
Applicant argues, on pages 7-12 of the “Remarks” that “transforming, by the computing device, the directory claim into a composite directory claim including at least two of a first normalized claim that contains an object identifier that is derived from the identity information and is recognizable by the 

Examiner’s Response:
Examiner respectfully disagrees; the combination of Rimer, Sabin and Olszewski clearly teaches, transforming, by the computing device, the directory claim into a composite directory claim including at least two of a first normalized claim that contains an object identifier, a second normalized claim that contains a system user identifier, a third normalized claim that contains an entity identifier (Sabin: In various embodiments, techniques for identity-based address normalization are provided. A principal attempts to access a resource via a principal-supplied address. A principal identity for the principal is used to acquire one or more address patterns. The principal-supplied address is compared against the one or more address patterns and when a match is detected, the principal-supplied address is normalized according to policy associated with the matched pattern. Additional access limitations and security restrictions are then enforced in response to the normalized address [abstract], ¶ [0008]. At 150, the address normalization service normalizes the principal-supplied address based on matching it to a pattern and then takes an action to normalize that address into a normalized address. The normalized address is recognized by the resource and may trigger additional security and access restriction processing by the resource or other services associated with the resource ¶ [0037]. In some cases, at 160, the address normalization service enforces one or more actions against the principal 
that is derived from the identity information and is recognizable by the relying party (Rimer: In accordance with still other aspects, the present invention relates to a method in a computer system for identifying a principal associated with a first object. The method includes maintaining in the first object identity information identifying the principal. The first object includes an API with a findbyidentity method that is invoked with the identity information as an argument. Under control of the findbyidentity method, a principal data store is searched for a principal identified by the identity information ¶ [0010]. The second concept of the Identity System is that of an Identity. Since principals interact with one another in the computing world, they all need to have identities that provide the ability to distinguish and recognize each other. An identity claim, stored as a property of a principal, is information that uniquely identifies that principal within a given identification system. One or more identity claims, therefore, establish an identity for a principal ¶ [0033]. Such data may include the email addresses of the sending and receiving principals, and may include other principal data as well. In this example, the component object has the email address of the principal, which also happens to be the identity claim of the principal. Note that the identity information in this case is an identity reference of the principal ¶ [0056]. Also see ¶ [0059], [0061], [0062] and [0082]).
causing, by the computing device, at least a portion of the composite directory claim to be used to authorize use, by the user, of the network resource provided by the relying party, wherein the network resource is unable to recognize the identity information contained in the directory claim (Rimer: Embodiments provide application and/or resource access control features of an online computing environment, but are not so limited. In an embodiment, a computer-implemented method provides access control features for an online application environment based in part on the use of a number of directory service instances isolated from direct customer access and deployed in a defined datacenter architecture. In one embodiment, a computing environment uses web-based access control features and a number of directory service instances having organizational units and corresponding provide user authorization and access, resource management, partner and/or other access and usage features using one or more directory service instance (DSI) data structures to provide online services to subscribing customers ¶ [0016]. For example, users associated with a group FPO obtain access to an owner's site collection since the FPO objects are included as members of an authorized security group that has access to the site collection (e.g., administrator group, special access group, etc.) ¶ [0019]. In one embodiment, each DSI data structure can be populated with customer information including authorized users, access levels, subscription parameters, service agreement access limitations, etc. ¶ [0030]. Also see ¶ [0042], [0047]).
Therefore Applicant’s argument is not persuasive.
	
	Applicant further argued the combination of Rimer and Sabin on pages 13-14. 
Examiner hereby specifies that the prior art of record are in the same field of endeavor, all the limitations are taught by the prior art of record the motivation to combine and been provided for all the combinations; therefore Applicant’s argument is simply not persuasive.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:


Claim 21 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Regarding claim 21, recites “in a format unrecognizable by a service”, however Examiner could not find support for this terminology anywhere in the specification. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-6, 8-13 and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Rimer, Matthew et al. (US 20050091265 A1) [Rimer] in view of Sabin; Jason Allen et al. (US 20090089857 A1) [Sabin] in view of Olszewski; Marcin et al. (US 20110314520 A1) [Olszewski].

	Regarding claims 1, 8, 15 and 21, Rimer discloses, a method for [normalizing] claims across a plurality of disparate identity directories, comprising: receiving, by a computing device, a directory claim from a first identity directory of the plurality of disparate identity directories (The user is found by enumerating the IdentityClaims associated with the Principal. When an appropriate IdentityClaim is found (LdapDnIdentityClaim or UpnIdentityClaim) an IdentityReference is obtained by using the GetIdentityReference method of IdentityClaim. If the IdentityReference is not an LdapDnIdentity then Translate is called to generate an LdapDnIdentity. The urnValue is then used as the DN in the modify operation ¶ [0120], [0125]. The user is found by enumerating the IdentityClaims associated with the Principal. When an appropriate IdentityClaim is found (LdapDnIdentityClaim or UpnIdentityClaim) an IdentityReference is obtained by using the GetIdentityReference method of IdentityClaim. If the IdentityReference is not an LdapDnIdentity then Translate is called to generate an LdapDnIdentity ¶ [0131]. The second concept of the Identity System is that of an Identity. Since principals interact with one another in the computing world, they all need to have identities that provide the ability to distinguish and recognize each other. An identity claim, stored as a property of a principal, is information that uniquely identifies that principal within a given identification system. One or more identity claims, therefore, establish an identity for a principal. For example, an e-mail address for a person can serve as an identity claim if it uniquely identifies that person in the electronic mail system. Similarly, a telephone number can serve as an identity claim for a household if it uniquely identifies that household in a PSTN telephone network. In order to extend recognition out of a single system, it is necessary to push the identity claim to others for recognition. For example, given John Doe as a principal, in order to recognize, and uniquely identify John Doe, we can issue an email identity claim. That identity claim provides a unique representation of John Doe that can now be recognized by others and used by others to distinguish this John Doe from other John Does that may be encountered in the connected computing world. An identity claim provides the basis for the ability to distinguish principals 
causing, by the computing device, at least a portion of the composite directory claim to be used to authorize use, by the user, of the network resources provided by the relying party, wherein the network resources is unable to recognize the identity information contained in the directory claim (The user is found by enumerating the IdentityClaims associated with the Principal. When an appropriate IdentityClaim is found (LdapDnIdentityClaim or UpnIdentityClaim) an IdentityReference is obtained by using the GetIdentityReference method of IdentityClaim. If the IdentityReference is not an LdapDnIdentity then Translate is called to generate an LdapDnIdentity. The urnValue is then used as the DN in the modify operation ¶ [0120], [0125]. The user is found by enumerating the IdentityClaims 
that is derived from the identity information and is recognizable by the relying party (In accordance with still other aspects, the present invention relates to a method in a computer system for identifying a principal associated with a first object. The method includes maintaining in the first object identity information identifying the principal. The first object includes an API with a findbyidentity method that is invoked with the identity information as an argument. Under control of the findbyidentity method, a principal data store is searched for a principal identified by the identity information ¶ [0010]. The second concept of the Identity System is that of an Identity. Since principals interact with one another in the computing world, they all need to have identities that provide the ability to distinguish and recognize each other. An identity claim, stored as a property of a principal, is information that uniquely identifies that principal within a given identification system. One or more identity claims, therefore, establish an identity for a principal ¶ [0033]. Such data may include the email addresses of the sending and receiving principals, and may include other principal data as well. In this example, the component object has the email address of the principal, which also happens to be the identity claim of the principal. Note that the identity information in this case is an identity reference of the principal ¶ [0056]. Also see ¶ [0059], [0061], [0062] and [0082]).
However, Rimer does not explicitly facilitate transforming, by the computing device, the directory claim into a composite directory claim including at least two of a first normalized claim that contains an object identifier, a second normalized claim that contains a system user identifier, a third normalized claim that contains an entity identifier.
transforming, by the computing device, the directory claim into a composite directory claim including at least two of a first normalized claim that contains an object identifier, a second normalized claim that contains a system user identifier, a third normalized claim that contains an entity identifier (In various embodiments, techniques for identity-based address normalization are provided. A principal attempts to access a resource via a principal-supplied address. A principal identity for the principal is used to acquire one or more address patterns. The principal-supplied address is compared against the one or more address patterns and when a match is detected, the principal-supplied address is normalized according to policy associated with the matched pattern. Additional access limitations and security restrictions are then enforced in response to the normalized address [abstract], ¶ [0008]. At 150, the address normalization service normalizes the principal-supplied address based on matching it to a pattern and then takes an action to normalize that address into a normalized address. The normalized address is recognized by the resource and may trigger additional security and access restriction processing by the resource or other services associated with the resource ¶ [0037]. In some cases, at 160, the address normalization service enforces one or more actions against the principal before directing the principal to the resource for access. Again, this is done in response to the actions being associated with the normalized address. So, the address normalization service does not have to maintain a sleuth of potential ways that the resource can be addressed or accessed; rather the normalized address provides a central mechanism for achieving this and principal-supplied addresses are transformed to the normalized format in response to identity-based patterns and policy ¶ [0038]. At 230, the identity-based address normalization service normalizes the principal-supplied address to a normalized address for accessing the resource. This normalization includes a variety of benefits, such as but not limited to permitting security and access services to process against principals and their requests when they address the resource via the normalized address. Thus, this is not just transforming one format to another format, this permits designated services to process when the resource is accessed via 
It would have been obvious to one ordinary skilled in the art at the time of the present invention to combine the teachings of the cited references because Sabin’s system would have allowed Rimer to facilitate transforming, by the computing device, the directory claim into a composite directory claim including at least two of a first normalized claim that contains an object identifier, a second normalized claim that contains a system user identifier, a third normalized claim that contains an entity identifier. The motivation to combine is apparent in the Rimer’s reference, because there is a need for more flexible and customized mechanisms for URL normalization.
However neither Rimer nor Sabin explicitly facilitate the directory claim including identity information identifying a user of a relying party product, the identity information provided to authorize the user to access a network resource provided by a relying party.
Olszewski discloses, the directory claim including identity information identifying a user of a relying party product, the identity information provided to authorize the user to access a network resource provided by a relying party (Embodiments provide application and/or resource access control features of an online computing environment, but are not so limited. In an embodiment, a computer-
It would have been obvious to one ordinary skilled in the art at the time of the present invention to combine the teachings of the cited references because Olszewski’s system would have allowed Rimer and Sabin to facilitate the directory claim including identity information identifying a user of a relying party product, the identity information provided to authorize the user to access a network resource provided by a relying party. The motivation to combine is apparent in the Rimer and Sabin’s reference, because there a need to maintain controlling access to hosted application services by current and future customers compound with scale.

Regarding claims 2, 9 and 16, the combination of Rimer, Sabin and Olszewski discloses, wherein the first identity directory comprises a multi- company directory into which a single company directory is synchronized (Olszewski: As shown in FIG. 1 and described in detail further below, the environment 100 includes a claim provider component or claim provider 104, a synchronizer component or synchronizer 106, a grid manager component or grid manager 108 associated with an online service architecture 110 that provides services and/or resources to a number of entities that include customer systems 112(1)-112(n). In one embodiment, the claim provider 104, synchronizer 106, and grid manager 108 are included as part of a centralized resource center, available to components of a defined grid network ¶ [0013]. Also see ¶ [0016]-[0018], [0030], [0038], [0039]).

Regarding claims 3, 10 and 17, the combination of Rimer, Sabin and Olszewski discloses, wherein the single company directory is synchronized into the multi-company directory by creating a user entry in the multi-company directory for each user in the single company directory in the context of a respective company (Olszewski: As shown in FIG. 1 and described in detail further below, the environment 100 includes a claim provider component or claim provider 104, a synchronizer component or synchronizer 106, a grid manager component or grid manager 108 associated with an online service architecture 110 that provides services and/or resources to a number of entities that include customer systems 112(1)-112(n). In one embodiment, the claim provider 104, synchronizer 106, and grid manager 108 are included as part of a centralized resource center, available to components of a defined grid network ¶ [0013]. Also see ¶ [0016]-[0018], [0030], [0038], [0039]).

Regarding claims 4, 11 and 18, the combination of Rimer, Sabin and Olszewski discloses, wherein the directory claim includes a globally unique identifier that is not recognized by the network resources (Rimer: FIG. 5 illustrates an embodiment of the translate method in accordance with the 

Regarding claims 5, 12 and 19, the combination of Rimer, Sabin and Olszewski discloses, wherein each of the first, second and third normalized claims includes an identity provider customer identifier (Sabin: In various embodiments, techniques for identity-based address normalization are provided. A principal attempts to access a resource via a principal-supplied address. A principal identity for the principal is used to acquire one or more address patterns. The principal-supplied address is compared against the one or more address patterns and when a match is detected, the principal-supplied address is normalized according to policy associated with the matched pattern. Additional access limitations and security restrictions are then enforced in response to the normalized address [abstract], ¶ [0008]. At 150, the address normalization service normalizes the principal-supplied address based on matching it to a pattern and then takes an action to normalize that address into a normalized address. The normalized address is recognized by the resource and may trigger additional security and access restriction processing by the resource or other services associated with the resource ¶ [0037]. In some cases, at 160, the address normalization service enforces one or more actions against the principal before directing the principal to the resource for access. Again, this is done in response to the actions being associated with the normalized address. So, the address normalization service does not have to maintain a sleuth of potential ways that the resource can be addressed or accessed; rather the normalized address provides a central mechanism for achieving this and principal-supplied addresses are transformed to the normalized format in response to identity-based patterns and policy ¶ [0038]).

Regarding claims 6 and 13, the combination of Rimer, Sabin and Olszewski discloses, wherein the identity provider customer identifier is followed by the object identifier, the system user identifier, or the entity identifier (Rimer: Related to identity claims, is the concept of an identity reference. Whereas an identity claim is a way to uniquely "tag" a principal with a specific identity, an identity reference is a way to refer to that principal (uniquely, out of every other principal in the system), by means of that tag. Identity references can be considered "pointers" to or identifiers of a corresponding identity claim. For example, a Person (which is a principal object) might contain an identity claim for the email address "jsmith@fabrikam.com". A Document object (which is not a principal) might contain an "author" field, which in turn contains an identity reference for "jsmith@fabrikam.com". That identity reference indicates the author of the document is the principal which contains the matching identity claim, i.e., the Person. A principal object might contain an identity reference, but only as a pointer to another principal (for example, a Person might contain a "manager" field which holds an identity reference to that person's manager). Through identity references, applications and objects on the computer system can identify principals on the computer system ¶ [0035]. Also see ¶ [0039] and [0050]).


Claims 7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Rimer in view of Sabin in view of Olszewski in view of Schmidt; Donald E. et al. (US 20060123472 A1) [Schmidt].

Regarding claims 7, 14 and 20, the combination of Rimer, Sabin and Olszewski teaches all the claims of claims 1, 8 and 15.

Schmidt discloses, wherein the identifier provider customer identifier is followed by the object identifier, the system user identifier, or the entity identifier (Tokens are typically used to authenticate users. Active Directory Federation Services ("ADFS").TM. is an example of an authentication system that provides ADFS tokens, for authentication and authorization to applications in a DMZ to exchange data. ADFS provides tokens that are different than Windows.TM. tokens. Windows.TM. tokens that provide authorization are typically referred to as NT tokens. The examples provided may allow extranet, and federated access, and may allows Windows.TM. tokens to be provided for applications running in the DMZ ¶ [0022], [0024], [0025], [0034], [0035]).
It would have been obvious to one ordinary skilled in the art at the time of the present invention to combine the teachings of the cited references because Schmidt’s system would have allowed Rimer, Sabin and Olszewski to facilitate wherein the identifier provider customer identifier is followed by the object identifier, the system user identifier, or the entity identifier. The motivation to combine is apparent in the Rimer, Sabin and Olszewski’s reference, because it substantially improves maintaining and updating accounts.

Conclusion
The examiner requests, in response to this Office action, support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line no(s) in the specification and/or drawing figure(s). This will assist the examiner in prosecuting the application.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD S ROSTAMI whose telephone number is (571)270-1980.  The examiner can normally be reached on Mon-Fri From 9 a.m. to 5 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hosain T Alam can be reached on (571)272-3978.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





3/13/2021