DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
The Amendment filed on 03/02/2021 has been entered. 
The double patenting rejection of claims 1, 9, 11 and 18 is withdrawn in view of the amendment.
The rejection of claims 18-20 under 35 U.S.C. 101 is maintained (see below).
Claims 1, 11 and 18 are amended.
Claims 1-20 are pending of which claims 1, 11 and 18 are independent claims.

Response to Arguments
The applicant's arguments filed on 03/02/2021 regarding claims 1-20 have been fully considered but the arguments are essentially directed towards the newly introduced limitations and they are addressed in this Office Action, below.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 18-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 18 as amended is directed to a system comprising “one or more processors…” (Specification [0214] defines processor with an open definition and therefore it can be broadly interpreted as software) and “a policy enforcement point (PEP)” (there is no definition in the specification and it can be reasonably implemented as software routines). Therefore, claim 18 is directed to non-statutory subject matter for lack of a hardware component. The Examiner respectfully suggests that the claim be 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3-4, 10-11, 13-14, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Singh (Pub. No.: US 2014/0090037) in view of Pandian et al. (Pub. No.: US 2017/0093827, hereinafter Pandian).
Regarding claim 1: Singh discloses a method of controlling access to a resource, the access controlled by a multi-tenant system, the method comprising: 
receiving at a web server a request for the resource from a user via a web browser (Singh - [0030]: To interact with the software offering, the user may provide a request 228 for a resource 218 associated with the software offering from a browser 202 (e.g., a web browser). For example, request 228 may be a HyperText Transfer Protocol (HTTP) request for a webpage containing data associated with a user account of the user with the software offering. See also [0046]); 
determining an access policy for authenticating the user that is associated with the resource, the access policy based in part on the identity of the tenant (Singh - [0048]: Next, an authentication policy for the tenant is obtained (operation 308). . The authentication policy may include a policy name, the authentication mechanism, and/or location information for authentication credentials associated with the authentication mechanism); and 
Singh - [0049]: The authentication mechanism associated with the authentication policy is then used to authenticate the user (operation 310)).
However, Singh doesn’t explicitly teach, but Pandian discloses, the request comprising a Uniform Resource Locator (URL) associated with the resource and an identity of a tenant corresponding to the user, the request comprising a call to an application programming interface (API) corresponding to the web server and the identity of the tenant is included in the URL (Pandian - [0027]: In block 202, redirection module 106 centrally receives inbound web service call messages 102 with different endpoint URLs from third party systems over a computer network. Each endpoint URL includes a hostname of web server 104, a path identifying a tenant and an action, and a query string identifying a customer defined Application Programming Interface (API) key).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Singh with Pandian so that the request comprises a URL associated with a protected resource. The modification would have allowed the system to access the protected resource using the URL. 
Regarding claim 3: Singh as modified discloses the authenticating comprising requesting and receiving credentials from the user (Singh - [0049]: the authentication mechanism may be used to obtain one or more user-provided authentication credentials from the user (e.g., by requesting the user-provided authentication credentials through a webpage)).
Regarding claim 4: Singh as modified discloses wherein the credentials comprise a username and password (Singh - [0027]: a user may provide a username and password).
Regarding claim 10: Singh as modified discloses the access policy comprising one of basic authentication or token based authentication (Singh - [0028]: a centralized authentication policy 120 that allows identity provider 102 and/or authentication service 104 to identify the authentication mechanism associated with a given tenant and authenticate the user using the authentication mechanism. After the user is authenticated, identity provider 102 and/or authentication service 104 may provide one or more security tokens that grant access to resources on the tenant and/or other tenants with which the user has user accounts).

Regarding claims 11, 13-14, and 17: The claims are directed to computer readable medium claims and do not teach or further define over the limitations recited in claims 1-4 and 10. Therefore, claims 11-14, and 17 are also rejected for similar reasons set forth in claims 1-4 and 10. 
Regarding claim 18: Claim is directed to a system claim and is substantially similar to the limitations of claim 1, thus it is interpreted and rejected for the reasons set forth above in the rejection of claim 1.
Regarding claim 20: Singh as modified discloses wherein the PEP and the PDP are implemented by a web server (Singh - Fig. 1, Authentication Service and Authentication Policy).

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Singh (Pub. No.: US 2014/0090037) in view of Pandian et al. (Pub. No.: US 2017/0093827, hereinafter Pandian) and Manza et al. (Pub. No.: US 2015/0089579, hereinafter Manza).
Regarding claims 2 and 12: Singh as modified doesn’t explicitly teach but Manza discloses wherein the determining the access policy comprises determining if the resource is protected (Manza - [0094]: requests received through a web interface layer 1004 (such as a REST layer) for resources (such as access to applications, credentials, policies, or other data) can be analyzed to determine whether the requested resource is protected).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Singh and Pandian with Manza so that an analysis is performed to determine whether the requested resource is protected. The modification would have allowed the system to protect the resource for security. 

Claims 5, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Singh (Pub. No.: US 2014/0090037) in view of Pandian et al. (Pub. No.: US 2017/0093827, hereinafter Pandian) and Sondhi et al. (Pub. No.: US 2015/0089569, hereinafter Sondhi).
Regarding claims 5, 15 and 19: Singh as modified doesn’t explicitly teach but Sondhi discloses further comprising validating the credentials by sending the credentials to an OAuth based server (Sondhi - [0047]: if client application 204 requests access to a particular resource (or a particular scope including that resource) from resource server 210, then resource server 210 may redirect the request to OAuth authorization server 220).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Singh and Pandian with Sondhi so that the request is redirected to an OAuth server. The modification would have allowed the system to authenticate a request using an open authentication protocol. 

Claims 6, 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Singh (Pub. No.: US 2014/0090037) in view of Pandian et al. (Pub. No.: US 2017/0093827, hereinafter Pandian) and Sondhi et al. (Pub. No.: US 2015/0089569, hereinafter Sondhi) and Miller et al. (Pub. No.: US 2003/010598, hereinafter Miller).
Regarding claims 6 and 16: Singh as modified doesn’t explicitly teach but Miller discloses the sending comprising returning an Hypertext Transfer Protocol (HTTP) redirect status code that directs the web browser to the OAuth based server (Miller - [0053]: At step 302, after receiving the redirect code, system 1 (102) directs the client to system 2 (104) in such a way that the system 2 log in server will redirect the client back to the system 1 log in page after authentication).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Singh, Pandian and Sondhi with Miller so that a redirect status code is returned for directing the web browser to an authentication server. The modification would have allowed the system to redirect the authentication request to an authentication server. 
Regarding claim 8: Singh as modified doesn’t explicitly teach but Miller discloses wherein the OAuth based server redirects the web browser to a single sign-on (SSO) server (Miller - [0085]: At step 510, the server www.chase.com (system 2) verifies that www.jpmorgan.com is a site with which session credentials may be shared, and sends an HTTP response code 302 (“redirect”) to the client browser, with a redirection URL of “https://www.jpmorgan.com/login?chasesso=293ryfhs8dsjdgfas832fdjdijhHyGg”. Note that the redirection URL has as an argument the SSO credential for the user on the www.chase.com server).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Singh, Pandian and Sondhi with Miller so that a browser can be redirected to an SSO server. The modification would have allowed the system to use a single sign-on server to authenticate a request. 

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Singh (Pub. No.: US 2014/0090037) in view of Pandian et al. (Pub. No.: US 2017/0093827, hereinafter Pandian) and Sondhi et al. (Pub. No.: US 2015/0089569, hereinafter Sondhi) and Miller et al. (Pub. No.: US 2003/010598, hereinafter Miller) and Manza et al. (Pub. No.: US 2015/0089579, hereinafter Manza).
Regarding claim 7: Singh as modified doesn’t explicitly teach but Manza discloses further comprising obtaining an access token, validating the access token and issuing a local session cookie to the web browser (Manza - [0035]: If a user requests a service, but the user's authentication cookie does not authorize access to the service, the user can be redirected to a login page to obtain a new authentication cookie).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Singh, Pandian and Sondhi and Miller with Manza so that a new cookie is issued upon validating an access cookie. The modification would have allowed the system to be more secure. 

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Singh (Pub. No.: US 2014/0090037) in view of Pandian et al. (Pub. No.: US 2017/0093827, hereinafter Pandian) and Sondhi et al. (Pub. No.: US 2015/0089569, hereinafter Sondhi) and Jose et al. (Pub. No.: US 2017/0160880, hereinafter Jose).
Regarding claim 9: Singh as modified doesn’t explicitly teach but Jose discloses wherein the OAuth based server comprises a microservice (Jose - [0060]: The microservices within the security subheader may include key store microservice, OAuth authorization microservice).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Singh, Pandian and Sondhi with Jose so that the OAuth server can be a microservice. The modification would have allowed the system to include microservices. 

Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571) 272-8729. The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.






/MENG LI/
Primary Examiner, Art Unit 2437