Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This action is responsive to application filed on 4/29/2019. Claims 1, 16 and 20 are independents. Claims 1-20 are currently pending.

Objection to Drawings
The Specification/Drawings is objected. Figures in Drawings are not recognizable. 
Replacement of Drawings is required.

Claim Rejections -35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because:
Claim 1 recites an identity management container application, a set of Internet-related APIs and an identity management agent. These three elements may be software. Specification does not define the three to be hardware. As a result, claim 1 will be software per se.
Claims 2-15 depend on claim 1 and they do not recite any hardware element(s) and therefore they do not cure deficiency of claim 1.
Claim Rejections - 35 USC § 112

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 5 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter (“”the Internet-related APIs include the following functions: to retrieve a directory domain…to add the directory user to directory group”) which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. There are no descriptions for all of those limitations listed. 

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 5  rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 5 recites a list of functions for APIs. Claim does not clearly show or recite if all of the functions listed are performed by the claim. While the claim recites a listing of the functions it does not 

Claim Rejections-35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims, the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-4, 6-12 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Leafe et al. (US 20120233668 A1), hereinafter Leafe, in view of MOHAMAD ABDUL et al. (US 20180337914 A1), hereinafter D1.

	Regarding claims 1, 16 and 20, Leafe teaches a system for native authentication to access a resource, comprising:
	an identity management container application configured to receive a user input request from a user for accessing a resource, configured to allow an authenticated user to access the resource, and configured to communicate with an identity management agent using Internet-related APIs for authenticating the user (para. 0254, using API for authentication; controlling access to resources; para. 0139, 0141 and 0147, communicating with LDAP store/server, Active Directory or OpenLDAP);
	a set of Internet-related APIs (para. 0245 0254, 0261 and 0262, using RESTful API) for the identity management container application to communicate with the identity management agent (para. 0139, 0141 and 0147, accessing LDAP store/server, Active Directory or OpenLDAP; 0049, 0195 and 0199, using container service). 
	Leafe does not explicitly disclose an identity management agent resident on an enterprise's network system, wherein the identity management agent is configured to communicate with one or more enterprise on-premise systems, to communicate with an active directory domain controller resident on the enterprise's network system, and to communicate with the identity management container application. However, in an analogous art, D1 teaches an identity management agent resident on an enterprise's network system (para. 0020, 0035 and 0042-0046, identity management (“IDM”)functionality in the cloud and on-premise), wherein the identity management agent is configured to communicate with one or more enterprise on-premise systems, to communicate with an active directory domain controller resident on the enterprise's network system, and to communicate with the identity management container application (para. 0040, 0167 and 0206, password is managed in an active directory (“AD”)/LDAP server (e.g., AD 204 of FIG. 2), an IDCS agent Identity Bridge (e.g., ID Bridge 230 of FIG. 2) deployed on-premise generates the Kerberos principal key and sends it to IDCS; that is system is in communication with active directory (“AD”)/LDAP server).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe and D1 because it would enhance controlling user accessing resources (D1 para. 0028).

	Regarding claim 2, the combination of Leafe and D1 teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the user input request for accessing the resource originates from inside an enterprise network firewall (para. 0306 and 0073, LDAP server behind a company firewall).

	Regarding claim 3, the combination of Leafe and D1 teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the user input request for accessing the resource originates from outside an enterprise network firewall (FIG. 1 #102 and #114/116, user is outside proxy/gateway as firewall).

	Regarding claims 4 and 17, the combination of Leafe and D1 teaches all of the limitations of claims 1 and 16, respectively, as described above. Leafe further teaches wherein the Internet-related APIs are REST APIs (para. 0245 0254, 0261 and 0262, using RESTful API).

	Regarding claim 6, the combination of Leafe and D1 teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the identity management container application and the identity management agent communicate through a firewall on the enterprise's network (FIG. 1 #102 and #114/116, user is outside proxy/gateway as firewall through #112 service endpoints which includes authentication services).

	Regarding claim 7, the combination of Leafe and D1 teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the enterprise's on-premise systems comprise any of: 
an executable application (para. 0008, A public cloud has an infrastructure that is available to the general public or a large industry group and is likely owned by a cloud services company. A private cloud operates for a single organization, but can be managed on-premise or off-premise);
	a mainframe;
	a router; and
	an employee asset.

	Regarding claim 8, the combination of Leafe and D1 teaches all of the limitations of claim 7, as described above. Leafe further teaches wherein the on-premise systems further comprise existing enterprise rules and attributes from spreadsheets, human resources systems, or application programming interfaces (para. para. 0008, 0257 and 0258, processor includes rule engine used through API calls).

	Regarding claims 9 and 18, the combination of Leafe and D1 teaches all of the limitations of claims 1 and 16, respectively, as described above. Leafe further teaches wherein the identity management container application is configured to be portable and configured to reside and execute on a cloud environment, on-premise; and on a private cloud instance (par. 0008, 0245, 0306, executed in cloud environment, can be managed on-premise and on private clouds).

	Regarding claim 10, the combination of Leafe and D1 teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the resource is any of an application of the enterprise, an enterprise asset, or a cloud application (para. 0008, 0033 and 0250 cloud computing).

	Regarding claim 11, the combination of Leafe and D1 teaches all of the limitations of claim 7, as described above. Leafe further teaches wherein user credentials of the user for an on-premise resource are used to enable the user to access the resource (para. 0130, 0131 and 0137, [t]he authz provider720 performs the necessary analysis to determine whether an identified user has the necessary permissions to perform a requested action).

	Regarding claims 12 and 19, the combination of Leafe and D1 teaches all of the limitations of claims 11 and 16, respectively, as described above. Leafe further teaches wherein the user credentials are stored on the enterprise's on-premise systems (para. 0008, 0137 and 0138, user credentials are stored on-premise).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Leafe in view of D1, as applied in the claims above, further in view of Vats et al. (US 20180083944 A1), hereinafter Vats.

	Regarding claim 5, the combination of Leafe and D1 teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the Internet-related APIs include the following functions (Examiner claims that all the operations in this list are well-known operations of Active Directory and LDAP etc. servers, as well as evidenced in Leafe para. 0235, 0254 and 0267, authorization service is operable to store, retrieve, delete, and query stored credentials from in the storage pools 814. In one embodiment, an authorization service provides an ACL-based authorization. In a second embodiment, the authorization service provides posix-compatible authorization. In a third embodiment, the authorization service provides tree or graph-based authorization, such as would be provided with an LDAP-based authorization service).
	Before further explanation and to simplify the process, Examiner categorizes the functionalities listed in this claim as following:
	a. create – 
		to add a directory user to a directory group.
b. update – 
		to patch a password;
		to change status of a user;
		to update a single string attribute value from a specific directory user;
		…
c. read/query -
		to retrieve a directory domain;
to get a random password that meets the domain's password policy;
		to get a list of organizational units;
		to search for a particular organizational unit;
		…
	In a similar way, the rest in the list are categorized as:
	d. delete
in addition, according the above categorization, Vats teaches all the limitations in these categories (para. 0096, Administration services leverage and extend the SCIM standard to implement schema-based REST APIs for Create, Read, Update, Delete, and Query (“CRUDQ”) operations on all IDCS resources; para. 0031, 0052 and 0181, LDAP and Active Directory; para. 0249-0251 list of all objects that REST APIs function CRUDQ on the objects)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe, D1 and Vats because it would a different way that is scalable for authentication using RESTAPIs (Vats para. 0049).
Further, it is noted that functions of APIs listed in the claim are only found in the nonfunctional descriptive material which are not functionally involved in the claim.  Thus, this descriptive material will not distinguish the claimed invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include all or any of the listed API functions to achieve the predictable benefit of customization.

Claims 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Leafe in view of D1, as applied in the claims above, further in view of Jaeger (US 10326845 B1).

	Regarding claim 13, the combination of Leafe and D1 teaches all of the limitations of claim 1, as described above. 
Leafe in view of D1 does not explicitly teach but in an analogous art, Jaeger teaches wherein the container is a Docker container (col6 ln1-39, using Docker containers).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe, D1 and Jaeger because it would overcome challenges associated with deployment of multiple distinct applications for multiple tenants in hybrid multi-tenant clouds can be advantageously avoided through the use of Docker Swarm (Jaeger col1ln63-col2 ln3).

	Regarding claim 14, the combination of Leafe and D1 teaches all of the limitations of claim 1, as described above. 
Jaeger teaches further comprising a plurality of containers and a swarm management cluster load balancing processor for balancing network traffic across the plurality of containers (col6 ln1-39, using Docker containers and Docker Swarm).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe, D1 and Jaeger because it would overcome challenges associated with deployment of multiple distinct applications for multiple tenants in hybrid multi-tenant clouds can be advantageously avoided through the use of Docker Swarm (Jaeger col1ln63-col2 ln3).

	Regarding claim 15, the combination of Leafe and D1 teaches all of the limitations of claim 7, as described above.
Leafe in view of D1 does not explicitly teach but in an analogous art,  Jaeger teaches wherein the container is programmable by a user administrator of the enterprise to set enterprise rules and attributes for user provisioning (col10 ln17-21 and Table1, processes Admin Provisions/disposes Provisions/disposes Tenant's internal istrator and configures and configures IT (may act as infrastructural hosts and internal MSP components of the application administrator); provisioning admin user).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe, D1 and Jaeger because it would overcome challenges associated with deployment of multiple distinct applications for multiple tenants in hybrid multi-tenant clouds can be advantageously avoided through the use of Docker Swarm (Jaeger col1ln63-col2 ln3).

References Cited Not Used
	The closest art Venkatasubramanian et al. (US 10922284 B1) teaches a provides a web-based user interface (UI) framework that allows end users to authenticate and access different applications in a seamless manner. Authentication is provided by integrating with proprietary or third-party authentication services, such as the Apache Knox authentication service. Apache Knox, and similar services, can be configured with various identity providers like an LDAP (lightweight directory access protocol) based source. The access to different services is provided by RESTful APIs. The Apache Knox gateway is a system that provides a single point of authentication and access for Apache Hadoop services in a cluster. It simplifies Hadoop security for users that access the cluster data and execute jobs and operators that control access and manage the cluster. The gateway runs as a server, or a cluster of servers, providing centralized access to one or more Hadoop clusters. Policy enforcement ranges from authentication/federation, authorization, audit, dispatch, host mapping and content rewrite rules. Policy is enforced through a chain of providers that are defined within the topology deployment descriptor for each Apache Hadoop cluster gated by Knox. The cluster definition is also defined within the topology deployment descriptor and provides the Knox Gateway with the layout of the cluster for purposes of routing and translation between user facing URLs and cluster internals. Each Apache Hadoop cluster that is protected by Knox has its set of REST APIs represented by a single cluster specific application context path. This allows the Knox Gateway to both protect multiple clusters and present the REST API consumer with a single endpoint for access to all of the services required, across the multiple clusters. Although embodiments are described with respect to Apache Knox authentication, embodiments are not so limited, and any other similar authentication service can be used. (28) In general, REST (Representational State Transfer) is an architectural style that defines a set of constraints to be used for creating web services. Web Services that conform to the REST architectural style, or RESTful web services, provide interope.
	The closest art Nuggehalli et al. (US 20190306227 A1) teaches a method for accessing to cloud services. The method uses authentication API, Docker container and Docker Swarm to provisioning new users and authenticating users. The approach uses a first set of cloud services, referred to herein as Integrated Cloud Environment (ICE) cloud services, to access to a second set of cloud services, referred to herein as Smart Integration (SI) cloud services, on end-user devices. The ICE cloud services provide a user-friendly user interface for accessing the SI cloud services via an end-user device, implement the Application Program Interfaces (APIs) of the SI cloud services, and also manage results generated by the SI cloud services. The ICE cloud services also manage user information, authorization credentials and tokens needed to access third-party services. According to another embodiment, the SI cloud and the ICE cloud are integrated using direct linking, i.e., directly linking an end-user device to the SI cloud.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday-Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/Examiner, Art Unit 2437 

/ALI S ABYANEH/Primary Examiner, Art Unit 2437