DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to application filed 07/30/2019. Claims 1-17 are pending.

Priority
This application is not claiming any priority.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/30/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


1.	Claims 1-8 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claims do not fall within at least one of the four categories of patent eligible subject matter because a server is a piece of computer hardware or software (computer program) that provides functionality for other programs or devices, called "clients".
Applicant should amend the system claims to include a hardware component such as a hardware processor or a memory.

2.	Claims 1-8 rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract idea without significantly more. The analysis is as follows:

Per 2019 PEG:
Step 1) Claims 1-8 are directed to software per se system and are NOT categorically eligible. Claims 9-20 are directed to system and method and therefore are categorically subject matter eligible.
Step 2) – 2A:
In light of the specification, claim(s) 1-20 do NOT recite features that may reasonably be construed as Abstract.
As such, claims 1-8 are patent “ineligible” due to failing the first prong. Claims 9-20 are patent “eligible”.

Examiner’s Note
The adjective “silent” in “silent authentication request” is interpreted as the underlying concept of SSO authentication, i.e., a request for accessing plurality of services/resources with the assumption that user is authenticated.

Claim Objections
Claim 1 is objected to because of the following informalities:  
In limitation “…receives and verifies a silent authentication request on behalf of the authenticated user from the user management server…” from is read of as it appears to be a grammatical error.
Appropriate correction or clarification on the limitation as currently presented is required.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 1-4, 6-14 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Chao, US2014/0317716A1 in view of Stein, US2008/0168539A1.

Per claim 1, Chao discloses an identity management system, comprising: 
an identity provider server that authenticates a user (Although not shown, it is assumed that the user of the IWD/IPAS console has been authenticated in a known manner.  The user is represented within the system (the IWD/IPAS console 800 and the IWD/IPAS security service 802) by a first token 805. This token is not provided (or exposed) to the user but, rather, is just an internal system data structure.  The token, which identifies what privileges the user has and resources he or she can access – Chao: par. 0082), that redirects an authenticated user to a user management server (At step 812, the first user token 805 is signed and provided to the IWD/IPAS security service 802 – Chao: par. 0084), that receives and verifies a silent authentication request on behalf of the authenticated user from the user management server wherein the silent authentication request includes a cryptographic signature and a modified message, and that provides a site token to access a requested resource when the silent authentication request is verified (The security service 802 receives the token 805, which is provided as cleartext, and, at step 814, returns to the IWD/IPAS console 800 a secret 816.  The secret is protected by encryption and thus is opaque (and suitable for transport over the public network).  At step 818, the console 808 sends the secret 816 to the monitor console 804.  At step 820, the monitor console signs request messages with the secret with its private key that is specified by a second "shared services" token 815 and, at step 822, sends the signed messages and secret back to the IWD/IPAS security service 802.  The "shared services" token 815 is owned by the shared services provider 806. The IWD/IPAS security service 802 verifies the secret and, at step 824, sends the monitor console 804 a shared services user token 825 – Chao: par. 0084 – Note: “a modified message” is equivalent to “the signed secret” and “a site token” is equivalent to “a shared services user token”); and
a user management server that presents a resource page (i.e., management console) to the authenticated user (The shared services user token 825 is used to access the monitor console automatically, after which the monitor console is displayed to the user – Chao: par. 0084), Chao is not relied on to explicitly disclose but Stein discloses that converts a resource request from the authenticated user into the silent authentication request by applying a cryptographic function to a message to provide the cryptographic signature (Note: a SAML assertion includes a digitally signed token, signed by a SAML authority. This allows further requests of the user without having to re-authenticate in/for any domain which trusts the SAML authority that issued the token.  In essence, the token defines the circle of trust which the user is able to operate within) and by applying a modification to the message to provide the modified message, that sends the silent authentication request to the identity provider server (the trusted relying party module 606 requests access (638) to the target system on the user's behalf.  The request is made to the target system's receiving FIMM 610, which extracts the list of attribute values and names and the local user name of the now authenticated user.  The attributes may be written to a local repository or, more usefully, to an HTTP cookie or similar object.  Thus, the relying party FIMM performs an inverse function of the asserting party FIMM.  It starts with the SAL assertion and converts the information about authentication back into a format known by the local system - Stein: par. 0045), and that redirects the authenticated user to the requested resource when the site token is provided (The relying party FIMM 610 of the target system now redirects (640) the requested access (with an SAML artifact) so that the concentrator directs the request for access (642) to the target system 612 – Stein: par. 0046);
wherein the cryptographic function and the modification are known only by the identity provider server and the user management server (the relying party FIMM performs an inverse function of the asserting party FIMM.  It starts with the SAL assertion and converts the information about authentication back into a format known by the local system – Stein: par. 0045 – Note: the implemented SAML assertion is symmetric and therefore based on a secret only accessible to asserting party FIMM and the relying party that can do the inverse function).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chao in view of Stein to include a user management server that presents a resource page to the authenticated user, that converts a resource request from the authenticated user into the silent authentication request by applying a cryptographic function to a message to provide the cryptographic signature and by applying a modification to the message to provide the modified message, that sends the silent authentication request to the identity provider server, and that redirects the authenticated user to the requested resource when the site token is provided; wherein the cryptographic function and the modification are known only by the identity provider server and the user management server.
One of ordinary skill in the art would have been motivated because it would allow “managing user entitlements to participation with federated application resources, user identification mapping and assertion transportation and redirection” – Stein: par. 0041. 

Per claim 9, Chao discloses an information handling system, comprising:
a programmable integrated circuit (Chao: par. 0029 and Fig. 2, block 204); and 
a memory storing an authentication application, which when executed by the programmable integrated circuit configures the information handling system into a silent authentication system (Chao: par. 0029 and Fig. 2, block 206); 
wherein the silent authentication system processes a silent authentication request by performing a cryptographic function on a message to provide a cryptographic signature (The security service 802 receives the token 805, which is provided as cleartext, and, at step 814, returns to the IWD/IPAS console 800 a secret 816.  The secret is protected by encryption and thus is opaque (and suitable for transport over the public network).  At step 818, the console 808 sends the secret 816 to the monitor console 804.  At step 820, the monitor console signs request messages with the secret with its private key that is specified by a second "shared services" token 815 and, at step 822, sends the signed messages and secret back to the IWD/IPAS security service 802.  The "shared services" token 815 is owned by the shared services provider 806. The IWD/IPAS security service 802 verifies the secret and, at step 824, sends the monitor console 804 a shared services user token 825 – Chao: par. 0084 – Note: “a modified message” is equivalent to “the signed secret” and “a site token” is equivalent to “a shared services user token”), and 
Chao is not relied on to explicitly disclose but Stein discloses by translating between the message and a modified message by applying a modification to one of the message and the modified message (The asserting party FIMM then converts or maps the local user name into a format (e.g., an e-mail address, a Windows.TM.  domain qualified user name, a SAML X.509 subject name, etc.) defined/supported by the SAML specification (e.g., SAML v. 2.0 as originally promulgated by OASIS and subsequently revised from time to time).  Name mappings can be many-to-one, many-to-few or one-to-one. [0043] This colloquy is shown in the illustration with the local application 602 requesting (622) access to a target system, the asserting FIMM 604 redirecting the request with a SAML artifact, and the local application making an access (626) to the artifact receiver service.  The artifact receiver service is hosted by a trusted relying party, in this case the concentrator 606.  The concentrator 606 requests (628) the SAML assertion, which is subsequently provided (630) by the local asserting FIMM 604.  The information needed for this assertion concerns the authenticated user and how that authentication was performed.  The identity information is made part of the assertion SubjectStatement and the manner of authentication is made part of the AuthenticationStatement in the SAML assertion (630) – Stein: par. 0042-0043 – Note: SAML assertion in the asserting party FIMM converts the message from local system to the target system).
Therefore, claim 9 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 16, Chao discloses a method comprising:
applying a cryptographic function on a message to provide a cryptographic signature (the first user token 805 is signed and provided to the IWD/IPAS security service 802… The security service 802 receives the token 805… and, at step 814, returns to the IWD/IPAS console 800 a secret 816…At step 820, the monitor console signs request messages with the secret with its private key that is specified by a second "shared services" token 815– Chao: par. 0084); 
Chao is not relied on to explicitly disclose but Stein discloses modifying a message by applying a modification to provide a modified message (The asserting party FIMM then converts or maps the local user name into a format (e.g., an e-mail address, a Windows.TM.  domain qualified user name, a SAML X.509 subject name, etc.) defined/supported by the SAML specification (e.g., SAML v. 2.0 as originally promulgated by OASIS and subsequently revised from time to time).  Name mappings can be many-to-one, many-to-few or one-to-one – Stein: par. 0042 – Note: SAML assertion in the asserting party FIMM converts the message from local system to the target system); and 
sending the cryptographic signature and the modified message as a silent authentication request (the local application 602 requesting (622) access to a target system, the asserting FIMM 604 redirecting the request with a SAML artifact, and the local application making an access (626) to the artifact receiver service.  The artifact receiver service is hosted by a trusted relying party, in this case the concentrator 606.  The concentrator 606 requests (628) the SAML assertion, which is subsequently provided (630) by the local asserting FIMM 604.  The information needed for this assertion concerns the authenticated user and how that authentication was performed.  The identity information is made part of the assertion SubjectStatement and the manner of authentication is made part of the AuthenticationStatement in the SAML assertion (630) – Stein: par. 0042-0043 – Note: a SAML assertion includes a digitally signed token, signed by a SAML authority. This allows further requests of the user without having to re-authenticate in/for any domain which trusts the SAML authority that issued the token.  In essence, the token defines the circle of trust which the user is able to operate within).
Therefore, claim 16 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 2, Chao-Stein discloses the identity management system of claim 1, wherein the message comprises a plurality of parameters, and wherein the modified message comprises the plurality of parameters including the modification applied to at least one of the plurality of parameters (an application 602 presents (620) an authenticated user to the local application's asserting federated identity management module (FIMM) 604.  A FIMM, in this context, is a local program module (i.e., local to the subject node/application) responsible for communications with the federated identity concentrator.  An asserting party's FIMM reads in attributes associated with an authenticated user from a local attribute repository.  The authenticated user's name is the user name as it appears in the local authentication system.  The attributes are read and placed into internal objects that eventually become an AttributeStatement within an SAML assertion (discussed below).  The asserting party FIMM then converts or maps the local user name into a format (e.g., an e-mail address, a Windows.TM.  domain qualified user name, a SAML X.509 subject name, etc.) defined/supported by the SAML specification – Stein: par. 0042).
The same motivation to modify Chao in view of Stein applied to claim 1 above applies here.

Per claim 3, Chao-Stein discloses the identity management system of claim 2, wherein the modification comprises at least one math function using at least one modifier variable applied to the at least one of the plurality of parameters to generate at least one modified parameter (an application 602 presents (620) an authenticated user to the local application's asserting federated identity management module (FIMM) 604.  A FIMM, in this context, is a local program module (i.e., local to the subject node/application) responsible for communications with the federated identity concentrator.  An asserting party's FIMM reads in attributes associated with an authenticated user from a local attribute repository.  The authenticated user's name is the user name as it appears in the local authentication system.  The attributes are read and placed into internal objects that eventually become an AttributeStatement within an SAML assertion (discussed below).  The asserting party FIMM then converts or maps the local user name into a format (e.g., an e-mail address, a Windows.TM.  domain qualified user name, a SAML X.509 subject name, etc.) defined/supported by the SAML specification – Stein: par. 0042 – Note: a function that has an inverse function is an obvious variation of a math function).
The same motivation to modify Chao in view of Stein applied to claim 1 above applies here.

Per claim 4, Chao-Stein discloses the identity management system of claim 3, wherein the user management server applies the at least one math function using the at least one modifier variable to the at least one of the plurality of parameters to generate the at least one modified parameter (an application 602 presents (620) an authenticated user to the local application's asserting federated identity management module (FIMM) 604.  A FIMM, in this context, is a local program module (i.e., local to the subject node/application) responsible for communications with the federated identity concentrator.  An asserting party's FIMM reads in attributes associated with an authenticated user from a local attribute repository.  The authenticated user's name is the user name as it appears in the local authentication system.  The attributes are read and placed into internal objects that eventually become an AttributeStatement within an SAML assertion (discussed below).  The asserting party FIMM then converts or maps the local user name into a format (e.g., an e-mail address, a Windows.TM.  domain qualified user name, a SAML X.509 subject name, etc.) defined/supported by the SAML specification – Stein: par. 0042), and wherein the identity provider server applies an inverse of the at least one math function using the at least one modifier variable to the at least one modified parameter to generate at least one unmodified parameter used to regenerate the message (The relying party module 606 of the concentrator provides (634) the global unique ID for the subject user and, in return, the ClearTrust module 608 provides (636) the necessary credentials for authentication at the target system.  Using these credentials, the trusted relying party module 606 requests access (638) to the target system on the user's behalf.  The request is made to the target system's receiving FIMM 610, which extracts the list of attribute values and names and the local user name of the now authenticated user.  The attributes may be written to a local repository or, more usefully, to an HTTP cookie or similar object.  Thus, the relying party FIMM performs an inverse function of the asserting party FIMM – Stein: par. 0045 – Note: a function that has an inverse function is an obvious variation of a math function).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chao in view of Stein to include wherein the user management server applies the at least one math function using the at least one modifier variable to the at least one of the plurality of parameters to generate the at least one modified parameter, and wherein the identity provider server applies an inverse of the at least one math function using the at least one modifier variable to the at least one modified parameter to generate at least one unmodified parameter used to regenerate the message..
One of ordinary skill in the art would have been motivated because it would allow to convert the information about authentication back into a format known by the local system – Stein: par. 0045.

Per claim 6, Chao-Stein discloses the identity management system of claim 1, further comprising: 
a federation server that is accessed by the identity provider server to obtain an identity token to authenticate the user when the user comprises a resource administrator or a privileged consumer (interactions occur via IWD/IPAS console 800, IWD/IPAS security service 802, a monitor console 804, and a monitor shared services provider 806.  The IWD/IPAS security service is implemented in the security server, which performs user identity management and access control policy management.  This scenario assumes that the entities have established trust relationships in the manner previously described (in either FIG. 6 or FIG. 7)… Although not shown, it is assumed that the user of the IWD/IPAS console has been authenticated in a known manner.  The user is represented within the system (the IWD/IPAS console 800 and the IWD/IPAS security service 802) by a first token 805 – Chao: par. 0081-0082); and 
Chao is not relied on but Stein discloses a data store system that is accessed by the identify provider to obtain an identity token to authenticate the user when the user comprises a resource consumer (permission for the user to participate with the target system is provided by a portion 608 of the federated identity concentrator that implements the ClearTrust.TM.  solution available from RSA Security Inc.  of Bedford, Mass.  CleartTrust is a software solution that provides for user account creation and maintenance, profile updates and password setting.  It is a rules-based solution that grants or denies user accesses based on definable user attributes.  Here, those attributes are received as part of the SAML assertion and, assuming they match the stored attributes, permission to access the target system is granted accordingly – Stein: par. 0044).
The same motivation to modify Chao in view of Stein applied to claim 1 above applies here.

Per claim 7, Chao-Stein discloses the identity management system of claim 6, wherein: 
the resource administrator or privileged consumer is authenticated based on a predetermined trust relationship identified by access to an internal login link (Appropriate trust relationships are presumed, as previously described.  In this embodiment, the user 901 makes a request to access the monitoring shared service by selecting a bookmarked URL in the console 900.  This is step 908.  This action causes a redirect to a login page of the shared service UI 904.  This redirect is step 910.  In this embodiment, and instead of issuing a challenge to the user, the shared service UI 904 (having established the necessary trust relationship), issues a redirect to the IWD console 900.  This second redirect is step 912.  Steps 910 and 912 are transparent to the user 901.  At step 914, the IWD console 900 issues a login challenge to the user 901- Chao: par. 0086); and 
wherein the resource consumer is authenticated based on user credentials provided by the user (The user posts his or her UID/password at step 916.  If the user 901 is authenticated, the IWD console 900 logs into the security service 902 at step 918.  The security service 902 responds at step 920 by returning the user token.  …  The shared service then issues the user the requested information at step 932 to complete the process – Chao: par. 0086).

Per claim 8, Chao-Stein discloses the identity management system of claim 1, further comprising: 
a plurality of subservient web servers hosting a corresponding plurality of applications accessible by the identity management system via a network interface (As shown in FIG. 5, by creating a circle of trust in a system 500 where the concentrator 502 is responsible for managing user entitlements to participation with federated application resources, user identification mapping and assertion transportation and redirection, the environment is made much simpler than was the case above.  Now, the maximum number of connections for each application/node has been reduced to two.  For example, application 1, associated with node 504, asserts to concentrator 502 and relies on assertions therefrom.  Likewise, application 3, associated with node 508, and application 4, associated with node 510, each respectively assert to concentrator 502 and rely on assertions therefrom.  Application 2, associated with node 506, relies on assertions from concentrator 502.  For its part, the concentrator 502 relies on assertions from applications 1, 3 and 4, and asserts to all of the applications 1-4 – Stein: par. 0041); 
wherein the message identifies one of the plurality of subservient web servers and one of the plurality of applications as the requested resource (The relying party FIMM 610 of the target system now redirects (640) the requested access (with an SAML artifact) so that the concentrator directs the request for access (642) to the target system 612.  This request accesses the artifact receiver service at the target system such that the target system interrogates (644) its local relying party FIMM 610 for the SAML assertion that will provide the local authentication credentials and that SAML assertion is provided (646) in response – Stein: par. 0046); and 
wherein identity provider server provides a site token to the identified one of the plurality of subservient web servers to enable access of the one of the plurality of applications by the authenticated user (Upon successful authentication at the target system in the target's local credentials, the user is granted access (648) to the target system – Stein: par. 0046).
The same motivation to modify Chao in view of Stein applied to claim 1 above applies here.

Per claim 10, Chao-Stein discloses the information handling system of claim 9, wherein the message and the modified message each comprise at least one parameter, wherein the modification comprises at least one math function that uses at least one modification variable to modify the at least one parameter (an application 602 presents (620) an authenticated user to the local application's asserting federated identity management module (FIMM) 604.  A FIMM, in this context, is a local program module (i.e., local to the subject node/application) responsible for communications with the federated identity concentrator.  An asserting party's FIMM reads in attributes associated with an authenticated user from a local attribute repository.  The authenticated user's name is the user name as it appears in the local authentication system.  The attributes are read and placed into internal objects that eventually become an AttributeStatement within an SAML assertion (discussed below).  The asserting party FIMM then converts or maps the local user name into a format (e.g., an e-mail address, a Windows.TM.  domain qualified user name, a SAML X.509 subject name, etc.) defined/supported by the SAML specification – Stein: par. 0042).
The same motivation to modify Chao in view of Stein applied to claim 4 above applies here.

Per claim 11, Chao-Stein discloses the information handling system of claim 9, wherein: 
the authentication application comprises a user management application that configures the information handling system into a user management server (This security model provides a seamless layer of security infrastructure to an application (with its own security infrastructure) running on a virtual machine in the cloud environment.  A user (e.g., an administrator) registers to the layer of security infrastructure.  Upon receiving a request by the user to add a service (e.g., a shared service) to the application (or to use that service, if previously deployed and enabled), the layer of security infrastructure is used to authenticate the user, preferably by communicating to the application using a private key.  The application security infrastructure then adds (or enables access to) the service without requiring direct authentication from the user to the application security infrastructure – Chao: par. 0079);; and 
wherein the user management server applies the cryptographic function to the message to provide the cryptographic signature, applies the modification to the message to provide the modified message, and transmits the cryptographic signature and the modified message as the silent authentication request (At step 812, the first user token 805 is signed and provided to the IWD/IPAS security service 802.  The security service 802 receives the token 805, which is provided as cleartext, and, at step 814, returns to the IWD/IPAS console 800 a secret 816.  The secret is protected by encryption and thus is opaque (and suitable for transport over the public network).  At step 818, the console 808 sends the secret 816 to the monitor console 804.  At step 820, the monitor console signs request messages with the secret with its private key that is specified by a second "shared services" token 815 and, at step 822, sends the signed messages and secret back to the IWD/IPAS security service 802.  The "shared services" token 815 is owned by the shared services provider 806.  The IWD/IPAS security service verifies the secret and, at step 824, sends the monitor console 804 a shared services user token 825 – Chao: par. 0084).

Per claim 12, Chao-Stein discloses the information handling system of claim 11, wherein the message comprises at least one parameter, and wherein the modification comprises at least one math function that uses at least one modifier variable to modify the at least one parameter to convert the message into the modified message (an application 602 presents (620) an authenticated user to the local application's asserting federated identity management module (FIMM) 604.  A FIMM, in this context, is a local program module (i.e., local to the subject node/application) responsible for communications with the federated identity concentrator.  An asserting party's FIMM reads in attributes associated with an authenticated user from a local attribute repository.  The authenticated user's name is the user name as it appears in the local authentication system.  The attributes are read and placed into internal objects that eventually become an AttributeStatement within an SAML assertion (discussed below).  The asserting party FIMM then converts or maps the local user name into a format (e.g., an e-mail address, a Windows.TM.  domain qualified user name, a SAML X.509 subject name, etc.) defined/supported by the SAML specification – Stein: par. 0042).
The same motivation to modify Chao in view of Stein applied to claim 4 above applies here.

Per claim 13, Chao-Stein discloses the information handling system of claim 9, wherein: 
the authentication application comprises an identification provider application that configures the information handling system into an identity provider server (This security model provides a seamless layer of security infrastructure to an application (with its own security infrastructure) running on a virtual machine in the cloud environment.  A user (e.g., an administrator) registers to the layer of security infrastructure.  Upon receiving a request by the user to add a service (e.g., a shared service) to the application (or to use that service, if previously deployed and enabled), the layer of security infrastructure is used to authenticate the user, preferably by communicating to the application using a private key.  The application security infrastructure then adds (or enables access to) the service without requiring direct authentication from the user to the application security infrastructure – Chao: par. 0079); and 
wherein the identity provider server receives the silent authentication request comprising the cryptographic signature and the modified message, applies the modification to the modified message to regenerate the original message, applies the cryptographic function to the original message to generate a new cryptographic signature (At step 812, the first user token 805 is signed and provided to the IWD/IPAS security service 802.  The security service 802 receives the token 805, which is provided as cleartext, and, at step 814, returns to the IWD/IPAS console 800 a secret 816.  The secret is protected by encryption and thus is opaque (and suitable for transport over the public network).  At step 818, the console 808 sends the secret 816 to the monitor console 804.  At step 820, the monitor console signs request messages with the secret with its private key that is specified by a second "shared services" token 815 and, at step 822, sends the signed messages and secret back to the IWD/IPAS security service 802.  The "shared services" token 815 is owned by the shared services provider 806.  The IWD/IPAS security service verifies the secret and, at step 824, sends the monitor console 804 a shared services user token 825 – Chao: par. 0084), and compares the new cryptographic signature with the received cryptographic signature to authenticate the silent authentication request (when an administrator or deployer clicks on a first icon representing a service to be deployed, the system sends a secret token that represents the administrator or deployer to the service.  Using a security server, the service exchanges the secret token with a user security token that represents the credentials of the administrator or the deployer.  The service then validates the user security token by extracting user identity, group, security role, and resource identifier information.  Using the extracted information, the service then makes access control decisions.  In this approach, the user identity management, authentication and access control are managed by the cloud computing infrastructure.  A service being deployed just needs to exchange and validate the user security token, validate the trust relationship, and then enforce the access control policy – Chao: par. 0088).

Per claim 14, Chao-Stein discloses the information handling system of claim 13, wherein the modified message comprises at least one modified parameter, and wherein the modification comprises at least one inverse math function that uses at least one modifier variable to convert the at least one modified parameter into at least one original parameter to regenerate the message from the modified message (The relying party module 606 of the concentrator provides (634) the global unique ID for the subject user and, in return, the ClearTrust module 608 provides (636) the necessary credentials for authentication at the target system.  Using these credentials, the trusted relying party module 606 requests access (638) to the target system on the user's behalf.  The request is made to the target system's receiving FIMM 610, which extracts the list of attribute values and names and the local user name of the now authenticated user.  The attributes may be written to a local repository or, more usefully, to an HTTP cookie or similar object.  Thus, the relying party FIMM performs an inverse function of the asserting party FIMM – Stein: par. 0045).
The same motivation to modify Chao in view of Stein applied to claim 4 above applies here.

Per claim 17, Chao-Stein discloses the method of claim 16, wherein the modifying a message comprises applying at least one math function using at least one modifier variable to at least one parameter of the message (an application 602 presents (620) an authenticated user to the local application's asserting federated identity management module (FIMM) 604.  A FIMM, in this context, is a local program module (i.e., local to the subject node/application) responsible for communications with the federated identity concentrator.  An asserting party's FIMM reads in attributes associated with an authenticated user from a local attribute repository.  The authenticated user's name is the user name as it appears in the local authentication system.  The attributes are read and placed into internal objects that eventually become an AttributeStatement within an SAML assertion (discussed below).  The asserting party FIMM then converts or maps the local user name into a format (e.g., an e-mail address, a Windows.TM.  domain qualified user name, a SAML X.509 subject name, etc.) defined/supported by the SAML specification – Stein: par. 0042).
The same motivation to modify Chao in view of Stein applied to claim 4 above applies here.

Per claim 18, Chao-Stein discloses the method of claim 16, further comprising: 
receiving the silent authentication request (The user is represented within the system (the IWD/IPAS console 800 and the IWD/IPAS security service 802) by a first token 805.  This token is not provided (or exposed) to the user but, rather, is just an internal system data structure.  The token, which identifies what privileges the user has and resources he or she can access, typically is maintained in the system in the clear and affords the user all deployment privileges suitable to the user's status – Chao: par. 0082); 
reversing the modification to the modified message to regenerate the message (At step 812, the first user token 805 is signed and provided to the IWD/IPAS security service 802 …The security service 802 receives the token 805, which is provided as cleartext, and, at step 814, returns to the IWD/IPAS console 800 a secret 816.  The secret is protected by encryption and thus is opaque (and suitable for transport over the public network).  At step 818, the console 808 sends the secret 816 to the monitor console 804 – Chao: par. 0084 - Note; 
applying the cryptographic function on the regenerated message to provide a new cryptographic signature (At step 820, the monitor console signs request messages with the secret with its private key that is specified by a second "shared services" token 815 and, at step 822, sends the signed messages and secret back to the IWD/IPAS security service 802.  The "shared services" token 815 is owned by the shared services provider 806.  The IWD/IPAS security service verifies the secret and, at step 824, sends the monitor console 804 a shared services user token 825 – Chao: par. 0084); and
comparing the received cryptographic signature with the new cryptographic signature to authenticate the silent authentication request (when an administrator or deployer clicks on a first icon representing a service to be deployed, the system sends a secret token that represents the administrator or deployer to the service.  Using a security server, the service exchanges the secret token with a user security token that represents the credentials of the administrator or the deployer.  The service then validates the user security token by extracting user identity, group, security role, and resource identifier information.  Using the extracted information, the service then makes access control decisions.  In this approach, the user identity management, authentication and access control are managed by the cloud computing infrastructure.  A service being deployed just needs to exchange and validate the user security token, validate the trust relationship, and then enforce the access control policy – Chao: par. 0088).

Per claim 19, Chao-Stein discloses the method of claim 18, wherein the reversing the modification comprises applying an inverse of at least one math function using at least one modifier variable on at least one parameter of the modified message (the trusted relying party module 606 requests access (638) to the target system on the user's behalf.  The request is made to the target system's receiving FIMM 610, which extracts the list of attribute values and names and the local user name of the now authenticated user.  The attributes may be written to a local repository or, more usefully, to an HTTP cookie or similar object.  Thus, the relying party FIMM performs an inverse function of the asserting party FIMM.  It starts with the SAL assertion and converts the information about authentication back into a format known by the local system – Stein: par. 0045 – Note: a function that has an inverse function is an obvious variation of a math function).
The same motivation to modify Chao in view of Stein applied to claim 4 above applies here.

2.	Claims 5, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chao, US2014/0317716A1 in view of Stein, US2008/0168539A1 as applied to claims 1, 9 and 16 above, and further in view of Hyland, US2014/0310792A1.

Per claim 5, Chao-Stein discloses the identity management system of claim 1.
Chao-Stein is not relied on to explicitly disclose but Hyland discloses wherein the cryptographic function comprises a cryptographic hash function applied to the message using a secret key to generate the cryptographic signature (The manners in which authentication and authorization is carried out may differ from one SSO architecture to another SSO architecture.  Client system 100 may utilize any security engine that supports any authentication mechanism using any encryption and hashing technologies.  Client system 100, for example, may support one of many symmetric encryption algorithms, e.g., SAML version 2.0, while another client system may utilize Triple Data Encryption Algorithm (TDEA or Triple DES) encryption technology in providing authentication services.  Accordingly, a Triple DES assertion would be made at a second system, rather than a SAML assertion – Hyland: par. 0032).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Chao-Stein further in view of Hyland to include wherein the cryptographic function comprises a cryptographic hash function applied to the message using a secret key to generate the cryptographic signature.
One of ordinary skill in the art would have been motivated because it would allow to “utilize any security engine that supports any authentication mechanism using any encryption and hashing technologies” – Hyland: par. 0032.

Per claim 15, Chao-Stein discloses the information handling system of claim 9.
Chao-Stein is not relied on to explicitly disclose but Hyland discloses wherein the cryptographic function comprises a cryptographic hash function applied to the message using a secret key to generate the cryptographic signature (The manners in which authentication and authorization is carried out may differ from one SSO architecture to another SSO architecture.  Client system 100 may utilize any security engine that supports any authentication mechanism using any encryption and hashing technologies.  Client system 100, for example, may support one of many symmetric encryption algorithms, e.g., SAML version 2.0, while another client system may utilize Triple Data Encryption Algorithm (TDEA or Triple DES) encryption technology in providing authentication services.  Accordingly, a Triple DES assertion would be made at a second system, rather than a SAML assertion – Hyland: par. 0032).
The same motivation to modify Chao-Stein further in view of Hyland applied to claim 5 above applies here.

Per claim 20, Chao-Stein discloses the method of claim 16.
Chao-Stein is not relied on to explicitly disclose but Hyland discloses wherein the applying a cryptographic function comprises applying a cryptographic hash function to the message using a secret key to generate the cryptographic signature (The manners in which authentication and authorization is carried out may differ from one SSO architecture to another SSO architecture.  Client system 100 may utilize any security engine that supports any authentication mechanism using any encryption and hashing technologies.  Client system 100, for example, may support one of many symmetric encryption algorithms, e.g., SAML version 2.0, while another client system may utilize Triple Data Encryption Algorithm (TDEA or Triple DES) encryption technology in providing authentication services.  Accordingly, a Triple DES assertion would be made at a second system, rather than a SAML assertion – Hyland: par. 0032).
The same motivation to modify Chao-Stein further in view of Hyland applied to claim 5 above applies here.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Cha, US20140230027A1 is included in the attached  PTO – 892.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571 - 272 - 3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/            Examiner, Art Unit 2434