DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to application 16/891,756 filed on 6/3/2020.
Claims 1-20 have been examined and are pending in this application.


Claim Objections
Claims 7 and 15-20 are objected to because of the following informalities:  

Regarding Claims 7 and 20; claims 7 and 20 recites the acronym OAuth without spelling out in full at its first occurrence. The examiner notes the acronym OAuth should be spelled out with it first occurrence. Appropriate correction is required. 

Regarding Claims 15-20; claims 15-20 recites in the preamble “The non-transitory computer readable of claim...”. The examiner notes for better clarity to further amend the preamble to “The non-transitory computer readable medium of claim...”.   Appropriate correction is required.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-6 and 8-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Georgieva (US 2016/0028833 A1) in view of Maxted (US 2012/0278425 A1) and Wray (US 2011/0320820 A1).

Regarding Claim 1;
Georgieva discloses a multi-tenant computing system, comprising: 
one or more hardware processors (FIG. 6); and 
memory storing instructions that, when executed by the one or more hardware processors (FIG. 6) cause the multi-tenant computing system to perform: 
receiving, from a client computer, a user interface request and a particular user interface session token ([0016] - At runtime, the request to access the cloud application 130 is received. In one embodiment, a tenant (e.g., one of 110A to 110D) accesses the cloud application 130 through a dedicated uniform resource locator (URL). When the request to access the cloud application 130 is received at the cloud platform 120, the tenant aware session manager 150 checks for a communication session corresponding to the received request by comparing a current communication session ID associated with the request and communication session IDs stored in the structure of the tenant aware session manager 150 and [0019] - In one exemplary embodiment, the communication session is identified by a communication session token or ID, in the form of a hash generated by a hash function that is generated and sent from a server to the tenant to identify the current communication session.);
determining whether a cache entry corresponding to the particular user interface session token is present in a user interface session cache comprising a plurality of the cache entries ([0016] - At runtime, the request to access the cloud application 130 is received. In one embodiment, a tenant (e.g., one of 110A to 110D) accesses the cloud application 130 through a dedicated uniform resource locator (URL). When the request to access the cloud application 130 is received at the cloud platform 120, the tenant aware session manager 150 checks for a communication session corresponding to the received request by comparing a current communication session ID associated with the request and communication session IDs stored in the structure of the tenant aware session manager 150 and [0019] - In one exemplary embodiment, the communication session is identified by a communication session token or ID, in the form of a hash generated by a hash function that is generated and sent from a server to the tenant to identify the current communication session and [0024]-[0025] - When the request is received by the cloud application 305, an instruction to fetch the communication session corresponding to a communication session ID associated with the received request is sent to the cache 310 using query “getSession( )”, for instance (e.g., 330))  As reasonably constructed the use of a token or a session ID appears to be interchangeable, thus represent the same object, thus the request can be based on a token/session ID  and the cache entries can be based on the token/session ID, wherein each of the cache entries comprises a respective session identifier, a respective tenant identifier... ([0026] - Further, the cache 310 sends a request to the tenant aware session manager 320 to find the communication session corresponding to the session ID associated with the request using query “findSession(JSESSIONID, TenantID), wherein the tenant identifier identifies one of a plurality of tenants of the multi-tenant computing system (FIG. 1 and [0013] - tenants); and 
when a cache entry corresponding to the particular user interface session token is present in the user interface session cache([0026] - Further, the cache 310 sends a request to the tenant aware session manager 320 to find the communication session corresponding to the session ID associated with the request using query “findSession(JSESSIONID, TenantID): 
retrieving, from the user interface session cache, the cache entry corresponding to the particular user interface session token ([0026] – Further, the cache 310 sends a request to the tenant aware session manager 320 to find the communication session corresponding to the session ID associated with the request using query “findSession(JSESSIONID, TenantID),” for instance (e.g., 345). In the example, the communication session corresponding to the session ID exists, thereby the tenant aware session manager 320 validates a current tenant ID with a tenant ID associated with the communication session.exists), 
obtaining the session identifier, the tenant identifier, ... from the retrieved cache entry ([0026] -  At 360, the tenant ID associated with the communication session and the current tenant ID are compared using query “Validate(TenantId, CurrentTenantId),” for instance. In the example, the tenant ID and the current tenant ID matches and the information is communicated to the cache 310 (e.g., 365)), and 
providing the user interface request, the obtained session identifier, the obtained tenant identifier, ... to a user interface application (FIG. 3 – Return).
wherein the user interface application selects one or more of the sessions according to the session identifier... (FIG. 2 – provide the communication session to execute the cloud application and [0021] and [0028] - The communication session corresponding to the current communication session ID of the request is provided to the cloud application (e.g., 415) for executing the cloud application 305.); and 
...retrieves tenant-specific data according to the obtained tenant identifier, and performs a service using the retrieved tenant-specific data according to the user interface request ([0015] - In one embodiment, tenant aware session manager 150 keeps track on communication sessions (e.g., hypertext transfer protocol (HTTP) sessions) created for accessing the cloud application 130. An HTTP session is a sequence of network request-response transactions. The tenant (e.g., 110A to 110D) initiates a request by establishing a Transmission Control Protocol (TCP) connection to a particular port on a server associated with the cloud application 130. HTTP defines methods to indicate the desired action to be performed on the identified resource associated with the cloud application 130. When the tenant (e.g., 110A to 110D) login for a first time to access the cloud application 130, a communication session is created and a session ID associated with the created communication session is stored in the tenant aware session manager 150. In one exemplary embodiment, the tenant aware session manager 150 includes a structure to store the communication session IDs associated with the communication sessions. The communication session IDs or session token is a piece of data that is used in network communications (often over HTTP) to identify the communication session and a series of related message exchanges. Further, a tenant ID is extracted from the login credentials of the tenant (e.g., 110A to 110D) and [0026] – Further, the cache 310 sends a request to the tenant aware session manager 320 to find the communication session corresponding to the session ID associated with the request using query “findSession(JSESSIONID, TenantID),” for instance (e.g., 345). In the example, the communication session corresponding to the session ID exists, thereby the tenant aware session manager 320 validates a current tenant ID with a tenant ID associated with the communication session.exists),
Georgieva fails to explicitly disclose 
wherein each of the cache entries comprises ... a respective authentication credential.
....
obtaining the ... the authentication credential from the retrieved cache entry, and 
providing the user interface request, ... the obtained authentication credential to a user interface application having a plurality of sessions with respective services; 
wherein the user interface application selects one or more of the sessions according to the session identifier, and transmits the user interface request, the obtained tenant identifier, and the obtained authentication credential over the selected one or more of the sessions to one or more of the services; and 
wherein each of the selected one or more of the services authenticates the user using the obtained authentication credential, retrieves tenant-specific data according to the obtained tenant identifier, and performs a service using the retrieved tenant-specific data according to the user interface request.	
However, in an analogous art, Maxted teaches concepts of disclose 
wherein each of the cache entries comprises ... a respective authentication credential (Maxted, FIG. 3 and [0035] – The user credentials may be obtained from a local user credential cache 306, accessible to the transactor and/or policy administrator)
....
obtaining the ... the authentication credential from the retrieved cache entry (Maxted, FIG. 3 and [0035] – he user credentials may be obtained from a local user credential cache 306, accessible to the transactor and/or policy administrator), and 
providing ... the obtained authentication credential to a [entity] (Maxted, FIG. 3 [0023] and [0035]);
...
wherein each of the selected one or more of the services authenticates the user using the obtained authentication credential, ... and performs a service ... (Maxted, [0033] and [0035] - the user is user identified, the policy evaluator determines what the user is then allowed to do (i.e., authorization))
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Maxted to the cache entries of Georgieva to include wherein each of the cache entries comprises ...a respective authentication credential ...obtaining the ...the authentication credential from the retrieved cache entry, and  providing ...the obtained authentication credential to a [entity];  ...wherein each of the selected one or more of the services authenticates the user using the obtained authentication credential, ...and performs a service.
One would have been motivated to combine the teachings of Maxted to Georgieva to do so as it provides / allows enforcement in a network device which services multiple customers and tenants (Maxted, [0001]). 
Further, in an analogous art,  teaches concepts of Wray 
providing [to a] user interface request, ... [data]  to a user interface application having a plurality of sessions with respective services (Wray, FIG. 6 and FIG. 7 – Request Migration Cookie from the Requestor and [0084] and [0089])
wherein the user interface application selects one or more of the sessions according to the session identifier, and transmits [the data] over the selected one or more of the sessions to one or more of the services (Wray, [0081]-[0082] - Cookie 500 contains session ID 508. Session ID 508 corresponds to session ID 408 in FIG. 4. Session ID 508 identifies a session on the server that generated the data contained in cookie 500 and [0089]-[0090] - The migration cookie contains a session identifier and information. The information in the migration cookie is used when the cached information for the session is unavailable and a subsequent request for access to the resource is made. The process then generates the cached information for the session using the migration cookie (operation 712)); and 
wherein each of the selected one or more of the services authenticates the user using the [data], retrieves tenant-specific data according to the obtained [data], and performs a service using the retrieved tenant-specific data according to the user interface request (Wray, [0081]-[0082] -  In this illustrative example, domain 506 is ibm.com/login.php. Domain 506 is restricted to login.php because cookie 500 may only be sent to an authentication script, such as authentication script 350 in FIG. 3. Cookie 500 is used to recreate a session on a server that does not contain cached information, such as cached information 348... Authenticated user identity 512 is also contained in cookie 500. Authenticated user identity 512 identifies a user or an account on the server that generated the data contained in cookie 500. In this illustrative example, authenticated user identity 512 is JSmith. JSmith is the user name of the user with an account on the server at ibm.com. The server receiving cookie 500 uses authenticated user identity 512 to recreate the session with session ID 508 that has a number of privileges associated with the user account JSmith and [0089]-[0090] - The migration cookie contains a session identifier and information. The information in the migration cookie is used when the cached information for the session is unavailable and a subsequent request for access to the resource is made. The process then generates the cached information for the session using the migration cookie (operation 712))
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Wray to the session identifier, the tenant identifier, and authentication credential of Georgieva and Maxted to include providing [to a] user interface request, ... [data]  to a user interface application having a plurality of sessions with respective services, wherein the user interface application selects one or more of the sessions according to the session identifier, and transmits [the data] over the selected one or more of the sessions to one or more of the services and wherein each of the selected one or more of the services authenticates the user using the [data], retrieves tenant-specific data according to the obtained [data], and performs a service using the retrieved tenant-specific data according to the user interface request, thus making it obvious to one of ordinary skill in the art that the data (i.e., cookie) of Wray can be or include session identifier, the tenant identifier, and authentication credential of Georgieva and Maxted
One would have been motivated to combine the teachings of Wray to Georgieva and Maxted to do so as it provides / allows restoring secure sessions (Wray, [0003]). 




Regarding Claim 2;
Georgieva and Maxted and Wray disclose the system to Claim 1. 
	Georgieva further discloses wherein the instructions further cause the one or more processors to perform: receiving, from the user interface application, a user interface response corresponding to the user interface request (FIG. 1 and FIG. 2 – 110 → Cloud Application); and sending the user interface response to the client computer (FIG. 1 and FIG. 2- Provide the communication session to execute the cloud application).

Regarding Claim 3;
Georgieva and Maxted and Wray disclose the system to Claim 1. 
	Georgieva discloses cache entries ([0016]).
	Wray further teaches wherein the instructions further cause the one or more processors to perform: when no cache entry corresponding to the user interface session token is present in the user interface session cache, directing the user interface request to a login service ([0096]-[0097] - . If the process determines that the signature and/or encryption is valid, the process determines whether the session has expired (operation 922). The session is determined to have expired if a last access time in the session cookie and/or a created time in the session cookie exceeds predetermined limits contained in a policy identifier such as policy identifier 414... if the process determines at operation 922 that the session has expired, the process deletes the session cookie and the migration cookie and requests that the client reauthenticate (operation 926)).  As reasonably constructed the session (i.e., cache entry) has expired (i.e., form of no cache entry) reauthentication is necessary.

Regarding Claim 4;
Georgieva and Maxted and Wray disclose the system to Claim 3. 
	Georgieva discloses cache entries ([0016]).
Wray further teaches wherein the instructions further cause the one or more processors to perform: when the login service receives valid login credentials from the client computer, sending a new user interface session token to the client computer ([0056] - Once computer system 304 identifies number of privileges 308, computer system 304 creates session 318. In these examples, session 318 is secure session 320. Secure session 320 is secure at least because number of privileges 308 were identified based on authentication information 316. Secure session 320 may also be secure because request 312 and/or resource 306 are transmitted over an encrypted connection. In these examples, session 318 is not stored on computer system 304. Instead, computer system 304 creates number of cookies 322. Number of cookies 322 consists of session cookie 324 and migration cookie 326. A cookie is data stored on computer system 302 based on information received from computer system 304. A cookie consists of one or more name-value pairs of data. In this illustrative embodiment, session cookie 324 contains session identifier 332, creation time 334, last used time 336, and policy identifier 338 and [0097]).







Regarding Claim 5;
Georgieva and Maxted and Wray disclose the system to Claim 1. 
	Georgieva discloses cache entries ([0016]).
Wray further teaches wherein the instructions further cause the one or more processors to perform: invalidating the cache entries in the user interface session cache according to a cache expiry policy ([0096]); and determining whether the cache entry corresponding to the particular user interface session token is valid ([0096]).

Regarding Claim 6;
Georgieva and Maxted and Wray disclose the system to Claim 1. 
	Georgieva further discloses wherein the user interface question session token consists of a single value ([0019] - In one exemplary embodiment, the communication session is identified by a communication session token or ID, in the form of a hash generated by a hash function that is generated and sent from a server to the tenant to identify the current communication session).

Regarding Claim(s) 8-13; claim(s) 8-13 is/are directed to a/an method associated with the system claimed in claim(s) 1-6. Claim(s) 8-13 is/are similar in scope to claim(s) 1-6, and is/are therefore rejected under similar rationale.

Regarding Claim(s) 14-19; claim(s) 14-19 is/are directed to a/an medium associated with the system claimed in claim(s) 1-6. Claim(s) 14-19 is/are similar in scope to claim(s) 1-6, and is/are therefore rejected under similar rationale.

Claims 7 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Georgieva (US 2016/0028833 A1) in view of Maxted (US 2012/0278425 A1) and Wray (US 2011/0320820 A1) and further in view of Doraiswamy et al. (US 10,120,734 B1).

Regarding Claim 7;
Georgieva and Maxted and Wray disclose the system to Claim 1. 
	Maxted further teaches the authentication credential (Maxted, FIG. 3 and [0035])
Georgieva and Maxted and Wray fail to explicitly disclose wherein the authentication credential is an OAuth bearer token.
However, in an analogous art, Doraiswamy wherein the authentication credential is an OAuth bearer token (Doraiswamy, col. 7, lines 49-52 - API gateway 114 may receive and provide an API authorization token (such as an OAuth 2.0 authorization token) back to the user application 131A for future invocations of APIs 132).
Therefore, it would have been obvious to one of ordinarily skill in the art before the effective filing date of the claimed invention to combine the teachings of Doraiswamy to authentication credential of Georgieva and Maxted and Wray to include wherein the authentication credential is an OAuth bearer token
One would have been motivated to combine the teachings of Doraiswamy to Georgieva and Maxted and Wray to do so as it provides / allows facilitate[ing] application-level, and in some cases user- or application data-level, multi-tenancy for a backend-as-a-service (BaaS) infrastructure (Doraiswamy, col. 1, lines 45-48).

Regarding Claim(s) 20; claim(s) 20 is/are directed to a/an medium associated with the system claimed in claim(s) 7. Claim(s) 20 is/are similar in scope to claim(s) 7, and is/are therefore rejected under similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 attached
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KARI L SCHMIDT/Primary Examiner, Art Unit 2439