Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Reopening of Prosecution After Appeal
In view of the Pre-Appeal Brief filed on 10/31/2021, PROSECUTION IS HEREBY REOPENED. A new ground of rejection set forth below.
To avoid abandonment of the application, appellant must exercise one of the following two options:
(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,
(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.
A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:
/JEFFREY NICKERSON/             Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                           




DETAILED ACTION
This Office Action is in response to Reopening of Prosecution After Pre-Appeal Brief filed on 10/31/2021. In the Office Action, claim 1-20 have been received for consideration and have been examined.  
Response to Arguments
Rejection of Claims 1-20 under 35 U.S.C. § 103
	Applicant’s arguments regarding the secondary reference of Batson (Page # 1-5) are persuasive and therefore the prosecution has been reopened. 
Applicant’s remarks regarding primary reference of Subramanian (Page # 5) are also persuasive and therefore examiner has relied upon a new reference to teach the limitation of “execute a user authentication process that is defined by the identity policy and that includes providing the UI to the application over the network”. However, Subramanian still teaches the limitations of “receive a call over a network from an application that is executing remote to the system” and “the call indicating an identity policy that is one of a plurality of identity policies for dynamic deployment on behalf of the application”. See Office Action for details. 

Claim Rejections – 35 U.S.C. § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Subramanian et al., (US20180075231A1) in view of NPL Document Titled “Federated Identity Pattern” published 2017 hereinafter referred as NPL # 1 and further in view of NPL Document Titled “Microsoft Azure” published 2015 hereinafter referred as NPL # 2.
Regarding claim 1, Subramanian discloses:
A system comprising:
at least one memory configured to store program logic; and
at least one processor configured to access the at least one memory and to execute the program logic, the program logic comprising: 
communicator logic (see FIG. 1; i.e. Identity Cloud Service (IDCS) 118) configured to:
receive a call over a network from an application that is executing remote to the system (See [0076] disclosing applications/services make HTTP calls to Identity Cloud Service (IDCS) & [0171] in FIG. 9 where variety of applications/services 902 may make HTTP calls to IDCS APIs to use IDCS services),
the call indicating an identity policy that is one of a plurality of identity policies for dynamic deployment on behalf of the application ([0125] discloses an access to application is determined by the IDCS by checking the header of the request which includes particular policy that needs to be applied; See [0126] which teaches access policies such as login/password change/password reset/token based authentication etc., for a tenant to access a resource; Also see [0129‐0131] disclose Cloud Gate 702 implementing corresponding policy for accessing the resource).
Subramanian reference fails to disclose:
receive a token request and an identity claim over the network from the application responsive to user interaction with a user interface (UI) that is associated with the identity policy and that is provided to the application from the system; and policy executor logic configured to: subsequent to receiving the call and prior to receiving the token request, and based on an identity policy indicator received from the application according to a user selection of the identity policy via the application, execute a user authentication process that is defined by the identity policy and that includes providing the UI to the application over the network; verify the identity claim; and provide a token over the network to the application for consumption, via the communicator logic, to complete the token request.
However, NPL # 1 discloses:
receive a token request and an identity claim over the network from the application responsive to user interaction with a user interface (UI) that is associated with the identity policy and that is provided to the application from the system (See Page # 4, Figure under Solution discloses Identity Provider issuing security tokens along with information referred to as claims which contains user’s identity, role membership and access rights; See Page # 5, Figure under Example discloses how tenants authenticate with their own identity provider (ADFS) (step 1), in this case ADFS. After successfully authenticating a tenant, ADFS issues a token [which contains information referred as Claims mentioned in Solution section]. The client browser forwards this token to the SaaS application’s federation provider [construed as system in the instant claims], which trusts tokens issued by the tenant’s ADFS, in order to get back a token that is valid for the SaaS federation provider (step 2). If necessary, the SaaS federation provider performs a transformation on the claims in the token into claims that the application recognizes (step 3) before returning the new token to the client browser. The application trusts tokens issued by the SaaS federation provider and uses the claims in the token to apply authorization rules (step 4)); and 
verify the identity claim (See Page # 5, Figure under Example discloses this action in step 2 where Federation Provider verifies the identity claim with the Identity Provider based on trust); and 
provide a token over the network to the application for consumption, via the communicator logic, to complete the token request (See Page # 5, Figure under Example discloses this action in step 3 where Federation Provider).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Subramanian reference and implement an authentication mechanism that can use federated identity, as disclosed by NPL # 1.
The motivation to have the authentication mechanism that can use federated identity is to simplify development, minimize the requirement for user administration, and improve the user experience of the application.
The combination of Subramanian and NPL # 1 fails to disclose:
policy executor logic configured to: 
subsequent to receiving the call and prior to receiving the token request, and based on an identity policy indicator received from the application according to a user selection of the identity policy via the application, execute a user authentication process that is defined by the identity policy and that includes providing the UI to the application over the network.
However, NPL # 2 discloses:
	subsequent to receiving the call (i.e., when user types in the SaaS application URL via Azure Access Panel) and based on an identity policy indicator (i.e., the Azure Access Panel shows all SaaS application authorized to the user) received from the application according to a user selection of the identity policy via the application (See Page # 293; Figure 10-11 showing a landing page where users can see and launch SaaS apps to which they have access to),
execute a user authentication process that is defined by the identity policy and that includes providing the UI to the application over the network (See Pages # 293‐294; End‐User Experience “The concept of the Access Panel is a single landing page where users can see and launch SaaS apps to which they have access without having to remember or bookmark each SaaS app’s URL”. 
Examiner Notes that NPL’s above mentioned pages clearly disclose that user authentication process is performed through an identity provider selection page where user is provider with a single landing page where user can see and launch different applications and get authenticated as per application identity provider policy).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Subramanian and NPL # 1 references and authenticate the user based on application defined policy user interface (UI), as disclosed by NPL # 2.
The motivation to authenticate the user based on application defined policy user interface (UI) is to streamline and improve the user authentication process while maintaining authentication security for the accessed application by the user. 
Regarding claim 2, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The system of claim 1, wherein the policy executor logic, to verify the identity claim, is configured to:
provide the identity claim to a verification provider according to the identity policy (NPL # 1: See Page # 5, Figure under Example discloses this action in step 2 where Federation Provider verifies the identity claim with the Identity Provider based on trust);
receive a response claim from the verification provider (NPL # 1: See Page # 5, Figure under Example discloses this action in step 2); and
verify the identity claim against the response claim (See Page # 5, Figure under Example discloses this action in step 2 where Federation Provider verifies the identity claim with the Identity Provider based on trust).
Regarding claim 3, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The system of claim 2, wherein the verification provider is one or more of:
an identity provider, an attribute provider, a directory provider, a multi-factor authentication (MFA) provider, an email validation provider, or self-asserted attribute provider (Subramanian: [0082] the integration of IDCS as OIDC RP with social OIDC OP (e.g., Facebook, Google, etc.) enables customers to allow social identities policy-based access to applications; [0196] the SSO service is a common controller system that can be used for any protocol (e.g., OAuth, SAML, social token, social service, etc., or any newly developed specification)).
Regarding claim 4, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The system of claim 2, wherein the policy executor logic is configured to:
transform the identity claim to a transformed claim, using at least one parameter associated with the claim, prior to providing the identity claim to the verification provider according to the identity policy (NPL # 1: Page # 2; If the authentication is successful, the IdP returns a token containing the claims that identify the user to the STS (note that the IdP and STS can be the same service). The STS can transform and augment the claims in the token based on predefined rules, before returning it to the client. The client application can then pass this token to the service as proof of its identity);
provide the transformed claim to the verification provider instead of the identity claim (NPL # 1: If the authentication is successful, the IdP returns a token containing the claims that identify the user to the STS (note that the IdP and STS can be the same service). The STS can transform and augment the claims in the token based on predefined rules, before returning it to the client. The client application can then pass this token to the service as proof of its identity); and
transform the response claim, that is based on the transformed claim, received from the verification provider prior to verifying the identity claim (NPL # 1: Page # 5; If necessary, the SaaS federation provider performs a transformation on the claims in the token into claims that the application recognizes (step 3) before returning the new token to the client browser).
Regarding claim 5, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The system of claim 1, wherein the at least one memory is configured to store the plurality of identity policies, one of the plurality of identity policies being:
provided to the at least one memory from a remote identity operator; or a child identity policy comprising a base parent identity policy and one or more changes thereto specified by an application service provider that provides the application (Subramanian: [0120] In one embodiment, Cloud Gate is implemented by a web server plugin that enables web applications to externalize user SSO to an identity management system (e.g., IDCS), similar to WebGate or WebAgent technologies that work with enterprise IDM stacks; [0127] the policies are specified in a file managed by the Cloud Gate. In one embodiment, the file is stored locally at the Cloud Gate. In an alternative or additional embodiment, the file may be stored on the server side within IDCS (e.g., in a policy store)).
Regarding claim 6, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The system of claim 1, further comprising policy portal logic configured to:
provide access for customer entities to a base identity policy of the plurality of identity policies, the customer entities including one or more of at least one application service provider or at least one identity operator (Subramanian: [0138] FIG. 7A is an example block diagram 700B illustrating how a Cloud Gate 702B handles host identifiers. Each host identifier represents a logical web domain associated with an application protected by Cloud Gate 702B);
	perform one or more of:
receive a customer entity base identity policy that includes one or more modifications to the base identity policy from which it derives; or receive a customer entity application identity policy that includes one or more additional modifications to the customer entity base identity policy from which it derives, the one or more additional modifications being related to the application (Subramanian: [0139] more than one host identifiers may be used by the IDCS routing tier for an application, and each request passing through Cloud Gate 702B is processed in the context of the respective host identifier, including scoping of the local session cookie and resolving the access policy file. For example, when Cloud Gate 702B receives a URL, it looks at the corresponding host identifier and determines what policy needs to be applied); and
store received customer entity base identity policies or customer entity application identity policies as a portion of the plurality of identity policies (Subramanian: [0127] the policies are specified in a file managed by the Cloud Gate. In one embodiment, the file is stored locally at the Cloud Gate. In an alternative or additional embodiment, the file may be stored on the server side within IDCS (e.g., in a policy store)).
Regarding claim 7, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The system of claim 1, wherein the UI is defined by the identity policy that is called by the application and is configured in accordance with one or more verification providers specified by the identity policy (NPL # 2; See Page # (See Pages # 293‐294; End‐User Experience). 
Regarding claim 8, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The system of claim 1, wherein the policy executor logic is configured to:
execute the user authentication process at least in part as a security token service (STS) defined by the identity policy (NPL # 1; : [0133] displaying the login page in the browser and authenticating the credentials provided by the user; [0164] Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (“STS”)); and
mint the token according to the STS and the token request to include claims required by the application and the identity policy (Subramanian: [0167] a client assertion token includes at least a claim/statement indicating the client tenant name, and a claim/statement indicating the name of the OAuth client making the request).
Regarding claim 9, Subramanian discloses:
A method implemented by a computing system that comprises a multi-sided identity experience framework configured to support a plurality of remote identity operators, a plurality of remote verification providers, and a plurality of remote application service providers for user authentication to applications, the method comprising:
receiving a call over a network from an application that is executing remote to the system (i.e. a program or application client 708), the call indicating an identity policy (i.e. a policy) that is one of a plurality of identity policies for dynamic deployment (i.e. corresponding policy) on behalf of the application ([0126] In one embodiment, a policy dictates if access to a particular resource identified through a request endpoint is allowed and what particular method of access is allowed to gain access to the resource [0129] In the embodiment of FIG. 7, a program or application client 708 may be attempting to access resources 714 protected by Cloud Gate 702, or an end user 710 may use a web browser 706 on their computer to access resources 714 protected by Cloud Gate 702; [0130] when a user browser 706 sends a request to IDCS for a login of a user 710; [0131] In one embodiment, for example, in order to access resource 714, user 710 may type in a corresponding URL in browser 706. Browser 706 takes user 710 to web server 712. Cloud Gate 702 then loads the corresponding policy. If the policy indicates that resource 714 is protected, Cloud Gate 702 initiates any required authentication process); and
Subramanian reference fails to disclose:
receiving a token request and an identity claim over the network from the application responsive to user interaction with a user interface (UI) that is associated with the identity policy and that is provided to the application from the system; and policy executor logic configured to: subsequent to receiving the call and prior to receiving the token request, and based on an identity policy indicator received from the application according to a user selection of the identity policy via the application, executing a user authentication process that is defined by the identity policy and that includes providing the UI to the application over the network; verify the identity claim; and provide a token over the network to the application for consumption, via the communicator logic, to complete the token request.
However, NPL # 1 discloses:
receiving a token request and an identity claim over the network from the application responsive to user interaction with a user interface (UI) that is associated with the identity policy and that is provided to the application from the system (See Page # 4, Figure under Solution discloses Identity Provider issuing security tokens along with information referred to as claims which contains user’s identity, role membership and access rights; See Page # 5, Figure under Example discloses how tenants authenticate with their own identity provider (ADFS) (step 1), in this case ADFS. After successfully authenticating a tenant, ADFS issues a token [which contains information referred as Claims mentioned in Solution section]. The client browser forwards this token to the SaaS application’s federation provider [construed as system in the instant claims], which trusts tokens issued by the tenant’s ADFS, in order to get back a token that is valid for the SaaS federation provider (step 2). If necessary, the SaaS federation provider performs a transformation on the claims in the token into claims that the application recognizes (step 3) before returning the new token to the client browser. The application trusts tokens issued by the SaaS federation provider and uses the claims in the token to apply authorization rules (step 4)); and 
verifying the identity claim (See Page # 5, Figure under Example discloses this action in step 2 where Federation Provider verifies the identity claim with the Identity Provider based on trust); and 
providing a token over the network to the application for consumption, via the communicator logic, to complete the token request (See Page # 5, Figure under Example discloses this action in step 3 where Federation Provider).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Subramanian reference and implement an authentication mechanism that can use federated identity, as disclosed by NPL # 1.
The motivation to have the authentication mechanism that can use federated identity is to simplify development, minimize the requirement for user administration, and improve the user experience of the application.
The combination of Subramanian and NPL # 1 fails to disclose:
policy executor logic configured to: 
subsequent to receiving the call and prior to receiving the token request, and based on an identity policy indicator received from the application according to a user selection of the identity policy via the application, execute a user authentication process that is defined by the identity policy and that includes providing the UI to the application over the network.
However, NPL # 2 discloses:
	subsequent to receiving the call (i.e., when user types in the SaaS application URL via Azure Access Panel) and based on an identity policy indicator (i.e., the Azure Access Panel shows all SaaS application authorized to the user) received from the application according to a user selection of the identity policy via the application (See Page # 293; Figure 10-11 showing a landing page where users can see and launch SaaS apps to which they have access to),
executing a user authentication process that is defined by the identity policy and that includes providing the UI to the application over the network (See Pages # 293‐294; End‐User Experience “The concept of the Access Panel is a single landing page where users can see and launch SaaS apps to which they have access without having to remember or bookmark each SaaS app’s URL”. 
Examiner Notes that NPL’s above mentioned pages clearly disclose that user authentication process is performed through an identity provider selection page where user is provider with a single landing page where user can see and launch different applications and get authenticated as per application identity provider policy).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Subramanian and NPL # 1 references and authenticate the user based on application defined policy user interface (UI), as disclosed by NPL.
The motivation to authenticate the user based on application defined policy user interface (UI) is to simplify and improve the user authentication process while maintaining authentication security for the accessed application by the user. 
Regarding claim 10, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The method of claim 9, further comprising:
providing the identity claim to a verification provider according to the identity policy (NPL # 1: See Page # 5, Figure under Example discloses this action in step 2 where Federation Provider verifies the identity claim with the Identity Provider based on trust);
receiving a response claim from the verification provider (NPL # 1: See Page # 5, Figure under Example discloses this action in step 2); and
verifying the identity claim against the response claim (See Page # 5, Figure under Example discloses this action in step 2 where Federation Provider verifies the identity claim with the Identity Provider based on trust).
Regarding claim 11, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The method of claim 10, wherein the verification provider is one or more of: an identity provider, an attribute provider, a directory provider, a multi-factor
authentication (MFA) provider, an email validation provider, or self-asserted attribute provider (Subramanian: [0082] the integration of IDCS as OIDC RP with social OIDC OP (e.g., Facebook, Google, etc.) enables customers to allow social identities policy-based access to applications; [0196] the SSO service is a common controller system that can be used for any protocol (e.g., OAuth, SAML, social token, social service, etc., or any newly developed specification)).
Regarding claim 12, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The method of claim 9, further comprising:
storing the plurality of identity policies in at least one memory of the computing system, wherein one of the plurality of identity policies is provided to the at least one memory from a remote identity operator (Subramanian: [0120] In one embodiment, Cloud Gate is implemented by a web server plugin that enables web applications to externalize user SSO to an identity management system (e.g., IDCS), similar to WebGate or WebAgent technologies that work with enterprise IDM stacks; [0127] the policies are specified in a file managed by the Cloud Gate. In one embodiment, the file is stored locally at the Cloud Gate. In an alternative or additional embodiment, the file may be stored on the server side within IDCS (e.g., in a policy store)).
Regarding claim 13, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The method of claim 12, wherein the identity policy is a child identity policy comprising a base parent identity policy and one or more changes thereto specified by an application service provider that provides the application (Subramanian: [0123] Cloud Gate supports multi-tenancy by determining a particular tenant from the header values of the requests that are passed to it. Cloud Gate substitutes the tenancies in various URLs, and uses the URLs to look up application/host specific policies; [0125] Cloud Gate infers the tenancy from the request and looks up the particular policy that needs to be applied for that tenancy. Cloud Gate then applies the policy to that request).
Regarding claim 14, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The method of claim 9, wherein the method further comprises:
executing the user authentication process at least in part as a security token service (STS) (Subramanian: [0133] displaying the login page in the browser and authenticating the credentials provided by the user; [0164] Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (“STS”)); and
minting the token according to the identity policy and the token request to include claims required by the application and the identity policy (Subramanian: [0167] a client assertion token includes at least a claim/statement indicating the client tenant name, and a claim/statement indicating the name of the OAuth client making the request).
Regarding claim 15, Subramanian discloses:
A computer-readable storage medium comprising computer-executable instructions that, when executed by at least one processor, perform a method comprising:
receiving a call over a network from an application that is executing remote to the system (i.e. a program or application client 708), the call indicating an identity policy (i.e. a policy) that is one of a plurality of identity policies for dynamic deployment (i.e. corresponding policy) on behalf of the application ([0126] In one embodiment, a policy dictates if access to a particular resource identified through a request endpoint is allowed and what particular method of access is allowed to gain access to the resource [0129] In the embodiment of FIG. 7, a program or application client 708 may be attempting to access resources 714 protected by Cloud Gate 702, or an end user 710 may use a web browser 706 on their computer to access resources 714 protected by Cloud Gate 702; [0130] when a user browser 706 sends a request to IDCS for a login of a user 710; [0131] In one embodiment, for example, in order to access resource 714, user 710 may type in a corresponding URL in browser 706. Browser 706 takes user 710 to web server 712. Cloud Gate 702 then loads the corresponding policy. If the policy indicates that resource 714 is protected, Cloud Gate 702 initiates any required authentication process); and
Subramanian reference fails to disclose:
receiving a token request and an identity claim over the network from the application responsive to user interaction with a user interface (UI) that is associated with the identity policy and that is provided to the application from the system; and policy executor logic configured to: subsequent to receiving the call and prior to receiving the token request, and based on an identity policy indicator received from the application according to a user selection of the identity policy via the application, executing a user authentication process that is defined by the identity policy and that includes providing the UI to the application over the network; verify the identity claim; and provide a token over the network to the application for consumption, via the communicator logic, to complete the token request.
However, NPL # 1 discloses:
receiving a token request and an identity claim over the network from the application responsive to user interaction with a user interface (UI) that is associated with the identity policy and that is provided to the application from the system (See Page # 4, Figure under Solution discloses Identity Provider issuing security tokens along with information referred to as claims which contains user’s identity, role membership and access rights; See Page # 5, Figure under Example discloses how tenants authenticate with their own identity provider (ADFS) (step 1), in this case ADFS. After successfully authenticating a tenant, ADFS issues a token [which contains information referred as Claims mentioned in Solution section]. The client browser forwards this token to the SaaS application’s federation provider [construed as system in the instant claims], which trusts tokens issued by the tenant’s ADFS, in order to get back a token that is valid for the SaaS federation provider (step 2). If necessary, the SaaS federation provider performs a transformation on the claims in the token into claims that the application recognizes (step 3) before returning the new token to the client browser. The application trusts tokens issued by the SaaS federation provider and uses the claims in the token to apply authorization rules (step 4)); and 
verifying the identity claim (See Page # 5, Figure under Example discloses this action in step 2 where Federation Provider verifies the identity claim with the Identity Provider based on trust); and 
providing a token over the network to the application for consumption, via the communicator logic, to complete the token request (See Page # 5, Figure under Example discloses this action in step 3 where Federation Provider).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Subramanian reference and implement an authentication mechanism that can use federated identity, as disclosed by NPL # 1.
The motivation to have the authentication mechanism that can use federated identity is to simplify development, minimize the requirement for user administration, and improve the user experience of the application.
The combination of Subramanian and NPL # 1 fails to disclose:
policy executor logic configured to: 
subsequent to receiving the call and prior to receiving the token request, and based on an identity policy indicator received from the application according to a user selection of the identity policy via the application, execute a user authentication process that is defined by the identity policy and that includes providing the UI to the application over the network.
However, NPL # 2 discloses:
	subsequent to receiving the call (i.e., when user types in the SaaS application URL via Azure Access Panel) and based on an identity policy indicator (i.e., the Azure Access Panel shows all SaaS application authorized to the user) received from the application according to a user selection of the identity policy via the application (See Page # 293; Figure 10-11 showing a landing page where users can see and launch SaaS apps to which they have access to),
executing a user authentication process that is defined by the identity policy and that includes providing the UI to the application over the network (See Pages # 293‐294; End‐User Experience “The concept of the Access Panel is a single landing page where users can see and launch SaaS apps to which they have access without having to remember or bookmark each SaaS app’s URL”. 
Examiner Notes that NPL’s above mentioned pages clearly disclose that user authentication process is performed through an identity provider selection page where user is provider with a single landing page where user can see and launch different applications and get authenticated as per application identity provider policy).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Subramanian and NPL # 1 references and authenticate the user based on application defined policy user interface (UI), as disclosed by NPL.
The motivation to authenticate the user based on application defined policy user interface (UI) is to simplify and improve the user authentication process while maintaining authentication security for the accessed application by the user. 
Regarding claim 16, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The computer-readable storage medium of claim 15, wherein the method further comprises:
providing the identity claim to a verification provider according to the identity policy (NPL # 1: See Page # 5, Figure under Example discloses this action in step 2 where Federation Provider verifies the identity claim with the Identity Provider based on trust);
receiving a response claim from the verification provider (NPL # 1: See Page # 5, Figure under Example discloses this action in step 2); and
verifying the identity claim against the response claim (See Page # 5, Figure under Example discloses this action in step 2 where Federation Provider verifies the identity claim with the Identity Provider based on trust).
Regarding claim 17, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The computer-readable storage medium of claim 16, wherein the verification provider is one or more of:
an identity provider, an attribute provider, a directory provider, a multi-factor authentication (MFA) provider, an email validation provider, or self-asserted attribute provider (Subramanian: [0082] the integration of IDCS as OIDC RP with social OIDC OP (e.g., Facebook, Google, etc.) enables customers to allow social identities policy-based access to applications; [0196] the SSO service is a common controller system that can be used for any protocol (e.g., OAuth, SAML, social token, social service, etc., or any newly developed specification)).
Regarding claim 18, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The computer-readable storage medium of claim 15, wherein the method further comprises:
storing the plurality of identity policies in at least one memory, wherein one of the plurality of identity policies is provided to the at least one memory from a remote identity operator (Subramanian: [0120] In one embodiment, Cloud Gate is implemented by a web server plugin that enables web applications to externalize user SSO to an identity management system (e.g., IDCS), similar to WebGate or WebAgent technologies that work with enterprise IDM stacks; [0127] the policies are specified in a file managed by the Cloud Gate. In one embodiment, the file is stored locally at the Cloud Gate. In an alternative or additional embodiment, the file may be stored on the server side within IDCS (e.g., in a policy store)).
Regarding claim 19, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The computer-readable storage medium of claim 18, wherein the identity policy is a child identity policy comprising a base parent identity policy and one or more changes thereto specified by an application service provider that provides the application (Subramanian: [0123] Cloud Gate supports multi-tenancy by determining a particular tenant from the header values of the requests that are passed to it. Cloud Gate substitutes the tenancies in various URLs, and uses the URLs to look up application/host specific policies; [0125] Cloud Gate infers the tenancy from the request and looks up the particular policy that needs to be applied for that tenancy. Cloud Gate then applies the policy to that request).
Regarding claim 20, the combination of Subramanian, NPL # 1 and NPL # 2 discloses:
The computer-readable storage medium of claim 15, wherein the method further comprises:
executing the user authentication process at least in part as a security token service (STS) (Subramanian: [0133] displaying the login page in the browser and authenticating the credentials provided by the user; [0164] Claims are issued by a provider, and they are given one or more values and then packaged in security tokens that are issued by an issuer, commonly known as a security token service (“STS”)); and
minting the token according to the identity policy and the token request to include claims required by the application and the identity policy (Subramanian: [0167] a client assertion token includes at least a claim/statement indicating the client tenant name, and a claim/statement indicating the name of the OAuth client making the request).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/S.M.A./Patent Examiner, Art Unit 2432