DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to communication filed 03/14/2022. Claims 1, 4, 6-9, 11, 13, 16 and 18 are amended, claim 21 is newly added and claims 1-21 are pending.

Response to Arguments
Applicant's arguments filed 03/14/2022 have been fully considered but they are not persuasive. 
Applicant argues “In contrast to amended claim 1, paragraph 0084 of Chao (cited on pages 4-5 of the Office Action) merely states that “[a]t step 812, the first user token 805 is signed and provided to the IWD/IPAS security service 802”. The “first user token 805” provided to “IWD/IPAS security service 802” of Chao’s paragraph 0084 does not teach or suggest anything regarding the redirection by an identity provider server of an authenticated user across the second network to a user management server coupled to the identity provider server by a different first network or a first_ communication bus in the manner recited by amended independent claim 1. Nor does Chao’s paragraph 0084 teach or suggest anything about the response to this redirection by the user management server to present a resource page across the second network to the authenticated user” – Remarks: page 14.
Examiner respectfully disagrees.
Chao discloses, in par. 0026, “distributed data processing system 100 is the Internet with network 102 representing a worldwide collection of networks”, wherein as shown in Fig. 2, par. 0039 “entities communicate with one another over a network, such as the Internet, an intranet, an extranet, a private network, or any other communications medium or link”, note that “Internet” by definition and also explicitly here “represents a world wild collection of networks” – par.  0026. Applicant relies on the instant Fig. 2 to argue the alleged distinction has not been factually supported in the argument. It is noted that nowhere in this figure Applicant explicitly places the instant components: Federation Server 204 and Identity Management System 202, in separate networks beyond illustrating components 206 (Web Servers 1 through N) a collection of Web servers/resources that are separate from 204 and 202(Emphasis added). The cloud computing model as disclosed in Chao describes a multi-tenant model that allows “resource pooling”, as described in par. 0044, to dynamically allow consumers access to/possession of resources, wherein these resources are defined as, e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) throughout the Web/Internet/a world-wide collection of networks. 
As such, Chao anticipates the newly amended feature “across a second network” because it explicitly discloses trust relationships are established back to cloud providers, preferably across different security domains – Chao: par. 0072 (Emphasis added).
Furthermore, Chao discloses extending infrastructure security to services by way of a security model that “provides a seamless layer of security infrastructure to an application (with its own security infrastructure) running on a virtual machine in the cloud environment. A user (e.g., an administrator) registers to the layer of security infrastructure. Upon receiving a request by the user to add a service (e.g., a shared service) to the application (or to use that service, if previously deployed and enabled), the layer of security infrastructure is used to authenticate the user, preferably by communicating to the application using a private key. The application security infrastructure then adds (or enables access to) the service without requiring direct authentication from the user to the application security infrastructure” – Chao: par. 0079 – Note: an application is equivalent to an APP provided on a Web server.
Nonetheless, in response to amendments, an updated search has been conducted and a new ground of rejection follows.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 9, 11, 15-16 and 20 are rejected under 35 U.S.C. 102 (a) (1) as being anticipated by Hinton, US2006/0136990.

Per claim 9, Hinton discloses an information handling system, comprising: 
a programmable integrated circuit (the system may have one or more processors, such as an Intel.RTM. Pentium.RTM.-based processor and a digital signal processor (DSP) – Hinton: par. 0058); and 
a memory (one or more types of volatile and non-volatile memory – Hinton: par. 0058) storing an authentication application, which when executed by the programmable integrated circuit configures the information handling system into a silent authentication system (Hinton: Fig. 2C as an example of a federated architecture in accordance with an implementation of Hinton); 
wherein the silent authentication system processes a silent authentication request in response to a resource request provided across a second network by performing a cryptographic function on a message to provide a cryptographic signature (Federated user lifecycle management functionality provides single-sign-on services (along with other federated operations) because these operations involve interaction with third parties, such as identity providers, and not just end-users; federated user lifecycle management functionality relies on the point-of-contact functionality for session management services. Federated user lifecycle management functionality requires or relies on a trust service that is provided by some other component, as explained in more detail hereinbelow; the trust service may be implemented in a manner such that it is logically separate, including distributed components or a logically separate component that is co-resident with the federated user lifecycle management components, or alternatively, the trust service may be implemented together with the federated user lifecycle management as part of a single application – Hinton: par. 0202 – Note: a user’s participation in the disclosed federation provides for a federated identity management environment wherein a user authenticates/logins through a first entity, i.e., user’s home domain and then on services residing in disparate security domains to securely interoperate and collaborate even though there may be differences in the underlying security mechanisms and operating system platforms at these disparate domains – par. 0094-0096), and by translating between the message and a modified message (see federation architecture as the basis of the disclosed embodiments – Hinton: par. 0111-0114) by either: 
applying a modification to the message to provide the modified message (In response to being triggered for an assertion, the issuing domain's point-of-contact server requests the assertion from the issuing domain's trust proxy (step 304), which generates the assertion (step 306), along with adding trust information, such as encryption/signature of the assertion/token…After generating the assertion, the issuing domain's trust proxy then returns the assertion to the issuing domain's point-of-contact server (step 308), which then injects the assertion into the output datastream in an appropriate manner (step 310), e.g., by inserting the assertion into an outgoing HTTP or SOAP message, thereby completing the process – Hinton: par. 0146),
converting the resource request into the silent authentication request and including the modified message in the silent authentication request (The relying domain's trust proxy extracts information from the assertion, including the token received from the issuing domain (step 326); the relying domain's trust proxy will invoke the security token service to validate this token, including the information in the token and the trust information on the token such as encryption and signatures, thereafter returning a locally valid token for the user if appropriate – Hinton: par. 0146 and 0148), and 
providing the silent authentication request including the modified message to a first network or first communication bus that is different than the second network (After generating the assertion, the issuing domain's trust proxy then returns the assertion to the issuing domain's point-of-contact server (step 308), which then injects the assertion into the output datastream in an appropriate manner (step 310), e.g., by inserting the assertion into an outgoing HTTP or SOAP message, thereby completing the process – Hinton: par. 0146 – Note: the outgoing HTTP or SOAP message is generated and digitally signed (using asymmetric encryption) in the issuing domain before being sent to the relying party’s domain that can in turn recover/understand the assertion/token and silently authenticate the authentic user), or 
receiving the modified message in the silent authentication request from across the first network or first communication bus, and applying the modification to the modified message (an STS component may receive a request to issue a Kerberos token. As part of the authentication information of the user for whom the token is to be created, the request may contain a binary token containing a username and password. The STS component will validate the username and password against, e.g., an LDAP runtime (typical authentication) and will invoke a Kerberos KDC (Key Distribution Center) to generate a Kerberos ticket for this user. This token is returned to the trust proxy for use within the enterprise; however, this use may include externalizing the token for transfer to another domain in the federation – Hinton: par. 0119 – Note: bootstrap process may include the establishment of shared secret keys and rules that define the expected and/or allowed token types and identifier translations… As a second example, the corporation could implement third-party trust using Kerberos; the corporation and its global customers could implement a trusted third-party Kerberos domain service that implements shared-secret-based trust (using symmetric encryption) – par. 0133-0135).

Per claim 11, Hinton discloses the information handling system of claim 9, wherein: 
the authentication application comprises a user management application that configures the information handling system into a user management server (Federated User Lifecycle Management (FLUM) server – Hinton: Fig. 2B; and 
wherein in response to the resource request provided across the second network, the user management server applies the cryptographic function to the message to provide the cryptographic signature, applies the modification to the message to provide the modified message (there are a number of possible mechanisms for establishing trust in a federated business model. In a federation model, a fundamental notion of trust between the federation participants is required for business reasons in order to provide a level of assurance that the assertions (including tokens and attribute information) that are transferred between the participants are valid… For example, a large corporation may want to link several thousand global customers, and the corporation could use prior art solutions… the corporation could implement third-party trust using Kerberos; the corporation and its global customers could implement a trusted third-party Kerberos domain service that implements shared-secret-based trust – Hinton: par. 0134-0135 – Note: using secret/session key to encrypt messages exchanged between trust parties), and 
transmits the cryptographic signature and the modified message as the silent authentication request across the first network or first communication bus (an STS component may receive a request to issue a Kerberos token. As part of the authentication information of the user for whom the token is to be created, the request may contain a binary token containing a username and password. The STS component will validate the username and password against, e.g., an LDAP runtime (typical authentication) and will invoke a Kerberos KDC (Key Distribution Center) to generate a Kerberos ticket for this user. This token is returned to the trust proxy for use within the enterprise; however, this use may include externalizing the token for transfer to another domain in the federation – Hinton: par. 0119 – Note: bootstrap process may include the establishment of shared secret keys and rules that define the expected and/or allowed token types and identifier translations… As a second example, the corporation could implement third-party trust using Kerberos; the corporation and its global customers could implement a trusted third-party Kerberos domain service that implements shared-secret-based trust (using symmetric encryption) – par. 0133-0135).

Per claim 15, Hinton discloses the information handling system of claim 9, wherein the cryptographic function comprises a cryptographic hash function applied to the message using a secret key to generate the cryptographic signature (there are a number of possible mechanisms for establishing trust in a federated business model. In a federation model, a fundamental notion of trust between the federation participants is required for business reasons in order to provide a level of assurance that the assertions (including tokens and attribute information) that are transferred between the participants are valid… For example, a large corporation may want to link several thousand global customers, and the corporation could use prior art solutions… the corporation could implement third-party trust using Kerberos; the corporation and its global customers could implement a trusted third-party Kerberos domain service that implements shared-secret-based trust – Hinton: par. 0134-0135 – Note: using secret/session key to sign messages exchanged between trust parties).

Per claim 16, Hinton discloses a method, comprising receiving a resource request across a second network, and responding to receipt of the resource request by:
applying a cryptographic function on a message to provide a cryptographic signature (In response to being triggered for an assertion, the issuing domain's point-of-contact server requests the assertion from the issuing domain's trust proxy (step 304), which generates the assertion (step 306), along with adding trust information, such as encryption/signature of the assertion/token…After generating the assertion, the issuing domain's trust proxy then returns the assertion to the issuing domain's point-of-contact server (step 308), which then injects the assertion into the output datastream in an appropriate manner (step 310), e.g., by inserting the assertion into an outgoing HTTP or SOAP message, thereby completing the process…The relying domain's trust proxy extracts information from the assertion, including the token received from the issuing domain (step 326); the relying domain's trust proxy will invoke the security token service to validate this token, including the information in the token and the trust information on the token such as encryption and signatures, thereafter returning a locally valid token for the user if appropriate – Hinton: par. 0146 and 0148);
modifying a message by applying a modification to provide a modified message (In response to being triggered for an assertion, the issuing domain's point-of-contact server requests the assertion from the issuing domain's trust proxy (step 304), which generates the assertion (step 306), along with adding trust information, such as encryption/signature of the assertion/token – Hinton: par. 0146); and
sending the cryptographic signature and the modified message across a first network or first communication bus that is different than the second network as a silent authentication request (After generating the assertion, the issuing domain's trust proxy then returns the assertion to the issuing domain's point-of-contact server (step 308), which then injects the assertion into the output datastream in an appropriate manner (step 310), e.g., by inserting the assertion into an outgoing HTTP or SOAP message, thereby completing the process…The relying domain's trust proxy extracts information from the assertion, including the token received from the issuing domain (step 326); the relying domain's trust proxy will invoke the security token service to validate this token, including the information in the token and the trust information on the token such as encryption and signatures, thereafter returning a locally valid token for the user if appropriate – Hinton: par. 0146 and 0148).

Per claim 20, Hinton discloses the method of claim 16, wherein the applying a cryptographic function comprises applying a cryptographic hash function to the message using a secret key to generate the cryptographic signature (there are a number of possible mechanisms for establishing trust in a federated business model. In a federation model, a fundamental notion of trust between the federation participants is required for business reasons in order to provide a level of assurance that the assertions (including tokens and attribute information) that are transferred between the participants are valid… For example, a large corporation may want to link several thousand global customers, and the corporation could use prior art solutions… the corporation could implement third-party trust using Kerberos; the corporation and its global customers could implement a trusted third-party Kerberos domain service that implements shared-secret-based trust – Hinton: par. 0134-0135 – Note: using secret/session key to encrypt messages exchanged between trust parties).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8, 10, 12-14, 17-19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Hinton, US2006/0136990 in view of Mohassel, US2021/0243026.

Per claim 1, Hinton discloses an identity management system, comprising: 
an identity provider server coupled to a user management server by a first network or a first communication bus (The domain's legacy functionality can be integrated into a federated environment through the use of federated front-end processing 240, which includes point-of-contact server 242 and trust proxy server 244 (or more simply, trust proxy 244 or trust service 244) which itself interacts with Security Token Service (STS) 245, along with federated user lifecycle management server/service 246…Legacy or pre-existing authentication services at a given enterprise may use various, well known, authentication methods or tokens, such as username/password or smart card token-based information. However, with the present invention, the functionality of a legacy authentication service can be used in a federated environment through the use of point-of-contact servers – Hinton: par. 011-0112 – Note: Authentication Manager 192 which is local/within the home domain as shown in Fig. 1E performs domain’s legacy functionality to log the user into the home domain, i.e., a typical login procedure); 
where the identity provider server comprises a programmable integrated circuit that is programmed to: 
authenticate a user across a second network that is different than the first network or first communication bus, and then redirect the authenticated user across the second network to the user management server (User 202 initiates a transaction through a request for a protected resource at enterprise 204. If user 202 has been authenticated by enterprise 204 or will eventually be authenticated by enterprise 204 during the course of a transaction, then enterprise 204 is the user's home domain, i.e. the user's identity provider, for this federated session. Assuming that the transaction requires some type of operation by enterprise 206 and enterprise 204 transfers an assertion to enterprise 206, then enterprise 204 is the issuing domain with respect to the particular operation, and enterprise 206 is the relying domain for the operation; in other words, enterprise 206 is the service provider for the current transaction – Hinton: par. 0097 and Fig. 2A – Note: enterprise 204/user’s home domain is the first domain/network and enterprise 206 receiving the assertion is the second domain/network).
verify that a silent authentication request on behalf of the authenticated user that is received across the first network or first communication bus from the user management server, the silent authentication request including a cryptographic signature and a modified message (In response to being triggered for an assertion, the issuing domain's point-of-contact server requests the assertion from the issuing domain's trust proxy (step 304), which generates the assertion (step 306), along with adding trust information, such as encryption/signature of the assertion/token…After generating the assertion, the issuing domain's trust proxy then returns the assertion to the issuing domain's point-of-contact server (step 308), which then injects the assertion into the output datastream in an appropriate manner (step 310), e.g., by inserting the assertion into an outgoing HTTP or SOAP message, thereby completing the process…The relying domain's trust proxy extracts information from the assertion, including the token received from the issuing domain (step 326); the relying domain's trust proxy will invoke the security token service to validate this token, including the information in the token and the trust information on the token such as encryption and signatures, thereafter returning a locally valid token for the user if appropriate – Hinton: par. 0146 and 0148), and then 
provide a site token across the second network in response to the verification of the silent authentication request, the site token being for access to a resource requested by the authenticated user (Assuming that the assertion is validated, then the relying domain's trust proxy builds the local information that is required for the user (step 330). For example, the local information may include authentication credentials that are required by a back-end legacy application. The relying domain's trust proxy returns the required information to the relying domain's point-of-contact server (step 332), which builds a local session for the user – Hinton: par. 0150); and 
where the user management server comprises a programmable integrated circuit that is programmed to: 
present a resource page across the second network to the authenticated user in response to the redirection of the authenticated user to the user management server from the identity provider server (the user may invoke a federated single-sign-on operation to a resource in domain 420 via point-of-contact server 412, e.g., by selecting a special link on a web page that is hosted within domain 410 or by requesting a portal page that is hosted within domain 410 but that displays resources hosted in domain 420 – Hinton: par. 0172 – Note: in response to user’s request a portal page provides links to one or more domains/subservient servers that are needed to complete user’s transaction that cascades into one or more operations), then 
convert a resource request received across the second network from the authenticated user via the presented resource page into the silent authentication request by applying a cryptographic function to a message to provide the cryptographic signature and by applying a modification to the message to provide the modified message (Domain 420 receives the token that is issued by domain 410 at point-of-contract server 422, which invokes trust proxy 424 to validate the token and perform identity mapping. In this case, since trust proxy 424 is not able to map the user from a local identifier for domain 410 to a local identifier for domain 420, trust proxy 424 invokes trust broker 450, which validates the token and performs the identifier mapping. After obtaining the local identifier for the user, trust proxy 424, possibly through its security token service, can generate any local tokens that are required by the back-end applications at domain 420, e.g., a Kerberos token may be required to facilitate single-sign-on from the point-of-contact server to the application server. After obtaining a locally valid token, if required, the point-of-contact server is able to build a local session for the user – Hinton: par. 0177 – Note: The point-of-contact server provides session management, protocol conversion, and possibly initiates authentication and/or attribute assertion conversion. For example, the point-of-contact server may translate HTTP or HTTPS messages to SOAP and vice versa. As explained in more detail further below, the point-of-contact server may also be used to invoke a trust proxy to translate assertions, e.g., a SAML token received from an issuing party can be translated into a Kerberos token understood by a receiving party – par. 0114);
converts a resource request from the authenticated user into the silent authentication request by applying a cryptographic function to a message to provide the cryptographic signature (the issuing domain, i.e. domain 410, is able to provide the relying domain, i.e. domain 420, with a user identifier that is valid in domain 420. In that scenario, the relying domain did not need to invoke any identity mapping functionality. Trust proxy 424 at domain 420 will generate a security token for the user that will "vouch-for" this user. The types of tokens that are accepted, the signatures that are required on tokens, and other requirements are all pre-established as part of the federation's business agreements. The rules and algorithms that govern identifier translation are also pre-established as part of the federation's business agreements - Hinton: par. 0175 – Note: The request may be embedded within or accompanied by a security token that indicates that the identity provider can trust the communication from the service provider; preferably, trust between the service provider and the identity provider is provided by signatures and encryption on the request message – par. 0209), then 
send the silent authentication request to the identity provider server across the first network or first communication bus (The point-of-contact entity at the identity provider then sends the received request for the federated user lifecycle management function or operation that has been requested by the federated user lifecycle management application at the service provider to the federated user lifecycle management application at the identity provider (step 616). After analyzing the request, the federated user lifecycle management application at the identity provider builds (step 618) a response that contains or is accompanied by the end-user-specific information that is sought by the federated user lifecycle management application at the service provider – Hinton: par. 0212), and then 
redirect the authenticated user across the second network to the requested resource of the resource page when the site token is provided (The federated user lifecycle management application at the identity provider then sends the response to the end-user application (step 620), e.g., using an HTTP POST/Redirect message, which then redirects the message to the federated user lifecycle management application at the service provider (step 622) – Hinton: par. 0213); and 
where the cryptographic function and the modification are known only by the identity provider server and the user management server (One result of a direct trust relationship and the business agreements required to establish such a relationship is that at least one party, either the issuing domain or the relying domain or both, will know how to translate the information provided by the issuing domain into an identifier valid at the relying domain… In the case of a direct trust relationship between two participants, the identifier translation algorithms will have been established for those two parties and may not be relevant for any other parties in the federation – Hinton: par. 0175).
In the alternative where one argues that Hinton does not anticipate “applying a cryptographic function to a message to provide the cryptographic signature, where the cryptographic function and the modification are known only by the identity provider server and the user management server”, Mohassel discloses applying a cryptographic function to a message to provide the cryptographic signature, where the cryptographic function and the modification are known only by the identity provider server and the user management server (A “message authentication code” (MAC), sometimes known as a tag, is a short piece of information used to authenticate a message and confirm that the message has not been changed and came from the stated sender. Thus, a MAC may protect both a message's data integrity as well as its authenticity, by allowing verifiers to detect any changes to the message content. A MAC may function similar to a cryptographic hash function and must resist existential forgery under chosen-plaintext attacks. A MAC differs from a digital signature, in that a MAC is both generated and verified using the same secret key. Thus, the sender and receiver of a MAC must agree on the same secret key prior to initiating communications (e.g., symmetric encryption) – Mohassel: par. 0042).

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Hinton in view of Mohassel to additionally include where the cryptographic function and the modification are known only by the identity provider server and the user management server.
One of ordinary skill in the art would have been motivated because it would allow using key-binding “verifiers to detect any changes to the message content” – Mohassel: par. 0042.

Per claim 2, Hinton in view of Mohassel discloses the identity management system of claim 1, wherein the message comprises a plurality of parameters, and wherein the modified message comprises the plurality of parameters including the modification applied to at least one of the plurality of parameters (After generating the assertion, the issuing domain's trust proxy then returns the assertion to the issuing domain's point-of-contact server (step 308), which then injects the assertion into the output datastream in an appropriate manner (step 310), e.g., by inserting the assertion into an outgoing HTTP or SOAP message, thereby completing the process – Hinton: par. 0146). 

Per claim 3, Hinton in view of Mohassel discloses the identity management system of claim 2, wherein the modification comprises at least one math function using at least one modifier variable applied to the at least one of the plurality of parameters to generate at least one modified parameter (a key-binding symmetric-key encryption scheme may be used so that, when a ciphertext is decrypted with a wrong key, decryption fails. Key-binding can be obtained … by appending a hash of the secret key to every ciphertext – Mohassel: par. 0176 – Note: the message at least comprises the ciphertext).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Hinton in view of Mohassel to include wherein the modification comprises at least one math function using at least one modifier variable applied to the at least one of the plurality of parameters to generate at least one modified parameter.
One of ordinary skill in the art would have been motivated because it would allow modifying the instant identity provider server “to build a PbTA scheme that provides strong password-safety and unforgeability guarantees” – Mohassel: par. 0171 and to obtain efficient key-binding in random Oracle model – par: 0176.

Per claim 4, Hinton in view of Mohassel discloses the identity management system of claim 3, wherein the programmable integrated circuit of the user management server is programmed to apply the at least one math function using the at least one modifier variable to the at least one of the plurality of parameters to generate the at least one modified parameter (the client 1005 may blind the hashed password to create a blinded hash of the hashed password. For instance, the hash can be blinded by raising to a power of a random value R. [0195] The client 1005 may send the user identifier, blinded hash of the hashed password, and/or corresponding secret share to each server. For instance, message 1001 to the first server 1012 may contain the user identifier and a blinded hash, and potentially a secret share sk.sub.1. – Mohassel: par. 0194-0195), and wherein the programmable integrated circuit of the identity provider server is programmed to apply an inverse of the at least one math function using the at least one modifier variable to the at least one modified parameter to generate at least one unmodified parameter used to regenerate the message (For each partial answer received, the client 1005 processes and deblinds the received partial answer, thereby obtaining a hash portion h.sub.1, which may be sent back to the respective server. For example, for the partial answer received from server 1002, the client 1005 can remove R by raising the partial answer to the power of the inverse of R, thereby obtaining hash portion h.sub.1 (the hash of the password raised to the power of sk.sub.1). Each of the servers then stores the respective hash portion it received, with the hash portion being stored based on the user identifier – Mohassel: par. 0197 – Note: client is equivalent to the claimed identity provider – Each of n servers (5 in this example; servers 1112, 1114, 1116, 1118, and 1120), may have received and stored a secret share (sk.sub.i) and a hash portion (h.sub.i) that corresponds with a user identifier (e.g., username) from a previous registration phase – par. 0203).
The same motivation to modify Hinton in view of Mohassel applied to claims 1 and 3 above applies here.

Per claim 5, Hinton in view of Mohassel discloses the identity management system of claim 1, wherein the cryptographic function comprises a cryptographic hash function applied to the message using a secret key to generate the cryptographic signature (there are a number of possible mechanisms for establishing trust in a federated business model. In a federation model, a fundamental notion of trust between the federation participants is required for business reasons in order to provide a level of assurance that the assertions (including tokens and attribute information) that are transferred between the participants are valid… For example, a large corporation may want to link several thousand global customers, and the corporation could use prior art solutions… the corporation could implement third-party trust using Kerberos; the corporation and its global customers could implement a trusted third-party Kerberos domain service that implements shared-secret-based trust – Hinton: par. 0134-0135 – Note: using secret/session key to sign messages exchanged between trust parties).

Per claim 6,  Hinton in view of Mohassel identity management system of claim 1, further comprising: 
a federation server coupled to the identity provider server by the first network or the first communication bus, the programmable integrated circuit of the identity provider server being programmed to access the federation server across the first network or the first communication bus to obtain an identity token to authenticate the user when the user comprises a resource administrator or a privileged consumer (With reference now to FIG. 13B, a diagram depicts a graphical user interface window within a federation relationship management application for use by an administrative user for establishing a federation relationship between federation partners… building of a trust relationship may involve using existing information for the administrative user's enterprise, such as existing private keys, digital certificates, tokens, identity mapping information, etc.; the administrative user could then configure the remainder of the trust relationship using known information for the trusted partner if available, e.g., public keys, digital certificates, identity mapping information, etc. – Hinton: par. 0269); and 
a data store system coupled to the identity provider server by the first network or the first communication bus, the programmable integrated circuit of the identity provider server being programmed to access the data store system across the first network or the first communication bus to obtain an identity token to authenticate the user when the user comprises a resource consumer (a trust relationship between two partners is represented as a tuple of security-related information, specifically a set of information items comprising {cryptographic keys, security tokens, and identity transformations}. Thus, trust service 704 enables the exchange of information about expected token formats 1108, cryptographic keys 1110, and identity transformations 1112, which are then stored in trust relationship database 1114 by trust relationship management console application 1106 or trust service 704. It should be noted that each trust relationship that is represented within trust relationship database 1114 may have additional information for describing or implementing the trust relationship – Hinton: par. 0254).

Per claim 7, Hinton in view of Mohassel discloses the identity management system of claim 6, wherein the programmable integrated circuit of the identity provider server is programmed to: 
authenticate the resource administrator or privileged consumer based on a predetermined trust relationship identified by access to an internal login link (With reference now to FIG. 3C, a flowchart depicts a specific process for pushing an assertion from an issuing domain to a relying domain in response to a user action at the issuing domain. The process begins when a user accesses a link to the relying domain from a Web page or similar resource within the issuing domain (step 342), thereby invoking some form of CGI-type (Common Gateway Interface) processing to build a particular assertion – Hinton: par. 0153); and 
authenticate the resource consumer based on user credentials provided by the user (The ability of the issuing domain to recognize the need for an assertion by the relying domain implies a tight integration with an existing legacy system on which the federated infrastructure of the present invention is implemented – Hinton: par. 0153 – Note: Legacy or pre-existing authentication services at a given enterprise may use various, well known, authentication methods or tokens, such as username/password or smart card token-based information – par. 0112).

Per claim 8, Hinton in view of Mohassel discloses the identity management system of claim 1, further comprising: 
a plurality of subservient web servers coupled to the second network (domains 193, 195, and 197 represent typical web service providers… a complicated online transaction with e-commerce domain 197 in which the user is attempting to purchase an on-line service …may involve domains 191, 193, 195, and 197 – Hinton: par. 0072-0073 – Fig. 1E), each of the subservient web servers comprising a programmable integrated circuit and hosting at least one of a corresponding plurality of applications; 
wherein the message identifies one of the plurality of subservient web servers and one of the plurality of applications as the requested resource (domains 193, 195, and 197 represent typical web service providers. Government domain 193 supports authentication manager 194 that authenticates users for completing various government-related transactions. Banking domain 195 supports authentication manager 196 that authenticates users for completing transactions with an online bank. E-commerce domain 197 supports authentication manager 198 that authenticates users for completing online purchases – Hinton: par. 0072-0073 – Note: user 190 is able to authenticate to domain 191 and then have domain 191 provide the appropriate assertions to each downstream domain that might be involved in a transaction – par. 0090); and 
wherein the programmable integrated circuit of the identity provider server is programmed to provide a site token across the second network to the identified one of the plurality of subservient web servers to enable access of the one of the plurality of applications across the second network by the authenticated user (These downstream domains need to be able to understand and trust authentication assertions and/or other types of assertions, even though there are no pre-established assertion formats between domain 191 and these other downstream domains. In addition to recognizing the assertions, the downstream domains need to be able to translate the identity contained within an assertion to an identity that represents user 190 within a particular domain, even though there is no pre-established identity mapping relationship – Hinton: par. 0090).

Per claim 10, Hinton discloses the information handling system of claim 9. 
Hinton is not relied on to explicitly disclose Mohassel discloses wherein the message and the modified message each comprise at least one parameter, wherein the modification comprises at least one math function that uses at least one modification variable to modify the at least one parameter (the client 1005 may blind the hashed password to create a blinded hash of the hashed password. For instance, the hash can be blinded by raising to a power of a random value R. [0195] The client 1005 may send the user identifier, blinded hash of the hashed password, and/or corresponding secret share to each server. For instance, message 1001 to the first server 1012 may contain the user identifier and a blinded hash, and potentially a secret share sk.sub.1. – Mohassel: par. 0194-0195).
The same motivation to modify Hinton in view of Mohassel applied to claims 1 and 3 above applies here.

Per claim 12, Hinton discloses the information handling system of claim 11.
Hinton is not relied on to explicitly disclose but Mohassel discloses wherein the message comprises at least one parameter, and wherein the modification comprises at least one math function that uses at least one modifier variable to modify the at least one parameter to convert the message into the modified message (the client 1005 may blind the hashed password to create a blinded hash of the hashed password. For instance, the hash can be blinded by raising to a power of a random value R. [0195] The client 1005 may send the user identifier, blinded hash of the hashed password, and/or corresponding secret share to each server. For instance, message 1001 to the first server 1012 may contain the user identifier and a blinded hash, and potentially a secret share sk.sub.1. – Mohassel: par. 0194-0195).
The same motivation to modify Hinton in view of Mohassel applied to claims 1 and 3 above applies here.

Per claim 13, Hinton discloses the information handling system of claim 9, wherein: 
the authentication application comprises an identification provider application that configures the information handling system into an identity provider server (Hinton: Federation Configuration Application 248 in Fig. 2B); and 
wherein the identity provider server receives from across the first network or first communication bus the silent authentication request comprising the cryptographic signature and the modified message (In response to being triggered for an assertion, the issuing domain's point-of-contact server requests the assertion from the issuing domain's trust proxy (step 304), which generates the assertion (step 306), along with adding trust information, such as encryption/signature of the assertion/token; the issuing domain's trust proxy may request assistance from a trust broker to generate the required assertion if necessary. After generating the assertion, the issuing domain's trust proxy then returns the assertion to the issuing domain's point-of-contact server (step 308), which then injects the assertion into the output datastream in an appropriate manner (step 310), e.g., by inserting the assertion into an outgoing HTTP or SOAP message, thereby completing the process – Hinton: par. 0146), 
Hinton is not relied on to explicitly disclose but Mohassel discloses applies the modification to the modified message to regenerate the original message, applies the cryptographic function to the original message to generate a new cryptographic signature (For each partial answer received, the client 1005 processes and deblinds the received partial answer, thereby obtaining a hash portion h.sub.1, which may be sent back to the respective server. For example, for the partial answer received from server 1002, the client 1005 can remove R by raising the partial answer to the power of the inverse of R, thereby obtaining hash portion h.sub.1 (the hash of the password raised to the power of sk.sub.1). Each of the servers then stores the respective hash portion it received, with the hash portion being stored based on the user identifier – Mohassel: par. 0197 – Note: client is equivalent to the claimed user management server and each of n servers (5 in this example; servers 1112, 1114, 1116, 1118, and 1120), may have received and stored a secret share (sk.sub.i) and a hash portion (h.sub.i) that corresponds with a user identifier (e.g., username) from a previous registration phase – par. 0203), and compares the new cryptographic signature with the received cryptographic signature to authenticate the silent authentication request (A token share encrypted with hash portion can be decrypted by the client using a newly generated hash portion when it matches the hash portions saved at the servers, which would be the case when the initial user credential matches the newly received user credential – Mohassel: par. 0010 – Note: matching initial user credential with the newly generated user credential).
The same motivation to modify Hinton in view of Mohassel applied to claims 1 and 3 above applies here.

Per claim 14, Hinton in view of Mohassel discloses the information handling system of claim 13, wherein the modified message comprises at least one modified parameter, and wherein the modification comprises at least one inverse math function that uses at least one modifier variable to convert the at least one modified parameter into at least one original parameter to regenerate the message from the modified message (For each partial answer received, the client 1005 processes and deblinds the received partial answer, thereby obtaining a hash portion h.sub.1, which may be sent back to the respective server. For example, for the partial answer received from server 1002, the client 1005 can remove R by raising the partial answer to the power of the inverse of R, thereby obtaining hash portion h.sub.1 (the hash of the password raised to the power of sk.sub.1). Each of the servers then stores the respective hash portion it received, with the hash portion being stored based on the user identifier – Mohassel: par. 0197 – Note: client is equivalent to the claimed user management server and each of n servers (5 in this example; servers 1112, 1114, 1116, 1118, and 1120), may have received and stored a secret share (sk.sub.i) and a hash portion (h.sub.i) that corresponds with a user identifier (e.g., username) from a previous registration phase – par. 0203).
The same motivation to modify Hinton in view of Mohassel applied to claims 1 and 3 above applies here.

Per claim 17, Hinton discloses the method of claim 16.
Hinton is not relied on to explicitly disclose but Mohassel discloses wherein the modifying a message comprises applying at least one math function using at least one modifier variable to at least one parameter of the message (the client 1005 may blind the hashed password to create a blinded hash of the hashed password. For instance, the hash can be blinded by raising to a power of a random value R. [0195] The client 1005 may send the user identifier, blinded hash of the hashed password, and/or corresponding secret share to each server. For instance, message 1001 to the first server 1012 may contain the user identifier and a blinded hash, and potentially a secret share sk.sub.1. – Mohassel: par. 0194-0195).
The same motivation to modify Hinton in view of Mohassel applied to claims 1 and 3 above applies here.

Per claim 18, Hinton discloses the method of claim 16, further comprising: 
receiving the silent authentication request from across the first network or first communication bus (User 202 initiates a transaction through a request for a protected resource at enterprise 204. If user 202 has been authenticated by enterprise 204 or will eventually be authenticated by enterprise 204 during the course of a transaction, then enterprise 204 is the user's home domain, i.e. the user's identity provider, for this federated session – Hinton: par. 0097); 
Although Hinton discloses “the relying domain is a domain that receives an assertion from an issuing party. The relying party is able to accept, trust, and understand an assertion that is issued by a third party on behalf of the user, i.e. the issuing domain. It is generally the relying party's duty to use an appropriate authentication authority to interpret an authentication assertion” – Hinton: par. 0105, Hinton is not relied on to explicitly disclose but Mohassel discloses reversing the modification to the modified message to regenerate the message (The partial hash response will be different for each server since the secret share is different for each server. In some embodiments, each server may send the partial answer back to the client 1005. For instance, server 1012 may send it via message 1002. [0197] For each partial answer received, the client 1005 processes and deblinds the received partial answer, thereby obtaining a hash portion h.sub.1, removing R by raising the partial answer to the power of the inverse of R, thereby obtaining hash portion h.sub.1 (the hash of the password raised to the power of sk.sub.1., which may be sent back to the respective server – Mohassel: par. 0196-0197 – Note: generating password-based token based on threshold secret shares without involving user); 
applying the cryptographic function on the regenerated message to provide a new cryptographic signature (To obtain a token, a client can send a newly generated blinded hash using a newly received user credential, which can again be encrypted by the servers using a respective secret share – Mohassel: par. 0010); and 
comparing the received cryptographic signature with the new cryptographic signature to authenticate the silent authentication request (A token share encrypted with hash portion can be decrypted by the client using a newly generated hash portion when it matches the hash portions saved at the servers, which would be the case when the initial user credential matches the newly received user credential – Mohassel: par. 0010 – Note: matching initial user credential with the newly generated user credential).
The same motivation to modify Hinton in view of Mohassel applied to claims 1 and 3 above applies here.

Per claim 19, Hinton in view of Mohassel discloses the method of claim 18, wherein the reversing the modification comprises applying an inverse of at least one math function using at least one modifier variable on at least one parameter of the modified message (For each partial answer received, the client 1005 processes and deblinds the received partial answer, thereby obtaining a hash portion h.sub.1, which may be sent back to the respective server. For example, for the partial answer received from server 1002, the client 1005 can remove R by raising the partial answer to the power of the inverse of R, thereby obtaining hash portion h.sub.1 (the hash of the password raised to the power of sk.sub.1). Each of the servers then stores the respective hash portion it received, with the hash portion being stored based on the user identifier – Mohassel: par. 0197 – Note: client is equivalent to the claimed user management server and each of n servers (5 in this example; servers 1112, 1114, 1116, 1118, and 1120), may have received and stored a secret share (sk.sub.i) and a hash portion (h.sub.i) that corresponds with a user identifier (e.g., username) from a previous registration phase – par. 0203).
The same motivation to modify Hinton in view of Mohassel applied to claims 1 and 3 above applies here.

Per claim 21, Hinton in view of Mohassel discloses the method of claim 18, further comprising: 
presenting a resource page across the second network, and where the receiving the resource request across the second network comprises receiving the resource request via the resource page (the user may invoke a federated single-sign-on operation to a resource in domain 420 via point-of-contact server 412, e.g., by selecting a special link on a web page that is hosted within domain 410 or by requesting a portal page that is hosted within domain 410 but that displays resources hosted in domain 420 – Hinton: par. 0172 – Note: in response to user’s request a portal page provides links to one or more domains/subservient servers that are needed to complete user’s transaction that cascades into one or more operations); 
where the method further comprises, in response to the authentication of the silent authentication request, providing a site token across the second network to a subservient web server that hosts a requested resource of the received resource request (the user initiates a transaction at a federation partner, such as enterprise 420 that also supports a federated domain, thereby triggering a federated single-sign-on operation. For example, a user may initiate a new transaction at domain 420, or the user's original transaction may cascade into one or more additional transactions at other domains – Hinton: par. 0172); and 
where the site token is for access to the requested resource hosted on the subservient web server (The trust relationship between domains 410 and 420 ensures that domain 420 can understand and trust the security token presented by domain 410 on behalf of the user – Hinton: par. 0174 – Note: Domain 420 is one of the subservient servers that are required to perform an operation to complete a requested transaction comprising multiple operations).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Feijoo (CN111052706A) is directed to “Single-point Login Extended To Joint Relying Party Provider Login”.
Gangawayne (CN109639687B) is directed to providing cloud-based identity and access management using an SSO microserevice.
Abetisov (US2020/0067907A1) is directed to “FEDERATED IDENTITY MANAGEMENT WITH DECENTRALIZED COMPUTING PLATFORMS”.
Totale (US2019/0007409A1) is directed to “HYBRID AUTHENTICATION SYSTEMS AND METHODS”.
Hinton (US2006/00482016A1) is directed to “Method And System For Enabling Federated User Lifecycle Management”.
Hinton (US2006/0020679A1) is directed to “Method And System For Pluggability Of Federation Protocol Runtimes For Federated User Lifecycle Management”.
Hinton (US2006/0021017A1) is directed to “Method And System For Establishing Federation Relationships Through Imported Configuration Files”.
Hinton (US2006/0021018A1) is directed to “Method And System For Enabling Trust Infrastructure Support For Federated User Lifecycle Management”.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/            Examiner, Art Unit 2494