Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claims 1-20 are pending.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 10-14 and 16 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Fletcher et al., US 2019/0394187.

Regarding claim 1, Fletcher discloses a computer implemented method for authenticating a user, the computer implemented method comprising: 
receiving credentials identifying a user; authenticating the credentials identifying the user  (fig. 4, first mobile application 402, to verify the identity of a user (such as an end-user) based on the authentication performed by the authorization server 408); 
identifying a first computing system and a second computing system the user is authorized to access from a plurality of computing systems (0095: The authentication layer provides clients, including the mobile applications (e.g., applications 402 and 404) and the system browsers described herein (e.g., browser 406), to request and receive information about authenticated sessions and users.); 
transmitting a first token to the user that provides access to the first computing system and a second token to the user that provides access to the second computing system (Fig. 5, step 516: obtain token, valid tokens for the first and second mobile applications exist, the user remains logged in to both applications, respectively, without having to log in to the second mobile application with a separate login interface for the second mobile application. At this point, the native SSO has been implemented.); and 
wherein the first token does not provides access to the second computing system and the second token does not provide access to the first computing system (0132: If that session expires, all refresh tokens associated with the session are invalidated such as by the authorization server 408 at step 429. As an alternative to the identification token, the authorization server 408 or an associate second server can add a requested token type parameter and return the value of the identification token.).Regarding claim 2, Fletcher discloses the computer implemented method as recited in claim 1, wherein identifying the plurality of computing systems comprises communicating with the plurality of computing systems to determine which of the plurality of computing systems the user is authorized to access (Fig. 4 and paragraph 0104: In step 414, the authorization server 408 acting as the authentication services provider authenticates the user, the first mobile application 402, and/or the system browser 406 according to information sent to it in step 412, and obtains authorization for the user, the first mobile application, and/or the system browser through steps 416 and 417 as well.).
Regarding claim 10, Fletcher discloses the computer implemented method as recited in claim 1, wherein the first token is configured to identify the user to the first computing system, and the first computing system is configured to provide access to the user in accordance with the identity of the user provided by the token (0047: The client application may further provide information that identifies itself, including a type, capability, name, and the like. In one embodiment, mobile devices 102-104 may uniquely identify themselves through any of a variety of mechanisms, including a phone number, Mobile Identification Number (MIN), an electronic serial number (ESN), or another mobile device identifier. 0057: he application server 108, whereby a user is able to utilize such service upon the user being authenticated, verified or identified by the service.  Fig. 4, to verify the identity of a user (such as an end-user) based on the authentication performed by the authorization server 408).

As per claims 11 and 16, this is a non-transitory computer readable medium and system version of the claimed method discussed above in claims 1-2 wherein all claimed limitations have also been addressed and/or cited as set forth above.
Regarding claim 12, Fletcher discloses the non-transitory computer-readable storage medium as recited in claim 1, wherein the steps further include: periodically communicating with the plurality of computing systems to determine which of the plurality of computing systems the user still has authorization to access; transmitting updated tokens to the user for computing systems that the user is determined to still have access; and transmitting new tokens to the user that provide access to computing systems that the user is determined to have gained access (paragraph 0103: The client can provide the connector code to the token endpoint during refresh token requests (such as refresh token requests implemented in steps 422 and 428). 0132:  the authorization server 408 can issue a token response object containing a refresh token, access token and identification token issued to the client identification of the mobile application making the request, such as the identification of second mobile application 404. ).Regarding claim 13, Fletcher discloses the non-transitory computer-readable storage medium as recited in claim 12, wherein the tokens transmitted to the user are stored in a data repository that allows the user to access the computing systems the user is authorized to access (0079: tokens and/or codes, and the data and metadata of such things processed according to the disclosed systems and methods, and stored in a shared security mechanism 320, can be any type of authentication credentials. ).Regarding claim 14, Fletcher discloses the non-transitory computer-readable storage medium as recited in claim 12, wherein none of the updated tokens provide access to the same computing system (0101: The new scope value can be defined as a specific device SSO scope parameter. When such a scope value is present on the authorization request, when the authorization code is exchanged for tokens, a new connector code will be returned.).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3-4, 6 are rejected under 35 U.S.C. 103 as being unpatentable over Fletcher as applied to claims 1-2 above, and further in view of Kleinpeter et al., US 10,037,339.
Regarding claims 3-4, Fletcher lacks or does not expressly disclose a namespace.  However, Kleinpeter discloses wherein access to the first computing system is based at least in part upon roles defined by a namespace within which the first computing system resides further comprising synchronizing namespace role bindings with the first computing system (Col. 35, lines 17-31 and Fig. 11A, step 468, file journal interface 404 receives a request from client device 150 to synchronize operations …the cursor can also include the FSAuth token including the user ID, and the last observed access permissions to the NS_ID provided in the cursor. Each of the operations can include a namespace or a content item associated with a namespace.).  It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Fletcher with Kleinpeter to include synchronizing namespaces in order to synchronize operations pertaining to content items associated with a user account, as taught by Kleinpeter, col. 35, lines 17-31.Regarding claim 6, Fletcher discloses the computer implemented method as recited in claim 1, further comprising transmitting a third token to the user that provides access to both a third computing system and a fourth computing system (fig. 5 and paragraph 0144: a third mobile application and/or the system browser can use a profile to obtain a token for the third mobile application based on the at least one token and the second connector code.).  Fletcher lacks or does not expressly disclose a name space.  However, Kleinpeter discloses sharing the same namespace (Col. 35, lines 17-31 and Fig. 11A, step 468, file journal interface 404 receives a request from client device 150 to synchronize operations …the cursor can also include the FSAuth token including the user ID, and the last observed access permissions to the NS_ID provided in the cursor. Each of the operations can include a namespace or a content item associated with a namespace.).  It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Fletcher with Kleinpeter to include sharing a namespace in order to synchronize operations pertaining to content items associated with a user account, as taught by Kleinpeter, col. 35, lines 17-31.
Claim 5, 7, 8, 15, 17-20 are rejected under 35 U.S.C. 103 as being obvious over Fletcher as applied to claims 1-2 above, and further in view of Rosoff et al., US 2021/0311764.
The applied reference has a common Assignee with the instant application. Based upon the earlier effectively filed date of the reference, it constitutes prior art under 35 U.S.C. 102(a)(2). 
This rejection under 35 U.S.C. 103 might be overcome by: (1) a showing under 37 CFR 1.130(a) that the subject matter disclosed in the reference was obtained directly or indirectly from the inventor or a joint inventor of this application and is thus not prior art in accordance with 35 U.S.C.102(b)(2)(A); (2) a showing under 37 CFR 1.130(b) of a prior public disclosure under 35 U.S.C. 102(b)(2)(B); or (3) a statement pursuant to 35 U.S.C. 102(b)(2)(C) establishing that, not later than the effective filing date of the claimed invention, the subject matter disclosed and the claimed invention were either owned by the same person or subject to an obligation of assignment to the same person or subject to a joint research agreement. See generally MPEP § 717.02.

Regarding claim 5, Fletcher lacks or does not expressly disclose wherein the first computing system comprises a plurality of workloads running within a supervisor cluster and the second computing system comprises a guest cluster.
However, Rosoff discloses wherein the first computing system comprises a plurality of workloads running within a supervisor cluster and the second computing system comprises a guest cluster (paragraph 0051: the supervisor cluster is leveraged to deliver a “guest cluster” as a custom object (“managed cluster objects 336”). The guest cluster comprises a standard Kubernetes control plane and associated nodes, as well as components for interfacing the underlying supervisor cluster. The guest cluster executes within compute objects of managed by the supervisor cluster (e.g., native VMs or both native VMs and pod VMs) and utilizes networking and storage exposed by the supervisor cluster. In this manner, a guest cluster is a virtual extension of an underlying management cluster (i.e., the supervisor cluster). Guest clusters build on the workload management functionality provided by the supervisor cluster, which provides development teams with familiar control over cluster configuration and cluster lifecycle.).  It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Fletcher with Rosoff to include a plurality of workloads running within a supervisor cluster in order to build on the workload management functionality provide control over configurations, as taught by Rosoff, paragraph 0051.
Regarding claim 7, Fletcher lacks or does not expressly disclose a security policy.  However, Rosoff teaches receiving an updated security policy from at least one computing system of the plurality of computing systems; and when the user has an active token granting access to the at least one computing system and the updated security policy is stricter than any of previously established security policies, requesting the user provide new authentication credentials conforming with the updated security policy (Paragraph 0061: resource policy applied by the supervisor namespace in which it is deployed. 0071: host 120, there are two important functions with respect to container lifecycle management that require state to be stored about the result and control decisions made—the management of init containers and restart policy.  0076: At step 1004, network plugin 312 in supervisor Kubernetes master 104 cooperates with network manager 112 to obtain a new virtual IP address for the service. ).  It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Fletcher with Rosoff to include an updated security policy in order to update the routing rules, as taught by Rosoff, paragraph 0079.Regarding claim 8, Fletcher, as modified above further discloses the computer implemented method as recited in claim 7, further comprising: transmitting a notification to the user informing the user of when the active token granting access to the at least one computing system will expire if the new authentication credentials are not received (0133: The response can also include an indication of when the access token expires…if any of the parameters of the response are not valid the authorization server can notify the user with a corresponding error message.).
Regarding claim 15, Fletcher lacks or does not expressly disclose security policies.  However, Rosoff discloses wherein authenticating the credentials identifying the user comprises confirming the received credentials comply with security policies associated with the identified computing systems; and wherein identifying computing systems from the plurality of computing systems comprises receiving lists of authorized users from the plurality of computing systems (paragraph 0061:  Guest cluster 526 is constrained by the authorization and resource policy applied by the supervisor namespace in which it is deployed.  Paragraph 0066: Resource scheduler 108 selects zero or one node from the list of a plurality of candidate nodes provided by scheduler extender 306.).It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Fletcher with Rosoff to include a security policy in order to update the routing rules, as taught by Rosoff, paragraph 0079.
Regarding claim 17-20, Fletcher lacks or does not expressly disclose a server cluster.  
However, Rosoff discloses wherein the computer system includes a trusted authentication system running in a master virtual machine positioned in a first server cluster (abstract: a host cluster having a virtualization layer directly executing on hardware platforms of hosts, the virtualization layer supporting execution of virtual machines (VMs)); 
wherein the first computing system is located in the first server cluster and the second computing system is positioned in a second server cluster (0027:  VM management server 116 logically groups hosts 120 into cluster 118 to provide cluster-level functions to hosts 120, such as VM migration between hosts 120);
wherein the first computing system and the second computing system are both positioned in the first server cluster; wherein the first and second server clusters are managed by the same management server (0034: Each supervisor namespace 117 includes a portion within orchestration control plane 115, which allows users to provision applications in supervisor cluster 101 within the scope of supervisor namespaces 117.).  It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Fletcher with Rosoff to include server clusters in order to control execution of the virtual machine as taught by Rosoff, abstract.
Allowable Subject Matter
Claim 9 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  
The prior art lacks or fails to make obvious:
receiving log data from a log analytics system showing one of the tokens issued to the user granting access to the first computing system has been used in an attempt to access a third computing system that the token is not configured to grant access to; and reducing a trust level for the first computing system, wherein the first computing system is a guest cluster and the computer implemented method further comprises transmitting a notification to the guest cluster informing the guest cluster of the reason for the reduced trust level.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 2016/0127855 to Zhang et al., US 2016/0127855 teaches receiving client 104B transmits 518 the token to content management system 102 with a request for the content item to be added to the receiving user's namespace. Based on the request and the token, content management system 102 identifies 520 the content item in the sharing user's namespace. Content management system 102 adds 522 the content item to the receiving user's namespace. Content management system 102 transmits 524 a confirmation message to receiving client 104B indicating that the content item has been added to the receiving user's namespace. In one embodiment, if receiving client 104B maintains a synchronized local copy of the receiving's users namespace, the content item is provided to receiving client 104B and added by receiving client 104B to the local copy of the namespace.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AUBREY H WYSZYNSKI/Examiner, Art Unit 2434                                                                                                                                                                                                        /KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434