DETAILED ACTION
1. 	This Non-Final Office Action is in response to application filed on 05/20/2021.  	Claims 21-40 are being considered on the merits. 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Drawings
2. 	The drawings filed on 05/20/2021 are accepted. 
Information Disclosure Statement
3.	The information disclosure statements (IDS) submitted on 05/20/2021, 07/20/2021, 08/17/2021, 12/06/2021, 02/11/2022 and 03/03/2022 have been considered. The submissions are compliance with the provisions of 37 CFR 1.97. Accordingly, initialed and dated copies of the Applicant’s IDS forms 1449 filed on 05/20/2021, 07/20/2021, 08/17/2021, 12/06/2021, 02/11/2022 and 03/03/2022 are attached to this office action. 

Double Patenting
4.	Claims 21-40 of this application is patentably indistinct from claims 1-20 of U.S. Patent No. 11,050,730. Pursuant to 37 CFR 1.78(f), when two or more applications filed by the same applicant or assignee contain patentably indistinct claims, elimination of such claims from all but one application may be required in the absence of good and sufficient reason for their retention during pendency in more than one application. Applicant is required to either cancel the patentably indistinct claims from all but one application or maintain a clear line of demarcation between the applications. See MPEP § 822.
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 21-40 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,050,730. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims disclose a method, system and non-transitory computer-readable storage medium for authentication and access management. The method of claim 21, the system of claim 31 and the non-transitory computer-readable storage medium of claim 40 include the same limitations of the method of claim 1, the system of claim 11 and the computer-readable storage medium of claim 20 disclosed in U.S. Patent No. 11,050,730. 
Likewise regarding dependent claims:
Claims 22-30 and 32-39 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 2-10 and 12-19 of U.S. Patent No. 11,050,730.

As indicated in the table below, these dependent claims of the instant application are anticipated by the corresponding claims of U.S. Patent No. 11,050,730, because the subject matter claimed in the following dependent claims of the instant application is fully disclosed and covered by the corresponding claims of US Patent No. 11,050,730.

Instant application. Application No. 17/325,636
U.S. Patent No. 11,050,730
Claim 21: receiving, by an access management agent implemented using a computer system comprising at least one hardware processor and a memory, from a first access manager, a token that includes an identifier that identifies the first access manager, wherein the first access manager created a session and generated the token and in response to successful authentication of a user; 
storing, by the access management agent, for the session, the identifier that identifies the first access manager, wherein the first access manager is part of a plurality of access managers; receiving, by the access management agent, from the user during the session, a request for authentication or authorization of the user; 
determining, by the access management agent, based on the identifier that identifies the first access manager being stored for the session, that, from among the plurality of access managers, the first access manager is to be used for processing the request; and 
in response to the determining, sending, by the access management agent, to the first access manager, the request for authentication or authorization of the user, wherein the first access manager processes the request to authenticate or authorize the user.
Claim 1: authenticating, by a first access manager, implemented using a computer system comprising at least one hardware processor and a memory, a user of a client device based on an authentication request received from the client device, wherein the first access manager is part of a plurality of access managers available for processing authentication requests;
creating, by the first access manager, a session in response to successful authentication of the user;
generating, by the first access manager, an identifier that identifies the first access manager;
generating, by the first access manager, a token that is either an authentication token or an authorization token, the token including the identifier that identifies the first access manager;
sending, by the first access manager, to an access management agent for storage, the token including the identifier that identifies the first access manager;
receiving, by the first access manager and from the access manager agent, a second request received from the client device for authentication or authorization of the user during the session, wherein the second request is received by the first access manager based on the identifier in the stored token identifying the first access manager; and
processing; by the first access manager, the second request to authenticate or authorize the user of the client device while maintaining the same session.
Claim 22: wherein the request for authentication or authorization of the user is second request, and further comprising: generating, by the access management agent, a first request that is an authentication request; and sending, by the access management agent, the first request to the first access manager, wherein the first access manager authenticates the user, creates the session, and generates the token based on the first request.
Claim 1:
… creating, by the first access manager, a session in response to successful authentication of the user;
generating, by the first access manager, an identifier that identifies the first access manager;
generating, by the first access manager, a token that is either an authentication token or an authorization token, the token including the identifier that identifies the first access manager…
Claim 23: receiving, by the access management agent, from the user, a user request for a protected resource; determining, by the access management agent, that authentication is needed; sending, by the access management agent, to the user, a request for credential information; and receiving, by the access management agent, from the user, credential information, wherein the credential information is included in the first request.
Claim 1: …receive from the access management agent, a second request received from the client device for authentication or authorization of the user during the session, wherein the second request is received by the first access manager based on the identifier in the stored token identifying the first access manager; and
process the second request to authenticate or authorize the user of the client device while maintaining the same session…
Claim 24: wherein the first access manager generates the identifier that identifies the first access manager.
Claim 1: …generate an identifier that identifies the first access manager; generate a token that is either an authentication token or an authorization token, the token including the identifier that identifies the first access manager…
Claim 25: wherein the token is either an authentication token or an authorization token.
Claim 1: …generate an identifier that identifies the first access manager; generate a token that is either an authentication token or an authorization token, the token including the identifier that identifies the first access manager….
Claim 26: wherein the request for authentication or authorization of the user includes the token, and wherein the first access manager processes the request based on the token.
Claim 1: …generate an identifier that identifies the first access manager; generate a token that is either an authentication token or an authorization token, the token including the identifier that identifies the first access manager….
Claim 27: wherein the access managers in the plurality of access managers belong to different server clusters in a data center, and wherein the identifier that identifies the first access manager includes information identifying a server cluster to which the first access manager belongs.
Claim 3: wherein the access managers in the plurality of access managers belong to different server clusters in a data center, and wherein the identifier includes information identifying a server cluster to which the first access manager belongs.

Claim 28: wherein the access managers in the plurality of access managers belong to different data centers, and wherein the request to authenticate or authorize the user is sent to a data center of the first access manager based on the identifier that identifies the first access manager.
 
Claim 4: wherein the access managers in the plurality of access managers belong to different data centers, and wherein the second request is sent to a data center of the first access manager based on the identifier.
Claim 29: wherein the request for authentication or authorization of the user is a request to re-authenticate the user.
Claim 7: wherein the second request is a request to re-authenticate the user or a request to authorize the user to access a resource.
Claim 30: wherein the request for authentication or authorization of the user is a request to authorize the user to access a resource.

Claim 11: wherein the second request is a request to authorize the user to access a resource at a computer system that is separate from the first access manager, and further comprising:
in response to processing the second request, granting, by the first access manager, access to the resource at the computer system that is separate from the first access manager.
Claim 31: receive, from a first access manager, a token that includes an identifier that identifies the first access manager, wherein the first access manager created a session and generated the token and in response to successful authentication of a user; store, for the session, the identifier that identifies the first access manager, wherein the first access manager is part of a plurality of access managers; receive, from the user during the session, a request for authentication or authorization of the user; determine, based on the identifier that identifies the first access manager being stored for the session, that, from among the plurality of access managers, the first access manager is to be used for processing the request; and in response to the determining, send, to the first access manager, the request for authentication or authorization of the user, wherein the first access manager processes the request to authenticate or authorize the user.
Claim 12: authenticate a user of a client device based on an authentication request received from the client device, wherein the first access manager is part of the plurality of access managers available for processing authentication requests;
create a session in response to successful authentication of the user;
generate an identifier that identifies the first access manager;
generate a token that is either an authentication token or an authorization token, the token including the identifier that identifies the first access manager;
send, to an access management agent for storage, the token including the identifier that identifies the first access manager;
receive from the access management agent, a second request received from the client device for authentication or authorization of the user during the session, wherein the second request is received by the first access manager based on the identifier in the stored token identifying the first access manager; and
process the second request to authenticate or authorize the user of the client device while maintaining the same session.
Claim 32: the first access manager configured to: authenticate the user; create the session in response to the successful authentication of the user; generate the token that includes the identifier that identifies the first access manager; send, to the access management agent for storage, the token including the identifier that identifies the first access manager; receive, from the access management agent, the request for authentication or authorization of the user; and process the request to authenticate or authorize the user.
Claim 12: … authenticate a user of a client device based on an authentication request received from the client device, wherein the first access manager is part oft plurality of access managers available for processing authentication requests;
create a session in response to successful authentication of the user;
generate an identifier that identifies the first access manager;
generate a token that is either an authentication token or an authorization token, the token including the identifier that identifies the first access manager…
Claim 33: a data center, wherein the access managers in the plurality of access managers belong to different server clusters in the data center, and wherein the identifier that identifies the first access manager includes information identifying a server cluster to which the first access manager belongs.
Claim 14: a data center, wherein the access managers in the plurality of access managers belong to different server clusters in the data center, and wherein the identifier includes information identifying a server cluster to which the first access manager belongs.

Claim 34: a first data center including the first access manager, wherein at least some of the access managers in the plurality of access managers belong to a second data center, and wherein the request to authenticate or authorize the user is sent to the first data center based on the identifier that identifies the first access manager.
Claim 15: a first data center including the first access manager, wherein at least some of the access managers in the plurality of access managers belong to a second data center, and wherein the second request is sent to the first data center based on the identifier.

Claim 35: a load balancer configured to direct the request to authenticate or authorize the user to the first access manager based on the identifier that identifies the first access manager being included in the request.
Claim 19: a load balancer configured to direct the second request to the first access manager based on the identifier being included in the second request.
Claim 36: wherein the request for authentication or authorization of the user is second request, and wherein the access management agent is further configured to: generate a first request that is an authentication request; and send the first request to the first access manager, wherein the first access manager authenticates the user, creates the session, and generates the token based on the first request.
Claim 12: create a session in response to successful authentication of the user;
generate an identifier that identifies the first access manager;
generate a token that is either an authentication token or an authorization token, the token including the identifier that identifies the first access manager;
Claim 37: wherein the second request includes the token, and wherein the token includes session information.
Claim 18: wherein the second request includes the token
Claim 38: wherein the access management agent is further configured to send the first request over a first channel and the second request over a second channel, and wherein the first channel and the second channel use different communication protocols.
Claim 16: wherein the first access manager is further configured to receive the authentication request over a first channel and the second request over a second channel, and wherein the first channel and the second channel use different communication protocols.
Claim 39: wherein the first channel uses Hypertext Transfer Protocol (HTTP) and the second channel uses Oracle Access Protocol (OAP).

Claim 17: wherein the first channel uses Hypertext Transfer Protocol (HTTP) and the second channel uses Oracle Access Protocol (OAP).

Claim 40: receive, from a first access manager, a token that includes an identifier that identifies the first access manager, wherein the first access manager created a session and generated the token and in response to successful authentication of a user; store, for the session, the identifier that identifies the first access manager, wherein the first access manager is part of a plurality of access managers; receive, from the user during the session, a request for authentication or authorization of the user; determine, based on the identifier that identifies the first access manager being stored for the session, that, from among the plurality of access managers, the first access manager is to be used for processing the request; and in response to the determining, send, to the first access manager, the request for authentication or authorization of the user, wherein the first access manager processes the request to authenticate or authorize the user.
Claim 20: authenticate, by a first access manager, a user of a client device based on an authentication request received from the client device, wherein the first access manager is part of a plurality of access managers available for processing authentication requests;
create, by the first access manager, a session in response to successful authentication of the user;
generate, by the first access manager, an identifier identifying the first access manager;
generate, by the first access manager, a token that is either an authentication token or an authorization token, the token including the identifier that identifies the first access manager;
send, by the first access manager, to an access management agent for storage, the token including the identifier that identifies the first access manager;
receive, by the first access manager from the access manager agent, a second request received from the client device for authentication or authorization of the user during the session, wherein the second request is received by the first access manager based on the identifier in the stored token identifying the first access manager; and
process, by the first access manager, the second request to authenticate or authorize the user of the client device while maintaining the same session.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



5.	Claims 21-40 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub No. US 2018/0191701 A1 to Kong, (hereinafter, “Kong”), as disclosed in IDS submitted on 05/20/2021, in view of US Pub. No. US 2015/0089614 A1 to Mathew, (hereinafter, “Mathew”), as disclosed in IDS submitted on 05/20/2021.
As per claims 21, 31 and 40, Kong teaches a computer-implemented method, a system and a non-transitory computer-readable storage medium storing a plurality of instructions, respectively, that when executed by one or more processors of a computer system, cause the one or more processors to execute, the system comprising:
an access management agent implemented using a computer system comprising at least one hardware processor and a memory (Kong, para. [0031] “FIG. 7 illustrates how a virtual session manager may manage authentication of multiple devices and allow the devices to share a single session.” And para. [0100] “FIG. 8 depicts a block diagram of hardware that may be used to contain or implement program instructions, such as those of a hosted service, a monitoring service for a hosted service, an electronic device that is accessing a hosted service, or a virtual machine or container that serves in any of these roles.” And para. [0101] “A memory device 810 is a hardware element or segment of a hardware element on which programming instructions, data, or both may be stored. Read only memory (ROM) and random access memory (RAM) constitute examples of memory devices, along with cloud storage services.”), the method comprising: 
receiving, by an access management agent implemented using a computer system comprising at least one hardware processor and a memory, from a first access manager, a token that includes an identifier that identifies the first access manager, wherein the first access manager created a session and generated the token and in response to successful authentication of a user (Kong, para. [0049] “If the credential is valid (i.e., if it permits the user agent to access the web resource), the login endpoint 204 will establish the session by issuing an access token and a grant token to the user agent 201. The user agent 201 will store the access token and the grant token in a memory of its associated electronic device. The user agent 201 can then present the access token to the web resource 202 in order to be granted access the web resource 202.”); 
storing, by the access management agent, for the session, the identifier that identifies the first access manager (Kong, para. [0049] “If the credential is valid (i.e., if it permits the user agent to access the web resource), the login endpoint 204 will establish the session by issuing an access token and a grant token to the user agent 201. The user agent 201 will store the access token and the grant token in a memory of its associated electronic device. The user agent 201 can then present the access token to the web resource 202 in order to be granted access the web resource 202.”); 
receiving, by the access management agent, from the user during the session, a request for authentication or authorization of the user (Kong, para. [0050] “When the access token is expired or about to expire, the user agent 201 can send a re-authentication request to a re-authentication endpoint 205. The re-authentication endpoint 205 may be separate from the login endpoint 204 as shown, or the two endpoint devices may share one or more hardware elements. Upon validating of the re-authentication request, the re-authentication endpoint 205 will return a new access token to the user agent 201 so that the user agent 201 can maintain the session with the web resource 202.”); 
in response to the determining, sending, by the access management agent, to the first access manager, the request for authentication or authorization of the user, wherein the first access manager processes the request to authenticate or authorize the user (Kong, para. [0053] “This process is further illustrated in the flow diagram of FIG. 3. In order to request access to a web resource, a user agent may transmit an authentication request to a login endpoint 301 by transmitting a credential to an address of the login endpoint. The credential can be any credential that the login endpoint can use validate the credential 302 and thus determine whether the user agent is authorized to access the web resource, such as a passphrase, a biometric identifier, a key or any other credential.”).

Kong teaches all the limitations of claims 21, 31 and 40 above, however fails to explicitly teach, but Mathew teaches:
wherein the first access manager is part of a plurality of access managers (Mathew, para. [0036] “multiple access manager servers can be deployed as an access manager cluster in a data center, which allows for scalability and high availability. Multiple such geographically dispersed data centers with access manager clusters can be connected (wired or wirelessly) to constitute an access manager Multi Data Center (MDC).”); 
determining, by the access management agent, based on the identifier that identifies the first access manager being stored for the session, that, from among the plurality of access managers, the first access manager is to be used for processing the request (Mathew, para. [0037] “A data center may identify each user session uniquely by generating a session identifier. When the system is operated as a MDC, a user request for one or more resources can hop across data centers within a single SSO session, requiring all the visited data centers to generate unique identifiers for servicing the user request. In some embodiments, the access manager server may use a session management engine to generate this unique session identifier per user per data center.” And para. [0038] “The access manager server authenticates the user 102 upon receiving the proper credentials by validating the credentials against those stored in a user directory. As a result, the user 102 is logged into the data center 110 and a session is created for the user in the data center 110 with a session identifier (ID) S1. The session is represented by session object 112. Once logged in, the user 102 may access resources for which the user is authorized to access, such as running different applications, accessing cloud storage, or the like.” And para. [0041] “The lightweight cookie includes a minimal set of information that can be used by a disparate data center (e.g., data center 114) to identify and contact data center 110 in order to obtain session information that allows the disparate data center to create a local session object. For example, the "USERID: weblogic" is a user identifier that is specific to the user 102. The "IdStoreRef:oid1" indicates a directory (e.g., a lightweight directory access protocol (LDAP) ID store) that is used to store and retrieve the user's identity information relating to the session.”); and 
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mathew’s single sign-on between multiple data centers into Kong’s authenticated session management across multiple electronic devices using a virtual session manager, with a motivation to manage multiple network requests efficiently using a single-sign on procedure (Mathew, para. [0006]). 

As per claims 22 and 36, the combination of Kong and Mathew teach the method of claim 21 and the system of claim 31, respectively, further comprising:  wherein the request for authentication or authorization of the user is second request, and further comprising: generating, by the access management agent, a first request that is an authentication request; and sending, by the access management agent, the first request to the first access manager, wherein the first access manager authenticates the user, creates the session, and generates the token based on the first request (Kong, para. [0049] “FIG. 2 provides a high-level overview of a method of authenticated session management using a two-token model. In the two -token model, two authentication tokens are used to manage a session between a user agent 201 of an electronic device and a web resource 202. When the user agent 201 issues an authentication request for the web resource 202, it will present a credential to a login endpoint 204. If the credential is valid (i.e., if it permits the user agent to access the web resource), the login endpoint 204 will establish the session by issuing an access token and a grant token to the user agent 201.”).

As per claim 23, the combination of Kong and Mathew teach the method of claim 22, further comprising: receiving, by the access management agent, from the user, a user request for a protected resource; determining, by the access management agent, that authentication is needed; sending, by the access management agent, to the user, a request for credential information; and receiving, by the access management agent, from the user, credential information, wherein the credential information is included in the first request (Kong, para. [0049] “FIG. 2 provides a high-level overview of a method of authenticated session management using a two-token model. In the two-token model, two authentication tokens are used to manage a session between a user agent 201 of an electronic device and a web resource 202. When the user agent 201 issues an authentication request for the web resource 202, it will present a credential to a login endpoint 204. If the credential is valid (i.e., if it permits the user agent to access the web resource), the login endpoint 204 will establish the session by issuing an access token and a grant token to the user agent 201. The user agent 201 will store the access token and the grant token in a memory of its associated electronic device. The user agent 201 can then present the access token to the web resource 202 in order to be granted access the web resource 202.” And para. [0050] “When the access token is expired or about to expire, the user agent 201 can send a re-authentication request to a re-authentication endpoint 205. The re-authentication endpoint 205 may be separate from the login endpoint 204 as shown, or the two endpoint devices may share one or more hardware elements. Upon validating of the re-authentication request, the re-authentication endpoint 205 will return a new access token to the user agent 201 so that the user agent 201 can maintain the session with the web resource 202.”).

As per claim 24, the combination of Kong and Mathew teach the method of claim 21, wherein the first access manager generates the identifier that identifies the first access manager (Mathew, para. [0037] “A data center may identify each user session uniquely by generating a session identifier. When the system is operated as a MDC, a user request for one or more resources can hop across data centers within a single SSO session, requiring all the visited data centers to generate unique identifiers for servicing the user request. In some embodiments, the access manager server may use a session management engine to generate this unique session identifier per user per data center.” And para. [0092] “the user may attempt to access a first resource, such as application 1 (APP1). Based on the user's affinity with NYDC, the user is authenticated by NYDC. Upon a successful authentication, the access manager ID cookie is augmented with a unique data center identifier referencing NYDC (e.g., the cluster ID of NYDC). A subsequent authorization call will also be served by the NYDC as the NYDC is the primary server for the accessed resource (e.g., the end point for the web gate protecting the resource). The authorization flow will generate the authorization cookie, which will include the NYDC unique identifier. Upon successful authentication and authorization, the user will be granted SSO access to the resource APP1.”). 
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mathew’s single sign-on between multiple data centers into Kong’s authenticated session management across multiple electronic devices using a virtual session manager, with a motivation to protect the data center and any resources within the data center against external and internal web-based threats (Mathew, para. [0033]). 

As per claim 25, the combination of Kong and Mathew teach the method of claim 21, wherein the token is either an authentication token or an authorization token (Kong, para. [0049] “FIG. 2 provides a high-level overview of a method of authenticated session management using a two-token model. In the two -token model, two authentication tokens are used to manage a session between a user agent 201 of an electronic device and a web resource 202. When the user agent 201 issues an authentication request for the web resource 202, it will present a credential to a login endpoint 204. If the credential is valid (i.e., if it permits the user agent to access the web resource), the login endpoint 204 will establish the session by issuing an access token and a grant token to the user agent 201.”).

As per claim 26, the combination of Kong and Mathew teach the method of claim 21, wherein the request for authentication or authorization of the user includes the token, and wherein the first access manager processes the request based on the token (Kong, para. [0049] “FIG. 2 provides a high-level overview of a method of authenticated session management using a two-token model. In the two -token model, two authentication tokens are used to manage a session between a user agent 201 of an electronic device and a web resource 202. When the user agent 201 issues an authentication request for the web resource 202, it will present a credential to a login endpoint 204. If the credential is valid (i.e., if it permits the user agent to access the web resource), the login endpoint 204 will establish the session by issuing an access token and a grant token to the user agent 201.” And para. [0056] “When an access token has expired or is about to expire 305 (i.e., within a threshold period of time or other unit of measure from anticipated expiration), the user agent can send a re-authentication request 306 to the re-authentication endpoint to request a new access token. The re-authentication request may include the grant token, or it may include another token that is derived from the grant token.”).

As per claims 27 and 33, the combination of Kong and Mathew teach the method of claim 21 and the system of claim 31, respectively, wherein the access managers in the plurality of access managers belong to different server clusters in a data center, and wherein the identifier that identifies the first access manager includes information identifying a server cluster to which the first access manager belongs (Mathew, para. [0088] “The access manager server in DC1 may then update the access manager ID cookie with its data center identifier, such as its cluster ID (e.g., data center chaining is recorded in the access manager ID cookie).”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mathew’s single sign-on between multiple data centers into Kong’s authenticated session management across multiple electronic devices using a virtual session manager, with a motivation to protect the data center and any resources within the data center against external and internal web-based threats (Mathew, para. [0033]). 

As per claim 28, the combination of Kong and Mathew teach the method of claim 21, wherein the access managers in the plurality of access managers belong to different data centers, and wherein the request to authenticate or authorize the user is sent to a data center of the first access manager based on the identifier that identifies the first access manager (Mathew, para. [0049] Once it is verified that a valid session exists in data center 110, one or more policies applicable to the data center 114 may direct the data center 114 to create a new session and to provide SSO access for the user 102 to the particular resource. The data center 114 may direct the data center 110 to send session information relating to the session 1. For example, the session retrieval request may direct the data center 110 to respond with session information from session object 112 in the event a valid session exists in data center 110. Once the data center 114 receives the session object 112, it may read the session information from session object 112 and may use the information to create a local session within data center 114 with session ID 2 and session object 116. The local session object 116 may then be instantiated and/or initialized in order to authenticate the user 102. Once authenticated, the user 102 may access the second resource stored and/or managed by data center 114. After session 2 is created in data center 114, the lightweight cookie may be updated to include, for example, the cluster ID and the session ID of data center 114.).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mathew’s single sign-on between multiple data centers into Kong’s authenticated session management across multiple electronic devices using a virtual session manager, with a motivation to protect the data center and any resources within the data center against external and internal web-based threats (Mathew, para. [0033]). 
As per claim 29, the combination of Kong and Mathew teach the method of claim 21, wherein the request for authentication or authorization of the user is a request to re-authenticate the user (Kong, para. [0050] “When the access token is expired or about to expire, the user agent 201 can send a re-authentication request to a re-authentication endpoint 205. The re-authentication endpoint 205 may be separate from the login endpoint 204 as shown, or the two endpoint devices may share one or more hardware elements. Upon validating of the re-authentication request, the re-authentication endpoint 205 will return a new access token to the user agent 201 so that the user agent 201 can maintain the session with the web resource 202.”).

As per claim 30, the combination of Kong and Mathew teach the method of claim 21, wherein the request for authentication or authorization of the user is a request to authorize the user to access a resource (Kong, para. [0049] “FIG. 2 provides a high-level overview of a method of authenticated session management using a two-token model. In the two -token model, two authentication tokens are used to manage a session between a user agent 201 of an electronic device and a web resource 202. When the user agent 201 issues an authentication request for the web resource 202, it will present a credential to a login endpoint 204. If the credential is valid (i.e., if it permits the user agent to access the web resource), the login endpoint 204 will establish the session by issuing an access token and a grant token to the user agent 201.”).


As per claim 32, the combination of Kong and Mathew teach the system of claim 31, further comprising: the first access manager configured to: authenticate the user; create the session in response to the successful authentication of the user; receive, from the access management agent, the request for authentication or authorization of the user; and process the request to authenticate or authorize the user (Kong, para. [0049] “If the credential is valid (i.e., if it permits the user agent to access the web resource), the login endpoint 204 will establish the session by issuing an access token and a grant token to the user agent 201. The user agent 201 will store the access token and the grant token in a memory of its associated electronic device. The user agent 201 can then present the access token to the web resource 202 in order to be granted access the web resource 202.” and para. [0050] “When the access token is expired or about to expire, the user agent 201 can send a re-authentication request to a re-authentication endpoint 205. The re-authentication endpoint 205 may be separate from the login endpoint 204 as shown, or the two endpoint devices may share one or more hardware elements. Upon validating of the re-authentication request, the re-authentication endpoint 205 will return a new access token to the user agent 201 so that the user agent 201 can maintain the session with the web resource 202.” And para. [0053] “This process is further illustrated in the flow diagram of FIG. 3. In order to request access to a web resource, a user agent may transmit an authentication request to a login endpoint 301 by transmitting a credential to an address of the login endpoint. The credential can be any credential that the login endpoint can use validate the credential 302 and thus determine whether the user agent is authorized to access the web resource, such as a passphrase, a biometric identifier, a key or any other credential.”)

generate the token that includes the identifier that identifies the first access manager; send, to the access management agent for storage, the token including the identifier that identifies the first access manager (Mathew, para. [0037] “A data center may identify each user session uniquely by generating a session identifier. When the system is operated as a MDC, a user request for one or more resources can hop across data centers within a single SSO session, requiring all the visited data centers to generate unique identifiers for servicing the user request. In some embodiments, the access manager server may use a session management engine to generate this unique session identifier per user per data center.” And para. [0092] “the user may attempt to access a first resource, such as application 1 (APP1). Based on the user's affinity with NYDC, the user is authenticated by NYDC. Upon a successful authentication, the access manager ID cookie is augmented with a unique data center identifier referencing NYDC (e.g., the cluster ID of NYDC). A subsequent authorization call will also be served by the NYDC as the NYDC is the primary server for the accessed resource (e.g., the end point for the web gate protecting the resource). The authorization flow will generate the authorization cookie, which will include the NYDC unique identifier. Upon successful authentication and authorization, the user will be granted SSO access to the resource APP1.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mathew’s single sign-on between multiple data centers into Kong’s authenticated session management across multiple electronic devices using a virtual session manager, with a motivation to protect the data center and any resources within the data center against external and internal web-based threats (Mathew, para. [0033]). 

As per claim 34, the combination of Kong and Mathew teach the system of claim 31, further comprising: a first data center including the first access manager, wherein at least some of the access managers in the plurality of access managers belong to a second data center, and wherein the request to authenticate or authorize the user is sent to the first data center based on the identifier that identifies the first access manager (Mathew, para. [0049] “Once it is verified that a valid session exists in data center 110, one or more policies applicable to the data center 114 may direct the data center 114 to create a new session and to provide SSO access for the user 102 to the particular resource. The data center 114 may direct the data center 110 to send session information relating to the session 1.” And para. [0089] “The user may then request a resource that is stored and/or managed by a second data center (referred to as "data center 2 (DC2)"). The user request is routed to data center 2 (DC2) by a global load balancer. The access manager server in DC2 is presented with the access manager ID cookie issued by DC1. Upon a successful validation, the access manager server knows that this is user coming from a remote DC1. The access manager server in DC2 may look up the session adoption policy (no re-authentication, but with remote session invalidation and remote session data retrieval) in order to determine the parameters for which to create a local session. Based upon these policies, the access manager server in DC2 may make a back-channel (e.g., an OAP protocol) call to access manager server in DC1 to retrieve session data (using ID) (according to the remote session data retrieval policy) followed by a termination of the session (according to the remote session invalidation policy).”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mathew’s single sign-on between multiple data centers into Kong’s authenticated session management across multiple electronic devices using a virtual session manager, with a motivation to protect the data center and any resources within the data center against external and internal web-based threats (Mathew, para. [0033]). 

As per claim 35, the combination of Kong and Mathew teach the system of claim 31, further comprising: a load balancer configured to direct the request to authenticate or authorize the user to the first access manager based on the identifier that identifies the first access manager being included in the request (Mathew, para. [0089] “The user may then request a resource that is stored and/or managed by a second data center (referred to as "data center 2 (DC2)"). The user request is routed to data center 2 (DC2) by a global load balancer. The access manager server in DC2 is presented with the access manager ID cookie issued by DC1. Upon a successful validation, the access manager server knows that this is user coming from a remote DC1. The access manager server in DC2 may look up the session adoption policy (no re-authentication, but with remote session invalidation and remote session data retrieval) in order to determine the parameters for which to create a local session. Based upon these policies, the access manager server in DC2 may make a back-channel (e.g., an OAP protocol) call to access manager server in DC1 to retrieve session data (using ID) (according to the remote session data retrieval policy) followed by a termination of the session (according to the remote session invalidation policy).”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mathew’s single sign-on between multiple data centers into Kong’s authenticated session management across multiple electronic devices using a virtual session manager, with a motivation to protect the data center and any resources within the data center against external and internal web-based threats (Mathew, para. [0033]). 

As per claim 37, the combination of Kong and Mathew teach the system of claim 36, wherein the second request includes the token, and wherein the token includes session information (Mathew, para. [0049] “Once it is verified that a valid session exists in data center 110, one or more policies applicable to the data center 114 may direct the data center 114 to create a new session and to provide SSO access for the user 102 to the particular resource. The data center 114 may direct the data center 110 to send session information relating to the session 1. For example, the session retrieval request may direct the data center 110 to respond with session information from session object 112 in the event a valid session exists in data center 110. Once the data center 114 receives the session object 112, it may read the session information from session object 112 and may use the information to create a local session within data center 114 with session ID 2 and session object 116. The local session object 116 may then be instantiated and/or initialized in order to authenticate the user 102. Once authenticated, the user 102 may access the second resource stored and/or managed by data center 114. After session 2 is created in data center 114, the lightweight cookie may be updated to include, for example, the cluster ID and the session ID of data center 114.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mathew’s single sign-on between multiple data centers into Kong’s authenticated session management across multiple electronic devices using a virtual session manager, with a motivation to protect the data center and any resources within the data center against external and internal web-based threats (Mathew, para. [0033]). 

As per claim 38, the combination of Kong and Mathew teach the system of claim 36, wherein the access management agent is further configured to send the first request over a first channel and the second request over a second channel, and wherein the first channel and the second channel use different communication protocols (Mathew, para. [0035] “front -channel communications may use a hypertext transfer protocol secure (HTTPS) protocol while a back -channel operation communication may use an open access protocol (OAP)” and para. [0089] “The user is then authenticated by DC 1. Upon successful authentication, the access manager ID cookie is augmented with a unique data center identifier referencing DC1 (e.g., the cluster ID of DC1). Once authenticated, the user can access the access manager protected resource in DC1. The user may then request a resource that is stored and/or managed by a second data center (referred to as "data center 2 (DC2)"). The user request is routed to data center 2 (DC2) by a global load balancer…The access manager server in DC2 may look up the session adoption policy (no re-authentication, but with remote session invalidation and remote session data retrieval) in order to determine the parameters for which to create a local session. Based upon these policies, the access manager server in DC2 may make a back -channel (e.g., an OAP protocol) call to access manager server in DC1 to retrieve session data (using ID) (according to the remote session data retrieval policy)”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mathew’s single sign-on between multiple data centers into Kong’s authenticated session management across multiple electronic devices using a virtual session manager, with a motivation to protect the data center and any resources within the data center against external and internal web-based threats (Mathew, para. [0033]). 

As per claim 39, the combination of Kong and Mathew teach the system of claim 38, wherein the first channel uses Hypertext Transfer Protocol (HTTP) and the second channel uses Oracle Access Protocol (OAP) (Mathew, para. [0035] “front-channel communications may use a hypertext transfer protocol secure ( HTTPS) protocol while a back-channel operation communication may use an open access protocol ( OAP), or vice versa.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mathew’s single sign-on between multiple data centers into Kong’s authenticated session management across multiple electronic devices using a virtual session manager, with a motivation to protect the data center and any resources within the data center against external and internal web-based threats (Mathew, para. [0033]). 

Conclusion
6.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20110154465 A1 – Accessing desktop applications using federated identity.
US 20020133723 A1 – Manage secure access to computer systems from an external client.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ZOHA PIYADEHGHIBI TAFAGHODI/Examiner, Art Unit 2437           

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437