DETAILED ACTION
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This office action is in response to the communication filed on 8/29/2022.
Claims 1 and 8 have been amended.
Claims 1-14 are pending for consideration.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/29/2022 has been entered.
 

Response to Arguments
Applicant’s arguments (i.e., wherein the token was generated by an authentication component based on a set of characteristics sent by the authentication component to an authorization component) with respect to claim(s) 1-14 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 5-6, 8, 10 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al. (US 20110167256) (hereinafter Lee) in view of Pelykh (US 20140196115) (hereinafter Pelykh).
Regarding claim 1, Lee discloses a method, comprising: 
managing user access to an application hosted by a computing system (Lee: see figure 1 
    PNG
    media_image1.png
    689
    1003
    media_image1.png
    Greyscale
; and paragraphs 0031-0033 and 0040, “End users can use security tokens, such as smart cards, to store user certificates, and can be used for applications such as single sign-on access and client authentication.”… “The certificate system 120 may be one or more machines including one or more server computers, gateways or other computing systems. In one embodiment, the certificate system 120 resides on multiple servers, including a certificate authority (CA) server that hosts the certificate manager 125, and another server that hosts the TPS 126. The client 102 and the TPS client 103 can interact with the certificate system 120 via the network”), by performing operations comprising:
receiving at the application, a token from an authorization/authentication service, wherein the token includes an application role and an associated privilege mask (Lee: paragraphs 0044 and 0047, “The token database access manager 228 can access token profile records stored in the profile table 225. The profile table 225 stores the available token profiles, where each token profile specifies a token group and a corresponding role for access privileges to entries corresponding to the token group”), wherein the application role corresponds to an entity based on a role of that entity with respect to the  application, and the privilege mask defines one or more privileges that can be granted to the entity with respect to the application upon authentication of the entity, and wherein the one or more privileges are included in the privilege mask based on the role of the entity (Lee: paragraphs 0047 and 0048, “the token database access manager 228 assigns the token profiles to the TPS user by storing a user-related entry for the TPS user in the token database with the assigned token profiles, as described below with respect to FIG. 3B. In another embodiment, the token database access manager 228 assigns the TPS user 201 the token profile by adding a token profile ID attribute to each of the LDAP entries 246 corresponding to the tokens of the group, and adding an auxiliary class (e.g., tpsProfile) with a multi-value attribute that can be attached to a user-related entry in the token database to identify that the TPS user 201 belongs to the particular group and has a particular role”); 
receiving at the application, by way of the authorization/authentication service with which the application is in communication, an authentication request from the entity seeking access to the application (Lee: paragraphs 0049 and 0052, “the token database access manager 228 receives a request from the TPS user 201 to access the token database, and the token database access manager 228 authenticates the TPS user 201, and determines token profiles of the TPS user 201 to determine the TPS user's access privileges to the LDAP entries 246. For example, in one embodiment, the TPS user 201 uses a web browser to access a GUI (interface 220), provided by the token database access manager 228, to request operations to be performed on the LDAP entries”); 
comparing information in the authentication request with the token (Lee: paragraphs 0048, 0052, 0067 and 0078-0079, “when requested by the TPS user 201, the token database access manager 228 lists the LDAP entries 246 of the token database for each of the groups for which the token profile ID of the TPS user 201 matches a set of token profile IDs permitted by each of the groups”); 
approving the authentication request when the information in the authentication request matches the token, and granting, to the entity, access to the application when the authentication request has been approved (Lee: see figure 2; figure 6; and paragraphs 0044, 0048, 0067 and 0078-0079, “when requested by the TPS user 201, the token database access manager 228 lists the LDAP entries 246 of the token database for each of the groups for which the token profile ID of the TPS user 201 matches a set of token profile IDs permitted by each of the groups”… “the TPS services menu 602 presents only a list of permitted operations available to the TPS user 201 based on the token profiles associated with the TPS user 201”), and granting the entity access to the application comprises enabling the entity to access and run one or more functions of the application (Lee: see figure 2, figure 4C, figure 6, and paragraphs 0048-0050, 0052 and 0078-0079, “the TPS services menu 602 presents only a list of permitted operations available to the TPS user 201 based on the token profiles associated with the TPS user 201”); and 
denying access to the application when the information in the authentication request does not match the token (Lee: paragraphs 0050 and 0078-0079, “If the TPS user is not an administrator at block 490, the processing logic denies access to the entries of the token database for the group”… “the TPS user 201 is permitted various operations, including token-related operations and user-related entries, such as list/search tokens, add new tokens, add users, list users, search users, and list/search activities. In other embodiments, the TPS user 201 may have more or less operations on than presented in the menu 602, such as operations to modify tokens in the token groups for which the TPS user 201 belongs”), 
wherein the comparing, approving, granting, and denying processes are performed by the application to which the entity is seeking access (Lee: paragraphs 0033, 0073 and 0083, “4A-4C are flow diagrams of various embodiments of operations of methods 400, 450, and 470 performed by the token database access manager 238. …the methods 400, 450, and 470 are performed by the profile-based access control module 128 of FIGS. 1 and 2B. Alternatively, the methods 400, 450, and 470 are performed by the token database access manager”), and 
wherein when the entity, or a different entity, seeks access to another application, user access to the another application is controlled by the another application (Lee: paragraphs 0031-0033, “End users can use security tokens, such as smart cards, to store user certificates, and can be used for applications such as single sign-on access and client authentication”).  
Lee does not explicitly disclose the following limitation which is disclosed by Pelykh, wherein the token was generated by an authentication component based on a set of characteristics sent by the authentication component to an authorization component (Pelykh: see figure 1; and paragraphs 0046-0056 and 0143, “Role mapping component 116 establishes the mapping between permission groups retrieved from OpenLDAP 126 with local roles stored in the local database. [0054] 8) Role mapping component 116 delegates back to authentication module 122 a list of resolved roles for user 104 and authentication module 122 creates a session object for user… Final session object includes information about user 104, such as username, first name, last name, along with a list of roles assigned to user” … “This allows the system to utilize a remote OpenLDAP server 306 for username lookups”, //Notes: the session object is mapped to the token.  The role mapping component is mapped to the authorization component.  The authentication module is mapped to the authentication component).
Lee and Pelykh are analogous art because they are from the same field of endeavor, access control model.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Lee and Pelykh before him or her, to modify the system of Lee to include a token was generated by an authentication component based on a set of characteristics sent by the authentication component to an authorization component of Pelykh.  The suggestion/motivation for doing so would have been to monitoring of authorization-exceeding activity by users, it is also important to provide such solutions in environments that support multi-tenancy (Pelykh: paragraph 0010).
Regarding claim 8, claim 8 discloses a medium claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 8 and rejected for the same reasons.
Regarding claims 3 and 10, Lee as modified further discloses wherein approval of the authentication request is based on authorization information in the token indicating that tenant characteristics match a tenant authorization profile associated with the application (Lee: paragraphs 0022, 0067, 0079 and 0081-0082, “the processing logic allows the TPS user to view, search, and modify any user-related entry of the token group”… “the predefined access of the operator role allows the TPS user to have read-only permissions to view token-related entries of the group; 2) the predefined access of the agent role allows the TPS user to have read and write permissions to view and modify the token-related entries of the group; and 3) the predefined access of the administrator role allows the TPS user to have read-only permissions to view the token-related entries of the group”).  
Regarding claims 5 and 12, Lee as modified further discloses wherein the method is performed in a tenant environment that provides intra-application tenancy in which a user in the tenant environment does not have access to all aspects of the application (Lee: paragraph 0050, “the TPS user 201 is permitted various operations, including token-related operations and user-related entries, such as list/search tokens, add new tokens, add users, list users, search users, and list/search activities. In other embodiments, the TPS user 201 may have more or less operations than presented in the menu 602, such as operations to modify tokens in the token groups for which the TPS user 201 belongs”).  
Regarding claims 6 and 13, Lee as modified further discloses wherein the method enables single sign-on (SSO) functionality that permits an authorized user to gain access to multiple independent hardware and/or software (Lee: paragraph 0031, “End users can use security tokens, such as smart cards, to store user certificates, and can be used for applications such as single sign-on access and client authentication”).

Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Pelykh, and further in view of Law et al. (US 20070130463) (Law).
Regarding claims 2 and 9, Lee discloses wherein the operations further comprise receiving an updated token (Lee: paragraphs 0063 and 0070, “the method 300 may be performed to update the token profile records in the profile table. The method 300 may be performed in response to input from an administrator that has access privileges to associate tokens with groups, define the roles, and associate the roles with particular token profiles”). 
Lee in view of Pelykh does not explicitly disclose the following limitation which is disclosed by Law, evaluating the authentication request based on the updated token (Law: paragraphs 0080, 0085-0086, 0090 and 0092, “n response, the secured authentication and key system 330 transmits 744 back an encrypted version of an updated token transaction list 746 together with a cryptographic response code to the service provider 320. The cryptographic challenge-response mechanism is one common means for mutual authentication. Upon successful mutual authentication using the cryptographic challenge-response mechanism, the service provider 320 updates its database with this synchronized information.”).  
Lee in view of Pelykh and Law are analogous art because they are from the same field of endeavor, secured electronic communication. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Lee in view of Pelykh and Law before him or her, to modify the system of Lee in view of Pelykh to include the step of evaluating an authentication request based on an updated token of Law.  The suggestion/motivation for doing so would have been to centralize token management for issuance, revocation and re-issuance by an authority and also allow participating service providers to authenticate the user identity directly (Law: paragraph 0016).

Claims 4 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Pelykh, and further in view of Cason et al. (US 20150135296) (Cason).
Regarding claims 4 and 11, Lee in view of Pelykh does not explicitly disclose the following limitation which is disclosed by Cason, wherein one of the tokens is a Security Assertion Markup Language (SAML) token (Cason: paragraph 0002-0003, “In some examples deployed for public access (for example, through internet entry points into networked resources) Security Assertion Markup Language (SAML) SSO is used is to authenticate a user to an Identity Provider (IdP). Upon successful authentication of the user, the IdP sends a SAML security token to a service provider (SP) in order to authenticate the user to the SP and thereby enable access to the network resource by the user via the SP”).  
Lee in view of Pelykh and Cason are analogous art because they are from the same field of endeavor, secured electronic communication. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Lee in view of Pelykh and Cason before him or her, to modify the system of Lee in view of Pelykh to include the one of the tokens is SAML token of Cason.  The suggestion/motivation for doing so would have been to gain access to different networked resources on behalf of the user via each of the different external applications (Cason: paragraph 0003).

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Lee in view of Pelykh, and further in view of Ravi et al. (US 20150254450) (Ravi).
Regarding claims 7 and 14, Lee in view of Pelykh does not explicitly disclose the following limitation which is disclosed by Ravi, wherein one of the application and the another application is a backup application (Ravi: paragraphs 0024, “These software processes and/or services may comprise routing process/services 470 and backup protection process 480 that may, for example, evaluate the disposition of SSO requests for accessing a secure source in a cloud environment, such as, for example, a federated cloud application.”).  
Lee in view of Pelykh and Ravi are analogous art because they are from the same field of endeavor, secured electronic communication. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Lee in view of Pelykh and Ravi before him or her, to modify the system of Lee in view of Pelykh to include the one of the application and the another application is a backup application of Ravi.  The suggestion/motivation for doing so would have been for controlling the disposition of single sign on (SSO) requests (Ravi: paragraph 0002).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed below:
Koeten discloses (US 20150215348) “a virtual identity and context module may generate a virtual identity for a user. Virtual identities for different categories of users may be sourced from disparate identity services”.
Prasad discloses (US 20140215595) “security token based user authentication in a multi-tenanted application”.
Carson (20150135296) “CATALOG DRIVEN ORDER MANAGEMENT FOR RULE DEFINITION” 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TRANG T DOAN/Primary Examiner, Art Unit 2431