Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a Final Office action in response to communications received March 06, 2009.  Claims 1, 3-5, 7, 11, 13, 14, 16-20 have been amended.  Therefore, claims 1-20 are pending and addressed below. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Delos Reyes et al. (US2012/0084449 A1, publish date 04/05/2012) in view of Mathai et al. (US2017/0238245 A1, publish date 08/17/2017) further in view of Grayson et al. (US2019/0215692 A1, file date 01/11/2018). (on Applicant’s IDS filed 12/09/2020)

Claim 1:
With respect to claim 1, Delos Reyes et al. discloses a method for use in facilitating an authentication of a device by an identity provider to permit guest access of the device (MME 132 may be involved in a bearer activation/deactivation process (e.g., for UE 110) and may choose a SGW for UE 110 at an initial attach and at a time of intra-LTE handover. MME 132 may authenticate UE 110 (e.g., via interaction with HSS 142), generate and allocate temporary identities to UEs (e.g., UE 110), 0023) in a Third Generation Partnership Project (3GPP) based network (EPC network 130 may include a core network architecture of the Third Generation Partnership Project (3GPP) LTE wireless communication standard, 0022) (network 100 may include a UE 110, a LTE network 120, an EPC network 130, an IP multimedia subsystem (IMS) network 140, multiple PDN(s) 150, and a DNS server 160, 0017) (Figures 1 and 3), the method comprising:
at one or more control plane functions of the 3GPP-based network (EPC network 130 may include a core network architecture of the Third Generation Partnership Project (3GPP) LTE wireless communication standard, 0022),
receiving, from the device, a message which requests access to the 3GPP-based network; obtaining, from the message, an identity associated with the device (MME 132 may receive a PDN connection request from UE 110, and may exchange, with HSS 142, authentication and/or authorization information associated with UE 110, 0024);  
deriving a realm name of a realm from information in the identity (MME 132 may construct an APN FQDN based on the authentication/authorization information, and may send, a NAPTR query (e.g., that includes the APN FQDN) to DNS server 160, MME 132 may determine a PGW FQDN with a closest match to the SGW FQDN to be a primary PGW 136, and may determine PGW(s) 136 residing within a same area as SGW 134 to be backup PGW(s) 136, 0024);
obtaining, from a response to one or more queries to a domain name system (DNS) server, an address of a server that is mapped to the realm name and provides an authentication service for the authentication (MME 132 may construct an APN FQDN based on the authentication/authorization information, and may send, a NAPTR query (e.g., that includes the APN FQDN) to DNS server 160. MME 132 may receive, from DNS server 160, FQDNs of PGWs 136 that contain the APN FQDN, and may compare the FQDNs of PGWs 136 with a FQDN of SGW 134.  MME 132 may send, to DNS server 160, queries based on the primary and backup PGW FQDNs, may receive, based on the queries and from DNS server 160, IP addresses matching the primary/backup PGW FQDNs, and may store the IP addresses in memory. If the primary PGW 136 is available, MME 132 may provide the primary PGW IP address to UE 110 so that UE 110 can connect to the primary PGW 136, 0024) (the DNS may translate domain names into numerical (e.g., binary) identifiers associated with network devices for the purpose of locating and addressing these network devices. DNS server 160 may execute special-purpose networking software, may include a public IP address, and may provide a database of network names and IP addresses for network devices (e.g., PGW(s) 136), 0030) (0040-0042, Figure 3), the server being external to the 3GPP-based network and associated with the identity provider (Figures 1 and 3); 
establishing a secure connection with the server (MME 132 may provide the primary PGW IP address to UE 110 so that UE 110 can connect to the primary PGW 136, 0024) (PGW 136 may provide connectivity of UE 110 to external PDNs (e.g., to PDNs 150) by being a traffic exit/entry point for UE 110, 0026); and 
participating in an authentication procedure over the secure connection using the authentication service of the server (home subscriber server, HSS 142 may include a master user database that supports devices of IMS network 140 that handle calls. HSS 142 may include subscription-related information (e.g., subscriber profiles), may perform authentication and authorization of a user, and may provide information about a subscriber's location and IP information, 0028), for authenticating the device based on credentials associated with the identity, for permitting the guest access of the device in the 3GPP-based network (A UE first communicates with a MME during a UE authentication and authorization process. The MME interacts with a home subscriber server (HSS) in order to authenticate and/or authorize the UE. The HSS provides the MME with UE (or subscriber) profile data that includes a static or dynamic field (e.g., a PGW allocation type field). When the field is static, the HSS provides the MME with a fully qualified domain name (FQDN) of the PGW to be used by the UE to access the PDN. However, when the field is dynamic, the MME forms the FQDN by selecting a geographically closest PGW to the UE. 0003) (During the exchange of authentication and/or authorization information, HSS 142 may provide, to MME 132, profile data 330 associated with UE 110, 0040).

Mathai et al. teaches a realm name of a realm based on information in the identity (method 1200 can include adding parameters for “[M] Destination-Realm” to track corresponding domain names for desired virtual network nodes, The format of the Destination-Realm and Host can be defined as follows: [M] Destination-Realm: mcn.mnc481.mcc311.3gppnetwork.org, allow a vMME to find vSGW information based on having the same host or realm, 0080-0088).

Delos Reyes et al. and Mathai et al. are analogous art because they are from the same field of endeavor of 3GPP networks.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Mathai et al. in Delos Reyes et al. for a realm name of a realm based on information in the identity as claimed for purposes of enhancing the 3GPP network of Delos Reyes et al. by obtaining vSGW information from subscription information of the UE from HSS, vSGW and vPGW Selection Using Subscription Info and DNS Info (see Mathai et al. 0080).  

Neither Delos Reyes et al. nor Mathai et al. discloses the identity provider which is registered in an identity federation as claimed. 

However, Grayson et al. teaches the identity provider which is registered in an identity federation (in order for identity and access services engine 110 to validate an identity provider 140, the engine may be configured to identify the identity provider by their AAA address. The AAA address will be Domain Name System (DNS) resolved and, thus, will be associated with a domain name. In addition, the identity provider may be associated with a realm name that maps the identity provider to its owner. In certain embodiments, identity and access services engine 110 may be configured to validate the identity provider by verifying the ownership of the domain name and realm name that are associated with the identity provider through the DNS. If and when the identity provider 140 is validated, identity and access services engine 110 may issue security credentials (e.g., a certificate) to the identity provider indicating its membership in the identity and access federation. In certain embodiments, the identity and access federation must include at least one identity provider before it can on-board an access provider, 0016) (Federated Identity and Access Services, Figures 1-3).

Delos Reyes et al., Mathai et al., and Grayson et al. are analogous art because they are from the same field of endeavor of service providers.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Grayson et al. in Delos Reyes et al. and Mathai et al. for the identity provider which is registered in an identity federation as claimed for purposes of enhancing the 3GPP network of Delos Reyes et al., in that the federation may allow for flexibility regarding the terms and conditions that each access provider and identity provider adheres to and/or enforces, and the federation may serve as a trust anchor (see Grayson et al. 0011).

Claims 2, 15:
With respect to claims 2, 15, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claims 1 and 14, as addressed. 

Delos Reyes et al. discloses further comprising: at the one or more control plane functions of the 3GPP-based network (EPC network 130 may include a core network architecture of the Third Generation Partnership Project (3GPP) LTE wireless communication standard, 0022).

Grayson et al. teaches performing a mutual authentication procedure with the server based on digital certificates that are distributed via the identity federation, wherein establishing the secure connection with the server is based on a result of performing the mutual authentication procedure (if an access provider 120 elects to join the identity and access federation and is validated by identity and access services engine 110, it becomes a member of the federation and is trusted by identity providers 140 that are also members of the federation, identity and access services engine 110 may distribute certificates to the access provider or identity provider indicating that it is a trusted member of the identity and access federation, access providers 120 and identity providers 140 that are trusted by identity and access services engine 110, as evidenced by the certificates they have been issued by identity and access services engine 110, may automatically establish a trust relationship with each other based on their trust relationships with identity and access services engine 110, 0012).

Delos Reyes et al., Mathai et al., and Grayson et al. are analogous art because they are from the same field of endeavor of service providers.

The motivation for combining Delos Reyes et al., Mathai et al., and Grayson et al. is recited in claims 1 and 14.


Claim 3:
With respect to claim 3, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claim 1, as addressed. 

Mathai et al. teaches wherein the message which requests access to the 3GPP-based network comprises an Initial UE message for registration (MME 132 may receive a PDN connection request from UE 110, and may exchange, with HSS 142, authentication and/or authorization information associated with UE 110, 0024),
the identity associated with the device comprises an International Mobile Subscriber Identity (IMSI) (identities and PLMN-IDs for use in the present node selection, IMSI, 0117-0119) (an International Mobile Subscriber Identity (IMSI) Attach for Low Priority User Equipment (UE), 0131), and 
the identity associated with the device is not recognizable by the 3GPP-based network (Node selection generally was defined by the 3rd Generation Partnership Project (3GPP), node selection mechanisms may select a node in a given neighborhood. There is no differentiation between users that belong to a certain community, enterprise, company, or between any other desired grouping of devices. As a result, traditional node selection mechanisms can be difficult to steer devices to desired nodes. 0032-0034).
Delos Reyes et al., Mathai et al., and Grayson et al. are analogous art because they are from the same field of endeavor of service providers.

The motivation for combining Delos Reyes et al., Mathai et al., and Grayson et al. is recited in claim 1.

Claims 4, 17:
With respect to claims 4, 17, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claims 1 and 16, as addressed. 

Delos Reyes et al. discloses further comprising: at the one or more control plane functions of the 3GPP-based network (EPC network 130 may include a core network architecture of the Third Generation Partnership Project (3GPP) LTE wireless communication standard, 0022).

Mathai et al. teaches permitting or denying the guest access of the device in the 3GPP-based network based on a result of the authentication procedure (AAA server 130 can provide authentication, access control, and accounting to the network, the access control can involve granting or denying access to specific services, 0022).

Delos Reyes et al. and Mathai et al. are analogous art because they are from the same field of endeavor of 3GPP networks.

The motivation for combining Delos Reyes et al. and Mathai et al. is recited in claims 1 and 16.

Claims 5, 17:
With respect to claims 5, 17, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claims 1 and 16, as addressed. 

Delos Reyes et al. discloses further comprising: at the one or more control plane functions of the 3GPP-based network (EPC network 130 may include a core network architecture of the Third Generation Partnership Project (3GPP) LTE wireless communication standard, 0022), applying one or more policies for the guest access or communication of the device in the 3GPP-based network based on the identity or permanent identity or other attributes received from the identity provider in the authentication procedure (PGW 136 may perform policy enforcement, 0026).

Mathai et al. teaches applying one or more policies for the guest access or communications of the device in the 3GPP-based network based on the identity or permanent identity or other attributes received from the identity provider in the authentication procedure (The PGW performs policy enforcement, The PGW also provides an anchor for mobility between 3GPP and non-3GPP technologies, 0025).

Delos Reyes et al. and Mathai et al. are analogous art because they are from the same field of endeavor of 3GPP networks.

The motivation for combining Delos Reyes et al. and Mathai et al. is recited in claims 1 and 16.

Claims 6, 20:
With respect to claims 6, 20, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claims 1 and 16, as addressed. 

Delos Reyes et al. discloses wherein the address of the server is obtained based on the one or more queries to the DNS server by: sending to the DNS server a request for a record lookup based on the realm name, and receiving from the DNS server a response including one or more records indicating one or more host servers respectively associated with one or more authentication services (MME 132 may construct an APN FQDN based on the authentication/authorization information, and may send, a NAPTR query (e.g., that includes the APN FQDN) to DNS server 160. MME 132 may receive, from DNS server 160, FQDNs of PGWs 136 that contain the APN FQDN, and may compare the FQDNs of PGWs 136 with a FQDN of SGW 134.  MME 132 may send, to DNS server 160, queries based on the primary and backup PGW FQDNs, may receive, based on the queries and from DNS server 160, IP addresses matching the primary/backup PGW FQDNs, and may store the IP addresses in memory. If the primary PGW 136 is available, MME 132 may provide the primary PGW IP address to UE 110 so that UE 110 can connect to the primary PGW 136, 0024) (the DNS may translate domain names into numerical (e.g., binary) identifiers associated with network devices for the purpose of locating and addressing these network devices. DNS server 160 may execute special-purpose networking software, may include a public IP address, and may provide a database of network names and IP addresses for network devices (e.g., PGW(s) 136), 0030) (0040-0042, Figure 3). 

Mathai et al. teaches a realm name of a realm based on information in the identity (method 1200 can include adding parameters for “[M] Destination-Realm” to track corresponding domain names for desired virtual network nodes, The format of the Destination-Realm and Host can be defined as follows: [M] Destination-Realm: mcn.mnc481.mcc311.3gppnetwork.org, allow a vMME to find vSGW information based on having the same host or realm, 0080-0088).

Delos Reyes et al. and Mathai et al. are analogous art because they are from the same field of endeavor of 3GPP networks.

The motivation for combining Delos Reyes et al. and Mathai et al. is recited in claims 1 and 16.

Claims 7, 20:
With respect to claims 7, 20, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claims 1 and 16, as addressed. 

Delos Reyes et al. discloses wherein the address of the server is obtained based on the one or more queries to the DNS server further by: 
selecting one of the one or more authentication services as a selected authentication service according to a requirement or a preference (MME 132 may construct an APN FQDN based on the authentication/authorization information, and may send, a NAPTR query (e.g., that includes the APN FQDN) to DNS server 160. MME 132 may receive, from DNS server 160, FQDNs of PGWs 136 that contain the APN FQDN, and may compare the FQDNs of PGWs 136 with a FQDN of SGW 134.  MME 132 may send, to DNS server 160, queries based on the primary and backup PGW FQDNs, may receive, based on the queries and from DNS server 160, IP addresses matching the primary/backup PGW FQDNs, and may store the IP addresses in memory. If the primary PGW 136 is available, MME 132 may provide the primary PGW IP address to UE 110 so that UE 110 can connect to the primary PGW 136, 0024) (the DNS may translate domain names into numerical (e.g., binary) identifiers associated with network devices for the purpose of locating and addressing these network devices. DNS server 160 may execute special-purpose networking software, may include a public IP address, and may provide a database of network names and IP addresses for network devices (e.g., PGW(s) 136), 0030) (0040-0042, Figure 3), and 
sending to the DNS server a request for a service record lookup based on a selected one of the one or more records corresponding to the selected authentication service, and receiving from the DNS server a response including one or more service records (NAPTR query 340 may be a query that includes one or more resource records used in DNS server 160, DNS server 160 may respond to NAPTR query 340 with FQDNs 350 of all PGWs 136 that include the APN FQDN, 0041) (Figure 3, 350, 360).

Claims 8, 20:
With respect to claims 8, 20, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claims 1 and 16, as addressed. 

Delos Reyes et al. discloses wherein the address of the server is obtained based on the one or more queries to the DNS server by: sending to the DNS server a request for an address record lookup based on a selected one of the one or more service records, and receiving from the DNS server a response including the address of the server (to generate primary/backup PGW FQDN queries 360 that request IP addresses, DNS server 160 may respond to queries 360 with IP addresses 370, 0044) (Figure 3, 370).

Claims 9, 20:
With respect to claims 9, 20, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claims 1 and 16, as addressed. 

Delos Reyes et al. discloses wherein the one or more records comprise one or more Name Authority Pointer (NAPTR) records (may provide NAPTR query 340 to DNS server 160. NAPTR query 340 may be a query that includes one or more resource records used in DNS server 160, 0041) and the one or more service records comprises one or more service (SRV) records (NAPTR query 340 may be a query that includes one or more resource records used in DNS server 160, DNS server 160 may respond to NAPTR query 340 with FQDNs 350 of all PGWs 136 that include the APN FQDN, 0041) (Figure 3, 350, 360).

Mathai et al. teaches wherein the one or more records comprise one or more Name Authority Pointer (NAPTR) records (The network records may include Name Authority Pointer (NAPTR) records, 0080).

Delos Reyes et al. and Mathai et al. are analogous art because they are from the same field of endeavor of 3GPP networks.

The motivation for combining Delos Reyes et al. and Mathai et al. is recited in claims 1 and 16.

Claim 10:
With respect to claim 10, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claim 1, as addressed. 

Grayson et al. teaches wherein the authentication service comprises one of a Remote Authentication Dial-In User Service (RADIUS), a Diameter service, a Representational State Transfer (REST) Application Programming Interface (API) authentication service, or an open standard protocol for authorization service or OAuth (may exchange messages in accordance with the Remote Authentication Dial-In User Service (RADIUS) networking protocol, 0018).

Delos Reyes et al., Mathai et al., and Grayson et al. are analogous art because they are from the same field of endeavor of service providers.

The motivation for combining Delos Reyes et al., Mathai et al., and Grayson et al. is recited in claim 1.

Claim 11:
With respect to claim 11, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claim 1, as addressed. 

Mathai et al. teaches wherein the 3GPP-based network comprises an enterprise private 3GPP network (Node selection generally was defined by the 3rd Generation Partnership Project (3GPP), 0032) (enterprise, 0034) and the one or more control plane functions of the 3GPP-based network (The format of the Destination-Realm and Host can be defined as follows: [M] Destination-Realm: mcn.mnc481.mcc311.3gppnetwork.org, allow a vMME to find vSGW information based on having the same host or realm, 0080-0088) comprise one or more control plane functions of the enterprise private 3GPP network (Virtual private network (VPN) subsystem, 0245).

Delos Reyes et al. and Mathai et al. are analogous art because they are from the same field of endeavor of 3GPP networks.

The motivation for combining Delos Reyes et al. and Mathai et al. is recited in claim 1.

Claims 12, 18:
With respect to claims 12, 18, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claims 1 and 16, as addressed. 

Delos Reyes et al. discloses wherein participating in the authentication procedure comprises: participating in the authentication procedure for authenticating the device based on the credentials that are associated with a subscriber identity module (SIM) (A UE first communicates with a MME during a UE authentication and authorization process. The MME interacts with a home subscriber server (HSS) in order to authenticate and/or authorize the UE. The HSS provides the MME with UE (or subscriber) profile data that includes a static or dynamic field (e.g., a PGW allocation type field). When the field is static, the HSS provides the MME with a fully qualified domain name (FQDN) of the PGW to be used by the UE to access the PDN. However, when the field is dynamic, the MME forms the FQDN by selecting a geographically closest PGW to the UE. 0003) (a network interface card (NIC), 0025) for the device for 3GPP access to a public 3GPP network (DNS server 160 may execute special-purpose networking software, may include a public IP address, and may provide a database of network names and IP addresses for network devices (e.g., PGW(s) 136), 0030).

Claims 13, 19:
With respect to claims 13, 19, the combination of Delos Reyes et al., Mathai et al., and Grayson et al. discloses the limitations of claims 1, 16, as addressed. 

Mathai et al. teaches wherein the message which requests access to the 3GPP-based network comprises an Initial UE message for registration (MME 132 may receive a PDN connection request from UE 110, and may exchange, with HSS 142, authentication and/or authorization information associated with UE 110, 0024),
the identity associated with the device has a format of <IMSI> @ <realm>, where the IMSI is an International Mobile Subscriber Identity associated with a subscription of the device in a home 3GPP-based network (identities and PLMN-IDs for use in the present node selection, IMSI, 0117-0119) (an International Mobile Subscriber Identity (IMSI) Attach for Low Priority User Equipment (UE), 0131), and 
the information from which the realm name is derived comprises the realm in the identity or the IMSI in the identity (method 1200 can include adding parameters for “[M] Destination-Realm” to track corresponding domain names for desired virtual network nodes, The format of the Destination-Realm and Host can be defined as follows: [M] Destination-Realm: mcn.mnc481.mcc311.3gppnetwork.org, allow a vMME to find vSGW information based on having the same host or realm, 0080-0088).

Claim 14:
With respect to claim 14, Delos Reyes et al. discloses a computer program product (type of magnetic or optical recording medium, 0034) (A computer-readable medium may be defined as a physical or logical memory device, 0037) comprising: 
a non-transitory computer readable medium; instructions stored in the non-transitory computer readable medium; the instructions being executable by one or more processors (device 200 may perform certain operations in response to processing unit 220 executing software instructions contained in a computer-readable medium, 0037) for facilitating an authentication of a device by an identity provider to permit guest access of the device (MME 132 may be involved in a bearer activation/deactivation process (e.g., for UE 110) and may choose a SGW for UE 110 at an initial attach and at a time of intra-LTE handover. MME 132 may authenticate UE 110 (e.g., via interaction with HSS 142), generate and allocate temporary identities to UEs (e.g., UE 110), 0023) in a Third Generation Partnership Project (3GPP) based network (EPC network 130 may include a core network architecture of the Third Generation Partnership Project (3GPP) LTE wireless communication standard, 0022) (network 100 may include a UE 110, a LTE network 120, an EPC network 130, an IP multimedia subsystem (IMS) network 140, multiple PDN(s) 150, and a DNS server 160, 0017) (Figures 1 and 3), by:
receiving, from the device, a message which requests access to the 3GPP-based network; obtaining, from the message, an identity associated with the device (MME 132 may receive a PDN connection request from UE 110, and may exchange, with HSS 142, authentication and/or authorization information associated with UE 110, 0024);  
deriving a realm name of a realm from information in the identity (MME 132 may construct an APN FQDN based on the authentication/authorization information, and may send, a NAPTR query (e.g., that includes the APN FQDN) to DNS server 160, MME 132 may determine a PGW FQDN with a closest match to the SGW FQDN to be a primary PGW 136, and may determine PGW(s) 136 residing within a same area as SGW 134 to be backup PGW(s) 136, 0024);
obtaining, from a response to one or more queries to a domain name system (DNS) server, an address of a server that is mapped to the realm name and provides an authentication service for the authentication (MME 132 may construct an APN FQDN based on the authentication/authorization information, and may send, a NAPTR query (e.g., that includes the APN FQDN) to DNS server 160. MME 132 may receive, from DNS server 160, FQDNs of PGWs 136 that contain the APN FQDN, and may compare the FQDNs of PGWs 136 with a FQDN of SGW 134.  MME 132 may send, to DNS server 160, queries based on the primary and backup PGW FQDNs, may receive, based on the queries and from DNS server 160, IP addresses matching the primary/backup PGW FQDNs, and may store the IP addresses in memory. If the primary PGW 136 is available, MME 132 may provide the primary PGW IP address to UE 110 so that UE 110 can connect to the primary PGW 136, 0024) (the DNS may translate domain names into numerical (e.g., binary) identifiers associated with network devices for the purpose of locating and addressing these network devices. DNS server 160 may execute special-purpose networking software, may include a public IP address, and may provide a database of network names and IP addresses for network devices (e.g., PGW(s) 136), 0030) (0040-0042, Figure 3), the server being external to the 3GPP-based network and associated with the identity provider (Figures 1 and 3); 
establishing a secure connection with the server (MME 132 may provide the primary PGW IP address to UE 110 so that UE 110 can connect to the primary PGW 136, 0024) (PGW 136 may provide connectivity of UE 110 to external PDNs (e.g., to PDNs 150) by being a traffic exit/entry point for UE 110, 0026); and 
participating in an authentication procedure over the secure connection using the authentication service of the server (home subscriber server, HSS 142 may include a master user database that supports devices of IMS network 140 that handle calls. HSS 142 may include subscription-related information (e.g., subscriber profiles), may perform authentication and authorization of a user, and may provide information about a subscriber's location and IP information, 0028), for authenticating the device based on credentials associated with the identity; and permitting or denying the guest access of the device in the 3GPP-based network (A UE first communicates with a MME during a UE authentication and authorization process. The MME interacts with a home subscriber server (HSS) in order to authenticate and/or authorize the UE. The HSS provides the MME with UE (or subscriber) profile data that includes a static or dynamic field (e.g., a PGW allocation type field). When the field is static, the HSS provides the MME with a fully qualified domain name (FQDN) of the PGW to be used by the UE to access the PDN. However, when the field is dynamic, the MME forms the FQDN by selecting a geographically closest PGW to the UE. 0003) (During the exchange of authentication and/or authorization information, HSS 142 may provide, to MME 132, profile data 330 associated with UE 110, 0040).

Mathai et al. teaches a realm name of a realm based on information in the identity (method 1200 can include adding parameters for “[M] Destination-Realm” to track corresponding domain names for desired virtual network nodes, The format of the Destination-Realm and Host can be defined as follows: [M] Destination-Realm: mcn.mnc481.mcc311.3gppnetwork.org, allow a vMME to find vSGW information based on having the same host or realm, 0080-0088); 
permitting or denying device access to the 3GPP-based network based on a result of the authentication procedure (AAA server 130 can provide authentication, access control, and accounting to the network, the access control can involve granting or denying access to specific services, 0022).

Delos Reyes et al. and Mathai et al. are analogous art because they are from the same field of endeavor of 3GPP networks.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Mathai et al. in Delos Reyes et al. for a realm name of a realm based on information in the identity; permitting or denying device access to the 3GPP-based network based on a result of the authentication procedure as claimed for purposes of enhancing the 3GPP network of Delos Reyes et al. by obtaining vSGW information from subscription information of the UE from HSS, vSGW and vPGW Selection Using Subscription Info and DNS Info (see Mathai et al. 0080).  

Neither Delos Reyes et al. nor Mathai et al. discloses the identity provider which is registered in an identity federation as claimed. 

However, Grayson et al. teaches the identity provider which is registered in an identity federation (in order for identity and access services engine 110 to validate an identity provider 140, the engine may be configured to identify the identity provider by their AAA address. The AAA address will be Domain Name System (DNS) resolved and, thus, will be associated with a domain name. In addition, the identity provider may be associated with a realm name that maps the identity provider to its owner. In certain embodiments, identity and access services engine 110 may be configured to validate the identity provider by verifying the ownership of the domain name and realm name that are associated with the identity provider through the DNS. If and when the identity provider 140 is validated, identity and access services engine 110 may issue security credentials (e.g., a certificate) to the identity provider indicating its membership in the identity and access federation. In certain embodiments, the identity and access federation must include at least one identity provider before it can on-board an access provider, 0016) (Federated Identity and Access Services, Figures 1-3).

Delos Reyes et al., Mathai et al., and Grayson et al. are analogous art because they are from the same field of endeavor of service providers.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Grayson et al. in Delos Reyes et al. and Mathai et al. for the identity provider which is registered in an identity federation as claimed for purposes of enhancing the 3GPP network of Delos Reyes et al. by the federation may allow for flexibility regarding the terms and conditions that each access provider and identity provider adheres to and/or enforce, the federation may serve as a trust anchor (see Grayson et al. 0011).

Claim 16:
With respect to claim 16, Delos Reyes et al. discloses a Third Generation Partnership Project 3GPP-based network (EPC network 130 may include a core network architecture of the Third Generation Partnership Project (3GPP) LTE wireless communication standard, 0022) comprising: 
one or more 3GPP base stations for communication with a device (EPC network 130 may include a core network architecture of the Third Generation Partnership Project (3GPP) LTE wireless communication standard, 0022); and 
a control plane function for mobility management and/or proxy (EPC network 130 may include a core network architecture of the Third Generation Partnership Project (3GPP) LTE wireless communication standard, 0022) thereof which is operative to facilitating an authentication of a device by an identity provider to permit guest access of the device (MME 132 may be involved in a bearer activation/deactivation process (e.g., for UE 110) and may choose a SGW for UE 110 at an initial attach and at a time of intra-LTE handover. MME 132 may authenticate UE 110 (e.g., via interaction with HSS 142, generate and allocate temporary identities to UEs (e.g., UE 110), 0023) in a Third Generation Partnership Project (3GPP) based network (EPC network 130 may include a core network architecture of the Third Generation Partnership Project (3GPP) LTE wireless communication standard, 0022) (network 100 may include a UE 110, a LTE network 120, an EPC network 130, an IP multimedia subsystem (IMS) network 140, multiple PDN(s) 150, and a DNS server 160, 0017) (Figures 1 and 3), by being configured to:
receiving, from the device, a message which requests access to the 3GPP-based network; obtaining, from the message, an identity associated with the device (MME 132 may receive a PDN connection request from UE 110, and may exchange, with HSS 142, authentication and/or authorization information associated with UE 110, 0024);  
deriving a realm name of a realm from information in the identity (MME 132 may construct an APN FQDN based on the authentication/authorization information, and may send, a NAPTR query (e.g., that includes the APN FQDN) to DNS server 160, MME 132 may determine a PGW FQDN with a closest match to the SGW FQDN to be a primary PGW 136, and may determine PGW(s) 136 residing within a same area as SGW 134 to be backup PGW(s) 136, 0024);
obtaining, from a response to one or more queries to a domain name system (DNS) server, an address of a server that is mapped to the realm name and provides an authentication service for the authentication (MME 132 may construct an APN FQDN based on the authentication/authorization information, and may send, a NAPTR query (e.g., that includes the APN FQDN) to DNS server 160. MME 132 may receive, from DNS server 160, FQDNs of PGWs 136 that contain the APN FQDN, and may compare the FQDNs of PGWs 136 with a FQDN of SGW 134.  MME 132 may send, to DNS server 160, queries based on the primary and backup PGW FQDNs, may receive, based on the queries and from DNS server 160, IP addresses matching the primary/backup PGW FQDNs, and may store the IP addresses in memory. If the primary PGW 136 is available, MME 132 may provide the primary PGW IP address to UE 110 so that UE 110 can connect to the primary PGW 136, 0024) (the DNS may translate domain names into numerical (e.g., binary) identifiers associated with network devices for the purpose of locating and addressing these network devices. DNS server 160 may execute special-purpose networking software, may include a public IP address, and may provide a database of network names and IP addresses for network devices (e.g., PGW(s) 136), 0030) (0040-0042, Figure 3), the server being external to the 3GPP-based network and associated with the identity provider (Figures 1 and 3); 
establish a secure connection with the server (MME 132 may provide the primary PGW IP address to UE 110 so that UE 110 can connect to the primary PGW 136, 0024) (PGW 136 may provide connectivity of UE 110 to external PDNs (e.g., to PDNs 150) by being a traffic exit/entry point for UE 110, 0026); and 
participate in an authentication procedure over the secure connection using the authentication service of the server (home subscriber server, HSS 142 may include a master user database that supports devices of IMS network 140 that handle calls. HSS 142 may include subscription-related information (e.g., subscriber profiles), (may perform authentication and authorization of a user, and may provide information about a subscriber's location and IP information, 0028), for authenticating the device based on credentials associated with the identity, for permitting the guest access of the device in the 3GPP-based network (A UE first communicates with a MME during a UE authentication and authorization process. the MME interacts with a home subscriber server (HSS) in order to authenticate and/or authorize the UE. The HSS provides the MME with UE (or subscriber) profile data that includes a static or dynamic field (e.g., a PGW allocation type field). When the field is static, the HSS provides the MME with a fully qualified domain name (FQDN) of the PGW to be used by the UE to access the PDN. However, when the field is dynamic, the MME forms the FQDN by selecting a geographically closest PGW to the UE. 0003) (During the exchange of authentication and/or authorization information, HSS 142 may provide, to MME 132, profile data 330 associated with UE 110, 0040).

Mathai et al. teaches the one or more control plane functions of the 3GPP-based network (The format of the Destination-Realm and Host can be defined as follows: [M] Destination-Realm: mcn.mnc481.mcc311.3gppnetwork.org, allow a vMME to find vSGW information based on having the same host or realm, 0080-0088) private 3GPP network (Virtual private network (VPN) subsystem, 0245); a realm name of a realm based on information in the identity (method 1200 can include adding parameters for “[M] Destination-Realm” to track corresponding domain names for desired virtual network nodes, The format of the Destination-Realm and Host can be defined as follows: [M] Destination-Realm: mcn.mnc481.mcc311.3gppnetwork.org, allow a vMME to find vSGW information based on having the same host or realm, 0080-0088).

Delos Reyes et al. and Mathai et al. are analogous art because they are from the same field of endeavor of 3GPP networks.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Mathai et al. in Delos Reyes et al. for the one or more control plane functions of the 3GPP-based network, private 3GPP network; a realm name of a realm based on information in the identity as claimed for purposes of enhancing the 3GPP network of Delos Reyes et al. by obtaining vSGW information from subscription information of the UE from HSS, vSGW and vPGW Selection Using Subscription Info and DNS Info (see Mathai et al. 0080).  

Neither Delos Reyes et al. nor Mathai et al. discloses the identity provider which is registered in an identity federation as claimed. 

However, Grayson et al. teaches the identity provider which is registered in an identity federation (in order for identity and access services engine 110 to validate an identity provider 140, the engine may be configured to identify the identity provider by their AAA address. The AAA address will be Domain Name System (DNS) resolved and, thus, will be associated with a domain name. In addition, the identity provider may be associated with a realm name that maps the identity provider to its owner. In certain embodiments, identity and access services engine 110 may be configured to validate the identity provider by verifying the ownership of the domain name and realm name that are associated with the identity provider through the DNS. If and when the identity provider 140 is validated, identity and access services engine 110 may issue security credentials (e.g., a certificate) to the identity provider indicating its membership in the identity and access federation. In certain embodiments, the identity and access federation must include at least one identity provider before it can on-board an access provider, 0016) (Federated Identity and Access Services, Figures 1-3).

Delos Reyes et al., Mathai et al., and Grayson et al. are analogous art because they are from the same field of endeavor of service providers.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Grayson et al. in Delos Reyes et al. and Mathai et al. for the identity provider which is registered in an identity federation as claimed for purposes of enhancing the 3GPP network of Delos Reyes et al. by the federation may allow for flexibility regarding the terms and conditions that each access provider and identity provider adheres to and/or enforce, the federation may serve as a trust anchor (see Grayson et al. 0011).

Response to Remarks/Arguments
Applicant's arguments filed on July 08, 2022 have been fully considered but they are not persuasive.  In the remarks, Applicant argues that:

Claims 1, 14, and 16:
(1) Delos Reyes fails to teach, suggest, or render obvious the claimed processing which involves “facilitating an authentication of a device” for “permitting ... guest access of the device in the 3GPP-based network,” as claimed in the combination.

(2) Delos Reyes fails to teach, suggest, or render obvious the claimed processing which involves “deriving a realm name of a realm from information in the identity” which is obtained “from the message” which is received “from the device” as claimed in the combination. In contrast, Delos Reyes constructs an APN FQDN based on authentication/authorization information of the UE which is received from the HSS. As is apparent, the identity of the UE of Delos Reyes is indeed recognized by the network and therefore the UE is not obtaining guest access in such network.

(3) The Examiner may attempt to rely on Grayson as to onboarding of devices in enterprise environments (e.g., wireless networks), the combination of the references would fail since there is no teaching, suggestion, or motivation to combine the various alleged teachings to provide guest access to 3GPP-based networks as claimed; no teaching of any need or problem in providing guest access to 3GPP-based networks has even been properly advanced.

In response to remark/arguments (1)-(3), Examiner respectfully disagrees.  
Delos Reyes et al. discloses “MME 132 may be involved in a bearer activation/deactivation process (e.g., for UE 110) and may choose a SGW for UE 110 at an initial attach and at a time of intra-LTE handover. MME 132 may authenticate UE 110 (e.g., via interaction with HSS 142… and MME 132 may generate and allocate temporary identities to UEs (e.g., UE 110)” (0023).  Examiner holds that Delos Reyes et al. discloses “guest access of the device in the 3GPP-based network,” as claimed.
Delos Reyes et al. also discloses “deriving a realm name of a realm from information in the identity” (MME 132 may construct an APN FQDN based on the authentication/authorization information, and may send, a NAPTR query (e.g., that includes the APN FQDN) to DNS server 160, MME 132 may determine a PGW FQDN with a closest match to the SGW FQDN to be a primary PGW 136, and may determine PGW(s) 136 residing within a same area as SGW 134 to be backup PGW(s) 136, 0024).  Mathai et al. teaches a realm name of a realm based on information in the identity (method 1200 can include adding parameters for “[M] Destination-Realm” to track corresponding domain names for desired virtual network nodes, The format of the Destination-Realm and Host can be defined as follows: [M] Destination-Realm: mcn.mnc481.mcc311.3gppnetwork.org, allow a vMME to find vSGW information based on having the same host or realm, 0080-0088).  Therefore, Examiner maintains that combination of Delos Reyes et al. and Mathai et al. and Grayson et al. does teach and suggest this limitation. 


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433