DETAILED ACTION
This is a final Office action in response to amendments received on 7/27/2022.  Claims 1-2, 5, 8-9 and 12 were amended.  Claims 15-20 were cancelled.  New claims 21-26 were added.  Claims 1-14 and 21-26 are pending and examined.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s amendments, filed 7/27/2022, amending claims 1 and 8 to specify that the enterprise server receives the second authentication token are sufficient to overcome the objection to the aforementioned claims for ambiguity regarding whether the computing device or enterprise server was performing the claimed steps.  Accordingly, the objection to claims 1 and 8, as filed in the Non-Final Rejection, is withdrawn.
Applicant’s amendments, filed 7/27/2022, to claims 5 and 12 making the claims dependent upon claims in which “a token store” is introduced and thereby providing antecedent basis are sufficient to overcome the objection the aforementioned claims by providing proper claim dependency.  Accordingly, the objections to claims 5 and 12 are withdrawn.
Applicant’s arguments regarding the rejection of claims 1-14 and 21-26 under 103 have been considered, but are found unpersuasive because they are directed to new claim amendments which required a new ground of rejection.
The remaining arguments fail to comply with 37 C.F.R. 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  
Applicant’s remaining arguments filed 7/27/2022, with respect to the rejection of claims 1-14 and 21-26 under 35 USC § 103 have been fully considered but are moot because newly added limitations to the claims disclose “token configured to enable access to a first set of resources in an enterprise system managed by the identity provider;” require a new ground of rejection necessitated by amendments.

Election/Restrictions
Applicant’s acknowledgement of the restriction without traverse is acknowledged.  Accordingly, the restriction is made FINAL.  

Objections
Claims 1-2, 8-9 and 21-22 are objected to for the following reasons: it is unclear whether the request to refresh the first authentication token in claims 2 and 9 is a typo.  Figure 8B discloses sending a request to fresh the second authentication token and then in 8D, it is this refreshed second authentication token that is sent to the third party system in order to grant the user devices access to the resources.  In addition, claims 1, 8 and 21 disclose providing access to the second set of resources in the third- party system in response to receiving the first authentication token, so it unclear in claims 2 and 9 when access to the second set of resources in the third-party system is provided again in response to receiving the refreshed authentication token if this access is provided AFTER the steps disclosed in the parent claim, or at the same time or later at some subsequent occasion.  In summary, it is unclear how the steps in claims 2/9 relate to the steps in the parent claim (do they come before, after, same time) and it is unclear if the refreshed authentication token is meant to be the second authentication token.  Appropriate clarification/correction is required.
Claims 1, 8 and 21 are further objected to for the following reasons: it is unclear from the new amendments if the first authentication token is meant to enable access to both the first and second set of resources, or if the first authentication token is meant to enable access to the first set of resources and the second authorization token is meant to enable access to the second set of resources.  Further clarification/correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 21-26 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter because the system does not constitute any physical device and merely recites software per se.
Claim 21 recites “[a] computer-readable medium storing instructions.”  The Specification discloses that a nonvolatile storage device may be one example of a computer-readable medium, but does not explicitly limit the computer-readable medium to the non-volatile storage device.  Instead, the Specification goes on to say that “any suitable computer readable storage media may be used” (para. [0031]).  Pending claims are interpreted as broadly as their claims reasonably allow.  See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989).  The broadest reasonable interpretation of a claim drawn to a recording medium (also called computer-readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of recording medium, particularly when the specification is silent (See MPEP 2111.01).  When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.s.C. §1 01 as covering non-statutory subject matter.  See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter) and Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009; p. 2.
A claim drawn to such a recording medium that covers both transitory and non-transitory embodiments may be amended to narrow the claim to cover only statutory embodiments to avoid a rejection under 35 U.S.C. § 101 by adding the limitation "non-transitory" to the claim. Cf Animals - Patentability, 1077 Off. Gaz. Pat. Office 24 (April 21, 1987).  
Claims 22-26 stand rejected because they are dependent upon claim 21 and fail to remedy the deficiencies of the parent claim from which they depend.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.   
Claims 1-3, 7-10, 14, 21-23 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Hardt (US 2018/0316657) in view of Bodi (US 2013/0036455) and Matsugashita (US 2017/0171201).  
   Regarding claim 1, Hardt discloses the limitations of claim 1 substantially as follows:
	A method comprising: 
	receiving, by a computing device, a first authentication token from an identity provider, the first authentication token configured to enable access to a first set of resources managed by[[of]] the identity provider (paras. [0016], [0020], [0029], [0033], [0041], [0047], [0068]: receive by a computer of a service provider an initial access token and nonce from an identity provider, wherein processing of the initial access token and nonce enables access to the identity provider’s tenant-specific information (i.e. first set of resources managed by/transmitted from the identity provider));
	providing, by the computing device, a second authentication token to an enterprise server, the second authentication token configured to assert identities of users within an computing environment hosted by the enterprise server (paras. [0017], [0035], [0041]-[0042], [0053]: sending to computer of the service provider the refresh and access tokens to be used for identifying authorized users in future subsequent communications with the enterprise server and identity provider, and subsequently sending exchanging the nonce again with the identity provider); and
	providing, by the computing device, to the enterprise server in response to receipt of the second authentication token so that the enterprise server enables access to a third-party system (paras. [0029], [0033], [0035], [0066], [0068]: receiving by a computer of the enterprise system in response to receiving the fresh and access tokens (i.e. in response to receipt of the second authentication token) access to third-party services and an OAuth endpoint based on establishing a federated handshake between the enterprise server and the identity provider using the identity provider’s tenant-specific information)
Hardt does not explicitly disclose the remaining limitations of claim 1 as follows:
	token configured to enable access to a first set of resources in an enterprise system managed by [[of]] the identity provider;
	providing, by the computing device, the first authentication token to the enterprise server in response to receipt, by the enterprise server, of the second authentication token
	token enables access to a second set of resources in third-party system
However, in the same field of endeavor, Bodi discloses the remaining limitations of claim 1 as follows:
	providing, by the computing device, the first authentication token to the enterprise server in response to receipt, by the enterprise server, of the second authentication token (paras. [0080], [0083], [0088], [0091] Fig. 6: providing, by the requesting service on the user’s computer, based on having received the second access token T.sub.C, a third access request to the service provider, where the third access request received by the service provider comprises the first access token T.sub.U (i.e. first authentication token));
Bodi and Hardt are combinable because both are from the same field of endeavor of exchanging tokens using the OAuth protocol.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Bodi’s method of sending the first authentication token and second authentication token to the service provider after having received the second authentication token with the system of Hardt in order to strengthen the security of the system by enabling verification of both the first and second authentication tokens prior to granting access to the requested resources.
Neither Hardt or Bodi disclose the remaining limitations of claim 1 as follows:
	token configured to enable access to a first set of resources in an enterprise system managed by [[of]] the identity provider;
	token enables access to a second set of resources in third-party system
However, in the same set of endeavor, Matsugashita discloses the remaining limitations of claim 1 as follows:
	token configured to enable access to a first set of resources in an enterprise system managed by [[of]] the identity provider (paras. [0033], [0085], [0092]-[0094], [0131]-[0132], [0159], Figs. 6, 9: submission of token enables access to API/Services of the resource server in the LAN system (i.e. enterprise system) to which access is managed by the authorization server (i.e. identity provider));
	token enables access to a second set of resources in third-party system (paras. [0090], [0121]-[0122]: receiving token enables access to data (i.e. second set of resources) stored on the access token provider (i.e. third party system).
Matsugashi is combinable with Hardt and Bodi because they are from the same field of endeavor of sending tokens to a client in order to enable the client to access resources stored remotely.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Matsugashita’s token enabling access to a first set of resources in the enterprise system with the system of Hardt and Bodi in order to increase the security of the system by ensuring that resources of the enterprise system are only accessed when authorized by a valid token.

	Regarding claims 2 and 22, Hardt, Bodi and Matsugashita disclose the limitations of the method of claim 1 and the computer-readable medium of claim 21.
Hardt discloses the limitations of claims 2 and 22 as follows:
	further comprising: 
	initiating a refresh of the first authentication token with a federated identity service provided by a federated identity provider server to obtain a refreshed authentication token (Hardt, paras. [0029], [0041], [0068]: identity provider converts/refreshes the nonce (i.e. first authentication token)) with the federated identity service provided communications with the OAuth token endpoint to obtain a refresh token and access token); and 
	sending, to the enterprise server, the refreshed authentication token, wherein sending the refreshed authentication token to the enterprise server enables user devices managed by the enterprise server to access the set of resources (Hardt, paras. [0017], [0041]-[0042], [0053]: sending, via the interface, to the service provider the refresh and access tokens for future subsequent communications, wherein sending the refresh and access tokens enables the tenants/end users managed by the service provider to access using single-sign on resources designated for use by the entity/third party using the federation relationship).

	Regarding claims 3 and 23, Hardt, Bodi and Matsugashita disclose the limitations of the method of claim 1 and the computer-readable medium of claim 21.
Matsugashita discloses the limitations of claims 3 and 23 as follows:
	further comprising: 
storing, in a token store, the second authentication token and a reference associating the second authentication token with the first authentication token (paras. [0090]-[0092], [0127], Fig. 6, Table 8, storing in the table of tokens (i.e. token store) the second authorization token and a user ID and client ID (i.e. reference) associating the first authorization token with the second authorization token).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Matsugashita’s method of storing the second authorization token with the first authorization token with the system of Hardt and Bodi in order to save time and resources by avoiding the necessity of having to look up information about each token separately by storing information about tokens together so that they can be accessed at the same time in one query.

	Regarding claims 7 and 26, Hardt, Bodi and Matsugashita disclose the limitations of the method of claim 1 and the computer-readable medium of claim 21.
Matsugashita discloses the limitations of claims 7 and 26 as follows:
	further comprising: 
	retrieving, from a token store, the first authentication token based on a reference associating the first authentication token with the second authentication token (paras. [0090]-[0092], [0127], Fig. 6, Table 8: retrieving from the table of tokens, the second authorization token/refresh token based on a client ID, secret ID that is in common with the first authorization token for verification).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Matsugashita’s method of storing the second authorization token with the first authorization token with the system of Bodi and Hardt in order to save time and resources by avoiding the necessity of having to look up information about each token separately by storing information about tokens together so that they can be accessed at the same time in one query.

	Regarding claim 8, Hardt discloses the limitations substantially as follows:
An enterprise identity provider server device, comprising: 
	at least one processor; 
	a communication interface; 
	memory storing instructions that, when executed by the at least one processor, cause the server device to: 
	receive, via the communication interface, a first authentication token from an identity provider, the first authentication token configured to enable access to a first set of resources managed by[[of]] the identity provider (paras. [0016], [0020], [0029], [0033], [0041], [0047], [0068]: receive by a computer of a service provider an initial access token and nonce from an identity provider, wherein processing of the initial access token and nonce enables access to the identity provider’s tenant-specific information (i.e. first set of resources managed by/transmitted from the identity provider)); 
	provide, via the communication interface, a second authentication token to an enterprise server, the second authentication token configured to assert identities of users within an computing environment hosted by the enterprise server (paras. [0017], [0035], [0041]-[0042], [0053]: sending to computer of the service provider the refresh and access tokens to be used for identifying authorized users in future subsequent communications with the enterprise server and identity provider, and subsequently sending exchanging the nonce again with the identity provider); and 
	provide, via the communication interface, the first authentication token to the enterprise server in response to receipt of the second authentication token so that the enterprise server enables access to a third-party system (paras. [0029], [0033], [0035], [0066], [0068]: receiving by a computer of the enterprise system in response to receiving the fresh and access tokens (i.e. in response to receipt of the second authentication token) access to third-party services based on establishing a federated handshake between the enterprise server and the identity provider using the identity provider’s tenant-specific information (i.e. using the set of resources)).
Hardt does not explicitly disclose the remaining claim 8 limitations as follows:
	token configured to enable access to a first set of resources in an enterprise system managed by [[of]] the identity provider;
	provide the first authentication token to the enterprise server in response to receipt, by the enterprise server, of the second authentication token 
	token enables access to a second set of resources in third-party system
However, in the same field of endeavor, Bodi discloses the remaining limitations of claim 8 as follows:
	provide the first authentication token to the enterprise server in response to receipt, by the enterprise server, of the second authentication token (paras. [0080], [0083], [0088], [0091] Fig. 6: providing, by the requesting service on the user’s computer, based on having received the second access token T.sub.C, a third access request to the service provider, where the third access request received by the service provider comprises the first access token T.sub.U (i.e. first authentication token));
Bodi and Hardt are combinable because both are from the same field of endeavor of exchanging tokens using OAuth protocol.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Bodi’s method of sending the first authentication token and second authentication token to the service provider after having received the second authentication token with the system of Hardt in order to strengthen the security of the system by enabling verification of both the first and second authentication tokens prior to granting access to the requested resources.
Neither Hardt or Bodi disclose the remaining limitations of claim 8 as follows:
	token configured to enable access to a first set of resources in an enterprise system managed by [[of]] the identity provider;
	token enables access to a second set of resources in third-party system
However, in the same set of endeavor, Matsugashita discloses the remaining limitations of claim 8 as follows:
	token configured to enable access to a first set of resources in an enterprise system managed by [[of]] the identity provider (paras. [0033], [0085], [0092]-[0094], [0131]-[0132], Figs. 6, 9: submission of token enables access to API/Services of the resource server in the LAN system (i.e. enterprise system) to which access is managed by the authorization server (i.e. identity provider));
	token enables access to a second set of resources in third-party system (paras. [0090], [0121]-[0122]: receiving token enables access to data (i.e. second set of resources) stored on the access token provider (i.e. third party system).
Matsugashita is combinable with Hardt and Bodi because they are from the same field of endeavor of sending tokens to a client in order to enable the client to access resources stored remotely.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Matsugashita’s token enabling access to a first set of resources in the enterprise system with the system of Hardt and Bodi in order to increase the security of the system by ensuring that resources of the enterprise system are only accessed when authorized by a valid token.

	Regarding claim 9, Hardt, Bodi and Matsugashita disclose the limitations of claim 8.
Hardt discloses the limitations of claim 9 as follows:
	The enterprise identity provider server device of claim 8, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the server device to: 
	initiate a refresh of the first authentication token with a federated identity service provided by a federated identity provider server to obtain a refreshed authentication token (Hardt, paras. [0029], [0041], [0068]: identity provider converts/refreshes the nonce (i.e. first authentication token)) with the federated identity service provided communications with the OAuth token endpoint to obtain a refresh token and access token); and 
	send, to the enterprise server, the refreshed authentication token, wherein sending the refreshed authentication token to the enterprise server enables user devices managed by the enterprise server to access the set of resources (Hardt, paras. [0017], [0041]-[0042], [0053]: sending, via the interface, to the service provider the refresh and access tokens for future subsequent communications, wherein sending the refresh and access tokens enables the tenants/end users managed by the service provider to access using single-sign on resources designated for use by the entity/third party using the federation relationship).

	Regarding claim 10, Hardt, Bodi and Matsugashita disclose the limitations of claim 8.
Matsugashita discloses the limitations of claim 10 as follows:
	The enterprise identity provider server device of claim 8, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the server device to: 
	store, in a token store, the first authentication token and a reference associating the first authentication token with the second authentication token (paras. [0090]-[0092], [0127], Fig. 6, Table 8, storing in the table of tokens (i.e. token store) the second authorization token and a user ID and client ID (i.e. reference) associating the first authorization token with the second authorization token).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Matsugashita’s method of storing the second authorization token with the first authorization token with the system of Hardt and Bodi in order to save time and resources by avoiding the necessity of having to look up information about each token separately by storing information about tokens together so that they can be accessed at the same time in one query.

	Regarding claim 14, Hardt, Bodi and Matsugashita disclose the limitations of claim 8.
Matsugashita discloses the limitations of claim 14 as follows:
	The enterprise identity provider server device of claim 8, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the server device to: 
	retrieve, from a token store, the first authentication token based on a reference associating the first authentication token with the second authentication token (paras. [0090]-[0092], [0127], Fig. 6, Table 8: retrieving from the table of tokens, the second authorization token/refresh token based on a client ID, secret ID that is in common with the first authorization token for verification).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Matsugashita’s method of storing the second authorization token with the first authorization token with the system of Hardt and Bodi in order to save time and resources by avoiding the necessity of having to look up information about each token separately by storing information about tokens together so that they can be accessed at the same time in one query.

Regarding claim 21, Hardt discloses the limitations of claim 21 substantially as follows:
	A computer-readable medium storing instructions that, when executed, cause: 
	receiving a first authentication token from an identity provider, the first authentication token configured to enable access to a first set of resources managed by the identity provider (paras. [0016], [0020], [0029], [0033], [0041], [0047], [0068]: receive by a computer of a service provider an initial access token and nonce from an identity provider, wherein processing of the initial access token and nonce enables access to the identity provider’s tenant-specific information (i.e. first set of resources managed/transmitted from the identity provider));
	providing a second authentication token to an enterprise server, the second authentication token configured to assert identities of users within an computing environment hosted by the enterprise server (paras. [0017], [0035], [0041]-[0042], [0053]: sending to computer of the service provider the refresh and access tokens to be used for identifying authorized users in future subsequent communications with the enterprise server and identity provider, and subsequently sending exchanging the nonce again with the identity provider); and
	providing to the enterprise server in response to receipt of the second authentication token so that the enterprise server enables access to a third-party system (paras. [0029], [0033], [0035], [0066], [0068]: receiving by a computer of the enterprise system in response to receiving the fresh and access tokens (i.e. in response to receipt of the second authentication token) access to third-party services based on establishing a federated handshake between the enterprise server and the identity provider using the identity provider’s tenant-specific information (i.e. using the set of resources))
Hardt does not explicitly disclose the remaining limitations of claim 21 as follows:
	token configured to enable access to a first set of resources in an enterprise system managed by the identity provider;
	providing the first authentication token to the enterprise server in response to receipt, by the enterprise server, of the second authentication token
	token enables access to a second set of resources in third-party system
However, in the same field of endeavor, Bodi discloses the remaining limitations of claim 21 as follows:
	providing the first authentication token to the enterprise server in response to receipt of the second authentication token (paras. [0080], [0083], [0088], [0091] Fig. 6: providing, by the requesting service on the user’s computer, based on having received the second access token T.sub.C, a third access request to the service provider, where the third access request received by the service provider comprises the first access token T.sub.U (i.e. first authentication token));
Bodi and Hardt are combinable because both are from the same field of endeavor of exchanging tokens using the OAuth protocol.  It would have been obvious to one of ordinary skill in the art at the time of the invention to integrate Bodi’s method of sending the first authentication token and second authentication token to the service provider after having received the second authentication token with the system of Hardt in order to strengthen the security of the system by enabling verification of both the first and second authentication tokens prior to granting access to the requested resources.
Neither Hardt or Bodi disclose the remaining limitations of claim 21 as follows:
	token configured to enable access to a first set of resources in an enterprise system managed by the identity provider;
	token enables access to a second set of resources in third-party system	
However, in the same set of endeavor, Matsugashita discloses the remaining limitations of claim 21 as follows:
	token configured to enable access to a first set of resources in an enterprise system managed by the identity provider (paras. [0033], [0085], [0092]-[0094], [0131]-[0132], Figs. 6, 9: submission of token enables access to API/Services of the resource server in the LAN system (i.e. enterprise system) to which access is managed by the authorization server (i.e. identity provider));
	token enables access to a second set of resources in third-party system (paras. [0090], [0121]-[0122]: receiving token enables access to data (i.e. second set of resources) stored on the access token provider (i.e. third party system).
Matsugashita is combinable with Hardt and Bodi because they are from the same field of endeavor of sending tokens to a client in order to enable the client to access resources stored remotely.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Matsugashita’s token enabling access to a first set of resources in the enterprise system with the system of Hardt and Bodi in order to increase the security of the system by ensuring that resources of the enterprise system are only accessed when authorized by a valid token.

Claims 4-5, 11-12 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Hardt (US 2018/0316657) in view of Bodi (US 2013/0036455) and Matsugashita (US 2017/0171201), as applied to claims 1, 8 and 21, further in view of Kariv (US 2011/0307947).
	Regarding claims 4 and 24, Hardt, Bodi and Matsugashita disclose the limitations of the method of claim 1 and the computer-readable medium of claim 21.
Neither Hardt, Bodi or Matsugashita discloses the limitations of claims 4 and 24 as follows:
	further comprising: 
	sending a request to a federated identity provider server to regenerate the first authentication token, wherein the federated identity provider server generates a refreshed authentication token; and 
	receiving the refreshed authentication token from the federated identity provider server.
However, in the same field of endeavor, Kariv discloses the limitations of claims 4 and 24 as follows:
	further comprising: 
sending a request to a federated identity provider server to regenerate the first authentication token, wherein the federated identity provider server generates a refreshed authentication token; and receiving the refreshed authentication token from the federated identity provider server (paras. [0022], [0031], [0033], [0041], Fig. 3: access gateway/enterprise STS sends a request to the “the entity that redirected the user” (cloud STS) (i.e. federated identity provider server) to obtain/regenerate the security token (i.e. the second authentication token), wherein the cloud STS generates a new security token (i.e. refreshed authentication token), which is sent back to the access gateway and enterprise STS).
Kariv is combinable with Hardt, Bodi and Matsugashita because they are from the same field of endeavor of sending tokens to a client in order to enable the client to access resources stored remotely.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Kariv’s method of sending a request to and having the federated identity provider server regenerate the token with the system of Hardt, Bodi and Matsugashita in order to “provide[] for controlling access to resources hosted in a cloud without duplicating an enterprise’s identity management and access policy infrastructure to the cloud (Kariv, para. [0021]).  

	Regarding claim 5, Hardt, Bodi and Matsugashita disclose the limitations of claims 1 and 3.
Matsugashita discloses the limitations of claim 5 as follows:
	The method of claim 3, further comprising: 
updating a token store with the refreshed authentication token and a reference associating the refreshed authentication token with the second authentication token (paras. [0090]-[0092], [0127], Figs. 6, 9, Tables 5-6 & 8: update the table with the refresh token (i.e. refreshed authentication token) which is stored along with a user ID and client ID (i.e. reference) in common with /associating the refresh token with the first authorization token with the second authorization token).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Matsugashita’s method of storing the second authorization token with the first authorization token in order to save time and resources by avoiding the necessity of having to look up information about each token separately by storing information about tokens together so that they can be accessed at the same time in one query.
Neither Hardt, Bodi or Matsugashita discloses the remaining limitations of claim 5 as follows:
	sending a request to a federated identity provider server to regenerate the first authentication token, wherein the federated identity provider server generates a refreshed authentication token; 
However, in the same field of endeavor, Kariv discloses the limitations of claim 5 as follows:
sending a request to a federated identity provider server to regenerate the first authentication token, wherein the federated identity provider server generates a refreshed authentication token (paras. [0022], [0031], [0033], [0041], Fig. 3: access gateway/enterprise STS sends a request to the “the entity that redirected the user” (cloud STS) (i.e. federated identity provider server) to obtain/regenerate the security token (i.e. the second authentication token), wherein the cloud STS generates a new security token (i.e. refreshed authentication token)).
Kariv is combinable with Hardt, Bodi and Matsugashita because they are from the same field of endeavor of sending tokens to a client in order to enable the client to access resources stored remotely.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Kariv’s method of sending a request to and having the federated identity provider server regenerate the token with the system of Hardt, Bodi and Matsugashita in order to “provide[] for controlling access to resources hosted in a cloud without duplicating an enterprise’s identity management and access policy infrastructure to the cloud (Kariv, para. [0021]).  

	Regarding claim 11, Hardt, Bodi and Matsugashita disclose the limitations of claim 8.
Neither Hardt, Bodi and Matsugashita discloses the limitations of claim 11 as follows:
	The enterprise identity provider server device of claim 8, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the server device to: 
	send, via the communication interface, a request to a federated identity provider server to regenerate the first authentication token, wherein the federated identity provider server generates a refreshed authentication token; and 
	receive, via the communication interface, the refreshed authentication token from the federated identity provider server.
However, in the same field of endeavor, Kariv discloses the limitations of claim 11 as follows:
	The method of claim 1, further comprising: 
sending a request to a federated identity provider server to regenerate the first authentication token, wherein the federated identity provider server generates a refreshed authentication token; and receiving the refreshed authentication token from the federated identity provider server (paras. [0022], [0031], [0033], [0041], Fig. 3: access gateway/enterprise STS sends a request to the “the entity that redirected the user” (cloud STS) (i.e. federated identity provider server) to obtain/regenerate the security token (i.e. the second authentication token), wherein the cloud STS generates a new security token (i.e. refreshed authentication token), which is sent back to the access gateway and enterprise STS).
Kariv is combinable with Hardt, Bodi and Matsugashita because they are from the same field of endeavor of sending tokens to a client in order to enable the client to access resources stored remotely.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Kariv’s method of sending a request to and having the federated identity provider server regenerate the token with the system of Hardt, Bodi and Matsugashita in order to “provide[] for controlling access to resources hosted in a cloud without duplicating an enterprise’s identity management and access policy infrastructure to the cloud (Kariv, para. [0021]).  

	Regarding claim 12, Hardt, Bodi and Matsugashita disclose the limitations of claims 8 and 10.
Matsugashita discloses the limitations of claim 12 as follows:
	The enterprise identity provider server device of claim 10, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the server device to: 
	update a token store with the refreshed authentication token and a reference associating the refreshed authentication token with the second authentication token (paras. [0090]-[0092], [0127], Figs. 6, 9, Tables 5-6 & 8: update the table with the refresh token (i.e. refreshed authentication token) which is stored along with a user ID and client ID (i.e. reference) in common with /associating the refresh token with the first authorization token with the second authorization token).
It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Matsugashita’s method of storing the second authorization token with the first authorization token in order to save time and resources by avoiding the necessity of having to look up information about each token separately by storing information about tokens together so that they can be accessed at the same time in one query.
Neither Hardt, Bodi or Matsugashita discloses the remaining limitations of claim 12 as follows:
	send, via the communication interface, a request to a federated identity provider server to regenerate the first authentication token, wherein the federated identity provider server generates a refreshed authentication token; and
However, in the same field of endeavor, Kariv discloses the limitations of claim 12 as follows:
send, via the communication interface, a request to a federated identity provider server to regenerate the first authentication token, wherein the federated identity provider server generates a refreshed authentication token (paras. [0022], [0031], [0033], [0041], Fig. 3: access gateway/enterprise STS sends a request to the “the entity that redirected the user” (cloud STS) (i.e. federated identity provider server) to obtain/regenerate the security token (i.e. the second authentication token), wherein the cloud STS generates a new security token (i.e. refreshed authentication token)); and
Kariv is combinable with Hardt, Bodi and Matsugashita because they are from the same field of endeavor of sending tokens to a client in order to enable the client to access resources stored remotely.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Kariv’s method of sending a request to and having the federated identity provider server regenerate the token with the system of Hardt, Bodi and Matsugashita in order to “provide[] for controlling access to resources hosted in a cloud without duplicating an enterprise’s identity management and access policy infrastructure to the cloud (Kariv, para. [0021]).  

Claims 6, 13 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Hardt (US 2018/0316657) in view of Bodi (US 2013/0036455) and Matsugashita (US 2017/0171201), as applied to claims 1, 8 and 21, further in view of Sondhi (US 2017/0302655).
	Regarding claims 6 and 25, Hardt, Bodi and Matsugashita disclose the limitations of the method of claim 1 and the computer-readable medium of claim 21.
Neither Hardt, Bodi or Matsugashita discloses the limitations of claims 6 and 25 as follows:
further comprising: 
	redirecting a request from the enterprise server to a federated identity service provided by a federated identity provider server.
However, in the same field of endeavor, Sondhi discloses the limitations of claims 6 and 25 as follows:
	further comprising: 
	redirecting a request from the enterprise server to a federated identity service provided by a federated identity provider server (para. [0047]: redirect the request from the resource server to the authorization services provided by authorization server (i.e. federated identity provider server)).
Sondhi is combinable with Hardt, Bodi and Matsugashita because they are from the same field of endeavor of sending tokens to a client in order to enable the client to access resources stored remotely.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Sondhi’s method of redirecting a request from an OAuth/enterprise server to a federated server with the system of Hardt, Bodi and Matsugashita in order to delegate authentication and authorization analyses to the identity server and therein “free[] a resource server from the responsibilities of an OAuth authorization server.” (Sondhi, para. [0015]).  

	Regarding claim 13, Hardt, Bodi and Matsugashita disclose the limitations of claim 8.
Neither Hardt, Bodi and Matsugashita discloses the limitations of claim 13 as follows:
	The enterprise identity provider server device of claim 8, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the server device to:
	 redirect, via the communication interface, a request from the enterprise server to a federated identity service provided by a federated identity provider server.
However, in the same field of endeavor, Sondhi discloses the limitations of claim 13 as follows:
	The enterprise identity provider server device of claim 8, wherein the memory stores additional instructions that, when executed by the at least one processor, cause the server device to:
	 redirect, via the communication interface, a request from the enterprise server to a federated identity service provided by a federated identity provider server (para. [0047]: redirect the request from the resource server to the authorization services provided by authorization server (i.e. federated identity provider server))..
Sondhi is combinable with Hardt, Bodi and Matsugashita because they are from the same field of endeavor of sending tokens to a client in order to enable the client to access resources stored remotely.  It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to integrate Sondhi’s method of redirecting a request from an OAuth/enterprise server to a federated server with the system of Hardt, Bodi and Matsugashita in order to delegate authentication and authorization analyses to the identity server and therein “free[] a resource server from the responsibilities of an OAuth authorization server.” (Sondhi, para. [0015]).  

Prior Art Considered But Not Relied Upon
Prior art considered but not relied upon includes:
1) Burch (US 2017/0223009) discloses generating a late binding token in association with an OAuth token where the user identity is incorporated into the tokens and sending the tokens to enable an access to a requested resource.  

Conclusion
For the above-stated reasons, claims 1-14 and 21-26 are rejected.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARON S LYNCH whose telephone number is (571)272-4583.  The examiner can normally be reached on 10AM-6PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHARON S LYNCH/Primary Examiner, Art Unit 2438