DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The claims 1-20 are presented for examination.

Information Disclosure Statement
Documents listed in the IDS submitted on 12/21/2021 and 7/19/2022 were considered.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 7, 9, 15 and 17 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-2, 6, 9-10, 14, 17-18 and 20 of copending Application No. 17485273.  Although the claims at issue are not identical, they are not patentably distinct from each other because: claims 1-2, 6, 9-10, 14, 17-18 and 20 of U.S. Application No. 17485273 contain(s) every element of claim 1, 7, 9, 15 and 17 of the instant application and thus anticipate the claim(s) of the instant application. Claims of the instant application therefore are not patently distinct from the earlier patent claims and as such are unpatentable over obvious-type double patenting. A later patent/application claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). “ ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
“Claim 12 and Claim 13 are generic to the species of invention covered by claim 3 of the patent. Thus, the generic invention is "anticipated" by the species of the patented invention. Cf., Titanium Metals Corp. v. Banner, 778 F.2d 775, 227 USPQ 773 (Fed. Cir. 1985) (holding that an earlier species disclosure in the prior art defeats any generic claim) 4.  This court's predecessor has held that, without a terminal disclaimer, the species claims preclude issuance of the generic application. In re Van Ornum, 686 F.2d 937, 944, 214 USPQ 761, 767 (CCPA 1982).  Accordingly, absent a terminal disclaimer, claims 12 and 13 were properly rejected under the doctrine of obviousness-type double patenting.” (In re Goodman (CA FC) 29 USPQ2d 2010 (12/3/1993).  
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 3-5, 7-9, 11-13, 15-17 and 19-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Abdul et al. (U.S. Publication No. 2020/0358755 A1).
With respect to claim 1, Abdul discloses a method, comprising: by a device including an input component and logged into an account, wherein the account is associated with an account alias (i.e., Embodiments provide session synchronization across multiple devices. Embodiments determine that a first device is in geographic proximity to a second device and receive, at a single sign-in (“SSO”) service, user credentials from a user in response to the user signing into the first device [an input component and logged into an account, wherein the account is associated with an account alias]. In response to receiving the user credentials [wherein the account is associated with an account alias], embodiments create a primary SSO session by the SSO service. In response to an attempt by the second device to create another SSO session, subsequent to the creating of the primary SSO session, embodiments create an alias SSO session linked to the primary SSO and set an encrypted session cookie containing the alias SSO session and returning an authorization code including the alias SSO session to the second device, where the second device returns the authorization code with a second token that is signed using a second private key of the second device. Embodiments verify the second token using a second public key of the second device and send user information of the user to the second device, where the second device uses the user information to automatically sign the user into the second device, ¶ 4). 
Abdul also discloses obtaining, based on an input detected by the input component, a definition of a set of services (i.e., One embodiment is a system that implements a number of microservices in a stateless middle tier environment to provide cloud-based multi-tenant identity and access management services. In one embodiment, each requested identity management service is broken into real-time and near-real-time tasks [obtaining, based on an input detected by the input component]. The real-time tasks are handled by a microservice in the middle tier, while the near-real-time tasks are offloaded to a message queue. Embodiments implement access tokens that are consumed by a routing tier and a middle tier to enforce a security model for accessing the microservices [a definition of a set of services], ¶ 18.  A service is a software functionality or a set of software functionalities (such as the retrieval of specified information or the execution of a set of operations) that can be reused by different clients for different purposes, together with the policies that control its usage (e.g., based on the identity of the client requesting the service). In one embodiment, a service is a mechanism to enable access to one or more capabilities, where the access is provided using a prescribed interface and is exercised consistent with constraints and policies as specified by the service description, ¶ 26). 
Abdul further discloses providing a request for a service-specific alias for the account, the request including one or more identifiers corresponding to the set of services (i.e., Embodiments provide session synchronization across multiple devices. Embodiments determine that a first device is in geographic proximity to a second device and receive, at a single sign-in (“SSO”) service, user credentials from a user in response to the user signing into the first device [account alias]. In response to receiving the user credentials, embodiments create a primary SSO session by the SSO service. In response to an attempt by the second device to create another SSO session, subsequent to the creating of the primary SSO session, embodiments create an alias SSO session [providing a request for a service-specific alias for the account] linked to the primary SSO and set an encrypted session cookie containing the alias SSO session and returning an authorization code [the request including one or more identifiers corresponding to the set of services] including the alias SSO session to the second device, where the second device returns the authorization code with a second token that is signed using a second private key of the second device. Embodiments verify the second token using a second public key of the second device and send user information of the user to the second device, where the second device uses the user information to automatically sign the user into the second device, ¶ 4.  Since the user has already signed in from device A, IDCS SSO finds the existing user session, and creates an alias user session linked to the primary/existing user session (e.g., parent/child user sessions). The alias user session is stored in IDCS session data store with the user session status as “In Process”. IDCS creates and sets an encrypted session cookie with the session ID of the alias user session in device B's browser component and returns the OAuth authorization code. The IDCS generated authorization code also has an association to this alias user session [the request including one or more identifiers corresponding to the set of services], ¶ 212).
Abdul also discloses wherein the service-specific alias is separate from the account alias and configured to allow or deny communications to one or more devices associated with the account via the set of services (i.e., Embodiments provide session synchronization across multiple devices. Embodiments determine that a first device is in geographic proximity to a second device and receive, at a single sign-in (“SSO”) service, user credentials from a user in response to the user signing into the first device [account alias]. In response to receiving the user credentials, embodiments create a primary SSO session by the SSO service. In response to an attempt by the second device to create another SSO session, subsequent to the creating of the primary SSO session, embodiments create an alias SSO session linked to the primary SSO [the service-specific alias] and set an encrypted session cookie containing the alias SSO session and returning an authorization code including the alias SSO session to the second device, …Embodiments verify the second token using a second public key of the second device and send user information of the user to the second device, where the second device uses the user information to automatically sign the user into the second device [configured to allow or deny communications to one or more devices associated with the account via the set of services], ¶ 4.  One embodiment provides interoperability and leverages investments in identity management (“IDM”) functionality in the cloud and on-premise. The embodiment provides automated identity synchronization from on-premise Lightweight Directory Access Protocol (“LDAP”) data to cloud data and vice versa. The embodiment provides a SCIM identity bus between the cloud and the enterprise, and allows for different options for hybrid cloud deployments (e.g., identity federation and/or synchronization, SSO agents, user provisioning connectors, etc.), ¶ 34.  In this embodiment, SCIM identity bus 234 is used to synchronize data in IDCS 202 with data in on-premise LDAP Cloud Cache 402. Further, a “Cloud Gate” 502 running on a web server/proxy (e.g., NGINX, Apache, etc.) may be used by applications 505 to obtain user web SSO and REST API security from IDCS 202. Cloud Gate 502 is a component that secures access to multi-tenant IDCS microservices by ensuring that client applications provide valid access tokens, and/or users successfully authenticate in order to establish SSO sessions [wherein the service-specific alias is separate from the account alias], ¶ 51.  maintain an identity store to track user accounts, ownership, access, and permissions that have been authorized, ¶ 54.  One embodiment provides user provisioning and certification. Generally, the fundamental function of an IAM solution is to enable and support the entire user provisioning life cycle. This includes providing users with the application access appropriate for their identity and role within the organization, certifying that they have the correct ongoing access permissions (e.g., as their role or the tasks or applications used within their role change over time), and promptly de-provisioning them as their departure from the organization may require [configured to allow or deny communications to one or more devices associated with the account via the set of services], ¶ 64.  The authentication interaction initiated via the Open ID Connect protocol is delegated to a trusted SSO service that implements the user login/logout ceremonies for local and federated logins [wherein the service-specific alias is separate from the account alias]. Further details of this functionality are disclosed below with reference to FIGS. 10 and 11. In one embodiment, Open ID Connect functionality is implemented according to, for example, OpenID Foundation standards, ¶ 79.  During programmatic access by REST API clients 708, Cloud Gate 702 may act as an OAuth2 resource server/filter 720 for an application's protected REST APIs 714. It checks for the presence of a request with an authorization header and an access token. When client 708 (e.g., mobile, web apps, JavaScript, etc.) presents an access token (issued by IDCS) to use with a protected REST API 714, Cloud Gate 702 validates the access token before allowing access to the API [configured to allow or deny communications to one or more devices associated with the account via the set of services], ¶ 123.  Cloud Gate 1104 further uses the access token received in a request to obtain “userinfo” from OAuth2 microservice 1110 or the SCIM microservice. The access token is sufficient to access the “userinfo” resource for the attributes allowed by the “profile” scope. It is also sufficient to access “/me” resources via the SCIM microservice. In one embodiment, by default, the received access token is only good for user profile attributes that are allowed under the “profile” scope. Access to other profile attributes is authorized based on additional (optional) scopes submitted in the AZ grant login request issued by Cloud Gate 1104 [configured to allow or deny communications to one or more devices associated with the account via the set of services], ¶ 175.  In one embodiment, services provided by IDCS may be used in an LDAP based application to, for example, authenticate a user of the applications (i.e., an identity service) or enforce a security policy for the application (i.e., a security service) [configured to allow or deny communications to one or more devices associated with the account via the set of services]. In one embodiment, the interface with IDCS is through a firewall and based on HTTP (e.g., REST). Typically, corporate firewalls do not allow access to internal LDAP communication even if the communication implements Secure Sockets Layer (“SSL”), and do not allow a TCP port to be exposed through the firewall. However, Cloud Cache translates between LDAP and HTTP to allow LDAP based applications reach services provided by IDCS, and the firewall will be open for HTTP, ¶ 182). 
Abdul further discloses after providing the request, receiving the service-specific alias (i.e., The Open ID Connect platform service implements standard Open ID Connect Login/Logout flows. Interactive web-based and native applications leverage standard browser-based Open ID Connect flow to request user authentication, receiving standard identity tokens that are JavaScript Object Notation (“JSON”) Web Tokens (“JWTs”) conveying the user's authenticated identity [after providing the request, receiving the service-specific alias]. Internally, the runtime authentication model is stateless, maintaining the user's authentication/session state in the form of a host HTTP cookie (including the JWT identity token). The authentication interaction initiated via the Open ID Connect protocol is delegated to a trusted SSO service that implements the user login/logout ceremonies for local and federated logins [after providing the request, receiving the service-specific alias]. Further details of this functionality are disclosed below with reference to FIGS. 10 and 11. In one embodiment, Open ID Connect functionality is implemented according to, for example, OpenID Foundation standards, ¶ 79). 

With respect to claim 3, Abdul discloses detecting, by the device, a disconnection of a proximity-based connection between the device and a second device (i.e., Accordingly, embodiments extend the security controls provisioned in the on-premise environment into the cloud environment. For example, if a person leaves a company, embodiments ensure that their accounts are disabled both on-premise and in the cloud [detecting, by the device, a disconnection of a proximity-based connection between the device and a second device], ¶ 21.  For example, an employee moving from engineering to sales can get near instantaneous access to the sales cloud and lose access to the developer cloud. When this change is reflected in on-premise AD 204, cloud application access change is accomplished in near-real-time. Similarly, access to cloud applications managed in IDCS 208 is revoked for users leaving the company [detecting, by the device, a disconnection of a proximity-based connection between the device and a second device], ¶ 44). 
Abdul further discloses wherein providing the request for the service-specific alias comprises providing the request from the device to a server storing an identification of the account alias of the account responsive to detecting the disconnection of the proximity-based connection (i.e., Embodiments provide SSO session synchronization across multiple devices owned by the same user by enrolling the devices in a Circle of Trust (“CoT”) device group associated with the user and managed in IDCS, where only devices in proximity of each other may request and complete enrollment in the CoT device group. In one embodiment, proximity is determined through peer-to-peer (“P2P”) communication via, for example, Bluetooth Low Energy advertisements (“BTLE”), Near Field Communication (“NFC”), or W-Fi Direct protocols [responsive to detecting the disconnection of the proximity-based connection]. In one embodiment, the P2P communication is used for enrollment of a device in the CoT device group to prove that the user is in possession of the device that he/she is enrolling, and the user provides consent to enroll the new device via one of the already enrolled devices. Embodiments enroll the new device's public key in the CoT device group managed in IDCS [wherein providing the request for the service-specific alias comprises providing the request from the device to a server storing an identification of the account alias of the account]. In one embodiment, the user authenticates with the IDCS authorization infrastructure using an app on the enrolling device (the device that is not yet enrolled in the CoT device group), and a second factor authentication is performed using an out-of-band mechanism through P2P communication between the enrolling device and an already enrolled device [responsive to detecting the disconnection of the proximity-based connection], ¶ 201.  In one embodiment, the SSO session synchronization includes logging off user sessions on all user devices enrolled in the CoT device group when one session on one user device in the CoT device group is logged off [wherein providing the request for the service-specific alias comprises providing the request from the device to a server storing an identification of the account alias of the account responsive to detecting the disconnection of the proximity-based connection], ¶ 240.  As disclosed, some embodiments perform session synchronization using, for example, Bluetooth or NFC communications, for sharing the same SSO session across multiple devices when the devices are in a vicinity of each other. For example, in one embodiment, the first device encrypts the SSO session/token using the second device's public key it obtained from the user's CoT device group and sends the encrypted SSO session to the second device. The second device decrypts the encrypted SSO session using the second private key stored in the second device and re-uses the SSO session/token. In one embodiment, when one session is logged off, all other sessions are logged off [wherein providing the request for the service-specific alias comprises providing the request from the device to a server storing an identification of the account alias of the account]. Unlike known systems that use a central server, embodiments use device to device communication for device enrollment in the CoT device group used during session synchronization, ¶ 242). 

With respect to claim 4, Abdul discloses sending the service-specific alias from the device to a remote device to allow the remote device to provide communications to the one or more devices associated with the account via the set of services (i.e., Embodiments provide session synchronization across multiple devices. Embodiments determine that a first device is in geographic proximity to a second device and receive, at a single sign-in (“SSO”) service, user credentials from a user in response to the user signing into the first device [sending the service-specific alias from the device to a remote device to allow the remote device to provide communications to the one or more devices associated with the account via the set of services]. In response to receiving the user credentials, embodiments create a primary SSO session by the SSO service [sending the service-specific alias from the device to a remote device to allow the remote device to provide communications to the one or more devices associated with the account via the set of services]. In response to an attempt by the second device to create another SSO session, subsequent to the creating of the primary SSO session, embodiments create an alias SSO session linked to the primary SSO and set an encrypted session cookie containing the alias SSO session and returning an authorization code including the alias SSO session to the second device, where the second device returns the authorization code with a second token that is signed using a second private key of the second device. Embodiments verify the second token using a second public key of the second device and send user information of the user to the second device, where the second device uses the user information to automatically sign the user into the second device, ¶ 4.  For example, a client that belongs to “tenant 1” may execute a request to get a token for “tenant 2” specifying a user in “tenant 3.” As another example, a user living in “tenant 1” may need to perform an action in an application owned by “tenant 2”. Thus, the user needs to go to the resource namespace of “tenant 2” and request a token for themselves. Accordingly, delegation of authority is accomplished by identifying “who” can do “what” to “whom.” As yet another example, a first user working for a first organization (“tenant 1”) may allow a second user working for a second organization (“tenant 2”) to have access to a document hosted by a third organization (“tenant 3”) [to allow the remote device to provide communications to the one or more devices associated with the account via the set of services], ¶ 132). 

With respect to claim 5, Abdul discloses wherein the set of services includes one or more of a messaging service, a file transfer service, a video conferencing service, or a gaming service (i.e., In order to do so, the microservice uses a messaging API 616 to queue the message in queue 628 which is a store, ¶ 96.  If the CoT device group of the user already includes one or more enrolled devices, IDCS generates a request ID for this enrollment request, retrieves the device push notification ID for all enrolled devices, and sends push notifications to all the enrolled devices using a push notification channel such as Apple Push Notification Service (“APNS”) for iOS devices or Firebase Cloud Messaging (“FCM”) for Android devices [messaging service]. The generated request ID along with other device characteristics of the enrolling device are passed in the push notification payload. IDCS also returns the request ID back to the enrolling device in the HTTPS response, ¶ 203). 

With respect to claim 7, Abdul discloses obtaining a limited scope for the set of services based on the input detected by the input component (i.e., For example, a client that belongs to “tenant 1” may execute a request to get a token for “tenant 2” specifying a user in “tenant 3.” As another example, a user living in “tenant 1” may need to perform an action in an application owned by “tenant 2”. Thus, the user needs to go to the resource namespace of “tenant 2” and request a token for themselves. Accordingly, delegation of authority is accomplished by identifying “who” can do “what” to “whom” [obtaining a limited scope for the set of services based on the input detected by the input component], ¶ 132.  Upon successful authentication or validation, SSO microservice 1112 redirects browser 1102 back to OAuth2 microservice 1110 with the newly created/updated SSO host HTTP cookie (e.g., the cookie that is created in the context of the host indicated by “HOSTURL”) containing the user's authentication token. OAuth2 microservice 1110 returns AZ Code (e.g., an OAuth concept) back to browser 1102 and redirects to Cloud Gate 1104. Browser 1102 sends AZ Code to Cloud Gate 1104, and Cloud Gate 1104 sends a REST POST to OAuth2 microservice 1110 to request the access token and the identity token. Both tokens are scoped to OAuth microservice 1110 (indicated by the audience token claim [obtaining a limited scope for the set of services based on the input detected by the input component], ¶ 173.  The access token is sufficient to access the “userinfo” resource for the attributes allowed by the “profile” scope [obtaining a limited scope for the set of services based on the input detected by the input component]. It is also sufficient to access “/me” resources via the SCIM microservice. In one embodiment, by default, the received access token is only good for user profile attributes that are allowed under the “profile” scope. Access to other profile attributes is authorized based on additional (optional) scopes submitted in the AZ grant login request issued by Cloud Gate 1104, ¶ 175). 
Abdul further discloses wherein the service-specific alias is a service-specific and scope-limited alias configured to allow or deny communications to the one or more devices associated with the account via the set of services and within the limited scope (i.e., Upon successful authentication or validation, SSO microservice 1112 redirects browser 1102 back to OAuth2 microservice 1110 with the newly created/updated SSO host HTTP cookie (e.g., the cookie that is created in the context of the host indicated by “HOSTURL”) containing the user's authentication token [service-specific alias]. OAuth2 microservice 1110 returns AZ Code (e.g., an OAuth concept) back to browser 1102 and redirects to Cloud Gate 1104. Browser 1102 sends AZ Code to Cloud Gate 1104, and Cloud Gate 1104 sends a REST POST to OAuth2 microservice 1110 to request the access token and the identity token. Both tokens are scoped to OAuth microservice [wherein the service-specific alias is a service-specific and scope-limited alias configured to allow or deny communications to the one or more devices associated with the account via the set of services and within the limited scope]1110 (indicated by the audience token claim). Cloud Gate 1104 receives the tokens from OAuth2 microservice 1110, ¶ 173.  Cloud Gate 1104 further uses the access token received in a request to obtain “userinfo” from OAuth2 microservice 1110 or the SCIM microservice. The access token is sufficient to access the “userinfo” resource for the attributes allowed by the “profile” scope [wherein the service-specific alias is a service-specific and scope-limited alias configured to allow or deny communications to the one or more devices associated with the account via the set of services and within the limited scope]. It is also sufficient to access “/me” resources via the SCIM microservice. In one embodiment, by default, the received access token is only good for user profile attributes that are allowed under the “profile” scope [wherein the service-specific alias is a service-specific and scope-limited alias configured to allow or deny communications to the one or more devices associated with the account via the set of services and within the limited scope]. Access to other profile attributes is authorized based on additional (optional) scopes submitted in the AZ grant login request issued by Cloud Gate 1104, ¶ 175). 

With respect to claim 8, Abdul discloses wherein providing the request for the service-specific alias comprises providing the request from the device to a server storing an identification of the account alias of the account (i.e., Cloud Gate 1104 further uses the access token received in a request to obtain “userinfo” from OAuth2 microservice 1110 or the SCIM microservice [wherein providing the request for the service-specific alias comprises providing the request from the device to a server storing an identification of the account alias of the account]. The access token is sufficient to access the “userinfo” resource for the attributes allowed by the “profile” scope, ¶ 175). 
Abdul also discloses wherein the account alias is configured to allow contact with the one or more devices associated with the account via any service that the account alias is registered with, including at least one service that is independent of the server (i.e., Generally, an Identity Metasystem is an interoperable architecture for digital identity, allowing for employing a collection of digital identities based on multiple underlying technologies, implementations, and providers. LDAP, SAML, and OAuth are examples of different security standards that provide identity capability and can be the basis for building applications, and an Identity Metasystem may be configured to provide a unified security system over such applications [wherein the account alias is configured to allow contact with the one or more devices associated with the account via any service that the account alias is registered with]. … SAML was developed to allow one set of applications securely exchange information with another set of applications that belong to a different organization in a different security domain [wherein the account alias is configured to allow contact with the one or more devices associated with the account via any service that the account alias is registered with, including at least one service that is independent of the server]. Since there is no trust between the two applications, SAML was developed to allow for one application to authenticate another application that does not belong to the same organization. OAuth provides Open ID Connect that is a lightweight protocol for performing web based authentication, ¶ 158). 

With respect to claim 9, the limitations of claim 9 are similar to the limitations of claim 1 above.   The limitations of claim 9 are rejected in the analysis of claim 1 above, and the claim is rejected on that basis.
Abdul further discloses an electronic device, comprising: a memory; one or more processors (i.e., To scale vertically (or scale up/down) means to add resources to (or remove resources from) a single node in a system, typically involving the addition of CPUs or memory to a single computer. Vertical scalability allows an application to scale up to the limits of its hardware, ¶ 107.  As illustrated in FIG. 12, a distributed data grid provides data storage and management capabilities by distributing data over a number of servers (e.g., 1220a, 1220b, 1220c, and 1220d) working together. Each server of the data grid cluster may be a conventional computer system such as, for example, a “commodity x86” server hardware platform with one to two processor sockets and two to four CPU cores per processor socket. Each server (e.g., 1220a, 1220b, 1220c, and 1220d) is configured with one or more CPUs, Network Interface Cards (“NIC”), and memory, ¶ 189). 
Abdul also discloses an input component (i.e., The processor may further be coupled via bus to a display, such as a Liquid Crystal Display (“LCD”). A keyboard and a cursor control device, such as a computer mouse, may be further coupled to bus to enable a user to interface with each client or server, ¶ 195). 
Abdul further discloses wherein the account is associated with an account alias (i.e., Embodiments provide session synchronization across multiple devices. Embodiments determine that a first device is in geographic proximity to a second device and receive, at a single sign-in (“SSO”) service, user credentials from a user in response to the user signing into the first device [wherein the account is associated with an account alias]. In response to receiving the user credentials [wherein the account is associated with an account alias], embodiments create a primary SSO session by the SSO service. In response to an attempt by the second device to create another SSO session, subsequent to the creating of the primary SSO session, embodiments create an alias SSO session linked to the primary SSO and set an encrypted session cookie containing the alias SSO session and returning an authorization code including the alias SSO session to the second device, where the second device returns the authorization code with a second token that is signed using a second private key of the second device. Embodiments verify the second token using a second public key of the second device and send user information of the user to the second device, where the second device uses the user information to automatically sign the user into the second device, ¶ 4). 

With respect to claim 11, the limitations of claim 10 are rejected in the analysis of claim 3 above, and the claim is rejected on that basis.

With respect to claim 12, the limitations of claim 12 are rejected in the analysis of claim 4 above, and the claim is rejected on that basis.

With respect to claim 13, the limitations of claim 13 are rejected in the analysis of claim 5 above, and the claim is rejected on that basis.

With respect to claim 15, the limitations of claim 15 are rejected in the analysis of claim 7 above, and the claim is rejected on that basis.

With respect to claim 16, the limitations of claim 16 are rejected in the analysis of claim 8 above, and the claim is rejected on that basis.

With respect to claim 17, the limitations of claim 17 are rejected in the analysis of claim 9 above, and the claim is rejected on that basis.

With respect to claim 19, the limitations of claim 19 are rejected in the analysis of claim 3 above, and the claim is rejected on that basis.

With respect to claim 20, the limitations of claim 20 are rejected in the analysis of claim 4 above, and the claim is rejected on that basis.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 6, 10, 14 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Abdul et al. (U.S. Publication No. 2020/0358755 A1) in view of Black et al. (U.S. Publication No. 2006/0140200 A1).
With respect to claim 2, Abdul discloses detecting, by the device, a proximity-based interaction with a second device, wherein providing the request for the service-specific alias comprises providing the request from the device to a server storing an identification of the account alias of the account responsive to detecting the proximity-based interaction (i.e., Embodiments provide session synchronization across multiple devices. Embodiments determine that a first device is in geographic proximity to a second device and receive, at a single sign-in (“SSO”) service, user credentials from a user in response to the user signing into the first device [detecting, by the device, a proximity-based interaction with a second device, wherein providing the request for the service-specific alias comprises providing the request], ¶ 4.  The IDCS infrastructure services support the functionality of IDCS platform services. These runtime services include an event processing service (for asynchronously processing user notifications, application subscriptions, and auditing to database); a job scheduler service (for scheduling and executing jobs, e.g., executing immediately or at a configured time long-running tasks that do not require user intervention); a cache management service; a storage management service (for integrating with a public cloud storage service); a reports service (for generating reports and dashboards); an SSO service (for managing internal user authentication and SSO) [from the device to a server storing an identification of the account alias of the account responsive to detecting the proximity-based interaction], ¶ 88.  IDCS further includes data stores which are data repositories required/generated by IDCS, including an identity store 618 (storing users, groups, etc.) [from the device to a server storing an identification of the account alias of the account responsive to detecting the proximity-based interaction], a global database 620 (storing configuration data used by IDCS to configure itself), an operational schema 622 (providing per tenant schema separation and storing customer data on a per customer basis), an audit schema 624 (storing audit data), a caching cluster 626 (storing cached objects to speed up performance), etc. All internal and external IDCS consumers integrate with the identity services over standards-based protocols. This enables use of a domain name system (“DNS”) to resolve where to route requests, and decouples consuming applications from understanding the internal implementation of identity services, ¶ 91.  embodiments provide SSO session synchronization across multiple devices owned by the same user by enrolling the devices in a Circle of Trust (“CoT”) device group associated with the user and managed in IDCS, where only devices in proximity of each other may request and complete enrollment in the CoT device group [detecting, by the device, a proximity-based interaction with a second device], ¶ 201.  In one embodiment, the P2P communication between an already enrolled device (device A) and a newly enrolling device (device B) may be performed over one of the protocols supported by both devices. This allows the enrolled device to discover and connect to the enrolling device. Protocols such as Bluetooth Low Energy (“BTLE”), Wi-Fi Peer-to-Peer (“Wi-Fi Direct”), or Near-Field Communication (“NFC”) may be used for inter-device communication to transfer the enrolling device's public key to the enrolled device, ¶ 208). 
Abdul also discloses wherein the service-specific alias is a message alias for contacting the one or more devices (i.e., Admin SCIM microservice 1116 determines successful authentication and sends a corresponding message to SSO microservice 1112 [wherein the service-specific alias is a message alias for contacting the one or more devices], ¶ 171.  At 1326 Open_ID Connect Service 1308 sends a message to the SSO service 1310 (e.g., an IDCS service as described herein, for example, with reference to IDCS microservices 614 in FIG. 6) to create a user session for the authenticated user. At 1328 SSO service 1310 returns a created “session_id” to Open ID Connect Service 1308. At 1330 Open ID Connect Service 1308 sets an encrypted session cookie and returns an authorization code to browser tab 1306 using a custom URL scheme. At 1332 browser tab 1306 returns control to the app on device 1304. At 1334 device 1304 sends the authorization code with a token verifier (e.g., /token) to Open_ID Connect Service 1308. At 1336 Open_ID Connect Service 1308 validates the authorization code and returns “id_token” and “access_token” to device 1304. At 1338 device 1304 parses “id_token” and obtains user information, and at 1340 user 1302 is successfully logged into the app on device 1304 [wherein the service-specific alias is a message alias for contacting the one or more devices], ¶ 216.  Alternative to 1522, if at 1544 a user session is available in SSO Service 1510, at 1546 Open_ID Connect Service 1508 sends a message to SSO Service 1510 to create an alias user session with status “In Progress” linked to the primary “session_id”. At 1548 SSO Service 1510 returns the created alias “session_id” to Open ID Connect Service 1508. At 1550 OpenID Connect Service 1508 sets an encrypted session cookie containing the alias “session_id” and returns authorization code browser tab 1506. At 1552 browser tab 1506 returns control to the app on device 1504. At 1554 device 1504 sends authorization code with Client JWT Assertion signed using the private key of device 1504 (e.g., /token) to OpenID Connect Service 1508. At 1556 OpenID Connect Service 1508 validates both JWT Assertion using the public key of device 1504 and the authorization code. At 1558 OpenID Connect Service 1508 sends a message to SSO Service 1510 with the alias session ID retrieved from the authorization code so that SSO Service 1510 can update the alias session status to “Valid”, ¶ 225.  In some embodiments, the app in the second device can obtain an SSO session without authentication when the user has already signed-into one of their other devices, e.g., the first device. In some embodiments, the second device may obtain the SSO session from the server as described herein with reference to FIG. 15. Alternatively, in some embodiments, the second device may obtain the SSO session using a P2P communication channel when the authenticated and to-be authenticated devices are in the vicinity of each other [wherein the service-specific alias is a message alias for contacting the one or more devices], ¶ 237).
	Abdul may not explicitly disclose associated with the account via a messaging service.
	However, Black discloses associated with the account via a messaging service (i.e., The alias service provider 180 is configured to accept communications that the telephones 110 or 115 make over the network to provide control over the communication regardless of the limitations placed upon these controls by the SPN 120 associated with the telephones 110 and 115. Such control can include, for example, control over the parameters, behavior, and identity of the communications, as described more fully below, ¶ 39.  In order to provide such communications-related services, the alias service provider 180 establishes a service contract with an owner of a telecommunications device such as the telephone 110 or with a SPN. The telephone 110 can optionally be equipped with one or more applications provided by the alias service provider 180 (such as an application 310 shown in FIG. 3A) to enable the services [messaging service]. In addition, the alias service provider 180 can provide the telephone 110 with one or more additional addresses (referred to as alias addresses), such as alias telephone numbers, that are controlled by the alias service provider 180 rather than the SPN associated with the telephone 110. This enables the alias service provider 180 to control communications related to the alias addresses, ¶ 40.  In an exemplary context, the alias service provider 180 provides the telephone 110 with one or more alias telephone numbers and an entity controlling the SPN 120 provides one or more base telephone numbers. Each of the base telephone number and the one or more alias telephone numbers can be used by the telephone 110 to access the network 100 for making and receiving communications such as inbound and outbound calls. However, inbound and outbound calls for the alias telephone numbers can be uniquely configured via the alias service provider 180, as described below. As mentioned, the addresses are not necessarily telephone numbers and the communications are not necessarily telephone calls. Other types of addresses and communications over the network are within the scope of this disclosure [associated with the account via a messaging service], ¶ 42.  When the telephone 110 receives the call, the alias service provider 180 provides a notification to the telephone (such as voice or text message) that provides an indication regarding which alias number the inbound call is associated with. As mentioned, the telephone 110 can have several alias address, so it is helpful for the subscriber to identify which alias address is receiving the call. A user may choose to turn off the profile notification message or turn on a prompt that asks the user if he/she would like to take the call. The user can also define rules that govern how the call is handled, such as to force the call to voicemail or automatically play a busy signal, etc., ¶ 58) in order to provide an alias service provider which includes equipment to enable network communication (¶ 39).
Therefore, based on Abdul in view of Black, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Black to the system of Abdul in order to provide an alias service provider which includes equipment to enable network communication.

With respect to claim 6, Abdul discloses wherein the service-specific alias is a temporary alias having an expiration time defined upon provisioning of the service-specific alias (i.e., During programmatic access by REST API clients 708, Cloud Gate 702 may act as an OAuth2 resource server/filter 720 for an application's protected REST APIs 714. It checks for the presence of a request with an authorization header and an access token. When client 708 (e.g., mobile, web apps, JavaScript, etc.) presents an access token (issued by IDCS) to use with a protected REST API 714, Cloud Gate 702 validates the access token before allowing access to the API (e.g., signature, expiration, ¶ 123). 
However, Black also discloses wherein the service-specific alias is a temporary alias having an expiration time initially defined upon provisioning of the service-specific alias (i.e., The alias service provider can then assign the addresses on a temporary or permanent basis to its subscribers, ¶ 52) in order to provide an alias service provider which includes equipment to enable network communication (¶ 39).
Therefore, based on Abdul in view of Black, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Black to the system of Abdul in order to provide an alias service provider which includes equipment to enable network communication.

With respect to claim 10, the limitations of claim 10 are similar to the limitations of claim 2 above.  The limitations of claim 10 are rejected in the analysis of claim 3 above, and the claim is rejected on that basis.

With respect to claim 14, the limitations of claim 14 are rejected in the analysis of claim 6 above, and the claim is rejected on that basis.

With respect to claim 18, the limitations of claim 18 are rejected in the analysis of claim 2 above, and the claim is rejected on that basis.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAREN M MEANS whose telephone number is (571)270-7202.  The examiner can normally be reached on 12pm-6pm ET.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached on 571-272-4036.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




Jaren M. Means
/J.M.M./
Patent Examiner 
Art Unit 2447
11/28/2022

/JOON H HWANG/Supervisory Patent Examiner, Art Unit 2447