DETAILED ACTION

Notice of Pre-AIA or AIA Status

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

2.	The information disclosure statement (IDS) submitted on 3/11/2022 was filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

3.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No. US 2018/0012012 A1 to Stone in view of Pub. No. US 2017/0331829 A1 to Lander et al. (hereafter referenced as Lander).
Regarding claim 1, Stone discloses “a computer-implemented method comprising: receiving, by an application, from an access management system” (key management mechanisms located on policy server, Stone [par.0020/Item 170]), “a user identity token” (120 may include the user token, Stone [par.0026]), “the user identity token including information identifying a user and a session identifier associated with an SSO session” (user token that provides the context within the operating system that executes the application 120, wherein the web server 130 may then use the user token associated with the operating system to control access to the requested information relating to the document, Stone [par.0120]); “storing, by the application, the user identity token” (token store, Stone [Fig.1/item 125]); “sending, by the application, to the access management system” (i.e., sending to the policy server, Stone [par.0020/Item 170]).
Stone does not explicitly disclose “an access token request, the access token request including the session identifier associated with the SSO session, wherein the access management system retrieves session information associated with the SSO session based on the session identifier, and determines that the SSO session is valid based on the session information; receiving, by the application, from the access management system, if the SSO session is valid, an access token that enables the application to access to a protected resource, the access token being different from the user identity token; and using, by the application, the access token to access the protected resource.”
However, Lander in an analogous art discloses “an access token request” (the SSO microservice 1112 generates an access token and sends it to Cloud Gate 1104, Lander [par.0173]), “the access token request including the session identifier associated with the SSO session” (if the user has a valid SSO session, SSO microservice 1112 validates the existing session without starting a login ceremony, Lander [par.0173]), “wherein the access management system retrieves session information associated with the SSO session based on the session identifier” (If the user has a valid SSO session, SSO microservice 1112 validates the existing session without starting a login ceremony. If the user does not have a valid SSO session (i.e., no session cookie exists), the SSO microservice 1112 initiates the user login ceremony in accordance with customer's login preferences, Lander [par.0173]), “and determines that the SSO session is valid based on the session information; receiving, by the application, from the access management system, if the SSO session is valid” (SSO microservice 1112 validates the existing session without starting a login ceremony, Lander [par.0173]), “an access token that enables the application to access to a protected resource” (the SSO microservice 1112 generates an access token and sends it to Cloud Gate 1104, Lander [par.0173]), “the access token being different from the user identity token; and using, by the application, the access token to access the protected resource” (i.e., identity platform [Fig.1] distinguishes tokens via API token service, Lander [Fig.1/item 132]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Stone's method for controlling tokens with Lander's security tokens in a management cloud service in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Stone discloses an access management process on a policy server comprising a token, Lander discloses a token-based process with a valid SSO session, and both are from the same field of endeavor.
Regarding claim 2 in view of claim 1, the references combined disclose “wherein the access management system determines the SSO session is valid by determining a session expiration time based on the session information, and by determining that the session expiration time has not yet been reached” (other string sequences that define control parameters associated with the state token, wherein the parameters may include an expiration date, a restriction on domain names or resources that can receive the state token, or other suitable control parameters, Stone [par.0022]).
Regarding claim 3 in view of claim 1, the references combined disclose “wherein the access management system determines the SSO session is valid by determining a timeout duration based on the session information, and by determining that the SSO session has not timed out based upon the timeout duration” (other string sequences that define control parameters associated with the state token, wherein the parameters may include an expiration date, a restriction on domain names or resources that can receive the state token, or other suitable control parameters, Stone [par.0022]).
Regarding claim 4 in view of claim 1, the references combined disclose “wherein the access token request includes the user identity token” (operation 320 may uniquely identify a user or other identity associated with the request or the communication session (e.g., a single-sign on identity token, a digital signature, or any other suitable token), Stone [par.0033]).
Regarding claim 5 in view of claim 1, the references combined disclose “wherein the access management system determines the SSO session is valid by identifying the user associated with the SSO session based on the session information” (If the user has a valid SSO session, SSO microservice 1112 validates the existing session without starting a login ceremony, Lander [par.0173]), “and by determining that the user identified in the user identity token matches the user associated with the SSO session” (web server may inspect the validator associated with the guarded state token to verify whether an identity or session currently using the guarded state token matches the identity or session that initially created the guarded state token, Stone [par.0011]).
Regarding claim 6 in view of claim 1, the references combined disclose “wherein the user identity token is a JavaScript Object Notation (JSON) Web Token” (the OpenID Connect platform service utilizes receiving standard identity tokens that are JavaScript Object Notation (“JSON”) Web Tokens (“JWTs”), Lander [par.0077]).
Regarding claim 7 in view of claim 1, the references combined disclose “wherein the access token is an Open Authorization (OAuth) access token” (IDCS 118 provides a unified view 124 of a user's applications including federation services 130 (e.g., SAML), token services 132 (e.g., OAuth), Lander [par.0035]).
Regarding claim 8 in view of claim 1, the references combined disclose “wherein the using the access token to access the protected resource includes providing the access token in an access request” (the SSO microservice 1112 generates an access token and sends it to Cloud Gate 1104, Lander [par.0173]).
Regarding claim 9 in view of claim 1, the references combined disclose “wherein the access management system generates the access token based on the user identity token, thereby causing the access token to be linked to the SSO session” (SSO microservice 1112 validates the existing session without starting a login ceremony, Lander [par.0173]).
Regarding claim 10 in view of claim 1, the references combined disclose “wherein the access management system includes an access manager and an OAuth server, the user identity token is generated by the access manager, and the access token is generated by the OAuth server” (IDCS 118 provides a unified view 124 of a user's applications including federation services 130 (e.g., SAML), token services 132 (e.g., OAuth), Lander [par.0035]).
Regarding claim 11 in view of claim 1, the references combined disclose “wherein the application is a Web-based application being executed by a computer, and further comprising: using, by the application, the protected resource to provide application functionality” (webserver 130 comprising token module and configuration module interconnecting with client device web browser 115, Stone [Fig.1]).
Regarding claim 12 in view of claim 1, the references combined disclose “wherein the application is a data analytics program, and further comprising: processing the protected resource to generate graphical output for display on a Web browser” (webserver 130 comprising token module and configuration module interconnecting with client device web browser 115, Stone [Fig.1]).
Regarding claim 13, Stone discloses “a computer system comprising: one or more processors; and a memory coupled to the one or more processors, the memory storing instructions that, when executed by the one or more processors, cause the one or more processors to: receive, from an access management system” (key management mechanisms located on policy server, Stone [par.0020/Item 170]), “a user identity token, the user identity token including information identifying a user and a session identifier associated with an SSO session” (user token that provides the context within the operating system that executes the application 120, wherein the web server 130 may then use the user token associated with the operating system to control access to the requested information relating to the document, Stone [par.0120]); “store the user identity token” (token store, Stone [Fig.1/item 125]); “send, to the access management system” (i.e., sending to the policy server, Stone [par.0020/Item 170]).
Stone does not explicitly disclose “an access token request, the access token request including the session identifier associated with the SSO session, wherein the access management system retrieves session information associated with the SSO session based on the session identifier, and determines that the SSO session is valid based on the session information; receive, from the access management system, if the SSO session is valid, an access token that enables access to a protected resource, the access token being different from the user identity token; and use the access token to access the protected resource.”
However, Lander in an analogous art discloses “an access token request” (the SSO microservice 1112 generates an access token and sends it to Cloud Gate 1104, Lander [par.0173]), “the access token request including the session identifier associated with the SSO session” (if the user has a valid SSO session, SSO microservice 1112 validates the existing session without starting a login ceremony, Lander [par.0173]), “wherein the access management system retrieves session information associated with the SSO session based on the session identifier” (If the user has a valid SSO session, SSO microservice 1112 validates the existing session without starting a login ceremony. If the user does not have a valid SSO session (i.e., no session cookie exists), the SSO microservice 1112 initiates the user login ceremony in accordance with customer's login preferences, Lander [par.0173]), “and determines that the SSO session is valid based on the session information; receive, from the access management system, if the SSO session is valid” (SSO microservice 1112 validates the existing session without starting a login ceremony, Lander [par.0173]), “an access token that enables access to a protected resource” (the SSO microservice 1112 generates an access token and sends it to Cloud Gate 1104, Lander [par.0173]), “the access token being different from the user identity token; and use the access token to access the protected resource” (i.e., identity platform [Fig.1] distinguishes tokens via API token service, Lander [Fig.1/item 132]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Stone's method for controlling tokens with Lander's security tokens in a management cloud service in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Stone discloses an access management process on a policy server comprising a token, Lander discloses a token-based process with a valid SSO session, and both are from the same field of endeavor.
Regarding claim 14 in view of claim 13, the references combined disclose “wherein the user identity token is received in a header of a token response or in a session cookie” (client device 125 returns a cookie or other state token; the HTTP Cookie specification lacks any built-in mechanisms to secure the information contained in the cookie or other state token to maintain the state information, Stone [par.0021]).
Regarding claim 15 in view of claim 13, the references combined disclose “wherein the access management system determines the SSO session is valid by determining that a session expiration time has not yet been reached, by determining that the SSO session has not timed out based upon a timeout duration, or by determining that the user identified in the user identity token matches the user associated with the SSO session” (other string sequences that define control parameters associated with the state token, wherein the parameters may include an expiration date, a restriction on domain names or resources that can receive the state token, or other suitable control parameters, Stone [par.0022]).
Regarding claim 16 in view of claim 13, the references combined disclose “wherein the access token request includes the user identity token, the user identity token is a JavaScript Object Notation (JSON) Web Token, and the access token is an Open Authorization (OAuth) access token” (IDCS 118 provides a unified view 124 of a user's applications including federation services 130 (e.g., SAML), token services 132 (e.g., OAuth), Lander [par.0035]).
Regarding claim 17, Stone discloses “a non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors of a computer system, cause the one or more processors to perform processing comprising: receiving, from an access management system, a user identity token” (operation 320 may uniquely identify a user or other identity associated with the request or the communication session (e.g., a single-sign on identity token, a digital signature, or any other suitable token), Stone [par.0033]), “the user identity token including information identifying a user and a session identifier associated with an SSO session” (user token that provides the context within the operating system that executes the application 120, wherein the web server 130 may then use the user token associated with the operating system to control access to the requested information relating to the document, Stone [par.0120]); “storing the user identity token” (token store, Stone [Fig.1/item 125]); “sending, to the access management system, an access token request” (i.e., sending to the policy server, Stone [par.0020/Item 170]).
Stone does not explicitly disclose “the access token request including the session identifier associated with the SSO session, wherein the access management system retrieves session information associated with the SSO session based on the session identifier, and determines that the SSO session is valid based on the session information; receiving, from the access management system, if the SSO session is valid, an access token that enables access to a protected resource, the access token being different from the user identity token; and using the access token to access the protected resource.”
However, Lander in an analogous art discloses “the access token request including the session identifier associated with the SSO session” (if the user has a valid SSO session, SSO microservice 1112 validates the existing session without starting a login ceremony, Lander [par.0173]), “wherein the access management system retrieves session information associated with the SSO session based on the session identifier” (If the user has a valid SSO session, SSO microservice 1112 validates the existing session without starting a login ceremony. If the user does not have a valid SSO session (i.e., no session cookie exists), the SSO microservice 1112 initiates the user login ceremony in accordance with customer's login preferences, Lander [par.0173]), “and determines that the SSO session is valid based on the session information” (SSO microservice 1112 validates the existing session without starting a login ceremony, Lander [par.0173]), “receiving, from the access management system, if the SSO session is valid” (SSO microservice 1112 validates the existing session without starting a login ceremony, Lander [par.0173]), “an access token that enables access to a protected resource, the access token being different from the user identity token; and using the access token to access the protected resource” (i.e., identity platform [Fig.1] distinguishes tokens via API token service, Lander [Fig.1/item 132]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Stone's method for controlling tokens with Lander's security tokens in a management cloud service in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Stone discloses an access management process on a policy server comprising a token, Lander discloses a token-based process with a valid SSO session, and both are from the same field of endeavor.
Regarding claim 18 in view of claim 17, the references combined disclose “wherein the access management system determines the SSO session is valid by determining a session expiration time based on the session information and determining that the session expiration time has not yet been reached, or by determining a timeout duration based on the session information and determining that the SSO session has not timed out based upon the timeout duration” (other string sequences that define control parameters associated with the state token, wherein the parameters may include an expiration date, a restriction on domain names or resources that can receive the state token, or other suitable control parameters, Stone [par.0022]).
Regarding claim 19 in view of claim 17, the references combined disclose “the processing further comprising: before sending the access token request, receiving, from the user, a request to access the protected resource” (a configuration module 145 that communicates with one or more agent configuration objects 180 that reside on a policy server prior to the access token request, Stone [par.0020]).
Regarding claim 20 in view of claim 17, the references combined disclose “the processing further comprising: receiving, from the access management system, a request for user credentials; outputting a login page on a web browser” (webserver 130 comprising token module and configuration module interconnecting with client device web browser 115, Stone [Fig.1]), “the login page including one or more credential input fields; receiving, from the user, the user credentials via the login page” (webserver 130 comprising token module and configuration module interconnecting with client device web browser 115, Stone [Fig.1]), “and sending, to the access management system, the user credentials, where the access management system authenticates the user based on the user credentials and creates the SSO session for the user in response to a successful authentication” (the policy server 170 or other suitable authentication server may return a single sign-on (SSO) authentication token to the client device 110 that encapsulates various permissions associated with the unique identity assigned to the user, Stone [par.0025]).
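As an added worked example (not code from the application under examination, from Stone or from Lander), the session-validated token exchange recited in claims 1-5 and 9 above, in Python: the access management system issues a signed identity token carrying a session identifier; on an access token request it looks up the session, checks the expiration time (claim 2), the idle timeout (claim 3) and that the identity token's user matches the session's user (claim 5), and only then mints a separate access token bound to that session (claim 9). The token format, signing key, session layout and class names are assumptions for illustration.

```python
"""Hypothetical toy implementation of the claimed flow; keys and values are constructed."""
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass

SECRET = b"constructed-demo-key"  # constructed; a real deployment uses a managed key


def _sign(payload: dict) -> str:
    """Compact signed token: base64url(JSON payload) '.' HMAC-SHA256 hex."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> dict:
    """Reject any token whose MAC does not match before trusting its claims."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))


@dataclass
class Session:
    user: str
    expires_at: float     # absolute session expiration time (claim 2)
    timeout: float        # idle timeout duration in seconds (claim 3)
    last_activity: float  # used with timeout to detect an idle session


class AccessManagementSystem:
    def __init__(self):
        self.sessions = {}  # session identifier -> Session (the "session information")

    def login(self, user: str, now: float, lifetime=3600.0, timeout=900.0) -> str:
        """Create the SSO session and return the user identity token (sub + sid)."""
        sid = secrets.token_hex(8)  # constructed session identifier
        self.sessions[sid] = Session(user, now + lifetime, timeout, now)
        return _sign({"typ": "id", "sub": user, "sid": sid})

    def access_token_request(self, id_token: str, sid: str, now: float) -> str:
        """Validate the SSO session named by sid, then mint a distinct access token."""
        claims = _verify(id_token)
        session = self.sessions.get(sid)
        if session is None:
            raise PermissionError("unknown session")
        if now >= session.expires_at:
            raise PermissionError("session expired")            # claim 2
        if now - session.last_activity > session.timeout:
            raise PermissionError("session timed out")          # claim 3
        if claims.get("typ") != "id" or claims["sub"] != session.user:
            raise PermissionError("identity token does not match session user")  # claim 5
        session.last_activity = now
        # Access token is linked to the session via sid but is a different token (claim 9).
        return _sign({"typ": "access", "sub": session.user, "sid": sid, "scope": "resource:read"})


class Application:
    """The client application: stores the identity token, requests an access token with its sid."""
    def __init__(self, ams: AccessManagementSystem):
        self.ams, self.id_token = ams, None

    def receive_identity_token(self, token: str) -> None:
        self.id_token = token

    def request_access_token(self, now: float) -> str:
        sid = _verify(self.id_token)["sid"]
        return self.ams.access_token_request(self.id_token, sid, now)


def protected_resource(access_token: str) -> str:
    """The resource accepts only an access token, never the identity token itself."""
    claims = _verify(access_token)
    if claims.get("typ") != "access":
        raise PermissionError("identity token presented where an access token is required")
    return f"report for {claims['sub']}"
```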

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL D ANDERSON/Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433