Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This action is responsive to amendment filed on 11/16/2022. Claims 1, 16 and 20 are independents. Claims 1, 16 and 20 are amended. Claims 1-20 are currently pending.

Response To Argument
Applicant’s arguments with respect to the independent claims have been considered and the examiner agrees that the amended claim language is not found in the previous references used in the prior art rejection. However, the examiner believes the new steps of publishing an identity management container in a repository, a user downloading the container and the subsequent installation of the container are not new or novel aspects in the process of performing a native authentication to access a resource. Therefore a new ground of rejection is provided below.

Claim Rejections-35 U.S.C §103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims, the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-4, 6-12 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Leafe et al. (US 20120233668 A1), hereinafter Leafe, in view of MOHAMAD ABDUL et al. (US 20180337914 A1), hereinafter D1, further in view Feijoo (US 20190058706 A1), additionally in view of Merkel (Docker: Lightweight Linux Containers for Consistent Development and Deployment, Linux J., vol. 2014, no. 239, Mar. 2014).

	Regarding claims 1, 16 and 20, Leafe teaches a system for native authentication to access a resource, comprising:
	an identity management container application processor configured to receive a user input request from a user for accessing a resource, configured to allow an authenticated user to access the resource, and configured to communicate with an identity management agent processor using Internet-related APIs for authenticating the user (para. 0254, using API for authentication; controlling access to resources; para. 0139, 0141 and 0147, communicating with LDAP store/server, Active Directory or OpenLDAP);
	a set of Internet-related APIs (para. 0245 0254, 0261 and 0262, using RESTful API) for the identity management container application processor to communicate with the identity management agent processor (para. 0139, 0141 and 0147, accessing LDAP store/server, Active Directory or OpenLDAP; 0049, 0195 and 0199, using container service); and 
wherein one or more of the processors is a hardware processor (para. 0118, hardware processor);
	Leafe does not explicitly disclose the identity management agent processor resident on an enterprise's network system, wherein the identity management agent processor is configured to communicate with one or more enterprise on-premise systems, to communicate with an active directory domain controller resident on the enterprise's network system, and to communicate with the identity management container application processor. However, in an analogous art, D1 teaches the identity management agent processor resident on an enterprise's network system (para. 0020, 0035 and 0042-0046, identity management (“IDM”)functionality in the cloud and on-premise), wherein the identity management agent processor is configured to communicate with one or more enterprise on-premise systems, to communicate with an active directory domain controller resident on the enterprise's network system, and to communicate with the identity management container application processor (para. 0040, 0167 and 0206, password is managed in an active directory (“AD”)/LDAP server (e.g., AD 204 of FIG. 2), an IDCS agent Identity Bridge (e.g., ID Bridge 230 of FIG. 2) deployed on-premise generates the Kerberos principal key and sends it to IDCS; that is system is in communication with active directory (“AD”)/LDAP server).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe and D1 because it would enhance controlling user accessing resources (D1 para. 0028).
The combination of Leafe and D1 does not explicitly disclose wherein the identity management container application processor is configured to allow the user to log onto the resource in the cloud by using a same logon information for accessing the one or more enterprise on-premise systems. However, in an analogous art, Feijoo teaches wherein the identity management container application processor is configured to allow the user to log onto the resource in the cloud by using a same logon information for accessing the one or more enterprise on-premise systems (para. 0108, [e]nterprise server 720 may include a relying party, which may be a server responsible for providing and managing a virtual, cloud-based environment that may be accessed by one or more enterprise users via user devices 730 and 740. In an example use case, the relying party may be a server of an enterprise that an employee logs into for authentication to access the enterprise's virtual, cloud-based environment (e.g., a virtual desktop, a virtual application, a virtual mobile app, or other virtual service(s)); para. 0110, Enterprise identity provider server 710 may issue a first authentication token to an authenticated user as a result of successfully completing an authentication procedure (e.g., logging in) in enterprise network 770. In one example, user devices 730 and 740 may log into a virtualized, cloud-based environment using their existing authentication credentials, which may be a username and password, biometric measurement (e.g., fingerprint scan, retina scan, facial recognition, voice recognition, etc.), entering an access code provided to a specified user device (e.g., the user's smartphone may receive a message containing a code to enter into a portal provided by the relying party), or any other authentication means for access to enterprise network 770. In response to the successful logging in of user devices 730 and 740, enterprise identity provider server 710 may issue a first authentication token for the authenticated user and forward the first authentication token to enterpriser server 720, which in turn may enable user devices 730 and 740 to have SSO access to the services and resources in the virtualized, cloud-based environment within enterprise network 770. In this fashion, enterprise identity provider server 710 may provision enterprise server 720 with the first authentication token. As an example, enterprise server 720 may store the first authentication token in key store 714 and may retrieve a previously stored second authentication token from key store 714 to enable user devices 730 and 740 to have access to the services and resources in the virtualized, cloud-based environment of an enterprise system within enterprise network 770).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe, D1 and Feijoo because for convenience, cloud-based identity provider server can use enterprise identity provider server authentication result for user to access cloud-based environment (Feijoo para. 0109).
The combination of Leafe, D1 and Feijoo does not explicitly disclose the steps of "publishing an identity management container to the cloud" and downloading said identity management container" with the "identity management container starting without requiring installation when downloaded by said user". However, in an analogous art, Merkel teaches the steps of "publishing an identity management container to the cloud" (pp.82-83, [o]ne of Docker's killer features is the ability to find, download and start container images that were created by other developers quickly. The place where images are stored is called a registry, and Docker Inc. offers a public registry also called the Central Index; [i]n addition to various base images, which you can use to create your own Docker containers, the public Docker Registry features images of ready-to-run software, including databases, content management systems, development environments, Web servers and so on. While the Docker command-line client searches the public Registry by default, it is also possible to maintain private registries. This is a great option for distributing images with proprietary code or components internally to your company. Pushing images to the registry is just as easy as downloading. It requires you to create an account, but that is free as well. Lastly, Docker Inc.'s registry has a Web-based interface for searching for, reading about, commenting on and recommending (aka “starring”) images. It is ridiculously easy to use, and I encourage you to click the link in the Resources section of this article and start exploring) and downloading said identity management container" with the "identity management container starting without requiring installation when downloaded by said user" (pp.84-85, Start by issuing the docker search mysql command, which then displays a list of images in the public Docker registry that match the keyword “mysql”. For no particular reason other than I know it works, let's download the “brice/mysql” image, which you do with the docker pull brice/mysql command. You can see that Docker downloaded not only the specified image, but also the images it was built on. With the docker images command, you list the images currently available locally, which includes the “brice/mysql” image. Launching the container with the -d option to detach from the currently running container, you now have MySQL running in a container. You can verify that with the docker ps command, which lists containers, rather than images. In the output, you also see the port on which MySQL is listening, which is the default of 3306).
Therefore, It would have been obvious to one of ordinary skill In the art before the effective filling date of the claimed invention to combine the teachings of Jackson, Chen, Buchanan and Merkel because Microservices/Pod/Docker architecture is scalable and provides tools for DevOps, system administrators and developers to make creating and working with containers as easy as possible (pp 78, 86 and 87).

	Regarding claim 2, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the user input request for accessing the resource originates from inside an enterprise network firewall (para. 0306 and 0073, LDAP server behind a company firewall).

	Regarding claim 3, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the user input request for accessing the resource originates from outside an enterprise network firewall (FIG. 1 #102 and #114/116, user is outside proxy/gateway as firewall).

	Regarding claims 4 and 17, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claims 1 and 16, respectively, as described above. Leafe further teaches wherein the Internet-related APIs are REST APIs (para. 0245 0254, 0261 and 0262, using RESTful API).

	Regarding claim 6, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the identity management container application processor and the identity management agent processor communicate through a firewall on the enterprise's network (FIG. 1 #102 and #114/116, user is outside proxy/gateway as firewall through #112 service endpoints which includes authentication services).

	Regarding claim 7, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the enterprise's on-premise systems comprise any of: 
an executable application (para. 0008, A public cloud has an infrastructure that is available to the general public or a large industry group and is likely owned by a cloud services company. A private cloud operates for a single organization, but can be managed on-premise or off-premise);
	a mainframe;
	a router; and
	an employee asset.

	Regarding claim 8, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 7, as described above. Leafe further teaches wherein the on-premise systems further comprise existing enterprise rules and attributes from spreadsheets, human resources systems, or application programming interfaces (para. para. 0008, 0257 and 0258, processor includes rule engine used through API calls).

	Regarding claims 9 and 18, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claims 1 and 16, respectively, as described above. Leafe further teaches wherein the identity management container application processor is configured to be portable and configured to reside and execute on a cloud environment, on-premise; and on a private cloud instance (par. 0008, 0245, 0306, executed in cloud environment, can be managed on-premise and on private clouds).

	Regarding claim 10, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the resource is any of an application of the enterprise, an enterprise asset, or a cloud application (para. 0008, 0033 and 0250 cloud computing).

	Regarding claim 11, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 7, as described above. Leafe further teaches wherein user credentials of the user for an on-premise resource are used to enable the user to access the resource (para. 0130, 0131 and 0137, [t]he authz provider720 performs the necessary analysis to determine whether an identified user has the necessary permissions to perform a requested action).

	Regarding claims 12 and 19, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claims 11 and 16, respectively, as described above. Leafe further teaches wherein the user credentials are stored on the enterprise's on-premise systems (para. 0008, 0137 and 0138, user credentials are stored on-premise).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Leafe, D1, Feijoo and Merkel, as applied in the claims above, further in view of Vats et al. (US 20180083944 A1), hereinafter Vats.

	Regarding claim 5, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 1, as described above. Leafe further teaches wherein the Internet-related APIs include the following functions (Examiner claims that all the operations in this list are well-known operations of Active Directory and LDAP etc. servers, as well as evidenced in Leafe para. 0235, 0254 and 0267, authorization service is operable to store, retrieve, delete, and query stored credentials from in the storage pools 814. In one embodiment, an authorization service provides an ACL-based authorization. In a second embodiment, the authorization service provides posix-compatible authorization. In a third embodiment, the authorization service provides tree or graph-based authorization, such as would be provided with an LDAP-based authorization service).
	Before further explanation and to simplify the process, Examiner categorizes the functionalities listed in this claim as following:
	a. create – 
		to add a directory user to a directory group.
b. update – 
		to patch a password;
		to change status of a user;
		to update a single string attribute value from a specific directory user;
		…
c. read/query -
		to retrieve a directory domain;
to get a random password that meets the domain's password policy;
		to get a list of organizational units;
		to search for a particular organizational unit;
		…
	In a similar way, the rest in the list are categorized as:
	d. delete
in addition, according the above categorization, Vats teaches all the limitations in these categories (para. 0096, Administration services leverage and extend the SCIM standard to implement schema-based REST APIs for Create, Read, Update, Delete, and Query (“CRUDQ”) operations on all IDCS resources; para. 0031, 0052 and 0181, LDAP and Active Directory; para. 0249-0251 list of all objects that REST APIs function CRUDQ on the objects)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe, D1, Feijoo, Merkel and Vats because it would a different way that is scalable for authentication using RESTAPIs (Vats para. 0049).
Further, it is noted that functions of APIs listed in the claim are only found in the nonfunctional descriptive material which are not functionally involved in the claim. Thus, this descriptive material will not distinguish the claimed invention from the prior art in terms of patentability, see In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 404 (Fed. Cir. 1983); In re Lowry, 32 F.3d 1579, 32 USPQ2d 1031 (Fed. Cir. 1994). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include all or any of the listed API functions to achieve the predictable benefit of customization.

Claims 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Leafe, D1, Feijoo and Merkel, as applied in the claims above, further in view of Jaeger (US 10326845 B1).

	Regarding claim 13, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 1, as described above. 
The combination of Leafe, D1, Feijoo and Merkel does not explicitly teach wherein the container is a Docker container. However, in an analogous art, Jaeger teaches wherein the container is a Docker container (col6 ln1-39, using Docker containers).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe, D1, Feijoo, Merkel and Jaeger because it would overcome challenges associated with deployment of multiple distinct applications for multiple tenants in hybrid multi-tenant clouds can be advantageously avoided through the use of Docker Swarm (Jaeger col1ln63-col2 ln3).

	Regarding claim 14, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 1, as described above. 
Jaeger further teaches comprising a plurality of containers and a swarm management cluster load balancing processor for balancing network traffic across the plurality of containers (col6 ln1-39, using Docker containers and Docker Swarm).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe, D1, Feijoo, Merkel and Jaeger because it would overcome challenges associated with deployment of multiple distinct applications for multiple tenants in hybrid multi-tenant clouds can be advantageously avoided through the use of Docker Swarm (Jaeger col1ln63-col2 ln3).

	Regarding claim 15, the combination of Leafe, D1, Feijoo and Merkel teaches all of the limitations of claim 7, as described above.
The combination of Leafe, D1, Feijoo and Merkel does not explicitly teach but in an analogous art, Jaeger teaches wherein the container is programmable by a user administrator of the enterprise to set enterprise rules and attributes for user provisioning (col20 ln17-21 and Table1, processes Administrator Provisions/disposes Provisions/disposes Tenant's internal and configures and configures IT (may act as infrastructural hosts and internal MSP components of the application administrator); provisioning admin user).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Leafe, D1, Feijoo, Merkel and Jaeger because it would overcome challenges associated with deployment of multiple distinct applications for multiple tenants in hybrid multi-tenant clouds can be advantageously avoided through the use of Docker Swarm (Jaeger col1ln63-col2 ln3).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday -Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/SHU CHUN GAO/Examiner, Art Unit 2437 




/MATTHEW SMITHERS/Primary Examiner, Art Unit 2437