DETAILED ACTION
Claims 1-20 are presented for examination.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Specification
 	The specification is objected to due to multiple paragraphs including citations such as “(Collectively, block 202, line 314)” without indicating which figures, the block and line number annotations correspond to. Please correct to “(Collectively, Fig.2, block 202, and Fig.3, line 314)”.
	The specification [0059] cites “OAUTH/OPIC” but it is unclear what OPIC corresponds to. Please correct to “OAUTH/OIDC” as cited in [0006] of the specification.

Claim Rejections - 35 USC § 112(b)
 	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.



Claim 19 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. This claim recites the term “OAUTH/OPIC”, however it is not clear what OPIC is. For the purpose of examination, this term is interpreted as “OAUTH/OIDC”.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Abdul et al (US Pub.No.2018/0337914) in view of Parmar et al (US Pub.No.2015/0188922).

Re Claim 1. Abdul discloses a system, comprising: at least one processor; and a memory that stores one or more programs that are configured to be executed by the one or more processors, the one or more programs including instructions that: transmit a first request to authenticate a client application, to access an on-premise application, the first request sent to an identity provider of a cloud computing service (i.e. In one embodiment, IDCS may be used for a user to log in. For example, a client application 602 may use one of the supported authentication flows to request a login for a user.) [Abdul, para.0104], (i.e.  The embodiment uses OpenID Connect semantics for applications to request user authentication against IDCS. The embodiment uses lightweight HTTP cookie-based user session tracking to track user's active sessions at IDCS without statefull server-side session support. The embodiment uses JWT-based identity tokens for applications to use in mapping an authenticated identity back to their own local session. The embodiment supports integration with federated identity management systems, and exposes SAML IDP support for enterprise deployments to request user authentication against IDCS……………………Applications requiring SSO integration with a cloud system may be located in enterprise data centers, in remote partner data centers, or even operated by a customer on-premise) [Abdul, para.0156-0157] the first request made through a cloud-based network authentication protocol [Abdul, para.0038], the on-premise application subject to a legacy network authentication protocol, the cloud-based network authentication protocol incompatible with the legacy network authentication protocol (i.e. Cloud Cache is provided in IDCS to support communication with applications that are LDAP based (e.g., email servers, calendar servers, some business applications, etc.) since IDCS does not communicate according to LDAP while such applications are configured to communicate only based on LDAP. Typically, cloud directories are exposed via REST APIs and do not communicate according to the LDAP protocol. Generally, managing LDAP connections across corporate firewalls requires special configurations that are difficult to set up and manage) [Abdul, para.0181-0183]; in response to the first request, obtain a security token including a security ticket of the legacy network authentication protocol, the security ticket generated by the identity provider of the cloud computing service, the security token associated with the cloud-based network authentication protocol (i.e. SSO microservice 1008 provides login ceremony 1018,…………… Authentication manager 1024 issues authentication tokens upon successful authentication. HTTP cookie manager 1026 saves the authentication token in an SSO cookie) [Abdul, para.0162, Fig.10, Note: the authentication token of Abdul is being mapped to security ticket and the SSO cookie of Abdul is being mapped to the security token]; 
 	Abdul does not explicitly disclose whereas Parmar does: transmit an authentication request using the legacy network authentication protocol to the on-premise application (i.e. may use Lightweight Directory Access Protocol (LDAP) or other approaches to communicate with the on-premise authenticator …………….at block 705 when a download request or access request for a document stored in an on-premised storage system is received…………. This may include sending the on-premised token to the on-premised authenticator) [Parmar, para.0050-0052], 
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Abdul with Parmar in order to provide better protection to the sensitive information [Parmar, para.0050].
Abdul further discloses: the authentication request including the security ticket; (i.e. After verifying that the TGT is valid and that the user is permitted to access the requested service, the TGS issues the ticket and session keys to the client. The client then sends the ticket to a service server (“SS”) along with its service request) [Abdul, para.0202], and obtain access to the on-premise application (i.e. Browser 1102 then reaches client 1106 and receives a corresponding response from client 1106. From this point on, browser 1102 can access the application (i.e., client 1106) seamlessly for as long as the application's local cookie is valid) [Abdul, para.0175].

Re Claim 8. This claim recites features similar to those recited in claim 1 and therefore they are rejected in a similar manner. The feature “the legacy authentication protocol differs from the cloud-based authentication protocol” is interpreted in the same manner as “the cloud-based network authentication protocol incompatible with the legacy network authentication protocol” recited in claim 1.

Re Claims 2 and 9. Abdul in view of Parmar discloses the features of claims 1 and 8, Parmar further discloses: wherein the one or more programs include further instructions that: extract the security ticket from the security token; and embed the security ticket into the authentication request (i.e. When the request is received by the on-premise storage system 630, the off-premise token 610 and the on-premise token 615 may be extracted from the HTTP header of the request and sent to the respective off-premise authenticator 655 and on-premise authenticator 635 for both authentications) [Parmar, para.0050-0051], 
	The same motivation to modify with Parmar, as in claim 1, applies.

Re Claim 3. Abdul in view of Parmar discloses the features of claim 1, Abdul further discloses: wherein the on-premise application is part of a private domain directory service (i.e. One embodiment provides interoperability and leverages investments in identity management (“IDM”) functionality in the cloud and on-premise. The embodiment provides automated identity synchronization from on-premise Lightweight Directory Access Protocol (“LDAP”) data to cloud data and vice versa) [Abdul, para.0035].
 	and as recited in claim 10, in a domain outside the cloud computing service (i.e. The embodiment provides seamless user experience across all applications including on-premise and third-party applications, for example, on-premise applications 218 and various applications/services in cloud 208 such as cloud services 210, cloud applications 212, partner applications 214, and customer applications 216.)  [Abdul, para.0042, Fig.2, on-premise apps 218 reside on-premise and therefore they are outside the cloud domain].

Re Claims 4 and 11. Abdul in view of Parmar discloses the features of claims 1 and 8, Abdul further discloses: wherein the security token is a JavaScript Object Notation (JSON) web token (i.e. The embodiment uses JWT-based identity tokens for applications to use in mapping an authenticated identity back to their own local session) [Abdul, para.0156, see also para.0080].

Re Claims 5 and 12 Abdul in view of Parmar discloses the features of claims 1 and 8, Abdul further discloses: wherein the security ticket is embedded as a claim in the security token (i.e. In one embodiment, an access token includes at least a claim/statement indicating the resource tenant name at the time the request for the access token was made (e.g., the customer), a claim indicating the user tenant name, a claim indicating the name of the OAuth client making the request, and a claim indicating the client tenant name.) [Abdul, para.0144].

Re Claims 6 and 13. Abdul in view of Parmar discloses the features of claims 1 and 8, Abdul further discloses: wherein the legacy network authentication protocol is based on Kerberos (i.e. an IDCS agent Identity Bridge (e.g., ID Bridge 230 of FIG. 2) deployed on-premise generates the Kerberos principal key and sends it to IDCS) [Abdul, para.0206].

Re Claims 7 and 14. Abdul in view of Parmar discloses the features of claims 1 and 8, Abdul further discloses: wherein the cloud-based network authentication protocol is based on OpenId Connect (i.e. The embodiment uses OpenID Connect semantics for applications to request user authentication against IDCS) [Abdul, para.0156].

Re Claim 10. Abdul in view of Parmar discloses the features of claim 8, Abdul further discloses: wherein the on-premise application resides in a domain directory service (i.e. One embodiment provides interoperability and leverages investments in identity management (“IDM”) functionality in the cloud and on-premise. The embodiment provides automated identity synchronization from on-premise Lightweight Directory Access Protocol (“LDAP”) data to cloud data and vice versa) [Abdul, para.0035] outside the cloud computing service (i.e. The embodiment provides seamless user experience across all applications including on-premise and third-party applications, for example, on-premise applications 218 and various applications/services in cloud 208 such as cloud services 210, cloud applications 212, partner applications 214, and customer applications 216.)  [Abdul, para.0042, Fig.2, on-premise apps 218 reside on-premise and therefore they are outside the cloud domain].

Re Claim 15. In a manner similar to the rejection of claim 1, Abdul in view of Parmar discloses a device, comprising: at least one processor and a memory; wherein the at least one processor is configured to: receive an authentication request, at a cloud computing service, for access to an on-premise application, the authentication request associated with a cloud-based authentication protocol from a client application, the on-premise application associated with a legacy authentication protocol, the cloud-based authentication protocol differs from the legacy authentication protocol; upon successful verification of the authentication request, generate an authentication token of the cloud-based authentication protocol having an authentication ticket of the legacy authentication protocol; 
 	Abdul further discloses: and provide the authentication token to the client application (i.e. this information is then used at 1351 to ultimately return the ticket to client 1302 as an AS response) [Abdul, para.0212], to authenticate to the on-premise application through the legacy authentication protocol using the authentication ticket (i.e. the TGS issues the ticket and session keys to the client. The client then sends the ticket to a service server (“SS”) along with its service request) [Abdul, para.0202].

Re Claim 16. Abdul in view of Parmar discloses the features of claim 15, Abdul further discloses: wherein the on-premise application resides in a domain outside of the cloud computing service (i.e. The embodiment provides seamless user experience across all applications including on-premise and third-party applications, for example, on-premise applications 218 and various applications/services in cloud 208 such as cloud services 210, cloud applications 212, partner applications 214, and customer applications 216.)  [Abdul, para.0042, Fig.2, depicts on-premise apps 218 residing on-premise and therefore outside the cloud].

Re Claim 17. Abdul in view of Parmar discloses the features of claim 16, Abdul further discloses: wherein the at least one processor is further configured to: configure the cloud computing service with on-premise data of the on-premise application, the on-premise data specifying the legacy authentication protocol of the on-premise application (i.e. OAuth2 microservice 1110 constructs the application context (i.e., metadata that describes the application, e.g., identity of the connecting application, client ID, configuration, what the application can do, etc.), and redirects browser 1102 to SSO microservice 1112 to log in.) [Abdul, para.0171], (i.e. an IDCS agent Identity Bridge (e.g., ID Bridge 230 of FIG. 2) deployed on-premise generates the Kerberos principal key and sends it to IDCS) [Abdul, para.0206].

Re Claim 18. Abdul in view of Parmar discloses the features of claim 16, Abdul further discloses: wherein the at least one processor is further configured to: configure the cloud computing service with a ticket granting service that generates the security ticket (i.e. a Kerberos enabled identity cloud service 1300 in accordance with one embodiment of the invention. A Kerberos client 1302 interacts with a Kerberos KDC 1304. The user begins the interaction with Kerberos services by providing proof-of-identity (e.g., username and password) to the Kerberos server (i.e., AS, not shown in FIG. 13), which forwards the information, in the form of a ticket request, to KDC 1304 at 1350. In known Kerberos systems, the KDC would determine whether to accept the user using locally stored information. If it accepts the user's identity, the KDC returns a Ticket-Granting-Ticket (“TGT”) which can be used at Ticket Granting Service (“TGS”) for obtaining a service ticket for Kerberos enabled services) [Abdul, para.0209-0211].

Re Claim 19. Abdul in view of Parmar discloses the features of claim 16, Abdul further discloses: Abdul further discloses: wherein the cloud-based authentication protocol is based on Oauth/OPIC protocol (i.e. IDCS supports standard authentication protocols, hence IDCS microservices include platform services such as OpenID Connect, OAuth, SAML2, System for Cross-domain Identity Management++ (“SCIM++”)…………. The OAuth2 platform service provides token authorization services. It provides a rich API infrastructure for creating and validating access tokens conveying user rights to make API calls. It supports a range of useful token grant types, enabling customers to securely connect clients to their services. It implements standard 2-legged and 3-legged OAuth2 token grant types. Support for OpenID Connect (“OIDC”) enables compliant applications (OIDC relaying parties (“RP”s)) to integrate with IDCS as the identity provider (OIDC OpenID provider (“OP”))) [Abdul, para.0079-0081].

Re Claim 20. Abdul in view of Parmar discloses the features of claim 16, Abdul further discloses: wherein the legacy authentication protocol is Kerberos-based (i.e. an IDCS agent Identity Bridge (e.g., ID Bridge 230 of FIG. 2) deployed on-premise generates the Kerberos principal key and sends it to IDCS) [Abdul, para.0206].

Prior art made of record however not relied upon includes:

Aupperle et al. (US Pub. No.2004/0098595) discloses methods of doing business whereby legacy host application/system access is integrated with single sign-on in a modem distributed computing environment. A security token used for signing on to the modem computing environment is leveraged, and is mapped to user credentials for the legacy host environment. These user credentials are programmatically inserted into a legacy host data stream, thereby giving the end user the look and feel of seamless access to all applications/systems, including not only modem computing applications/systems but also those residing on (or accessible through) legacy hosts.

Canning et al. (US Pub. No. 2013/0318569) discloses a resource request destined to a legacy system is receiving from a requestor with the resource request including an access token and being on behalf of a resource owner. A validation process is performed on the access token. If the access token is valid, the approach identifies the resource owner and one or more legacy access tokens used to access the legacy system. Another request is formed with the new request including the legacy access tokens. The new request is transmitted to the legacy system and a response is received back from the legacy system. The response received from the legacy system is transmitted back to the requestor.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434