SYSTEMS AND METHODS FOR CLOUD FEDERATED TOKEN JUST IN TIME AUTHORIZATION

§103 §DP

DETAILED ACTION Claims 5-7, 10, 14-16 were cancelled in a preliminary amendment. Claims 1-4, 8, 9, 11-13 and 17-19 have been examined. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Priority The current application is a Continuation of 17506954, filed 10/21/2021, now U.S. Patent No. 12,155,640. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1-3, 8, 11-13, and 17 of the current application, hereinafter “625”, are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-3, 6, 8-10, and 13 of U.S. Patent No. US 12155640 B2, hereinafter “640”. Although the claims at issue are not identical, they are not patentably distinct from each other because claim 1 of “625” and claim 1 of “640” are directed to “A method for cloud federated token just in time authorization, comprising: receiving, by a cloud authentication services computer program, authenticating information for a user from an active directory federation service computer program”, as well as “querying, by the cloud authentication services computer program, a plurality of backend services to validate the authenticating information” and “communicating, by the cloud authentication services computer program, validation to the active directory federation service computer program, wherein the active directory federation service computer program is configured to generate a security token comprising one or more assertion, wherein the assertion comprises a limit on a session with the user at a cloud platform, and wherein the cloud platform is configured to receive the security token and a trusted federated endpoint executed by the cloud platform is configured to enforce the limit on the session”. Further claim 11 of “625” and claim 8 of “640” are directed to “ A system, comprising: a federation server executing a cloud authentication service computer program and an active directory federation service computer program, wherein the cloud authentication service computer program receives authenticating information for a user from the active directory federation service computer program; a plurality authentication backend services that receive a validation query from cloud authentication services computer program comprising authenticating information and validates the authenticating information”, as well as “and a cloud platform executing a trusted federated endpoint that receives an authentication token comprising a limit on a session with the user from the active directory federation service computer program and enforces the limit on the session.” Therefore, patent claims 1 and 8 of “640” are in essence a “species” of the generic invention of application claim “625”. It has been held that a generic invention is “anticipated” by a “species” within the scope of the generic invention. See In re Goodman, 29 USPQ2d 2010 (Fed. Cir. 1993). Claims 2, 3, 8, 12, 13, and 17 of “625” correlate to claims 2, 3, 6, 9, 10, and 13 of “640”, respectively. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim 1, 4, 8, 9, 11, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent No. US 10841316 B2 to Innes et al., hereinafter Innes, and further in view of United States Patent Application Publication No. US 20130332982 A1 to Rao et al., hereinafter Rao. Regarding claim 1, Innes teaches a method for cloud federated token just in time authorization, comprising: communicating, by the cloud authentication services computer program, validation to the active directory federation service computer program, wherein the active directory federation service computer program is configured to generate a security token comprising one or more assertion (column 33, lines 63-67, “implement a federated full domain (e.g., Active Directory (AD) ) logon”, column 34, lines 1-30, column 39, lines 26-36, column 54, lines 45-52, “A federated identity provider may comprise a cloud directory (e.g., AZURE Active Directory) that supports alternative authentication methods, such as biometrics.”, and column 56, lines 54-61, “a user 1620 may authenticate via a cloud directory 1720, such as in response to the request to reconnect. In response to the user authenticating via the cloud directory 1720, in step 1702, the cloud directory 1720 may issue a federation token (e.g., SAML token) to the gateway server 1630, with a claim that indicates the user is outside a corporate office and/or using a device 1722 that is not managed.”), wherein the assertion comprises a limit on a session with the user at a cloud platform, and wherein the cloud platform is configured to receive the security token and a trusted federated endpoint executed by the cloud platform is configured to enforce the limit on the session (column 36, lines 59-67, “a time period of validity”, column 37, lines 1-4 and 26-29, “Time-limited certificates may be valid for minutes, hours, days, or even shorter or longer.”, and column 59, lines 15-24, “the OS may determine that the current time is within a threshold time of the expiration time”). Innes teaches the claimed invention, as cited above. However, Innes is not relied upon to teach the claim limitations pertaining to “*receiving, by a cloud authentication services computer program, authenticating information for a user from an active directory federation service computer program; querying, by the cloud authentication services computer program, a plurality of backend services to validate the authenticating information”. Rao teaches said claim limitations, as cited below. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Rao with the teachings of Innes to provide “a collection of hardware and software ("cloud infrastructure") forming a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services, etc.) that can be suitably provisioned to provide on-demand self-service, network access, resource pooling, elasticity and measured service, among other features. In one example, DVS network 14 may represent a cloud infrastructure configured to run a single instance of software architecture that hosts multiple separate zones, each of which can server a separate group of users with a specific service profile corresponding to the respective tenant's service profile” (Rao – paragraph 14). Further regarding claim 1, Rao discloses receiving, by a cloud authentication services computer program, authenticating information for a user from an active directory federation service computer program; querying, by the cloud authentication services computer program, a plurality of backend services to validate the authenticating information (paragraph 30, “current sign-on technologies, such as Microsoft Active Directory Federation Services (ADFS) used in the cloud infrastructure allow users to access their virtual desktops in a transparent single sign-on way, but create shadow accounts that are part of the backend cloud infrastructure.”, and paragraph 47, “AAA server 26 may query backend identity databases to validate user credentials 32 and send user policy 34. Typical backend databases include Microsoft Active Directory, Novell eDirectory, and Lightweight Directory Access Protocol (LDAP)”). In assessing whether a claim to a combination of prior art elements/steps would have been obvious, the question to be asked is whether the improvement of the claim is more than the predictable use of prior art elements or steps according to their established functions. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007). “[T]he analysis need not seek out precise teachings directed to the specific subject matter of the challenged claim, for a court can take account of the inferences and creative steps that a person of ordinary skill in the art would employ.” Id. at 418. It is well established that in evaluating references it is proper to take into account not only the specific teachings of the references but also the inferences which one skilled in the art would reasonably be expected to draw therefrom. In re Preda, 401 F.2d 825, 826 (CCPA 1968). Regarding claim 4, Innes teaches, wherein the authenticating information comprises multifactor authentication appliance data, a user role, and/or a ticket identifier (column 21, lines 7-15, “these users may authenticate using an OTP 620 such as by using a hardware OTP system like SecureID (OTPs may be provided by different vendors also, such as Entrust or Gemalto)”). Regarding claim 8, Innes teaches wherein the limit comprises a time limit (column 36, lines 59-67, “a time period of validity”, column 37, lines 1-4 and 26-29, “Time-limited certificates may be valid for minutes, hours, days, or even shorter or longer.”, and column 59, lines 15-24, “the OS may determine that the current time is within a threshold time of the expiration time”). Regarding claim 9, Innes teaches reviewing, by the cloud authentication services computer program, a log file from the cloud platform, wherein the log file comprises an activity performed by the user during the session; and verifying, by the cloud authentication services computer program, that the activity was authorized (column 45, lines 10-17, column 48, lines 63-67, and column 49, lines 1-15). Regarding claim 11, Innes discloses a system, comprising: a federation server executing a cloud authentication service computer program and an active directory federation service computer program (column 33, lines 63-67, “implement a federated full domain (e.g., Active Directory (AD) ) logon”, column 34, lines 1-30, column 46, lines 41-44, “a system where users can easily and quickly logged on to an Active Directory user account using certificates”, and lines 61-65, “A third party IdP 1551 may send an identity confirmation token (e.g., a SAML token) to a federation server 1553. The federation server 1553 may send the token to the application store 1511, which may forward the token to a delivery controller 1513”, column 54, lines 45-52, “A federated identity provider may comprise a cloud directory (e.g., AZURE Active Directory) that supports alternative authentication methods, such as biometrics.”, and column 56, lines 54-61, “a user 1620 may authenticate via a cloud directory 1720, such as in response to the request to reconnect. In response to the user authenticating via the cloud directory 1720, in step 1702, the cloud directory 1720 may issue a federation token (e.g., SAML token) to the gateway server 1630, with a claim that indicates the user is outside a corporate office and/or using a device 1722 that is not managed.”), and a cloud platform executing a trusted federated endpoint that receives an authentication token comprising a limit on a session with the user from the active directory federation service computer program and enforces the limit on the session (column 36, lines 59-67, “a time period of validity”, column 37, lines 1-4 and 26-29, “Time-limited certificates may be valid for minutes, hours, days, or even shorter or longer.”, and column 59, lines 15-24, “the OS may determine that the current time is within a threshold time of the expiration time”). Innes discloses the claimed invention, as cited above. However, Innes is not relied upon to disclose the claim limitations pertaining to “wherein the cloud authentication service computer program receives authenticating information for a user from the active directory federation service computer program; a plurality authentication backend services that receive a validation query from cloud authentication services computer program comprising authenticating information and validates the authenticating information”. Rao discloses said claim limitations, as cited below. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Rao with the teachings of Innes to provide “a collection of hardware and software ("cloud infrastructure") forming a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services, etc.) that can be suitably provisioned to provide on-demand self-service, network access, resource pooling, elasticity and measured service, among other features. In one example, DVS network 14 may represent a cloud infrastructure configured to run a single instance of software architecture that hosts multiple separate zones, each of which can server a separate group of users with a specific service profile corresponding to the respective tenant's service profile” (Rao – paragraph 14). Further regarding claim 11, Rao discloses wherein the cloud authentication service computer program receives authenticating information for a user from the active directory federation service computer program; a plurality authentication backend services that receive a validation query from cloud authentication services computer program comprising authenticating information and validates the authenticating information (paragraph 30, “current sign-on technologies, such as Microsoft Active Directory Federation Services (ADFS) used in the cloud infrastructure allow users to access their virtual desktops in a transparent single sign-on way, but create shadow accounts that are part of the backend cloud infrastructure.”, and paragraph 47, “AAA server 26 may query backend identity databases to validate user credentials 32 and send user policy 34. Typical backend databases include Microsoft Active Directory, Novell eDirectory, and Lightweight Directory Access Protocol (LDAP)”). In assessing whether a claim to a combination of prior art elements/steps would have been obvious, the question to be asked is whether the improvement of the claim is more than the predictable use of prior art elements or steps according to their established functions. KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 418 (2007). “[T]he analysis need not seek out precise teachings directed to the specific subject matter of the challenged claim, for a court can take account of the inferences and creative steps that a person of ordinary skill in the art would employ.” Id. at 418. It is well established that in evaluating references it is proper to take into account not only the specific teachings of the references but also the inferences which one skilled in the art would reasonably be expected to draw therefrom. In re Preda, 401 F.2d 825, 826 (CCPA 1968). Regarding claim 17, Innes discloses wherein the limit comprises a time limit (column 36, lines 59-67, “a time period of validity”, column 37, lines 1-4 and 26-29, “Time-limited certificates may be valid for minutes, hours, days, or even shorter or longer.”, and column 59, lines 15-24, “the OS may determine that the current time is within a threshold time of the expiration time”). Regarding claim 18, Innes discloses wherein a log session review computer program further receives a log file comprising an activity performed by the user during the session from the cloud platform and verifies that the activity was authorized (column 45, lines 10-17, “log the user in using AD smart card authentication”, column 48, lines 63-67, and column 49, lines 1-15). Claims 2, 3, 12, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Innes and Rao as applied to independent claims 1 and 11 above, and further in view of United States Patent Application Publication No. US 20100250497 A1 to Redlich et al., hereinafter Redlich. Innes and Rao teach the claimed invention, as cited above. However, Innes and Rao are not relied upon to teach the claim limitation pertaining to “wherein the active directory federation service computer program comprises a dynamic-link library (DLL) plugin”. Redlich teaches said claim limitation, as cited below. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Redlich with the teachings of Innes and Rao “as a solution for security in complex workflows as opposed to point solutions for files, records, or databases.” (Redlich – paragraph 836). Regarding claim 2, Redlich teaches wherein the active directory federation service computer program comprises a dynamic-link library (DLL) plugin (paragraphs 840 and 1085). The obviousness to combine for claim 2 also pertains to claim 12. Innes and Rao teach the claimed invention, as cited above. However, Innes and Rao are not relied upon to teach the claim limitation pertaining to “wherein the DLL plugin comprise a HTML form with a plurality of security questions”, Redlich teaches said claim limitation, as cited below. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Redlich with the teachings of Innes so as to “increase the necessary security levels permitted to access and generate full or partial plaintext recreation.” (Redlich – paragraph 3022). Regarding claim 3, Redlich teaches wherein the DLL plugin comprise a HTML form with a plurality of security questions (paragraph 3019, “multiple choice questions and answers”, and paragraph 3061, “challenge questions and answers”). The obviousness to combine for claim 3 also pertains to claim 13. Innes and Rao disclose the claimed invention, as cited above. However, Innes and Rao are not relied upon to disclose the claim limitation pertaining to “wherein the federation server further comprises a dynamic-link library (DLL) plugin used by the active directory federation service computer program”. Redlich discloses said claim limitation, as cited below. Regarding claim 12, Redlich discloses wherein the federation server further comprises a dynamic-link library (DLL) plugin used by the active directory federation service computer program (paragraphs 840 and 1085). Innes and Rao disclose the claimed invention, as cited above. However, Innes and Rao are not relied upon to disclose the claim limitation pertaining to “wherein the DLL plugin comprise a HTML form with a plurality of security questions”. Redlich discloses said claim limitation, as cited below. Regarding claim 13, Redlich discloses wherein the DLL plugin comprise a HTML form with a plurality of security questions (paragraph 3019, “multiple choice questions and answers”, and paragraph 3061, “challenge questions and answers”). Allowable Subject Matter Claim 19 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The references cited on form PTO-892 are cited to further show the state of the art with respect to authentication and authorization within a federated cloud computing environment. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMIAH L AVERY whose telephone number is (571)272-8627. The examiner can normally be reached M-F 8:30am -5:00pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JEREMIAH L AVERY/Primary Examiner, Art Unit 2431