DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/09/2020 has been entered.
 
Status of Claims
The present application is being examined under the AIA  first to file provisions.
This action is in reply to the RCE filed on 12/09/2020.
Claims 1, 11, and 17 have been amended and are hereby entered.
Claims 2 and 12 have been cancelled.
Claims 1, 3-11, and 13-20 are currently pending and have been examined.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 3-11, and 13-20 rejected under 35 USC 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-7, 10-15, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Bolla (US Patent Application Publication 20190392428), “Bolla” in view of Wood, et al. (US Patent 6691232 B1), “Wood” in view of Bar, et al. (US Patent Application Publication 20170289168), “Bar”.
As per claim 1, Bolla discloses:
A method comprising receiving a connection request from a partner device having obtained consent from a client device to connect to a first client account within a secure platform, the connection request including a demographic attribute associated with the first client account; wherein in Examiner is interpreting the user opting-in to be akin to providing consent, the authentication credential is akin to the demographic attribute, and the first account to be the digital wallet account which provides payment credentials to a service provider via a secure channel created [0018], [0039], [0054-0060] Interface 1100 displays a transaction processor website 1102 after re-routing and navigation of user A's device to transaction processor website 1102 from credit card website 1002. Transaction processor website 1102 includes a digital wallet A 1104 for an account 1106, where digital wallet A 1104 may allow the user to perform various processes, including authentication through login/logout 1108… Once navigated to the transaction processor's digital wallet platform, the user may be required to authenticate their identity/credentials with the transaction processor for the digital wallet account if the user's device is not previously authenticated. The user may enter authentication credentials or other data (e.g., a token for the digital wallet) for the user's digital wallet if required, and the transaction processor's platform may provide one or more digital wallet interfaces for the user's digital wallet… FIG. 3A is a flowchart 300a of a process to setup a secure link between service providers and utilize the link for electronic transaction processing through a digital wallet, according to an embodiment. Flowchart 300a corresponds to a process executed by the devices and servers discussed in reference to system 100 of FIG. 1…In flowchart 300a, a client device may first access a service provider's website or other online platform at step 1. The website may provide a billing portal and billing account used to process payments for electronic bills generated for a purchase of goods or services by the user, and may be a recurring bill. At step 2, the user utilizes their client device to opt-in to digital wallet pull requests on the website of the service provider, which may be performed through selection of a link or other website interface option…The secure link may correspond to a communication channel that allows secure exchange of data from the transaction processor to the service provider and is particular to the user's digital wallet and/or particular payment flow for the billing account with the service provider. Using the secure link established for the billing account, the transaction processor may pull account data to the user's digital wallet at step 6.
matching the demographic attribute to client information associated with the first client account; [0047] Additionally, transaction processor server 130 includes database 134. As previously discussed, the user and/or the merchant may establish one or more digital wallets and/or accounts with transaction processor server 130. Digital wallets and/or accounts in database 134 may include user information, such as name, address, birthdate, payment instruments/funding sources, additional user financial information, user preferences, and/or other desired user data. Users may link to their respective digital wallets and/or payment accounts through an account, user, merchant, and/or device identifier. Thus, when an identifier is transmitted to transaction processor server 130, e.g., from user device 110, one or more digital wallets and/or payment accounts belonging to the users may be found. Database 134 may also digital wallet information and unique payment flows generated for digital wallets, as well as data for the unique payment flows, such as encryption keys and virtual account numbers.
authenticating a second client account via the login page, wherein the second client account is associated with the first client account; wherein Examiner is interpreting the first account to be the account associated with the digital wallet, and the second account could be either an account associated with a payment account registered with the user, or a billing account associated with user, the accounts associated with each other by virtue of being link to the same user and used for making/receiving payments between the accounts [0012-0013], [0043], [0051], and [0054] Transaction processing application 140 may correspond to one or more processes to execute software modules and associated specialized hardware of transaction processor server 130 to provide payment and transaction processing services to merchants and users, for example though an account and/or payment instruments of the user in a digital wallet for the account, where the services may further be used to provide digital wallet processes to link the digital wallet to a payment account with service provider server 120 and provide payments for electronic bills. In this regard, transaction processing application 140 may correspond to specialized hardware and/or software to provide transaction processing and payment services through accounts, including digital wallets storing payment instruments…In order to establish an account to send and receive payments, transaction processing application 140 may receive information requesting establishment of the account. The information may include user personal, business, and/or financial information. Additionally the information may include a login, account name, password, PIN, or other account creation information. The entity establishing the account may provide a name, address, social security number, or other personal or business information necessary to establish the account and/or effectuate payments through the account.
Bolla does not expressly disclose the following, Wood, however discloses:
sending, to the partner device, an identifier and a universal resource locator link (URL-link) including a depreciating token, the identifier identifying the connection request; wherein Examiner is interpreting the session credentials/identifier (supplied as a session token) to be akin to the depreciating token, with it depreciating by expiring after a certain amount of time, col, 5 lines 49-col. 6 line 28, col. 8 lines 3-12, col. 9 lines 27-67, col. 10 lines 30-57, and col. 15 lines 37-48, col. 13 lines 49-col. 14 line 7 Login component 120, operating in conjunction with gatekeeper/entry handler component 110 and other components of the security architecture, provides a single sign-on interface for access to enterprise applications and/or resources 190… If the entity requesting access has not yet been authenticated to the trust level required for the particular access to the particular enterprise application or information resource requested, authorization component 140 may indicate that the access request is to be redirected to login component 120 so that login credentials may be obtained and authenticated to a particular trust level… A session token is passed to browser 170 in conjunction with the redirect (5) to login component 120… Gatekeeper/entry handler component 110 supplies authorization component 140 with an identifier for the requested resource (e.g., the requested URL) and an identifier for the associated session… In any case, authorization component 140 receives (3) the requested resource and session identifiers and responds (4) in accordance with the trust level requirement of the requested resource… More generally, gatekeeper/entry handler component 110 obtains and/or maintains information such as connect location (if ascertainable), temporal information such as request time/date, session start time/date, etc. (preferably in both the client entity's frame of reference and the security architecture or requested information resource's frame of reference, if location is ascertainable), and client type and/or capabilities (e.g., browser type and Java Development Kit (JDK) level)… Typically, session credentials and/or an associated session token encode an expiration time (see description, below, of FIG. 4)
redirecting the client device to a login page based on the URL-link; col. 8 lines 40-47, col. 10 lines 13-35, In an exemplary configuration, authorization component 140 responds with an ALLOW, REDIRECT, or REFUSE response based on the sufficiency of a current trust level... In response to a REDIRECT response (4), gatekeeper/entry handler component 110 redirects (5) browser 170 to login component 120… A session token is passed to browser 170 in conjunction with the redirect (5) to login component 120.
in response to the authenticating, receiving a verification request including the identifier and the depreciating token; col. 13 lines 45-50, col. 16 lines 5-29, col. 18 lines 16-23 As described above, authorization component 140 may be queried using session credentials and an identifier for the requested resource to determine sufficiency of previously authenticated credentials... Assuming that at least one authentication scheme is available that, if successful, will support the required trust level, login credentials of that type are obtained (210) for the entity and authenticated (211)…The now sufficiently authorized request is proxied (204) and results are streamed back (205) to the requesting client entity. Updated or refreshed session credentials are typically supplied as a session token (e.g., a cookie) encoded with the streamed results…Signed session credentials, typically embodied as a cryptographically secured session token that may be stored as a cookie, are passed back to browser 302 with results of the requested access. 
determining a temporal value corresponding to a creation time of the depreciating token; col. 19 line 42 – col. 20 line 39, In addition, session credentials of limited temporal validity may be refreshed by periodic replacement. In the configuration of session credentials structure 420, creation time and expiration time allow the security architecture to improve resistance to replay attacks. Session credentials typically have a relatively short expiration time (e.g., 15 minutes from creation or less) and underlying login credentials will be reauthenticated prior to expiration of the session credential. Assuming that the underlying login credentials, which are stored under the public key of authentication component 130, remain valid, authentication component 130 will issue a replacement cryptographically secured session credential (e.g., as session credentials structure 420). Depending on then current trust level mappings and, in some configurations, depending on then current environment parameters, the authorization accorded by the security architecture and encoded as a trust level may differ from that encoded in the session credential replaced.
It would have been obvious to one having ordinary skill in the art at the time the invention was filed to modify Bolla with the ability to use session tokens which expire and require users to authenticate by logging in for determining whether a resource can be accessed as taught by Wood, doing so allows for sessions to be tracked and security policies to be enforced for accessing a resource improving the security [Wood, col. 6 lines 44-64].
Bolla does not expressly disclose the following, Bar, however discloses:
determining a security context based on comparing the temporal value to a plurality of predetermined values, wherein the plurality of predetermined values comprises at least three different values; and [0057], [0084] Some embodiments of contextual information extractor 284 determine contextual information related to a user interaction or activity event such as entities identified in a user activity or related to the activity… By way of example and not limitation, this may include context features such as…user device characteristics or user device identification information regarding the device on which the user carried out the activity; duration of the user activity, other user activity/activities preceding and/or following the user activity (such as sequences or types of websites visited (e.g., a financial website or a secure website that requires credentials in order to access), a sequence of online searches conducted… An authenticity confidence score (or authenticity score) may be determined in an ongoing or continuous manner, periodically, or as needed using various input user-data sensed, detected, or otherwise determined via the user device(s), as described herein… Further, in some embodiments, the authenticity score may diminish over time such as based on the freshness or recency of the user-related activity information for the current user. For instance, in an embodiment, after each interval of time (which may be a minute, several seconds, an hour, etc.) the authenticity score may be decreased. In this way, the user's legitimacy must be periodically or occasionally re-determined… As a practical consequence of such embodiments, it may be the case that a particular user, who initially has an authenticity score high enough to have access to multiple secure computing resources, may after a period of time has expired, no longer have access to some of those secure computing resources because the authenticity score has dropped below a threshold required to access those secure computing resources. For example, suppose an email service (a secure computing resource) requires that the authenticity score satisfy a first threshold and a mobile banking application (another secure computing resource) requires that the authenticity score satisfy a second threshold, which is higher than the first threshold. A legitimate user may start a user session with an authenticity score high enough to have access to both her email account and mobile banking application. But in an embodiment where after a duration of time, if the authenticity score is not re-computed, it is decreased, after a period of time has passed, the user may no longer have access to her mobile banking application, which requires the higher authenticity score to access. But the user still may have access to her email account. In some instances, after additional time passes, without re-determining the authenticity score, the user's authenticity score may drop low enough that the user no longer has access to the email account.
creating a communication connection between the second client account and the partner device within the secure platform according to the determined security context. see fig. 2 system 200, akin to the platform, [0035], [0057], [0084], [0120] An authenticity confidence score (or authenticity score) may be determined in an ongoing or continuous manner, periodically, or as needed using various input user-data sensed, detected, or otherwise determined via the user device(s), as described herein…At step 450, if the determined authentication confidence score indicates the current user is likely the legitimate user, then the current user is granted access to the secure computing resource. Alternatively, at step 460, if the determined authentication confidence score does not indicate that the current user is likely to be the legitimate user, then access to the secure computing resource is restricted. Embodiments of steps 450 and 460 control access to the secure computing resource based on the determined legitimacy of the current user. In an embodiment, access is controlled or managed by a credentials manager, such as credentials manager 270 of system 200, described in connection to FIG. 2. Thus in one embodiment, step 450 may be carried out by credentials manager 270 of system 200.
It would have been obvious to one having ordinary skill in the art at the time the invention was filed to modify Bolla with the ability to degrade the confidence score over time such that different resources may be accessed based on the level of confidence as taught by Bar, doing so further allows for separate thresholds to be used for accessing different resources which allows the different resources to have difference authenticity score requirements [0084].


As per claim 3, Bolla does not expressly disclose the following, Wood, however discloses:
wherein creating the communication connection within the secure platform comprises: establishing the communication connection between the second client account and the partner device based on the security context indicating that an age of the depreciating token is less than a predetermined value. col. 9 lines 26-67, col. 20 lines 18-24, Gatekeeper/entry handler component 110 supplies authorization component 140 with an identifier for the requested resource (e.g., the requested URL) and an identifier for the associated session… In configurations for which sensitivity to a changing environment is desired, environment information may also be supplied to authorization component 140. In an exemplary configuration, authorization component 140 responds with an ALLOW, REDIRECT, or REFUSE response based on the sufficiency of a current trust level. In some configurations, authorization component 140 dynamically calculates a current trust level based on the signed session credentials and environment information. In others, authorization component 140 may base its ALLOW, REDIRECT, or REFUSE response on a "current" trust level previously associated with the signed session credentials. Generally, an access request with sufficient current trust level is ALLOWED and forwarded (14) without further authentication… In the configuration of session credentials structure 420, creation time and expiration time allow the security architecture to improve resistance to replay attacks. Session credentials typically have a relatively short expiration time (e.g., 15 minutes from creation or less) and underlying login credentials will be reauthenticated prior to expiration of the session credential.
It would have been obvious to one having ordinary skill in the art at the time the invention was filed to modify Bolla with the ability to use session tokens which expire after a certain amount time and trust level based on environmental factors as taught by Wood, doing so allows for sessions to be tracked and security policies to be enforced for accessing a resource improving the security, and reduce the risk of replay attacks [Wood, col. 6 lines 44-64, col. 20 lines 14-20]

As per claim 4, Bolla discloses:
further comprising sending, to the client device, a notification indicating that the communication connection between the second client account and the partner device has been created. wherein the Examiner is interpreting the being able to view the electronic bill in the wallet to be akin to the being notified that the connection is created [0030] The user may request that the billing account be linked to the digital wallet generated by digital wallet application 112. After set-up of a unique payment flow for the digital wallet to provide payments for the billing account by transaction processor server 130, digital wallet application 112 may be used to access the digital wallet, view the electronic bill and/or billing account data through the digital wallet, and process payments using the unique flow.

As per claim 5, Bolla discloses:
receiving a task from the partner device; and wherein in the Examiner is interpreting the bill received that needs payment to be akin to the task (the task being paying the bill) [0030] The user may request that the billing account be linked to the digital wallet generated by digital wallet application 112. After set-up of a unique payment flow for the digital wallet to provide payments for the billing account by transaction processor server 130, digital wallet application 112 may be used to access the digital wallet, view the electronic bill and/or billing account data through the digital wallet, and process payments using the unique flow. Additionally, digital wallet application 112 may be used to end the communication link and delete the unique flow after completion of billing.
assigning the task to the second client account via the communication connection between the second client account and the partner device.  wherein in the Examiner is interpreting using the wallet to process the payment for the bill to be akin to assigning the task [0030] The user may request that the billing account be linked to the digital wallet generated by digital wallet application 112. After set-up of a unique payment flow for the digital wallet to provide payments for the billing account by transaction processor server 130, digital wallet application 112 may be used to access the digital wallet, view the electronic bill and/or billing account data through the digital wallet, and process payments using the unique flow. Additionally, digital wallet application 112 may be used to end the communication link and delete the unique flow after completion of billing.

As per claim 6, Bolla discloses:
further comprising performing a transaction, via the secure platform, between the second client account and the partner device in response to the assigned task.  [0030] The user may request that the billing account be linked to the digital wallet generated by digital wallet application 112. After set-up of a unique payment flow for the digital wallet to provide payments for the billing account by transaction processor server 130, digital wallet application 112 may be used to access the digital wallet, view the electronic bill and/or billing account data through the digital wallet, and process payments using the unique flow. Additionally, digital wallet application 112 may be used to end the communication link and delete the unique flow after completion of billing.

As per claim 7, Bolla does not expressly disclose the following, Wood, however discloses:
wherein the demographic attribute is a first demographic attribute, and creating the communication connection within the secure platform comprises: requesting a second demographic attribute from the partner device based on the security context indicating that an age of the depreciating token is greater than a first predetermined value; col. 2 lines 45-62, col. 3 line 34-45, col. 8 lines 55-60 col. 21 lines 28-32,  As a result, security architectures and log-on services in accordance with some embodiments of the present invention allow an enterprise to add, modify or remove authentication schemes or implementations without modification of the information resources. Some configurations employ pluggable authentication module (PAM) technology. Furthermore, security architectures and log-on services configurations in accordance with some embodiments of the present invention allow authentication to be performed in accordance changing security requirements. For example, if a particular authentication service is deemed insecure (e.g., because compromised or because of a changing threat profile), the trust-level mappings to specific authentication services can be updated and have enterprise-wide effect… In still yet another embodiment in accordance with the present invention, a method of providing sign-on in a networked information environment includes directing a request for access to a first information resource from an insufficiently authenticated client entity to a credential gathering service, associating a first trust level requirement with the access to the first information resource, selecting from plural credential types, a credential type having an associated trust level commensurate with the first trust level requirement, obtaining a credential of the selected credential type for the client entity, and authenticating the obtained credential…Additionally, particular mappings may depend environment information. Furthermore, evaluation of mapping rules may be performed in a variety of functional components such as an authorization service, a credential gathering service or a gatekeeper… Components of session state (e.g., in some configurations, principal id, session id, authenticated trust level, group ids and/or roles, creation time, expiration time, etc.) are maintained or advanced throughout the duration of a session.
requesting a third demographic attribute from the client device; col. 3 lines 10-23, In another embodiment in accordance with the present invention, a credential gathering service provides a single sign-on for sessions that potentially include access to plural information resources having differing security requirements. In particular, the credential gathering service includes an input port configured to receive an access request identifying an initiating client entity, means for associating a trust level requirement with the access request, an encoding of correspondence between trust levels and credential types, selection logic for selecting (in accordance with the encoding) a credential type corresponding to the trust level requirement, and a credential obtaining interface for requesting and receiving a credential of the selected credential type for the initiating client entity.
verifying that the second demographic attribute matches the third demographic attribute; and col. 3 lines 24-33 In still another embodiment in accordance with the present invention, a method of providing a single sign-on for plural information resources includes associating credential types with trust levels, specifying for each information resource, required ones of the trust levels for accesses thereto, obtaining at least one credential corresponding to a client entity and authenticating the client entity thereby, and permitting access to any of the information resources having a specified trust level requirement commensurate with the trust level associated with the authenticated at least one credential.
establishing the communication connection between the second client account and the partner device based on the verifying. col. 3 lines 24-33 In still another embodiment in accordance with the present invention, a method of providing a single sign-on for plural information resources includes associating credential types with trust levels, specifying for each information resource, required ones of the trust levels for accesses thereto, obtaining at least one credential corresponding to a client entity and authenticating the client entity thereby, and permitting access to any of the information resources having a specified trust level requirement commensurate with the trust level associated with the authenticated at least one credential.
It would have been obvious to one having ordinary skill in the art at the time the invention was filed to modify Bolla with the ability to use mappings for security schemes to determine the credentials required to access a resources as taught by Wood, doing so allows different resources to have different security requirements for access the resource [Wood, col. 3 lines 10-33]

As per claim 10, Bolla discloses:
wherein the demographic attributes include a name, an email address, or a telephone number associated with the client account. [0047] Digital wallets and/or accounts in database 134 may include user information, such as name, address, birthdate, payment instruments/funding sources, additional user financial information, user preferences, and/or other desired user data. Users may link to their respective digital wallets and/or payment accounts through an account, user, merchant, and/or device identifier. Thus, when an identifier is transmitted to transaction processor server 130, e.g., from user device 110, one or more digital wallets and/or payment accounts belonging to the users may be found.

As per claim 17, Bolla discloses:
A system comprising: [0071]
a memory; [0071]
one or more processors and/or circuits coupled to the memory and configured to: [0071] 
receive a connection request including a demographic attribute associated with a first client account; wherein in Examiner is interpreting the user opting-in to be akin to providing consent, and the authentication credential is akin to the demographic attribute, and the first account to be the digital wallet account which provides payment credentials to a service provider via a secure channel created [0018], [0039], [0054-0060] Interface 1100 displays a transaction processor website 1102 after re-routing and navigation of user A's device to transaction processor website 1102 from credit card website 1002. Transaction processor website 1102 includes a digital wallet A 1104 for an account 1106, where digital wallet A 1104 may allow the user to perform various processes, including authentication through login/logout 1108… Once navigated to the transaction processor's digital wallet platform, the user may be required to authenticate their identity/credentials with the transaction processor for the digital wallet account if the user's device is not previously authenticated. The user may enter authentication credentials or other data (e.g., a token for the digital wallet) for the user's digital wallet if required, and the transaction processor's platform may provide one or more digital wallet interfaces for the user's digital wallet… FIG. 3A is a flowchart 300a of a process to setup a secure link between service providers and utilize the link for electronic transaction processing through a digital wallet, according to an embodiment. Flowchart 300a corresponds to a process executed by the devices and servers discussed in reference to system 100 of FIG. 1…In flowchart 300a, a client device may first access a service provider's website or other online platform at step 1. The website may provide a billing portal and billing account used to process payments for electronic bills generated for a purchase of goods or services by the user, and may be a recurring bill. At step 2, the user utilizes their client device to opt-in to digital wallet pull requests on the website of the service provider, which may be performed through selection of a link or other website interface option…The secure link may correspond to a communication channel that allows secure exchange of data from the transaction processor to the service provider and is particular to the user's digital wallet and/or particular payment flow for the billing account with the service provider. Using the secure link established for the billing account, the transaction processor may pull account data to the user's digital wallet at step 6.
match the demographic attribute to client information associated with the first client account; [0047] Additionally, transaction processor server 130 includes database 134. As previously discussed, the user and/or the merchant may establish one or more digital wallets and/or accounts with transaction processor server 130. Digital wallets and/or accounts in database 134 may include user information, such as name, address, birthdate, payment instruments/funding sources, additional user financial information, user preferences, and/or other desired user data. Users may link to their respective digital wallets and/or payment accounts through an account, user, merchant, and/or device identifier. Thus, when an identifier is transmitted to transaction processor server 130, e.g., from user device 110, one or more digital wallets and/or payment accounts belonging to the users may be found. Database 134 may also digital wallet information and unique payment flows generated for digital wallets, as well as data for the unique payment flows, such as encryption keys and virtual account numbers.
the partner platform configured to embed a web application associated with the web application identifier into a partner website; [0017], [0029] The entity and the transaction processor providing the digital wallet may previously be integrated so that the entity's platform may automatically provide the link in an interface and allow navigation to the transaction processor and the user's digital wallet. In other embodiments, the user may be required to enter a navigation address, token, or snippet of code to the entity's platform in an interface field (e.g., payment information input field), which may cause the entity's platform to navigate the transaction processor and identify the user's digital wallet for generation of the unique flow…In this regard, digital wallet application 112 may correspond to specialized hardware and/or software utilized by a user of user device 110 that may be used to access a website or an application interface of transaction processor server 130 that allows user device 110 to establish an account and generate a digital wallet having financial information used to process transactions with service provider server 120 for electronic bills.
Bolla does not expressly disclose the following, Wood, however discloses:
send, to a partner platform, a connection-request identifier and a web application identifier including a depreciating token, col, 5 lines 49-col. 6 line 28, col. 7 lines 34-57,  col. 8 lines 3-12, col. 9 lines 27-67, col. 10 lines 30-57, and col. 15 lines 37-48 Login component 120, operating in conjunction with gatekeeper/entry handler component 110 and other components of the security architecture, provides a single sign-on interface for access to enterprise applications and/or resources 190… If the entity requesting access has not yet been authenticated to the trust level required for the particular access to the particular enterprise application or information resource requested, authorization component 140 may indicate that the access request is to be redirected to login component 120 so that login credentials may be obtained and authenticated to a particular trust level… A session token is passed to browser 170 in conjunction with the redirect (5) to login component 120… Gatekeeper/entry handler component 110 supplies authorization component 140 with an identifier for the requested resource (e.g., the requested URL) and an identifier for the associated session… In any case, authorization component 140 receives (3) the requested resource and session identifiers and responds (4) in accordance with the trust level requirement of the requested resource… More generally, gatekeeper/entry handler component 110 obtains and/or maintains information such as connect location (if ascertainable), temporal information such as request time/date, session start time/date, etc. (preferably in both the client entity's frame of reference and the security architecture or requested information resource's frame of reference, if location is ascertainable), and client type and/or capabilities (e.g., browser type and Java Development Kit (JDK) level)… Typically, session credentials and/or an associated session token encode an expiration time (see description, below, of FIG. 4)… Focusing then on an exemplary browser-type client entity, browser 170 requests access to one or more of enterprise applications and/or resources 190 (e.g., information resource 191) by presenting an URL to gatekeeper/entry handler component 110, which acts as a point of entry for client entities requesting access to applications and/or resources controlled by the security architecture. Gatekeeper/entry handler component 110 receives the request as a proxy for the requested resource.
receive a verification request including the connection-request identifier and the depreciating token based on the web application authenticating a second client account; col. 13 lines 45-50, col. 16 lines 5-29, col. 18 lines 16-23 As described above, authorization component 140 may be queried using session credentials and an identifier for the requested resource to determine sufficiency of previously authenticated credentials... Assuming that at least one authentication scheme is available that, if successful, will support the required trust level, login credentials of that type are obtained (210) for the entity and authenticated (211)…The now sufficiently authorized request is proxied (204) and results are streamed back (205) to the requesting client entity. Updated or refreshed session credentials are typically supplied as a session token (e.g., a cookie) encoded with the streamed results…Signed session credentials, typically embodied as a cryptographically secured session token that may be stored as a cookie, are passed back to browser 302 with results of the requested access. 
determining a temporal value corresponding to a creation time of the depreciating token; col. 19 line 42 – col. 20 line 39, In addition, session credentials of limited temporal validity may be refreshed by periodic replacement. In the configuration of session credentials structure 420, creation time and expiration time allow the security architecture to improve resistance to replay attacks. Session credentials typically have a relatively short expiration time (e.g., 15 minutes from creation or less) and underlying login credentials will be reauthenticated prior to expiration of the session credential. Assuming that the underlying login credentials, which are stored under the public key of authentication component 130, remain valid, authentication component 130 will issue a replacement cryptographically secured session credential (e.g., as session credentials structure 420). Depending on then current trust level mappings and, in some configurations, depending on then current environment parameters, the authorization accorded by the security architecture and encoded as a trust level may differ from that encoded in the session credential replaced.
create a communication connection between the second client account and a partner device. col. 9 lines 50-55, col. 14 lines 7-25, Depending on the information resource to which access is requested, previously obtained and authenticated login credentials may be insufficient for the trust level requirement associated with requested access 1A. As before, authorization component 140 supplies gatekeeper/entry handler component 110 with an ALLOW, REDIRECT or REFUSE response based on the trust level accorded based on the previously obtained and authenticated login credentials and on the trust level requirement associated with requested access 1A…If, on the other hand, login credentials have already been obtained for the requesting entity and the requesting entity has been authenticated using the obtained credentials such that the required trust level has been achieved, the access will typically be allowed without the need for further login credentials and authentication… Generally, an access request with sufficient current trust level is ALLOWED and forwarded (14) without further authentication.
It would have been obvious to one having ordinary skill in the art at the time the invention was filed to modify Bolla with the ability to use session tokens which expire and require users to authenticate by logging in for determining whether a resource can be accessed as taught by Wood, doing so allows for sessions to be tracked and security policies to be enforced for accessing a resource improving the security [Wood, col. 6 lines 44-64].
Bolla does not expressly disclose the following, Bar, however discloses:
determining a security context based on comparing the temporal value to a plurality of predetermined values, wherein the plurality of predetermined values comprises at least three different values; and [0057], [0084] Some embodiments of contextual information extractor 284 determine contextual information related to a user interaction or activity event such as entities identified in a user activity or related to the activity… By way of example and not limitation, this may include context features such as…user device characteristics or user device identification information regarding the device on which the user carried out the activity; duration of the user activity, other user activity/activities preceding and/or following the user activity (such as sequences or types of websites visited (e.g., a financial website or a secure website that requires credentials in order to access), a sequence of online searches conducted… An authenticity confidence score (or authenticity score) may be determined in an ongoing or continuous manner, periodically, or as needed using various input user-data sensed, detected, or otherwise determined via the user device(s), as described herein… Further, in some embodiments, the authenticity score may diminish over time such as based on the freshness or recency of the user-related activity information for the current user. For instance, in an embodiment, after each interval of time (which may be a minute, several seconds, an hour, etc.) the authenticity score may be decreased. In this way, the user's legitimacy must be periodically or occasionally re-determined… As a practical consequence of such embodiments, it may be the case that a particular user, who initially has an authenticity score high enough to have access to multiple secure computing resources, may after a period of time has expired, no longer have access to some of those secure computing resources because the authenticity score has dropped below a threshold required to access those secure computing resources. For example, suppose an email service (a secure computing resource) requires that the authenticity score satisfy a first threshold and a mobile banking application (another secure computing resource) requires that the authenticity score satisfy a second threshold, which is higher than the first threshold. A legitimate user may start a user session with an authenticity score high enough to have access to both her email account and mobile banking application. But in an embodiment where after a duration of time, if the authenticity score is not re-computed, it is decreased, after a period of time has passed, the user may no longer have access to her mobile banking application, which requires the higher authenticity score to access. But the user still may have access to her email account. In some instances, after additional time passes, without re-determining the authenticity score, the user's authenticity score may drop low enough that the user no longer has access to the email account.
It would have been obvious to one having ordinary skill in the art at the time the invention was filed to modify Bolla with the ability to degrade the confidence score over time such that different resources may be accessed based on the level of confidence as taught by Bar, doing so further allows for separate thresholds to be used for accessing different resources which allows the different resources to have difference authenticity score requirements [0084].

As per Claims 11, and 13-15, claims 11, and 13-15 recite substantially similar limitations to those found in claims 1, 3, 5, and 7, respectively.  Therefor claims 11, and 13-15 are rejected under the same art and rationale as claims 1, 3, 5, and 7.  Furthermore, Bolla discloses a non-transitory computer readable storage medium [0071].
As per Claims 18-19, claims 18-19 recite substantially similar limitations to those found in claims 3, and 7 respectively.  Therefor claims 18-20 are rejected under the same art and rationale as claims 3, and 7.  Furthermore, Bolla discloses a system [0071].

Claims 8, 9, 16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bolla in view of Wood in view of Bar in view of Maria, et al. (US Patent Application Publication 20190372962), “Maria".

As per claim 8, Bolla does not expressly disclose the following, Wood, however discloses:
wherein creating a first connection within the secure platform comprises: rejecting the connection request based on the security context indicating that an age of the depreciating token is greater than a first predetermined value; col. 9 lines 43-55, col. 20 lines 14-29 In some configurations, authorization component 140 dynamically calculates a current trust level based on the signed session credentials and environment information. In others, authorization component 140 may base its ALLOW, REDIRECT, or REFUSE response on a "current" trust level previously associated with the signed session credentials. Generally, an access request with sufficient current trust level is ALLOWED and forwarded (14) without further authentication. An authorization request without proper parameters (e.g., without a specified information resource or without a properly secured session credential) may be REFUSED… In the configuration of session credentials structure 420, creation time and expiration time allow the security architecture to improve resistance to replay attacks. Session credentials typically have a relatively short expiration time (e.g., 15 minutes from creation or less) and underlying login credentials will be reauthenticated prior to expiration of the session credential.
It would have been obvious to one having ordinary skill in the art at the time the invention was filed to modify Bolla with the ability to use session tokens which expire after a certain amount time and trust level based on environmental factors as taught by Wood, doing so allows for sessions to be tracked 
Bolla does not expressly disclose the following, Maria, however discloses:
identifying demographic information associated with the second client account; [0038] For example, the application 125 could be a data analytics program that obtains data from a remote server and processes the data to generate graphical output for display on the Web browser 115. The application 125 may determine whether a resource can be accessed based on one or more security artifacts (e.g., an SSO cookie 152 stored in a data store 129). For example, access may be granted when the data store 129 contains a valid cookie generated by the session engine 132 in response to an earlier authentication of the user. The SSO cookie 152 may be configured based on information about the user and/or the SSO session including, for example, a user identifier (ID) such as a username, a session creation time, and a session validity period (e.g., an idle timeout duration and/or a session expiration time).
sending the demographic information to a partner platform; [0038-0040] The application 125 may be a Web based application that is executed by a computer of the computer system 120 and that is configured to access resources during an SSO session in order to provide application functionality. For example, the application 125 could be a data analytics program that obtains data from a remote server and processes the data to generate graphical output for display on the Web browser 115. The application 125 may determine whether a resource can be accessed based on one or more security artifacts (e.g., an SSO cookie 152 stored in a data store 129). For example, access may be granted when the data store 129 contains a valid cookie generated by the session engine 132 in response to an earlier authentication of the user. The SSO cookie 152 may be configured based on information about the user and/or the SSO session including, for example, a user identifier (ID) such as a username, a session creation time, and a session validity period (e.g., an idle timeout duration and/or a session expiration time)… The SSO cookie 152 may be accessible to multiple enterprise applications or other applications participating in an SSO scheme, so that once the user has been authenticated against a protected resource, the same cookie may be used for accessing protected resources associated with the other applications.
receiving, from the partner platform, a plurality of affiliated connections associated with the second client account, the plurality of affiliated connections determined using the demographic information; and [0038], [0042]-[0043] The application 125 may determine whether a resource can be accessed based on one or more security artifacts (e.g., an SSO cookie 152 stored in a data store 129)… The access manager 130 performs authentication and authorization operations in connection with access requests for resources associated with SSO applications, e.g., the application 125. The access manager 130 can perform authentication and authorization by comparing user supplied credentials to stored credential information for the user… The session engine 132 is configured to create an SSO session in response to successful authentication of the user by the access manager 130. The session engine 132 may configure the SSO session based on an access policy. For example, the access policy may specify that for a particular user or group of users the session should having a certain maximum timeout duration (e.g., a max session timeout parameter), a certain idle timeout duration, a certain application timeout duration, etc. The session information 150 is maintained by the access manager 130 and can be stored locally or on a remote data store accessible to the access manager 130.
presenting the plurality of affiliated connections to the client device. [0044-0045], [0055] When the SSO session is created, the access manager 130 may generate one or more cookies for the session (e.g., the SSO cookie 152) and send the cookie(s) to the application that is requesting access on behalf of the user… Along with setting/sending the cookies and the user identity token, the access manager 130 may provide access to the resource identified by the access request in step 210.
It would have been obvious to one having ordinary skill in the art at the time the invention was filed to modify Bolla with the ability to use an access manager to determine which resources can be accessed based on attributes associated with an SSC cookie as taught by Maria, doing so allows for the same cookie to be used for accessing different resources enabling the user to seamlessly access multiple resources by authenticating against a single resource [Maria, 0002, 0039].

As per claim 16, claim 16 recites substantially similar limitations to those found in claim 8.  Therefor claim 16 is rejected under the same art and rationale as claim 8.  Furthermore, Bolla discloses a non-transitory computer readable storage medium [0071].
As per claim 20, claim 20 recites substantially similar limitations to those found in claim 8.  Therefor claim 20 is rejected under the same art and rationale as claim 8.  Furthermore, Bolla discloses a system [0071].


As per claim 9, Bolla does not expressly disclose the following, Wood, however discloses:
wherein creating a first connection within the secure platform comprises: rejecting the connection request based on the security context indicating that an age of the depreciating token is greater than a first predetermined value; col. 9 lines 43-55, col. 20 lines 14-29 In some configurations, authorization component 140 dynamically calculates a current trust level based on the signed session credentials and environment information. In others, authorization component 140 may base its ALLOW, REDIRECT, or REFUSE response on a "current" trust level previously associated with the signed session credentials. Generally, an access request with sufficient current trust level is ALLOWED and forwarded (14) without further authentication. An authorization request without proper parameters (e.g., without a specified information resource or without a properly secured session credential) may be REFUSED… In the configuration of session credentials structure 420, creation time and expiration time allow the security architecture to improve resistance to replay attacks. Session credentials typically have a relatively short expiration time (e.g., 15 minutes from creation or less) and underlying login credentials will be reauthenticated prior to expiration of the session credential.
It would have been obvious to one having ordinary skill in the art at the time the invention was filed to modify Bolla with the ability to use session tokens which expire after a certain amount time and trust level based on environmental factors as taught by Wood, doing so allows for sessions to be tracked and security policies to be enforced for accessing a resource improving the security, and reduce the risk of replay attacks [Wood, col. 6 lines 44-64, col. 20 lines 14-20]
Bolla does not expressly disclose the following, Maria, however discloses:
determining a plurality of affiliated connections associated with the second client account based on the identifier, the plurality of affiliated connections including an affiliated connection between the second client account and the partner device; and [0038] The application 125 may be a Web based application that is executed by a computer of the computer system 120 and that is configured to access resources during an SSO session in order to provide application functionality. For example, the application 125 could be a data analytics program that obtains data from a remote server and processes the data to generate graphical output for display on the Web browser 115. The application 125 may determine whether a resource can be accessed based on one or more security artifacts (e.g., an SSO cookie 152 stored in a data store 129).
presenting the plurality of affiliated connections to the client device. When the SSO session is created, the access manager 130 may generate one or more cookies for the session (e.g., the SSO cookie 152) and send the cookie(s) to the application that is requesting access on behalf of the user… Along with setting/sending the cookies and the user identity token, the access manager 130 may provide access to the resource identified by the access request in step 210.
It would have been obvious to one having ordinary skill in the art at the time the invention was filed to modify Bolla with the ability to use an access manager to determine which resources can be accessed based on attributes associated with an SSC cookie as taught by Maria, doing so allows for the same cookie to be used for accessing different resources enabling the user to seamlessly access multiple resources by authenticating against a single resource [Maria, 0002, 0039].


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY S CUNNINGHAM II whose telephone number is (313)446-6564.  The examiner can normally be reached on Mon-Fri 8:30am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bennett Sigmond can be reached on (303) 297-4411.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



GREGORY S. CUNNINGHAM II
Examiner
Art Unit 3694


	
/GREGORY S CUNNINGHAM II/Examiner, Art Unit 3694