DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are pending.

Claim Objections
Claims 1, 6, 7, 8, 9, 12, 17, 18, 19, and 20 are objected to because of the following informalities:
Claim 1 is directed to a method in the preamble; however, no active steps are recited in the body of the claim. For example, “a resource provider computer system receiving policy from an identity provider system” should read “receiving, by the resource provider computer system, a policy from an identity provider computer system”. A similar issue also exists in claim 12.
“a resource provider computer system” in line 3 of claim 1 should read “the resource provider computer system”.
“policy” in line 3 of claim 1 should read “the policy”.
“an identity provider system” in lines 3-4 of claim 1 should read “an identity provider computer system”.
“evaluating” in last line of claim 1 should read “the evaluating”.
computer system”.
“receiving policy” in line 1 of claim 7 should read “the receiving the policy”.
“an identity provider system” in lines 1-2 of claim 7, line 2 of claim 9, line 2 of claim 12 should read “the identity provider computer system”.
“the resource provider” in last line of claim 9, line 2 of claim 18 should read “the resource provider computer system”.
“a resource provider” in line 3 of claim 12 should read “the resource provider computer system”.
“a intranet” in lines 3-4 of claim 14 should read “an intranet”.
“the resource provider system” in last line of claim 18 should read “the resource provider computer system”.
“providing an access token” in line 1 of claim 19 should read “the providing the access token”.
“an access token” in line 2 of claim 19 should read “the access token”.
“providing” in line 7 of claim 19 should read “the providing”.
“an identity provider” in line 2 of claim 20 should read “an identity provider computer system”.
“the identity provider system” in line 5 of claim 20 should read “the identity provider computer system”.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 18 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claim 8 recites “the access token” in at least line 2; however, it is unclear whether this refers to “an access token” in line 2 of claim 8 or “an access token” in line 7 of claim 1. For examination purposes, “the access token” in at least line 2 of claim 8 has been interpreted as referring to “an access token” in line 2 of claim 8.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 8-9, 12, and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Tock (US 8185642).

Claim 1, Tock discloses A method of implementing policy at a resource provider computer system, the method comprising:
a resource provider computer system (e.g. fig. 1, col. 4, ll. 21-67: combination of at least network device 130 and server 140) receiving policy from an identity provider system, (e.g. fig. 1, col. 5, ll. 11-17, 40-43, col. 10, ll. 17-21, 25-33, col. 11, ll. 6-14: receiving authorization information and authorization mechanisms from policy server 150 that can be used to determine if a source device and/or subsequent packet are authorized with respect to a communication session involving a destination device such as server 140) the policy being related to an entity that authenticates using the identity provider computer system; (e.g. fig. 1, col. 3, ll. 52-col. 4, ll. 7, col. 5, ll. 5-21, col. 9, ll. 11-26: policy server 150 may require that client 110 establish its identity with policy server 150 by providing identification information such as a user name, password, and/or responses to questions/prompts to policy server 150)
the resource provider computer system receiving a request for resources from the entity and an access token from the entity, (e.g. col. 8, ll. 5-7, col. 9, ll. 2-9, 63-64: receiving subsequent packet 330 and a token from client 110) the access token having been obtained by the entity from the identity provider computer system as a result of the entity authenticating with the identity provider computer system; (e.g. fig. 1, col. 3, ll. 52-col. 4, ll. 7, col. 5, ll. 5-21, col. 9, ll. 11-26: client 110 obtains a token from policy server 150 after establishing its identity with policy server 150 by providing identification information such as a user name, password, and/or responses to questions/prompts to policy server 150)
the resource provider computer system evaluating the request with respect to the policy; and (e.g. col. 5, ll. 40-43, col. 9, ll. 4-9, col. 10, ll. 4-21, 25-33, col. 11, ll. 6-14: determining if the subsequent packet 330 is authorized based on the authorization information and authorization mechanisms received from policy server 150)
the resource provider computer system responding to the request based on evaluating the request with respect to the policy. (e.g. col. 8, ll. 23-34, col. 10, ll. 35-45, col. 10, ll. 63-col. 11, ll. 5, col. 11, ll. 9-14: dropping the subsequent packet 330 if it is determined to be unauthorized and passing the subsequent packet 330 to server 140 which allows access thereto by client 110 if the subsequent packet 330 is determined to be authorized)

Claim 8, Tock discloses The method of claim 1, further comprising: receiving an access token from the entity, (e.g. col. 8, ll. 5-7, col. 9, ll. 63-64) the access token having been obtained from the identity provider computer system, (e.g. fig. 1, col. 5, ll. 5-21, col. 9, ll. 11-26) and wherein the access token comprises an indicator indicating that the identity provider computer system has policy to be implemented by the resource provider computer system for the entity; as a result of the indicator in the access token, the resource provider computer system requesting the policy; and wherein receiving the policy is performed as a result of the resource provider computer system requesting the policy. (e.g. col. 5, ll. 40-43, col. 9, ll. 4-9, col. 10, ll. 4-21, 25-33, col. 11, ll. 6-14: read request to read the stored authorization information and authorization mechanisms from its memory)

Claim 9, Tock discloses The method of claim 1, wherein the resource provider computer system receiving policy from an identity provider system is performed based on consent being provided for the entity for the resource provider to receive the policy. (e.g. col. 5, ll. 5-21, 40-43, col. 9, ll. 14-21, col. 11, ll. 9-14)

Claim 12, this claim is rejected for similar reasons as in claim 1.

Claim 19, this claim is rejected for similar reasons as in claim 8.

Claim 20, this claim is rejected for similar reasons as in claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 2-3 and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Tock (US 8185642) in view of Lepp (US 20180316562).

Claim 2, Tock discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Lepp discloses wherein the policy comprises location based restrictions. (e.g. ¶30).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Lepp into the invention of Tock for the purpose of controlling access of resources by devices from specific locations (Lepp, ¶30). 

Claim 3, Tock-Lepp discloses The method of claim 2, wherein the location based restrictions specify that the resource provider computer system should allow access to a particular set of resources when the entity attempts to access the particular set of resources from an intranet but prevents access when the entity attempts to access the particular set of resources from a network external to the intranet. (Lepp, e.g. ¶30). The same motivation as in claim 2 would apply.

Claim 13, this claim is rejected for similar reasons as in claim 2.

Claim 14, this claim is rejected for similar reasons as in claim 3.

Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Tock (US 8185642) in view of Lepp (US 20180316562) in view of Mankovskii (US 20160112397) and further in view of Vo (US 10686600).

Claim 4, Tock-Lepp discloses The method of claim 2, wherein the location based restrictions specify that the resource provider computer system should allow access to a particular set of resources when the entity attempts to access the particular set of resources from an intranet (Lepp, e.g. ¶30) and does not appear to explicitly disclose but Mankovskii discloses with an access token obtained using a first level of authentication but requires using an access token obtained with a different second level of authentication to allow access to the particular set of resources when the entity attempts to access the particular set of resources from a network external to the intranet. (e.g. ¶27, 33, 45-47)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Mankovskii into the invention of Tock-Lepp for the purpose of making access control for protected resources more secure (Mankovskii, ¶26).
Tock-Lepp-Mankovskii does not appear to explicitly disclose but Vo discloses requiring a token obtained using an access token (e.g. col. 6, ll. 3-12, 25-43, 48-51, col. 7, ll. 6-15).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vo into the invention of Tock-Lepp-Mankovskii for the purpose of increasing the security of the system (Vo, col. 6, ll. 31-34).

Claim 15, this claim is rejected for similar reasons as in claim 4.

Claims 5-6 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Tock (US 8185642) in view of Vo (US 10686600).

Claim 5, Tock discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Vo discloses wherein the policy comprises requirements with respect to behavioral pattern policy indicating requirements to be enforced when an entity attempting to access resources at the resource provider computer system exhibits behavioral patterns that exceed a threshold variation from previous behavioral patterns. (e.g. col. 6, ll. 3-12, 25-43)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vo into the invention of Tock for the purpose of increasing the security of the system (Vo, col. 6, ll. 31-34).

Claim 6, Tock-Vo discloses The method of claim 5, wherein the policy requires a token obtained from the identity provider using a different level of authentication to access resources when the behavioral patterns exceed the threshold variation from previous behavioral patterns than when the behavioral patterns do not exceed the threshold variation from previous behavioral patterns. (Vo, e.g. col. 6, ll. 3-12, 25-43, 48-51, col. 7, ll. 6-15). The same motivation as in claim 5 would apply.
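To make the claimed evaluation flow concrete, the following is an added Python illustration, not code from Tock, Lepp, Mankovskii, Vo, or the application under examination. It models a resource provider that receives a per-entity policy from an identity provider (requesting it when the access token carries the claim 8 indicator), accepts a request carrying an access token, and evaluates the request against the location-based restriction of claims 3-4 and the behavioral-variation rule of claims 5-6, responding with allow, deny, or a demand for a token obtained with a higher level of authentication. The token fields, the policy keys, the intranet range 10.0.0.0/8, the two-level authentication scale, and the `fetch_policy` callback are all assumptions constructed for this example.

```python
"""Added illustration of policy evaluation at a resource provider.

All names, fields, and values below are constructed for the example; they are
not drawn from Tock, Lepp, Mankovskii, Vo, or the application under examination.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed intranet range used for the location-based restriction (claims 3-4).
INTRANET = ip_network("10.0.0.0/8")


@dataclass
class AccessToken:
    """Token obtained by the entity from the identity provider (assumed fields)."""
    subject: str
    auth_level: int          # assumed scale: 1 = single factor, 2 = stronger second level
    has_policy: bool = False # indicator that the IdP holds policy for this entity (claim 8)


@dataclass
class Policy:
    """Per-entity policy pushed by or requested from the identity provider (assumed keys)."""
    restricted_resources: set = field(default_factory=set)  # the "particular set of resources"
    intranet_level: int = 1      # level sufficient for restricted resources from the intranet
    external_level: int = 2      # different level required from outside the intranet (claim 4)
    behavior_threshold: float = 0.5  # variation above this triggers the behavioral rule (claim 5)
    behavior_level: int = 2      # level required when the behavioral threshold is exceeded (claim 6)


@dataclass
class Request:
    resource: str
    source_ip: str
    token: AccessToken
    behavior_variation: float = 0.0  # 0.0 = matches prior patterns, 1.0 = entirely different


class ResourceProvider:
    def __init__(self, fetch_policy=None):
        # Assumed callback used to request policy from the IdP when a token indicates it exists.
        self.fetch_policy = fetch_policy
        self.policies = {}

    def receive_policy(self, subject, policy):
        """Store policy received from the identity provider for one entity."""
        self.policies[subject] = policy

    def required_level(self, policy, request):
        """Combine the location-based and behavioral rules into one minimum auth level."""
        if request.resource in policy.restricted_resources:
            on_intranet = ip_address(request.source_ip) in INTRANET
            level = policy.intranet_level if on_intranet else policy.external_level
        else:
            level = 1  # baseline for resources the location restriction does not cover
        if request.behavior_variation > policy.behavior_threshold:
            level = max(level, policy.behavior_level)
        return level

    def respond(self, request):
        """Evaluate the request against the entity's policy and return the decision."""
        subject = request.token.subject
        policy = self.policies.get(subject)
        if policy is None and request.token.has_policy and self.fetch_policy is not None:
            # The token's indicator causes the provider to request the policy (claim 8).
            policy = self.fetch_policy(subject)
            self.receive_policy(subject, policy)
        if policy is None:
            return "deny: no policy for entity"
        need = self.required_level(policy, request)
        if request.token.auth_level < need:
            return f"step-up: token level {request.token.auth_level} below required {need}"
        return "allow"


if __name__ == "__main__":
    rp = ResourceProvider()
    rp.receive_policy("alice", Policy(restricted_resources={"/hr/payroll"}))
    weak = AccessToken("alice", auth_level=1)
    print(rp.respond(Request("/hr/payroll", "10.1.2.3", weak)))      # intranet: allow
    print(rp.respond(Request("/hr/payroll", "203.0.113.7", weak)))   # external: step-up
    print(rp.respond(Request("/hr/payroll", "203.0.113.7", AccessToken("alice", 2))))
```

The design point is that the resource provider, not the identity provider, makes the final decision: the token only proves who authenticated and how strongly, and the policy received from the identity provider tells the provider what that proof must satisfy for this request's network origin and observed behavior.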

Claim 16, this claim is rejected for similar reasons as in claim 5.

Claim 17, this claim is rejected for similar reasons as in claim 6.

Claims 7 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Tock (US 8185642) in view of Bhat (US 20050021978).

Claim 7, Tock discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Bhat discloses wherein receiving policy from an identity provider system is performed as a result of the resource provider computer system subscribing to the identity provider computer system for events. (e.g. ¶73-77)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Bhat into the invention of Tock for the purpose of enabling a web server to receive notification identifying policy decisions affected by a policy change, resources affected by the policy change and a new policy decision based on the policy change (Bhat, ¶76).

Claim 18, this claim is rejected for similar reasons as in claim 7.

Claims 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Tock (US 8185642) in view of Aung (US 9641522).

Claim 10, Tock discloses The method of claim 9, wherein consent is provided for a group of entities including the entity. (e.g. col. 5, ll. 5-21, 40-43, col. 9, ll. 14-21, col. 11, ll. 9-14)
Tock does not appear to explicitly disclose but Aung discloses the consent being provided by an administrator (e.g. col. 4, ll. 4-10).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Aung into the invention of Tock for the purpose of enabling administrators to generate policies for individual users or groups of users that govern their access to the various applications or services provided by the computing resource service provider system (Aung, col. 4, ll. 4-10).

Claim 11, Tock discloses The method of claim 9, (see above) and does not appear to explicitly disclose but Aung discloses wherein consent is provided by the entity consenting to a first-party application for a third-party application. (e.g. col. 4, ll. 10-16).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Aung into the invention of Tock for the purpose of enabling individual users to select one or more policies and access the computing resource service provider system according to the selected one or more policies (Aung, col. 4, ll. 10-16).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 10812266 discloses methods for managing security tokens based on security violations and devices thereof.

US 9038158 discloses systems and methods for enforcing geolocation-based policies.

US 5881131 discloses that, in the case of Web sites maintained for internal use of one organization, access will only be allowed from other computers within that organization's local network.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436