Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 13 recite the limitation "the client system" in lines 5-6 .  There is insufficient antecedent basis for this limitation in the claim.  Claims 2-12 and 14-20 are rejected based on their dependency to claims 1 and 13.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-10 and 12-20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Taraz, US 2007/0124803.

Regarding claim 1, Taraz discloses a computer-implemented method executed by a service provider, the computer-implemented method comprising: 
receiving, from a client device, an access request for one or more services of the service provider (Fig. 1 and paragraph 0018: a computer 12 may attempt to connect to a network 14 to obtain access to network services 16, network resources 18, and other network users 20 commonly accessible on the network 14); 
requesting authentication of the access request by an identity provider using a custom access policy of the client system (0022: the network also may include a policy server 32…to allow the compliance server to rate partial compliance with a particular configuration definition so that the compliance server may generate a compliance score associated with the connecting computer.), the custom access policy describing a plurality of access levels including at least a limited access level and a full access level (0028: The result of this comparison will govern whether the user is granted no network access, alternate network access, limited network access, network access with traffic monitoring, full/unrestricted network access, or another level of network access.); 
receiving, from the identity provider, an authentication response for the access request, the authentication response determined using one or more device signals of the client device (0023-0024: The network administrator may set many different types of policies that may be used to check the configuration of a computer attempting to connect to the network.); 
determining, by the client system, an access level of the plurality of access levels for the client device using the authentication response; and 
determining whether to provide the client device access to the one or more services in accordance with the determined access level (0028: Once a compliance score and authorization level have been determined, a network access decision is made for the computer, based on the compliance score and authorization level (88). The policy server may base the network access decision on the score by determining whether the attaching device meets or exceeds the minimum standard level for one or more of the categories that were used to generate the compliance score. ).Regarding claim 2, Taraz discloses the computer-implemented method of claim 1, wherein the one or more device signals are a subset of device signals of the client device available to the identity provider, and the custom access policy specifies the one or more device signals (0026: he compliance score is a composite compliance score, the policy server may control the compliance server to dictate the facets to be measured, how measurement of each of the facets should be performed, and how different categories within each facet should be weighted. By obtaining a score from the compliance server, indicating the compliance level of the computing device in one or more categories, it is possible to determine in a more granular fashion which computing devices should be allowed access to the network and what type of access they should be provided.).Regarding claim 3, Taraz discloses the computer-implemented method of claim 1, wherein the authentication response includes a device trust score for the client device determined by the identity provider using the one or more device signals (0026: compliance score).Regarding claim 4, Taraz discloses the computer-implemented method of claim 3, wherein determining the access level of the plurality of access levels comprises: comparing, by the client system, the device trust score to a plurality of access level score thresholds corresponding to respective access levels of the plurality of access levels; and determining the access level for the client device based on the device trust score being below the access level score threshold corresponding to the access level (0033 and 0035: The levels for each category may be set at different values, or thresholds, depending on the user authorization level as well to enable the network administrator to require different types of users to be compliant in different ways in order to obtain particular types of network access.).Regarding claim 5, Taraz discloses the computer-implemented method of claim 3, wherein the device trust score is determined by the identity provider using a machine learning device trust score model that takes the one or more device signals as input (0045: state machine and 0041: Capturing the user's actions in attempting to obtain unauthorized access to a network may enable the network administrator to learn the identity of the user or otherwise enable the network administrator to increase the security features of the network. ).Regarding claim 6, Taraz discloses the computer-implemented method of claim 3, wherein the custom access policy includes one or more custom weights corresponding to the one or more device signals, and the identity provider uses the one or more weights to determine the device trust score.Regarding claim 7, Taraz discloses the computer-implemented method of claim 1, wherein the authentication of the access request includes context information for the client device, and wherein determining the access level of the plurality of access levels comprises: determining the access level for the client device based on the context information (abstract, the score may be weighted in connection with the user privileges associated with the user as determined during the authentication process, to enable users with greater network access privileges to access the network in situations where other users may not be able to access the network.).Regarding claim 8, Taraz discloses the computer-implemented method of claim 1, wherein the custom access policy is provided to the identify provider by an administrator of the client system via an interface associated with the identity provider (Fig. 2 and 0027: The policy server interfaces with the compliance server to push the rule definitions onto the network (82). The compliance server creates an hierarchy of rules, and uses the rules to compute a compliance level of an attaching device in one or more categories and passes the value back to the policy server (84). An LDAP/RADIUS server, alone or in connection with an AAA server, authenticates a user associated with the computer and determines an authorization level of the user (86).).Regarding claim 9, Taraz discloses the computer-implemented method of claim 1, wherein the determined access level is the limited access level, and further comprising: providing the client device access to a subset of services of the client system corresponding to the limited access level (0031: FIG. 2, a computer may be provided with limited network access (94).).Regarding claim 10, Taraz discloses the computer-implemented method of claim 1, wherein the determined access level is the full access level, and further comprising: providing the client device access to all services of the client system (0038: to determine if the computer has achieved sufficient compliance in the categories defined by the first compliance matrix. If it has, full network access or another network access level appropriate for the administrator will be provided (110).).Regarding claim 12, Taraz discloses the computer-implemented method of claim 1, wherein the one or more device signals include one or more of a location of the client device, an Internet Protocol (IP) address of the client device, a version of anti-malware software installed on the client device, an operating system version of the client device, an identity provider management status of the client device, an authentication credential type of the client device, a hardware attestation type of the client device, or a multi-factor enrollment (MFA) status of the client device (0011:  compliance level may have multiple categories or facets, that may be determined individually or collectively, to determine a score for the computing device.  0023: The policies may also specify the particular software and/or hardware configurations that are acceptable, which are not, and may specify how compliance should be rated when a computer exhibits partial compliance to a specified configuration.).As per claims 13-19, this is a non-transitory computer readable medium version of the claimed method discussed above in claims 1-10 and 12 wherein all claimed limitations have also been addressed and/or cited as set forth above.
Regarding claim 20, Taraz discloses the computer-readable storage medium of claim 13, wherein the custom access policy is provided to the identify provider by an administrator of the client system via an interface associated with the identity provider (0027: FIG. 3, the network administrator defines rules, and passes the rules to the policy server (80). The policy server interfaces with the compliance server to push the rule definitions onto the network (82).).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Taraz as applied to claim 1 above, and further in view of Gassner al. US 11,256,661.

Regarding claim 11, Taraz lacks or does not expressly disclose wherein the authentication response is represented using the Security Assertion Markup Language (SAML).  However, Gassner discloses
wherein the authentication response is represented using the Security Assertion Markup Language (SAML) (fig. 9 and At 913, the service provider may receive the SAML Authentication Response and grant access to services as needed.).  It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Taraz with Gassner to include SAML in order to use widely used protocols and an identity assertion in the form of a token, as taught by Gassner, Fig 6, 610. 



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 2012/0216244 to Kumar et al, teaches an attestation service may generate an application artifact having associated therewith a name and an application statement having at least one of a plurality of attribute value assertions describing the examined runtime local execution and introspection based derived security context. 
US 2020/0412540 to Sabath et al, teaches a trusted platform module component that can generate a digital identity token that is bound to a computer application process. The computer executable components can also comprise a key authenticity component that can compare the digital identity token to a security key to retrieve a security credential.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AUBREY H WYSZYNSKI/Examiner, Art Unit 2434                                                                                                                                                                                                        
/TESHOME HAILU/Primary Examiner, Art Unit 2434