DETAILED ACTION
This action is in response to arguments filed 7/21/2022. Claims 1-20 are under consideration.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 9 and 17 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3, 5-7, 9-11 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over SI et al (US 2016/0205108) in view of Exton et al (US 2013/0246630).
With respect to claim 1 SI teaches a computer-implemented method comprising: 
receiving, at an authorization entity and from a client device, a communication of an access request for the client device to access a service provided by a service provider, the communication including a call-back address associated with the service provider (see SI paragraph 0028 i.e. At 202, client 50 sends an SAML assertion authorization request to identity provider 51 and in response is issued a valid SAML assertion with a digital signature at 203); 
communicating the request to an intermediary service to determine whether the client device has authorization to access the service provided by the service provider (see SI paragraph 0029 i.e. At 204, client 50 sends the SAML assertion to authorization server 52 to request an access token); 
receiving confirmation from the intermediary service that the client device has authorization to access the service provided by the service provider; in response to receiving the confirmation, communicating the authorization to the client device (see SI paragraph 0030 i.e. At 205, authorization server 52 validates the SAML assertion and client metadata, and then issues the client a valid access token at 206); 
SI does not teach providing the call-back address to the intermediary service for use in an instance where a change in the authorization occurs
Exton teaches providing the call-back address to the intermediary service for use in an instance where a change in the authorization occurs (See Exton paragraph 0056 i.e. at step 700, a sign-off cookie including the session identifier and the sign-off resource URL is generated. Typically, the sign-off cookie is generated upon a successful authentication. Typically, the web application generates the cookie, although this function may be carried out by a process, program or thread dedicated to this function. At step 702, the cookie is saved in a data store. In the embodiment of FIG. 7, the data store is the client-side cookie jar, although this is not a limitation, as the cookie may be saved on the server, or in an intermediary such as a Web portal (as described below in my detail). At step 704, a test is performed to determine whether a web session is to be terminated. Typically, step 704 tests for receipt of a logoff request, which may occur directly (via an explicit request) or indirectly (such as when a browser is closed during an existing session). If the result of the test at step 704 is negative, the routine cycles and waits. If, however, the result of the test at step 704 indicates that a web session is to be terminated, the routine continues at step 706 to examine the data store. At step 708, a test is performed to determine whether a sign-off cookie has been located. If so, the routine continues to generate a request to the sign-off resource identified by the URL. Thus, at step 712, a request containing the cookie is sent to that URL, thereby cleaning-up the session, and the cookie is removed from the cookies in the data store).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify SI in view of Exton to have used a sign-off cookie comprising both an identifier for the session (a "session ID") together with an identifier (such as a URL) for a sign-off resource as a way to provide for dynamic web session clean-up without requiring any pre-configuration of the sign-off mechanism. (see Exton paragraph 0012). Therefore one would have been motivated to have used a sign-off cookie for dynamic web session clean-up.

	
With respect to claim 3 SI teaches the computer-implemented method of claim 1, but does not disclose further comprising: providing the call-back address to the intermediary service by sending a message that includes the call-back address to the intermediary service. 
Exton teaches further comprising: providing the call-back address to the intermediary service by sending a message that includes the call-back address to the intermediary service (See Exton paragraph 0056 i.e. at step 700, a sign-off cookie including the session identifier and the sign-off resource URL is generated. Typically, the sign-off cookie is generated upon a successful authentication. Typically, the web application generates the cookie, although this function may be carried out by a process, program or thread dedicated to this function. At step 702, the cookie is saved in a data store. In the embodiment of FIG. 7, the data store is the client-side cookie jar, although this is not a limitation, as the cookie may be saved on the server, or in an intermediary such as a Web portal (as described below in my detail). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify SI in view of Exton to have used a sign-off cookie comprising both an identifier for the session (a "session ID") together with an identifier (such as a URL) for a sign-off resource sent to and stored at an intermediary service as a way to provide for dynamic web session clean-up without requiring any pre-configuration of the sign-off mechanism. (see Exton paragraph 0012). Therefore one would have been motivated to have used a sign-off cookie for dynamic web session clean-up.

With respect to claim 5 SI teaches the computer-implemented method of claim 3, wherein the message is encoded as a SAML statement signed by the authorization entity (see SI paragraph 0028 i.e. in response is issued a valid SAML assertion with a digital signature at 203).

With respect to claim 6 SI teaches the computer-implemented method of claim 3, but does not disclose wherein the message also includes the access request for the client device to access the service.
 Exton teaches wherein the message also includes the access request for the client device to access the service (See Exton paragraph 0056 i.e. at step 700, a sign-off cookie including the session identifier and the sign-off resource URL is generated. Typically, the sign-off cookie is generated upon a successful authentication. Typically, the web application generates the cookie, although this function may be carried out by a process, program or thread dedicated to this function. At step 702, the cookie is saved in a data store. In the embodiment of FIG. 7, the data store is the client-side cookie jar, although this is not a limitation, as the cookie may be saved on the server, or in an intermediary such as a Web portal (as described below in my detail). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify SI in view of Exton to have used a sign-off cookie comprising both an identifier for the session (a "session ID") together with an identifier (such as a URL) for a sign-off resource sent to and stored at an intermediary service as a way to provide for dynamic web session clean-up without requiring any pre-configuration of the sign-off mechanism. (see Exton paragraph 0012). Therefore one would have been motivated to have used a sign-off cookie for dynamic web session clean-up.
 
With respect to claim 7 SI teaches the computer-implemented method of claim 1, but does not disclose wherein the call- back address is a call-back universal resource locator (URL) associated with the service provider.
 Exton teaches wherein the call- back address is a call-back universal resource locator (URL) associated with the service provider (See Exton paragraph 0049-0050 i.e. a cookie (such as an HTTP session cookie) is extended to include an identifier of a sign-off resource that may be used to clean-up a web session. Typically, the identifier is a Uniform Resource Locator (URL) or other data string that is placed within a cookie that also includes a session identifier (a session ID) uniquely associated with the web session. As is well-known, an HTTP cookie typically comprises a set of name-value pairs. According to this disclosure, one of these name-value pairs comprises a name (e.g., "signoffCookie") and a value, which is typically the URL of the sign-off resource).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify SI in view of Exton to have used a sign-off cookie comprising both an identifier for the session (a "session ID") together with an identifier (such as a URL) for a sign-off resource as a way to provide for dynamic web session clean-up without requiring any pre-configuration of the sign-off mechanism. (see Exton paragraph 0012). Therefore one would have been motivated to have used a sign-off cookie for dynamic web session clean-up.

With respect to claim 9 SI teaches a server device comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to: 
receive, at the server device and from a client device, a communication of a request for the client device to access a service provided by a service provider, the communication including a call-back address associated with the service provider (see SI paragraph 0028 i.e. At 202, client 50 sends an SAML assertion authorization request to identity provider 51 and in response is issued a valid SAML assertion with a digital signature at 203); 
determine that the client device is authorized to access the service from the service provider (see SI paragraph 0030 i.e. At 205, authorization server 52 validates the SAML assertion and client metadata, and then issues the client a valid access token at 206); 
send an authorization notification to the client device based at least in part on determining that the client device is authorized to access the service (see SI paragraph 0030 i.e. At 205, authorization server 52 validates the SAML assertion and client metadata, and then issues the client a valid access token at 206);
SI does not teach determine that a change in authorization has occurred relative to the client device accessing the service; and based at least in part on the change in authorization, utilize the call-back address to notify the service provider that the change in authorization has occurred.
Exton teaches determine that a change in authorization has occurred relative to the client device accessing the service; and based at least in part on the change in authorization, utilize the call-back address to notify the service provider that the change in authorization has occurred (See Exton paragraph 0056 i.e. at step 700, a sign-off cookie including the session identifier and the sign-off resource URL is generated. Typically, the sign-off cookie is generated upon a successful authentication. Typically, the web application generates the cookie, although this function may be carried out by a process, program or thread dedicated to this function. At step 702, the cookie is saved in a data store. In the embodiment of FIG. 7, the data store is the client-side cookie jar, although this is not a limitation, as the cookie may be saved on the server, or in an intermediary such as a Web portal (as described below in my detail). At step 704, a test is performed to determine whether a web session is to be terminated. Typically, step 704 tests for receipt of a logoff request, which may occur directly (via an explicit request) or indirectly (such as when a browser is closed during an existing session). If the result of the test at step 704 is negative, the routine cycles and waits. If, however, the result of the test at step 704 indicates that a web session is to be terminated, the routine continues at step 706 to examine the data store. At step 708, a test is performed to determine whether a sign-off cookie has been located. If so, the routine continues to generate a request to the sign-off resource identified by the URL. Thus, at step 712, a request containing the cookie is sent to that URL, thereby cleaning-up the session, and the cookie is removed from the cookies in the data store).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify SI in view of Exton to have used a sign-off cookie comprising both an identifier for the session (a "session ID") together with an identifier (such as a URL) for a sign-off resource as a way to provide for dynamic web session clean-up without requiring any pre-configuration of the sign-off mechanism. (see Exton paragraph 0012). Therefore one would have been motivated to have used a sign-off cookie for dynamic web session clean-up.

With respect to claim 10 SI teaches the server device of claim 9, but does not disclose wherein the computer-executable instructions further cause the one or more processors to: utilize the call-back address to notify the service provider that the change in authorization has occurred by providing the call-back address to an intermediary service.
Exton teaches wherein the computer-executable instructions further cause the one or more processors to: utilize the call-back address to notify the service provider that the change in authorization has occurred by providing the call-back address to an intermediary service (See Exton paragraph 0056 i.e. at step 700, a sign-off cookie including the session identifier and the sign-off resource URL is generated. Typically, the sign-off cookie is generated upon a successful authentication. Typically, the web application generates the cookie, although this function may be carried out by a process, program or thread dedicated to this function. At step 702, the cookie is saved in a data store. In the embodiment of FIG. 7, the data store is the client-side cookie jar, although this is not a limitation, as the cookie may be saved on the server, or in an intermediary such as a Web portal (as described below in my detail). At step 704, a test is performed to determine whether a web session is to be terminated. Typically, step 704 tests for receipt of a logoff request, which may occur directly (via an explicit request) or indirectly (such as when a browser is closed during an existing session). If the result of the test at step 704 is negative, the routine cycles and waits. If, however, the result of the test at step 704 indicates that a web session is to be terminated, the routine continues at step 706 to examine the data store. At step 708, a test is performed to determine whether a sign-off cookie has been located. If so, the routine continues to generate a request to the sign-off resource identified by the URL. Thus, at step 712, a request containing the cookie is sent to that URL, thereby cleaning-up the session, and the cookie is removed from the cookies in the data store).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify SI in view of Exton to have used a sign-off cookie comprising both an identifier for the session (a "session ID") together with an identifier (such as a URL) for a sign-off resource as a way to provide for dynamic web session clean-up without requiring any pre-configuration of the sign-off mechanism. (see Exton paragraph 0012). Therefore one would have been motivated to have used a sign-off cookie for dynamic web session clean-up.

With respect to claim 11 SI teaches the server device of claim 10, but does not disclose wherein the computer-executable instructions further cause the one or more processors to: provide the call-back address to the intermediary service by sending a message that includes the call-back address to the intermediary service.
Exton teaches wherein the computer-executable instructions further cause the one or more processors to: provide the call-back address to the intermediary service by sending a message that includes the call-back address to the intermediary service (See Exton paragraph 0056 i.e. at step 700, a sign-off cookie including the session identifier and the sign-off resource URL is generated. Typically, the sign-off cookie is generated upon a successful authentication. Typically, the web application generates the cookie, although this function may be carried out by a process, program or thread dedicated to this function. At step 702, the cookie is saved in a data store. In the embodiment of FIG. 7, the data store is the client-side cookie jar, although this is not a limitation, as the cookie may be saved on the server, or in an intermediary such as a Web portal (as described below in my detail). At step 704, a test is performed to determine whether a web session is to be terminated. Typically, step 704 tests for receipt of a logoff request, which may occur directly (via an explicit request) or indirectly (such as when a browser is closed during an existing session). If the result of the test at step 704 is negative, the routine cycles and waits. If, however, the result of the test at step 704 indicates that a web session is to be terminated, the routine continues at step 706 to examine the data store. At step 708, a test is performed to determine whether a sign-off cookie has been located. If so, the routine continues to generate a request to the sign-off resource identified by the URL. Thus, at step 712, a request containing the cookie is sent to that URL, thereby cleaning-up the session, and the cookie is removed from the cookies in the data store).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify SI in view of Exton to have used a sign-off cookie comprising both an identifier for the session (a "session ID") together with an identifier (such as a URL) for a sign-off resource as a way to provide for dynamic web session clean-up without requiring any pre-configuration of the sign-off mechanism. (see Exton paragraph 0012). Therefore one would have been motivated to have used a sign-off cookie for dynamic web session clean-up.

With respect to claim 13 SI teaches the server device of claim 9, wherein the authorization notification sent to the client device includes an authorization code that is compliant with OAuth 2.0 (see SI paragraph 0026 i.e. Authorization server 52 is a server that issues access tokens to client 50 after successfully authenticating the resource owner and obtaining authorization. Authorization server 52 corresponds to the “Authorization Server” disclosed in the OAuth2 specification. Data service server 53 is a server hosting the protected resources and capable of accepting and responding to protected resource requests using access tokens. Data service server 53 corresponds to the “Resource Server” disclosed in the OAuth2 specification).

With respect to claim 14 SI teaches the server device of claim 13, wherein the computer-executable instructions further cause the one or more processors to: in response to sending the authorization code to the client device, receive a token request from the client device; and in response to receiving the token request, send an access token to the client device in compliance with OAuth 2.0 (see SI paragraph 0026 i.e. Authorization server 52 is a server that issues access tokens to client 50 after successfully authenticating the resource owner and obtaining authorization. Authorization server 52 corresponds to the “Authorization Server” disclosed in the OAuth2 specification. Data service server 53 is a server hosting the protected resources and capable of accepting and responding to protected resource requests using access tokens. Data service server 53 corresponds to the “Resource Server” disclosed in the OAuth2 specification and paragraph 0030).

With respect to claim 15 SI teaches the server device of claim 9, wherein the call-back address is a call-back universal resource locator (URL) associated with the service provider (See Exton paragraph 0049-0050 i.e. a cookie (such as an HTTP session cookie) is extended to include an identifier of a sign-off resource that may be used to clean-up a web session. Typically, the identifier is a Uniform Resource Locator (URL) or other data string that is placed within a cookie that also includes a session identifier (a session ID) uniquely associated with the web session. As is well-known, an HTTP cookie typically comprises a set of name-value pairs. According to this disclosure, one of these name-value pairs comprises a name (e.g., "signoffCookie") and a value, which is typically the URL of the sign-off resource).

Claim(s) 2, 8, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over SI et al (US 2016/0205108) in view of Exton et al (US 2013/0246630) in view of Shah et al (2018/0198786).
With respect to claim 2 SI teaches 2 the computer-implemented method of claim 1, wherein the access to the service is based at least in part on policy information related to the client device (see SI paragraph 0023 -0024 i.e. Before delivering the identity assertion to the SP, the IdP may request some information from the principal—such as a user name and password—in order to authenticate the principal. SAML specifies the assertions between the three parties, in particular, the messages that assert identity that are passed from the IdP to the SP. In SAML, one identity provider may provide SAML assertions to many service providers. Similarly, one SP may rely on and trust assertions from many independent IdPs. SAML does not specify the method of authentication at the identity provider. It may use a username and password, or other form of authentication, including multi-factor authentication. A directory service, such as Lightweight Directory Access Protocol (“LDAP”), Remote Authentication Dial In User Service (“RADIUS”) and Active Directory, which allows users to log in with a user name and password, is a typical source of authentication tokens (e.g., passwords) at an identity provider)
SI does not teach the change in the authorization is based at least on new policy information related to the client device.
Shah teaches the change in the authorization is based at least on new policy information related to the client device (see Shah paragraph 0048-0049 i.e. In yet another example, NAC device 140 may store a compliance verification module in an active directory that may be configured to perform a remote, agentless compliance verification of user device 105. In response to determining, based on the compliance verification, NAC device 140 (or policy server device 145) determines that user device 105 is compliant with current policies of private networks 115, 116, NAC device 140 may grant greater or full access to private networks 115, 116 to user device 105. For example, NAC device 140 may send a RADIUS change of authorization (CoA) message to, e.g., gateway device 130, to grant greater or full access to user device 105).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Suraparaju in view of Shah to have sent a change of authorization (CoA) message in response to a compliance verification that user device is compliant with current policies of private networks and grant greater or full access to private networks to user device (see Shah paragraph 0048-0049). Therefore one would have been motivated to have sent a change of authorization (CoA) message in response to a compliance verification.

With respect to claim 8 SI teaches the computer-implemented method of claim 1, but does not disclose wherein the change in the authorization comprises: an extension of time of the authorization of the client device to access the service provided by the service provider; an adjustment of the authorization of the client device to access an additional object or operation related to the service provided by the service provider; or a reinstatement of temporarily curtailed access to the service due to a change in posture of the client device.
Shah teaches wherein the change in the authorization comprises: an extension of time of the authorization of the client device to access the service provided by the service provider; an adjustment of the authorization of the client device to access an additional object or operation related to the service provided by the service provider; or a reinstatement of temporarily curtailed access to the service due to a change in posture of the client device (see Shah paragraph 0048-0049 i.e. In yet another example, NAC device 140 may store a compliance verification module in an active directory that may be configured to perform a remote, agentless compliance verification of user device 105. In response to determining, based on the compliance verification, NAC device 140 (or policy server device 145) determines that user device 105 is compliant with current policies of private networks 115, 116, NAC device 140 may grant greater or full access to private networks 115, 116 to user device 105. For example, NAC device 140 may send a RADIUS change of authorization (CoA) message to, e.g., gateway device 130, to grant greater or full access to user device 105).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Suraparaju in view of Shah to have sent a change of authorization (CoA) message in response to a compliance verification that user device is compliant with current policies of private networks and grant greater or full access to private networks to user device (see Shah paragraph 0048-0049). Therefore one would have been motivated to have sent a change of authorization (CoA) message in response to a compliance verification.

With respect to claim 16 SI teaches the server device of claim 9, but does not disclose wherein the change in the authorization comprises: an extension of time of the authorization of the client device to access the service provided by the service provider; an adjustment of the authorization of the client device to access an additional object or operation related to the service provided by the service provider; or a reinstatement of temporarily curtailed access to the service due to a change in posture of the client device.
Shah teaches wherein the change in the authorization comprises: an extension of time of the authorization of the client device to access the service provided by the service provider; an adjustment of the authorization of the client device to access an additional object or operation related to the service provided by the service provider; or a reinstatement of temporarily curtailed access to the service due to a change in posture of the client device (see Shah paragraph 0048-0049 i.e. In yet another example, NAC device 140 may store a compliance verification module in an active directory that may be configured to perform a remote, agentless compliance verification of user device 105. In response to determining, based on the compliance verification, NAC device 140 (or policy server device 145) determines that user device 105 is compliant with current policies of private networks 115, 116, NAC device 140 may grant greater or full access to private networks 115, 116 to user device 105. For example, NAC device 140 may send a RADIUS change of authorization (CoA) message to, e.g., gateway device 130, to grant greater or full access to user device 105).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Suraparaju in view of Shah to have sent a change of authorization (CoA) message in response to a compliance verification that user device is compliant with current policies of private networks and grant greater or full access to private networks to user device (see Shah paragraph 0048-0049). Therefore one would have been motivated to have sent a change of authorization (CoA) message in response to a compliance verification.

Claim(s) 17 is rejected under 35 U.S.C. 103 as being unpatentable over Suraparaju et al (US 2020/0213297) in view of Exton et al (US 2013/0246630). 
With respect to claim 17 Suraparaju teaches a method comprising: 
receiving at a service provider and from a client device, a request for the client device to access a service provided by the service provider (see Suraparaju paragraph 0053 i.e. In step 603, the mobile application 334 sends a request (e.g., "GET:Login") to the Service Provider Web Server (SAML-SP) 120);
returning to the client device the request with redirect instructions (see Suraparaju paragraph 0053 i.e. In step 608, the SAML-IdP 130 sends the URL redirection request (e.g., "302:SPS Custom Mobile App Redirection, Redirection Scheme: http://localhost/sps-sso-redirect/challenge=897 1 982jhjhsbjhs) to the mobile application 334, which includes an encrypted message as generated in step 609. As shown in FIG. 6A, in step 609, the SAML-IdP 130 "encrypt a pre-shared secret (that's only known to this server and agent) and sends the response to redirect the agent on the mobile device 112); 
receiving at the service provider and from the client device, an indication of a trusted authorization for the client device to access the service provided by the service provider; based at least in part on receiving the trusted authorization, granting access to the service by the client device in a user session (See Suraparaju paragraph 0055 i.e. In step 617, the mobile application receives the SAML response and sends the SAML Response, for the logged in user, to the Service Provider (SAML-SP) 120. In step 618, the SAML-SP 120 sends a success response to the mobile application 334 indicating that the logged in user has been authenticated (e.g., "200 OK :SAML Response Verified, User is Authenticated, SP’s Oauth2 access toke the native Mobile Application can use towards the user). In step 619, the user of the mobile application (i.e. Box Native Application) is treated as a "box-authenticated" user and all access to the services on the SAML-SP 120 carries the Oauth2 access token);
Suraparaju does not teach returning to the client device the request with a call-back address related to the service provider; receiving at the service provider and from a third party, a communication indicating that a change in authorization has occurred relative to the access of the service by the client device; and based at least in part on the communication from the third party indicating that the change in the authorization has occurred, adjusting the access of the client device to the service provided by the service provider in the user session.
Exton teaches returning to the client device the request with a call-back address related to the service provider (See Exton paragraph 0051 i.e. The applications typically are accessible over the Web at a given service provider domain or sub-domain. As the client 600 makes requests and authenticates with a web application 610, 612 or 614, the web application generates a cookie and provides the cookie to the client, which then stores the cookie in the cookie jar 608. The solid line(s) indicate the client receiving the cookies from the responses generated by the applications. According to this disclosure as has been described, a cookie generated by a web application has the special format of both the session ID and the sign-off resource URL); 
 receiving at the service provider and from a third party, a communication indicating that a change in authorization has occurred relative to the access of the service by the client device; and based at least in part on the communication from the third party indicating that the change in the authorization has occurred, adjusting the access of the client device to the service provided by the service provider in the user session (See Exton paragraph 0056 i.e. at step 700, a sign-off cookie including the session identifier and the sign-off resource URL is generated. Typically, the sign-off cookie is generated upon a successful authentication. Typically, the web application generates the cookie, although this function may be carried out by a process, program or thread dedicated to this function. At step 702, the cookie is saved in a data store. In the embodiment of FIG. 7, the data store is the client-side cookie jar, although this is not a limitation, as the cookie may be saved on the server, or in an intermediary such as a Web portal (as described below in my detail). At step 704, a test is performed to determine whether a web session is to be terminated. Typically, step 704 tests for receipt of a logoff request, which may occur directly (via an explicit request) or indirectly (such as when a browser is closed during an existing session). If the result of the test at step 704 is negative, the routine cycles and waits. If, however, the result of the test at step 704 indicates that a web session is to be terminated, the routine continues at step 706 to examine the data store. At step 708, a test is performed to determine whether a sign-off cookie has been located. If so, the routine continues to generate a request to the sign-off resource identified by the URL. Thus, at step 712, a request containing the cookie is sent to that URL, thereby cleaning-up the session, and the cookie is removed from the cookies in the data store).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Suraparaju in view of Exton to have used a sign-off cookie comprising both an identifier for the session (a "session ID") together with an identifier (such as a URL) for a sign-off resource as a way to provide for dynamic web session clean-up without requiring any pre-configuration of the sign-off mechanism. (see Exton paragraph 0012). Therefore one would have been motivated to have used a sign-off cookie for dynamic web session clean-up.

Claim(s) 18 is rejected under 35 U.S.C. 103 as being unpatentable over Suraparaju et al (US 2020/0213297) in view of Exton et al (US 2013/0246630) in view of SI et al (US 2016/0205108). 
With respect to claim 18 Suraparaju teaches the method of claim 17, but does not disclose further comprising: determining that the trusted authorization is trusted based at least in part on the trusted authorization including a signature from a trusted authorization entity.
SI teaches further comprising: determining that the trusted authorization is trusted based at least in part on the trusted authorization including a signature from a trusted authorization entity (see SI paragraph 0028 i.e. At 202, client 50 sends an SAML assertion authorization request to identity provider 51 and in response is issued a valid SAML assertion with a digital signature at 203).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Suraparaju in view of SI to have digital signed the valid SAML assertion as a way to increase trust in the SAML assertion (see SI paragraph 0028). Therefore one would have been motivated to have digital signed the valid SAML assertion.

	
Claim(s) 20 is rejected under 35 U.S.C. 103 as being unpatentable over Suraparaju et al (US 2020/0213297) in view of Exton et al (US 2013/0246630) in view of Shah et al (2018/0198786).
With respect to claim 20 Suraparaju teaches the method of claim 17, but does not disclose wherein adjusting the access of the client device to the service comprises increasing a number of objects or operations to which the client device has access within the service in the user session.
Shah teaches wherein adjusting the access of the client device to the service comprises increasing a number of objects or operations to which the client device has access within the service (see Shah paragraph 0048-0049 i.e. In yet another example, NAC device 140 may store a compliance verification module in an active directory that may be configured to perform a remote, agentless compliance verification of user device 105. In response to determining, based on the compliance verification, NAC device 140 (or policy server device 145) determines that user device 105 is compliant with current policies of private networks 115, 116, NAC device 140 may grant greater or full access to private networks 115, 116 to user device 105. For example, NAC device 140 may send a RADIUS change of authorization (CoA) message to, e.g., gateway device 130, to grant greater or full access to user device 105).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Suraparaju in view of Shah to have sent a change of authorization (CoA) message in response to a compliance verification that user device is compliant with current policies of private networks and grant greater or full access to private networks to user device (see Shah paragraph 0048-0049). Therefore one would have been motivated to have sent a change of authorization (CoA) message in response to a compliance verification.
Allowable Subject Matter
Claims 4, 12 and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

With respect to claim 4 the prior art does not teach the computer-implemented method of claim 3, further comprising: signing the message that includes the call-back address before sending the message to the intermediary service such that use of the call-back address for a change in the authorization is trusted by the service provider.

With respect to claim 12 the prior art does not teach the server device of claim 11, wherein the computer-executable instructions further cause the one or more processors to: sign the message that includes the call-back address before sending the message to the intermediary service such that use of the call-back address for a change in the authorization is trusted by the service provider.

With respect to claim 17 the prior art does not the method of claim 17, further comprising: determining that the communication indicating that the change in authorization has occurred is trusted based at least in part on the communication including a signature from a trusted authorization entity.

Prior Art of Record
	Hinton et al (US 2006/0218628) titled “Method And System For Enhanced Federated Single Logout”
Divoux et al (US 2019/0245848) titled “Fast Smart Card Login” teaches 
	Innes et al (US 2018/0007059) titled “Dynamic Access Control To Network Resources Using Federated Full Domain Logon”
	Venkatanaranappa et al (US 2015/0121481) titled “APPLICATION AUTHENTICATION USING NETWORK AUTHENTICATION INFORMATION”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/Examiner, Art Unit 2492                                                                                                                                                                                                        

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492