Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
The IDS filed 1/2/2025 was received and considered.
Claims 1-20 are pending.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3-9, 11-17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2010/0071056 A1 to Cheng et al. (Cheng), in view of “Formal Security Analysis of the Shibboleth Web Single Sign On System Using a Comprehensive Model of the Web” by Sommer.
Regarding claim 1, Cheng discloses a method, comprising: receiving a request (user request to logout, ¶40) to terminate a plurality of sessions between a user of an identity management system (user of identity provider and federation manager, ¶38) and a respective plurality of applications that are accessible via the identity management system (service providers reliant on the identity provider and federation manager, ¶38), an endpoint (user device) associated with a tenant of the identity management system (user is a client of the service provider and the identity provider; service provider is a client of the identity provider), communicating via a respective plurality of APIs (multi-federation protocol manager communicates with other identity providers and service providers to initiate logout with corresponding service providers using SLO service provider interfaces, ¶43, ¶59); transmitting, via the respective plurality of APIs, a respective plurality of API calls to terminate the plurality of sessions between the user and the respective plurality of applications in accordance with a universal logout (ULO) operation or a single logout (SLO) operation (multi-federation protocol manager invokes a logout for each identity provider, ¶43, which performs a single logout with each corresponding service provider, ¶45); and outputting metadata associated with a result of the ULO operation or the SLO operation (multi-federation protocol manager receives status from the identity provider, ¶¶46-47). 
Cheng lacks the request comprising information associated with the user, information associated with the plurality of sessions, or both, lacks receiving, via the endpoint associated with a tenant of the identity management system, a set of application programming interface (API) credentials that are usable to communicate with the respective plurality of applications via a respective plurality of APIs, and lacks the respective plurality of API calls including the set of API credentials, the information associated with the user, the information associated with the plurality of sessions, or any combination thereof and lacks outputting, to an observability log maintained by the identity management system, metadata associated with a result of the ULO operation or the SLO operation. However, Sommer, in an analogous art (single logout, p. 14, ¶2, using SAML, p. 13), teaches that it was known for an IdP to send logout requests to service providers and to forward logout responses to the IdP (p. 28, §4.3, ¶1) and report successful logout at the SP to a user (p. 31, ¶4; see also Fig. 5.2), including the request (logout request) comprising information associated with the user (logout request identifies subject of the request, p. 52, §B.1.9), information associated with the plurality of sessions (logout request identifies session_idx, p. 52, §B.1.9), or both, receiving, via an endpoint associated with a tenant of the identity management system, a set of application programming interface (API) credentials that are usable to communicate with the respective plurality of applications via a respective plurality of APIs (logout requests are signed with shared keys and thus shared keys are received for creation and verification of the logout requests at the service provider interface, p. 52, §B.1.9; see also p. 86, Lemma 20 for discussion of credential usage in Logout Requests), the respective plurality of API calls including the set of API credentials, the information associated with the user, the information associated with the plurality of sessions, or any combination thereof (logout requests are signed with shared keys and thus shared keys are received for creation and verification of the logout requests, p. 52, §B.1.9; logout requests further include subject, session_idx, p. 52, §B.1.9) and outputting, to an observability log maintained by the identity management system, metadata associated with a result of the ULO operation or the SLO operation (Logout Response messages comprising the status of the SLO operation, p. 52, §B.1.10; see also p. 68, “script_slo_result” outputting the result of the SLO run and p. 69, writing “logoutSummary(Q,b,i)” to the browser). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Cheng such that (1) the request comprises information associated with the user, information associated with the plurality of sessions, or both, (2) to include receiving, via an endpoint associated with a tenant of the identity management system, a set of application programming interface (API) credentials that are usable to communicate with the respective plurality of applications via a respective plurality of APIs, and the respective plurality of API calls including the set of API credentials, the information associated with the user, the information associated with the plurality of sessions, or any combination thereof and (3) to include outputting, to an observability log maintained by the identity management system, metadata associated with a result of the ULO operation or the SLO operation.
Regarding claim 9, the claim is similar in scope to claim 1 and is therefore rejected using a similar rationale (note that Cheng discloses at least one memory storing code (¶62) and one or more processors coupled with the at least one memory and individually or collectively operable to execute the code (processor(s) 402, ¶62) to cause the apparatus to perform the steps (¶62)).
Regarding claim 17, the claim is similar in scope to claim 1 and is therefore rejected using a similar rationale (note that Cheng discloses a non-transitory computer-readable medium storing code that comprises instructions executable by one or more processors to cause the apparatus to perform the steps, ¶62).
Regarding claims 3, 11 and 19, Cheng discloses wherein the user is associated with the tenant of the identity management system (user agent includes functionality to request access to each service provider, ¶18 and the user agent is a client of the identity provider that employs the identity provider for authentication, ¶35).
Regarding claims 4, 12 and 20, Cheng discloses wherein at least one of the respective plurality of applications comprises a third-party application (the service provider may provide banking services, on-demand video services, ring tones for mobile telephones, gaming services, real-time alerts, and other services, ¶19).
Regarding claims 5 and 13, Cheng discloses wherein the request is initiated by an administrative user associated with the tenant of the identity management system (the user agent initiates a logout with one of the service providers (step 231), ¶38).
Regarding claims 6 and 14, Cheng discloses wherein the request is triggered by a risk metric exceeding a threshold for the user (logout request may be based on the expiration of a time limit to access the service provider, ¶40).
Regarding claims 7 and 15, Cheng discloses wherein the SLO operation comprises logging the user out of a specific session between the user and an application or logging the user out of all sessions between the user and the application (when the user is logged off of one service provider, the user may be logged off of all service providers in the circle of trust, ¶39; the corresponding identity provider may perform a method call on the multi-federation protocol manager to perform a single logout across all identity providers within the circle of trust, ¶42; rather than sending the logout request to each of the other identity providers, the multi-federation protocol manager may only send the logout request to identity providers which have sessions with the user, ¶44).
Regarding claims 8 and 16, Cheng discloses wherein at least one of the plurality of sessions is terminated using Security Assertion Markup Language (SAML) 2.0, OpenID Connect (OIDC), System for Cross-domain Identity Management (SCIM), or any combination thereof (Cheng discloses at least SAML V2, ¶50).[1]
Claims 2, 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Cheng and Sommer, as applied to claims 1, 9 and 17, in view of US 2012/0008786 A1 to Cronk et al. (Cronk).
Regarding claims 2, 10 and 18, Cheng, as modified, is silent regarding wherein the request comprises an identifier of the user, an identifier of at least one session of the plurality of sessions, one or more options for the ULO operation or the SLO operation, or any combination thereof (note that Sommer teaches that messages comprise assertions, which generally comprise a NameID (subject name), p. 16). However, Cronk, in an analogous art (single logout), teaches that a logout request comprises a field for a NameID and session index (¶¶185-188). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Cheng such that the request (initial request) comprises an identifier of the user (NameID), an identifier of at least one session of the plurality of sessions (session index to logout), one or more options for the ULO operation or the SLO operation, or any combination thereof. One of ordinary skill in the art would have been motivated to perform such a modification to identify, at the SP, the initial logout request, as taught by Cronk.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20060218628 A1 (Hinton; Heather Maria et al.) teaches performing single logout (Fig. 9).
US 20230098641 A1 (Sharma; Shobhank et al.) teaches performing single logout and establishing trust using a JSON web token (¶69).
“Method and Apparatus for browser-based federated single logout in heterogeneous computing environment” (undisclosed) teaches a single logout (SLO) agent communicating with an IdP via an IdP connector and with service providers via a SP connector (p. 3).
US 20150188906 A1 (MINOV; JASEN et al.) teaches performing single logout, including authenticating a single logout request (¶¶16-24).
“Logout in Single Sign-on Systems” (Suoranta et al.) teaches performing single logout in Shibboleth and SAML.
“The Challenge of Building SAML Single Logout” (Choudry) teaches SAML single logout (SLO).
“Single Sign-On Vs. Single Logout” (Devasia) teaches performing single logout using POST, HTTP redirect and artifact bindings with cookies/credentials.
US 20150350338 A1 (Barnett; Jim H. et al.) teaches performing single logout in response to a timeout (¶17) and using SAML (¶¶28-37).
US 20150347209 A1 (Lyubinin; Michael J. et al.) teaches “an activity manager 420 sends a logout request (800) to a single-sign-in logout uniform resource locator (URL) for the application server 120 (1). The logout filter 618 of the application server 120 intercepts the request and determines that the request came from the activity manager 420, e.g., by validating the usernames and the identity provider cookies (2)” (¶45).
US 20160259936 A1 (Mukherjee; Phalguni et al.) teaches single logout, including notifying service providers via a back channel (¶¶81-82).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J SIMITOSKI whose telephone number is (571)272-3841. The examiner can normally be reached Monday - Friday, 7:00-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Simitoski/ Primary Examiner, Art Unit 2493
February 3, 2026
[1] US 20180077144 A1 (GANGAWANE; Jay Vijay et al.) also teaches industry standards (e.g., OpenID Connect, OAuth2, Security Assertion Markup Language 2 (“SAML2”), System for Cross-domain Identity Management (“SCIM”), Representational State Transfer (“REST”), etc.) for ease of integration with various applications (¶36).