What is the name of the domain?
What is the issue you’re encountering?
After the authentication flow completes, and policies are evaluated and logged to allow the request, the callback URL gets an Access Denied callback.
What steps have you taken to resolve the issue?
This broke overnight. The behavior is that all SaaS applications that had a previously working policy just stopped working. The audit logs still show ALLOWED on all requests, but CF now calls back those applications with a ?error=access_denied&error_description=Access%20denied . We can currently only operate with a Bypass All policy, which seems to be intact.