Application policy configure denied case

Open zottelchin opened this issue 1 year ago • 0 comments

Describe the bug

If an Application has a policy to restrict access for only a subset of users, an authorized user only gets an Access denied message and no way home (other than closing the tab). Since the SAML login doesn't call a flow (or I was too stupid to find it), there is no way to add a stage to explain to the user why this application is not for his use and add a link back to the authentik-home.

To Reproduce

  1. Add/Edit an application and restrict the access to only some users or groups
  2. Log in with a user not specified in the policy
  3. See an Access denied Page.

Expected behavior

I would expect (since the user is authenticated, but not authorized) that there would be a "go Home"-Button to get to the Overview of my allowed Applications. I would also like to configure a deny message for the policy, to inform the user about the background for the denial.

Screenshots

[image] Here I would expect a custom message and a button to go back home.

[image] I would expect a field for configuring the deny-message here in the selection for the failure result. Or in the settings for the SAML-Provider, as there are options for the authentication and authorization flow. Or, as a third option where I would look, in the authorization flow, but my understanding so far is that the policy is executed before the flow is started.

[image]

Version and Deployment (please complete the following information):

  • authentik version: 2023.10.7
  • Deployment: docker-compose

If there are any questions regarding the bug or my issue description, don't hesitate to ask :)

zottelchin, Feb 01 '24 20:02