fix links

Author: ranbel

src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx

@@ -58,7 +58,7 @@ Some SaaS applications provide the Redirect URL after you [configure the SSO pro
 
 13. Select **Next**.
 
-14. Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. If **Show application in App Launcher** is enabled, then you must enter an **App Launcher URL**. The App Launcher URL is provided by the SaaS application. It may match the base URL portion of **Redirect URL** (`https://<INSTANCE-NAME>.example-app.com`) but could be a different value.
+14. Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. If **Show application in App Launcher** is enabled, then you must enter an **App Launcher URL**. The App Launcher URL is provided by the SaaS application. It may match the base URL portion of **Redirect URL** (`https://<INSTANCE-NAME>.example-app.com`) but could be a different value.
 
 15. <Render file="access/access-block-page" product="cloudflare-one" />
 
@@ -103,7 +103,7 @@ To add additional OIDC claims onto the ID token sent to your SaaS application, c
 
 ### Access token lifetime
 
-The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](cloudflare-one/access-controls/access-settings/session-management/), otherwise the global session would take precedence.
+The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](/cloudflare-one/access-controls/access-settings/session-management/), otherwise the global session would take precedence.
 
 :::note
 

src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx

@@ -54,7 +54,7 @@ If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace,
 
 13. Select **Next**.
 
-14. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application.
+14. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application.
 
 15. <Render file="access/access-block-page" product="cloudflare-one" />
 

src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc.mdx

@@ -25,7 +25,7 @@ This guide covers how to configure [Grafana Cloud](https://grafana.com/docs/graf
 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**.
 10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
-11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
+11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
 12. Save the application.
 
 ## 2. Add a SSO provider to Grafana Cloud

src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc.mdx

@@ -29,7 +29,7 @@ You can also configure OIDC SSO for Grafana using a [configuration file](https:/
 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**.
 10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
-11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
+11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
 12. Save the application.
 
 ## 2. Add a SSO provider to Grafana

src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc.mdx

@@ -32,7 +32,7 @@ This guide covers how to configure [Salesforce](https://help.salesforce.com/s/ar
    - **Token endpoint**
    - **User info endpoint**
 10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
-11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-domain>.my.salesforce.com`.
+11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-domain>.my.salesforce.com`.
 12. Save the application.
 
 ## 2. Add a SSO provider to Salesforce

src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc.mdx

@@ -25,7 +25,7 @@ This guide covers how to configure [ServiceNow](https://docs.servicenow.com/bund
 8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
 9. Copy the **Client secret** and **Client ID**.
 10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
-11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<INSTANCE-NAME>.service-now.com`.
+11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<INSTANCE-NAME>.service-now.com`.
 12. Save the application.
 
 ## 2. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow

src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx

@@ -102,7 +102,7 @@ To view all available filters, type `warp-cli target list --help`.
 
 ## Revoke a user's session
 
-To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](cloudflare-one/access-controls/access-settings/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.
+To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/access-controls/access-settings/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.
 
 ## Infrastructure policy selectors
 

src/content/docs/cloudflare-one/access-controls/applications/non-http/legacy-private-network-app.mdx

@@ -27,7 +27,7 @@ To create a private network application:
    If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/traffic-policies/network-policies/) using the **Destination IP** selector.
    :::
 
-6. Configure your [App Launcher](/cloudflare-one/applications/app-launcher/) visibility and logo.
+6. Configure your [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) visibility and logo.
 
 7. Select **Next**. You will see two auto-generated Gateway Network policies: one that allows access to the destination IP and another that blocks access.
 

src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx

@@ -45,7 +45,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce
 
 9.  Select **Next**.
 
-10. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application.
+10. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application.
 
 11. <Render file="access/access-block-page" product="cloudflare-one" />
 

src/content/docs/cloudflare-one/access-controls/policies/index.mdx

@@ -133,7 +133,7 @@ To require only one country and one email ending:
 
 When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/access-controls/applications/http-apps/saas-apps/), [self-hosted](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/access-controls/applications/non-http/) applications.
 
-Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](cloudflare-one/access-controls/access-settings/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
+Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/access-controls/access-settings/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
 
 | Selector                 | Description                                                                                                                                                                                                                               | Checked at login | Checked continuously<sup>1</sup> | Identity-based selector? |
 | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ |