Good afternoon!  Is this only impacting Catalina Macs?  What happens if you try to go to that federated domain in the browser rather than the Global Protect client?  Do you happen to have the Netskope client logs or a packet capture?  

So the issue is specific to Duo?  What was working before, what is the "federated domain" in your context, and would be good to exactly understand the changes you made.  You don't have to give the real domain, feel free to obfuscate, but knowing what worked and what you did to break it would be helpful.

At the same time, would be good to verify that our Best Practices for co-existence were followed: https://support.netskope.com/hc/en-us/articles/360023155053-Best-Practice-for-coexistence-of-Netskope-client-and-third-party-VPN-clients-on-Windows-and-Mac-endpoints

Good morning! Thanks so much for answering. Yes, this is only affecting Catalina.  If I go to the federated domain in a browser I get a 403 - forbidden. I have attached the client logs and a packet capture. 

No the issue is specific to Catalina. I had our federated domain in the client steering exception to bypass. I need to move that to the tenant level because I need to whitelist the Netskope IP's at our SasS vendors. When I did that Catalina users were not able to get to Global Protect (VPN). They just get a black Global Protect screen. I'm aware of the best practices and will be implementing split tunneling but really don't think that is my issue here. Windows and Mojave (Mac) were fine with my change.