common-fate / granted

The easiest way to access your cloud.
https://granted.dev
MIT License

Honor relay state on SSO Role #421

Open ipmb opened 1 year ago

ipmb commented 1 year ago

When I have a relay state set on my role, I would expect assume -c to open a browser at that URL, but instead it goes to the console dashboard. Using -s isn't sufficient because a relay state can do deeper linking into a page within a given service.

Is there a way to use assume and end up at the relay state URL configured for the role?

chrnorm commented 1 year ago

Thanks for the issue @ipmb! Under the hood assume -c uses AWS STS to generate a federated console access URL, similar to this process. I'm unsure if this is compatible with the SAML Relay State parameter and will need to take a look. Out of curiosity are you aware if the AWS CLI (or other CLI tools) are able to utilise the SAML relay state?

As an alternative workaround, we could perhaps allow you to set a default console URL as part of the profile configuration:

[profile example]
granted_default_console     = https://console.aws.amazon.com/ec2/
...

ipmb commented 1 year ago

Thanks for the quick response @chrnorm. I've only accessed the relay state via the SSO console (https://{account}.awsapps.com/start) when you click on "Management console". Looking at the requests that page makes, it appears to be an internal API at portal.sso.us-east-1.amazonaws.com. I'm not sure if it's available in the CLI.

Having a default console URL I could put on my profile config would be a good workaround.
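The federated console URL flow mentioned in the thread, with a configurable landing page like the proposed default console URL, as an added example that is not part of the original issue and is not Granted's code. It uses the AWS sign-in federation endpoint (`getSigninToken`, then `login` with a `Destination`). The helper names, the allow-list of console hosts and the sample values are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Added example with hypothetical helper names; this is not Granted's code.
const federationEndpoint = "https://signin.aws.amazon.com/federation"

// ValidateDestination accepts only https URLs on the AWS console domain, so a
// deep link taken from profile config cannot send the signed-in browser elsewhere.
func ValidateDestination(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.User != nil {
		return "", errors.New("destination must be a valid https URL without userinfo")
	}
	host := strings.ToLower(u.Hostname())
	if host != "console.aws.amazon.com" && !strings.HasSuffix(host, ".console.aws.amazon.com") {
		return "", errors.New("destination host is not an AWS console host")
	}
	return u.String(), nil
}

// SigninTokenURL builds the getSigninToken request for temporary STS credentials.
func SigninTokenURL(keyID, secret, sessionToken string) string {
	session, _ := json.Marshal(map[string]string{
		"sessionId": keyID, "sessionKey": secret, "sessionToken": sessionToken})
	q := url.Values{"Action": {"getSigninToken"}, "Session": {string(session)}}
	return federationEndpoint + "?" + q.Encode()
}

// LoginURL builds the URL opened in the browser; destination is the deep link.
func LoginURL(signinToken, issuer, destination string) (string, error) {
	dest, err := ValidateDestination(destination)
	if err != nil {
		return "", err
	}
	q := url.Values{"Action": {"login"}, "Issuer": {issuer},
		"Destination": {dest}, "SigninToken": {signinToken}}
	return federationEndpoint + "?" + q.Encode(), nil
}

// Constructed token and issuer; a real token comes from the getSigninToken response.
func main() {
	fmt.Println(LoginURL("EXAMPLE-TOKEN", "example-issuer", "https://console.aws.amazon.com/ec2/"))
}
```

The sign-in token is a bearer credential for the console session, so the resulting login URL should be handed straight to the browser and kept out of logs and shell history.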