
When managing access to multiple accounts via IAM Identity Center, the AWS Access Portal provides clickable links for each of the available Roles/PermissionSets in those accounts. However, the console always loads to the main page. Is there a way to construct a "deeplink" URL, such that a(n authorized) user who clicks it will:

  • be logged in via Identity Center(/SSO)
  • be redirected to the desired location within the console

I'm aware that it's possible to Set Relay State for a given PermissionSet, but this is insufficient as I might want a given user to be redirected to different locations from different links - that is, I want the destination to be encoded in the clicked URL, not in the PermissionSet's metadata. Creating a different PermissionSet for every possible destination is not practical.

This blog seems to describe exactly what I'm trying to achieve, but it doesn't work for me - following the instructions, I:

  • constructed a string RPID=(url-encoded string of urn:amazon:webservices)&RelayState=(url-encoded destination url)
  • URL-encoded that string
  • Appended that string (after a ?RelayState=) to my Access Portal-provided one-click sign-in

However, the resulting URL just signs me in and puts me on the main page, without any redirection.

Sadly, all the links from that article appear to be broken. I also found this page, and tried using it to generate a deeplink - again, no luck, I just got signed in to the main page.

I do note that my sign-in URL does not look like the examples - they look like https://<domain>/adfs/ls/idpinitiatedsignon.aspx, whereas mine looks like https://<internal-string>.awsapps.com/start/#/saml/custom/AAA/BBB, where:

  • AAA is the url-encoded string of account-number (account-nickname)
  • BBB is the url-encoding of some base64-encoded data that refers to the master AWS account, followed by two (underscore-delimited) identifiers I can't place - one of the form ins-[alphanumerics], and the other of the form p-[alphanumerics]

Does this mean that my ADFS is differently configured than this feature expects? Is there still a way to achieve what I want?

EDIT: I've been informed by my Network Admin that we use Azure AD internally, not ADFS, which might be the reason for the different URL format.

scubbo
  • I've opened a Support Case regarding this question with AWS. Initial answer just pointed me to [RelayState per PermissionSet](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtopermrelaystate.html) - I'm continuing to pursue the "redirection per URL" approach. – scubbo Mar 29 '23 at 16:29
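The three encoding steps above are easy to get subtly wrong (single instead of double encoding, or the `?` landing inside the URL fragment), so here is an added helper that is not from the question, the linked blog, or AWS. It builds the link exactly as the steps describe and decodes it back, so you can confirm the string you produced is the one the procedure intends. The portal and console URLs are constructed placeholders. Note that the question reports this form did not redirect with the awsapps.com portal and the answer below says the feature is unsupported; the code only makes the construction checkable.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Relying-party identifier named in the question's first step.
RPID = "urn:amazon:webservices"

# Constructed sample values; not real tenant or account data.
IDENTITY_CENTER_SIGNIN = "https://example-portal.awsapps.com/start/#/saml/custom/AAA/BBB"
ADFS_STYLE_SIGNIN = "https://idp.example.com/adfs/ls/idpinitiatedsignon.aspx"
DESTINATION = "https://console.aws.amazon.com/s3/buckets?region=us-east-1"


def build_inner_relay_state(destination_url: str) -> str:
    """Step 1: 'RPID=<url-encoded RPID>&RelayState=<url-encoded destination>'."""
    # safe='' so ':' and '/' are encoded too, giving the %3A / %2F forms.
    return f"RPID={quote(RPID, safe='')}&RelayState={quote(destination_url, safe='')}"


def build_deeplink(signin_url: str, destination_url: str) -> str:
    """Steps 2-3: URL-encode the inner string a second time and append it as ?RelayState=."""
    inner = build_inner_relay_state(destination_url)
    separator = "&" if "?" in signin_url else "?"
    return f"{signin_url}{separator}RelayState={quote(inner, safe='')}"


def decode_deeplink(deeplink: str) -> dict:
    """Reverse both encoding layers to see what the IdP would receive if it parsed the parameter."""
    appended = deeplink.split("?", 1)[1]
    # parse_qs removes one layer of percent-encoding per call.
    outer = parse_qs(appended)["RelayState"][0]
    inner = parse_qs(outer)
    return {"RPID": inner["RPID"][0], "RelayState": inner["RelayState"][0]}


def relay_state_in_fragment(deeplink: str) -> bool:
    """True when the appended parameter sits after '#'.

    Per URL syntax everything after '#' is the fragment, which the browser never
    sends to the server; only client-side code in the page could read it.
    """
    parts = urlsplit(deeplink)
    return "RelayState=" in parts.fragment and "RelayState=" not in parts.query


if __name__ == "__main__":
    for signin in (ADFS_STYLE_SIGNIN, IDENTITY_CENTER_SIGNIN):
        link = build_deeplink(signin, DESTINATION)
        print(link)
        print("  decodes to:", decode_deeplink(link))
        print("  parameter in fragment:", relay_state_in_fragment(link))
```

Running it shows the double-encoded form (`%253A`, `%252F`) in the link and that it decodes back to the original destination. It also shows the structural difference the question noticed: with the ADFS-style sign-in URL the parameter is a real query string, whereas with the awsapps.com URL (which already contains `#`) the appended `?RelayState=` becomes part of the fragment.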

1 Answer

AWS Customer Support have confirmed that this functionality is not supported. A Feature Request is apparently already open, though I haven't yet been given a public tracking URL - I'll update this answer with it when I receive it.

EDIT: There is no public tracking URL for the Feature Request.

scubbo