Logging into Cognito using Python from outiside of AWS using a Federated Login

Ultimate aim: To be able to run a Python script on a user's desktop, outside of AWS, without the AWS CLI installed, be authenticated using a Cognito Identity pool against a back-end SAML Idp (specifically this is a federated login). Then using STS retrieve data from Amazon AWS secrets manager.

Short term goal: To be able to run a Python script on a users desktop, outside of AWS, and complete federated authentication using Cognito.

I am really stuck on this one. I have done a lot of Googling and looked at examples, but many of them are based on running Python inside of AWS (such as in Lambda, or on an EC2 instance), rather than completely outside of Amazon, or they depend on having the AWS CLI installed and have already authenticated.

I have configured a Cognito Identity pool, and I think that part is correct.

The closest too working code I have found is:

import boto3

client = boto3.client('cognito-identity','ap-southeast-2')

response = client.get_id(
    AccountId='123xxx',
    IdentityPoolId='ap-southeast-2:123xxx',
    Logins={
        'cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2:123xxx': '<JWT ID Token>'
    }
)

But I don't know how to get the "JWT ID Token".

What I am expecting to happen: When trying the authentication a web browser is opened, a redirect happens against the Idp, the user completes the login process, a redirect happens back to Amazon, and then somehow the script gets some kind of authorization which I can then use with the AWS secrets manager.