
SSO Permission Set: Relay State


I am trying to utilize the Relay State functionality of SSO Permission Sets to automatically redirect to the Switch Role URL of an assumed role in an external account. I copied the URL from the target account's role that I am assuming (Console>IAM>Roles) and pasted it as-is into the Relay State field for the corresponding permission set, but am receiving an Error 400 upon successful authentication. Is there another way we can achieve this automatic redirect to the assumed role in an external account? Without defining a Relay State, we are able to successfully assume the target account's role so we know it is configured appropriately.

The use-case for this is an organization that needs to assume roles into potentially hundreds of clients' accounts without the need for each support engineer to have to remember the clients' account numbers or role names.

3 Answers

The permission set relay state is for redirecting to an AWS management console URL, like https://<region><region>#. The sign-in URL is a separate service endpoint, which is likely why HTTP 400 errors are occurring. Maybe you want to consider a purpose-built redirect page with a matrix of switch role URLs that could be integrated with AWS SSO as a cloud app. This may be more scalable in the long run as you map many roles in external accounts to many AWS SSO users.

answered a month ago
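As an added example (not part of the answer above or of any AWS tooling), a sketch of the redirect page that answer suggests: it generates a static list of switch-role links from a client inventory. It assumes the link format that the IAM console shows as "Link to switch roles in console" (`https://signin.aws.amazon.com/switchrole` with `account`, `roleName` and `displayName` parameters); the client names, account IDs and role names are constructed.

```python
import html
import re
from urllib.parse import urlencode

# Assumed endpoint: the console switch-role form, pre-filled by query parameters.
SWITCH_ROLE_ENDPOINT = "https://signin.aws.amazon.com/switchrole"

ACCOUNT_ID_RE = re.compile(r"\d{12}", re.ASCII)
ROLE_NAME_RE = re.compile(r"[\w+=,.@-]{1,64}", re.ASCII)  # characters IAM allows in role names

# Constructed sample inventory: (label, account ID, role name), all hypothetical.
CLIENTS = [
    ("Example Client A", "111122223333", "SupportEngineer"),
    ("Example Client B <prod>", "444455556666", "ReadOnly-Support"),
]


def switch_role_url(account_id, role_name, display_name):
    """Build one switch-role link, rejecting malformed account IDs or role names."""
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    if not ROLE_NAME_RE.fullmatch(role_name):
        raise ValueError(f"invalid IAM role name: {role_name!r}")
    query = urlencode({"account": account_id, "roleName": role_name,
                       "displayName": display_name})
    return f"{SWITCH_ROLE_ENDPOINT}?{query}"


def render_page(clients):
    """Render a static HTML list of links; every inventory value is escaped."""
    rows = []
    for label, account_id, role_name in clients:
        url = switch_role_url(account_id, role_name, label)
        rows.append(f'<li><a href="{html.escape(url, quote=True)}">'
                    f"{html.escape(label)}</a> "
                    f"({account_id} / {html.escape(role_name)})</li>")
    return ("<!doctype html>\n<title>Switch role</title>\n<ul>\n"
            + "\n".join(rows) + "\n</ul>\n")


if __name__ == "__main__":
    print(render_page(CLIENTS))
```

The links only pre-fill the form; the signed-in identity still needs permission to assume each target role, so the page itself grants no access.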

I was able to get the relay state to work with That URL should work if the permission set has IAM privileges.

answered a month ago
  • Thanks for your response, but it doesn't help with what we are trying to accomplish. This is the flow that I am looking for:

    1.) User logs into SSO Portal
    2.) User clicks Management Console for specific Permission Set
    3.) User is routed to the "Switch Role" interface (
    4.) Fields are already populated with target account's ID and role name to be assumed

    The "Link to switch roles in console" listed when a role is created is exactly what we need, if only it would work as a Relay State URL.


+1 on this feature. Seems the whole point to do after SSO login is to do Switch role. But currently everything is static and is a blocker to create deep link logins with AWS SSO.

answered 23 days ago
