Thank you for using AWS MWAA.
With the details provided, MWAA access going over the ALB/custom DNS record will be redirected for SSO authentication and then to the VPC endpoint. So, in your case, the redirection behaviour is working as expected. This is because MWAA currently does not support web server aliases, even though the custom DNS/ALB is set up successfully.
To give some context here, the Web UI in Managed Airflow (MWAA) is designed to be accessed using SSO authentication via an IAM user/role. This is because the SSO tends to redirect to the web server URL defined in the environment rather than the referrer custom domain. So, after login, it goes back to the default web server domain. However, you can bypass the SSO authentication page and access the Web UI directly using the MWAA web-token feature; please see below.
Basically, the web-token feature allows you to authenticate access externally by using IAM credentials to generate a web token (which is valid for 60 seconds), which can be inserted into the URL of your Airflow UI.
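The web-token flow described in this answer, as an added example that is not part of the original answer and not AWS's own code. It assumes boto3 with IAM credentials allowed to call `airflow:CreateWebLoginToken`; the environment name `my-mwaa-env` is a placeholder, and the sign-in path used to build the URL is an assumption to confirm against the current MWAA documentation.

```python
import re
import sys
import time

TOKEN_TTL_SECONDS = 60  # token lifetime as stated in the answer above

# Assumption: the returned hostname is a plain DNS name. Anything else is
# rejected so a malformed response cannot change the URL's host or path.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def build_login_url(mwaa_client, env_name, now=time.time):
    """Return (login_url, expires_at_epoch) for one MWAA environment.

    mwaa_client must expose create_web_login_token(Name=...), as
    boto3.client("mwaa") does.
    """
    resp = mwaa_client.create_web_login_token(Name=env_name)
    host, token = resp["WebServerHostname"], resp["WebToken"]
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError("unexpected WebServerHostname in response")
    # Assumed sign-in path; the token is placed in the URL fragment.
    url = f"https://{host}/aws_mwaa/aws-console-sso?login=true#{token}"
    return url, now() + TOKEN_TTL_SECONDS


def main(argv):
    import boto3  # imported here so build_login_url works without it

    env_name = argv[1] if len(argv) > 1 else "my-mwaa-env"  # placeholder name
    url, expires_at = build_login_url(boto3.client("mwaa"), env_name)
    # Until it expires the URL works as a bearer credential: print it for
    # immediate use only and keep it out of logs, tickets and chat.
    print(url)
    print(f"valid for about {int(expires_at - time.time())}s", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```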