Exchange a bearer token for a SAML assertion

In our AWS world, every account is represented by an Okta Application Icon. Clicking on it uses Okta SAML to sign into the AWS console. That part I could easily emulate with the SSO Dashboard and adding auth0 as an identity provider. Users can click on the app icons, get redirected to the universal login page, sign into auth0 and then get redirected to the AWS console.

Now there is a command line tool that does the same thing for scripts, applications etc. What it does is mimic the normal login flow (with MFA etc.) to acquire a session token in Okta (and a bearer token in auth0). And in the Okta world, there is now a way to use this token to retrieve the SAML assertion that normally would be sent to the AWS signin page (see Overview | Okta Developer, which is not exactly great but it does work). That tool now takes that SAML assertion apart and performs direct AWS authentication (using sts.SetSAMLAssertion).

This is where I am stuck. There seems to be no way to actually retrieve the assertion through an API even if I hold a valid bearer token. Or is there?

Grateful for any pointers or help. Right now, I need to put this project on hold.
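The "take the SAML assertion apart and authenticate to AWS" step the post describes, as an added Python example that is not from the original post or from the CLI tool it refers to. The SAML response is a constructed, unsigned sample, `extract_roles` / `assume_role_params` are hypothetical names, and the target API is assumed to be boto3's `sts.assume_role_with_saml()`; checking the assertion's Conditions window before using it is a client-side safeguard I added, not something the post states.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# Constructed, unsigned sample response for illustration only (not from any real IdP).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/idp</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/idp,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_roles(response_xml, now):
    """Return (role_arn, principal_arn) pairs, refusing an assertion outside its validity window."""
    root = ET.fromstring(response_xml)
    cond = root.find(".//saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion missing Conditions or outside its validity window")
    roles = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            a, b = (s.strip() for s in val.text.split(","))
            # AWS accepts the pair in either order; normalise to (role, principal)
            roles.append((a, b) if ":role/" in a else (b, a))
    return roles

def assume_role_params(response_xml, role_arn, now=None):
    """Build the keyword arguments for boto3's sts.assume_role_with_saml() (assumed API)."""
    now = now or datetime.now(timezone.utc)
    offered = dict(extract_roles(response_xml, now))
    if role_arn not in offered:
        raise ValueError(f"{role_arn} is not offered by this assertion")
    return {
        "RoleArn": role_arn,
        "PrincipalArn": offered[role_arn],
        "SAMLAssertion": base64.b64encode(response_xml.encode()).decode(),
    }
```

Signature verification of the response is deliberately left to the IdP/SP libraries; this block only shows the role extraction and the time-window check a client should perform before calling STS.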


Still grateful for any pointers. Is that not possible with auth0?