I am working to generate an AWS console URL following Enabling Custom Identity Broker Access to the AWS Console - AWS Identity and Access Management.
I created AWS SSO and roles successfully. Then I created an admin IAM account with an Administrator policy attached. As the admin IAM user, I tried:
aws sts assume-role --role-arn arn:aws:iam::123456789:role/rolename --role-session-name "AssumeRoleSession"
The error message says:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123456789:user/admin is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/rolename
The IAM user has an AdministratorAccess policy like the one below.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
The role and the IAM admin user are in the same account. The manual page above does not specify any precondition. Can you see something missing? I tried to edit the trust relationships, but it fails with an error:
An error occurred: Cannot perform the operation on the protected role 'AWSReservedSSO_ROLENAME' - this role is only modifiable by AWS.
In my case, I ended up creating a new policy with my required permissions, attached it to a new role, and then edited the trust policy so it narrowed down access.
If you must use the existing policy and role, you could check that service control policies don't block what the role allows.
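The approach in the answer above, written out as an added example (not code from the question, the answer, or AWS). Two facts drive it: sts:AssumeRole succeeds only when both the caller's identity policy and the role's trust policy allow it, and an AWSReservedSSO_* role's trust policy names only the IAM Identity Center SAML provider and cannot be edited, so an IAM user is denied no matter what identity policy it carries. The example builds a trust policy for a self-managed role that names the admin user, then carries the custom-identity-broker flow from the linked AWS page through to a console URL: temporary credentials become a Session document, the federation endpoint returns a SigninToken, and that token becomes the login URL. The account ID 123456789012, the role name ConsoleBrokerRole, the issuer URL and the credentials are constructed values, and the HTTP fetch is injectable so the flow runs offline; the live STS call needs boto3 and real credentials.

```python
"""Custom identity broker flow for the AWS console.

Added example, not code from the question or answer. Assumed values:
account 123456789012, IAM user 'admin', role ConsoleBrokerRole, and the
constructed sample credentials below.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def build_trust_policy(principal_arn: str) -> Dict:
    """Trust policy for a self-managed role: only the named principal may assume it.

    The caller's identity policy (AdministratorAccess here) is not enough on its
    own; AssumeRole is granted only when this policy allows the caller as well.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def session_json(access_key_id: str, secret_access_key: str, session_token: str) -> str:
    """The 'Session' document the federation endpoint expects (documented key names)."""
    return json.dumps({
        "sessionId": access_key_id,
        "sessionKey": secret_access_key,
        "sessionToken": session_token,
    })


def signin_token_url(session_doc: str) -> str:
    """Step 1 of the broker flow: ask the federation endpoint for a SigninToken."""
    return (f"{FEDERATION_ENDPOINT}?Action=getSigninToken"
            f"&Session={urllib.parse.quote_plus(session_doc)}")


def console_login_url(signin_token: str, issuer: str, destination: str) -> str:
    """Step 2: the URL handed to the user's browser."""
    return (f"{FEDERATION_ENDPOINT}?Action=login"
            f"&Issuer={urllib.parse.quote_plus(issuer)}"
            f"&Destination={urllib.parse.quote_plus(destination)}"
            f"&SigninToken={urllib.parse.quote_plus(signin_token)}")


def _http_get_json(url: str) -> Dict:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode())


def broker_console_url(creds: Dict[str, str], issuer: str, destination: str,
                       fetch: Callable[[str], Dict] = _http_get_json) -> str:
    """Exchange temporary credentials for a console login URL.

    `fetch` is injectable so the flow can be exercised without network access.
    """
    doc = session_json(creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"])
    token = fetch(signin_token_url(doc))["SigninToken"]
    return console_login_url(token, issuer, destination)


def assume_role_credentials(role_arn: str, session_name: str) -> Dict[str, str]:
    """Live STS call (needs boto3 and AWS credentials; not exercised offline)."""
    import boto3  # local import keeps the module importable without boto3
    resp = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return resp["Credentials"]


# Constructed sample credentials so the flow runs offline (not real keys).
SAMPLE_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEKEY",
    "SecretAccessKey": "examplesecret",
    "SessionToken": "exampletoken",
}


def fake_fetch(url: str) -> Dict:
    """Stand-in for the federation endpoint: checks the request shape, returns a token."""
    assert url.startswith(f"{FEDERATION_ENDPOINT}?Action=getSigninToken&Session=")
    return {"SigninToken": "FAKE-SIGNIN-TOKEN"}


if __name__ == "__main__":
    print(json.dumps(build_trust_policy("arn:aws:iam::123456789012:user/admin"), indent=2))
    print(broker_console_url(SAMPLE_CREDS, "https://broker.example.com",
                             "https://console.aws.amazon.com/", fetch=fake_fetch))
```

To use it live, attach the trust policy to ConsoleBrokerRole, give the role a permissions policy scoped to what the console session actually needs, and replace SAMPLE_CREDS with the output of assume_role_credentials(...). The session document carries the temporary secret key, so the broker must send it only over TLS to the federation endpoint and never log it.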