in step 4, it says "Identity Broker calls …. using IAM credentials" — what credentials? where did they come from? What should have been pre-setup in order for this to happen?
It uses whatever IAM User you have created for it, configured for programmatic authentication. That Identity Broker application is running outside of AWS, and as it is making the initial API call of the larger process, cannot be assigned an IAM Role.
For more details, and for an overview of other federation options, check out Providing Access to Externally Authenticated Users (Identity Federation).
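The broker pattern the answer describes, as an added example that is not part of this thread and not AWS's own code: the broker's IAM user keys are its only long-lived secret, loaded from the environment rather than from the end user; for each user it has already authenticated it calls STS `AssumeRole` (the real boto3 call shape, with `RoleArn`, `RoleSessionName`, `Policy` and `DurationSeconds`) and hands back only the short-lived credentials. The `FakeSTS` class, the bucket name, the role ARN and the environment variable names are constructed so the code runs offline; in production the fake is replaced by `boto3.client("sts", **broker_keys)`.

```python
"""Minimal identity-broker sketch: the broker's own long-lived IAM user keys
are the only static secret; every end user gets short-lived STS credentials."""
import json
import os
import re

# Real AWS STS constraints: RoleSessionName is 2-64 chars of [\w+=,.@-];
# DurationSeconds is 900..43200 (further capped by the role's MaxSessionDuration).
_SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def load_broker_credentials(env=os.environ):
    """The broker runs outside AWS, so it cannot pick up a role from an instance
    profile. It authenticates with the IAM user created for it; the keys come from
    the environment or a secrets store (variable names are assumptions here),
    never from the end user and never from source code."""
    try:
        return {
            "aws_access_key_id": env["BROKER_AWS_ACCESS_KEY_ID"],
            "aws_secret_access_key": env["BROKER_AWS_SECRET_ACCESS_KEY"],
        }
    except KeyError as missing:
        raise RuntimeError(f"broker IAM user credential {missing} not configured") from None


def session_policy_for(user):
    """Session policy that narrows the assumed role to one user's own prefix
    (bucket name is constructed). Effective permissions are the intersection of
    the role's policy and this document, so it can only shrink access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::example-bucket/home/{user}/*",
        }],
    }


def mint_temporary_credentials(sts_client, role_arn, user, duration=3600):
    """Step 4 of the flow: after the broker has authenticated `user` against the
    corporate directory, it calls AssumeRole with its IAM user keys and returns
    only the temporary credentials. `sts_client` is a boto3 STS client in real use."""
    session_name = f"broker-{user}"
    if not _SESSION_NAME_RE.match(session_name):
        raise ValueError(f"invalid RoleSessionName {session_name!r}")
    if not 900 <= duration <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        Policy=json.dumps(session_policy_for(user)),
        DurationSeconds=duration,
    )
    creds = resp["Credentials"]
    # Return only what the end user needs; the broker's own keys never leave this process.
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"],
    }


class FakeSTS:
    """Constructed stand-in for boto3's STS client so the example runs offline.
    It records the request and returns a response shaped like AssumeRole's."""
    def __init__(self):
        self.last_request = None

    def assume_role(self, **kwargs):
        self.last_request = kwargs
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLE",
                "SecretAccessKey": "fake-secret",
                "SessionToken": "fake-session-token",
                "Expiration": "2024-01-01T01:00:00Z",
            },
            "AssumedRoleUser": {"Arn": kwargs["RoleArn"] + "/" + kwargs["RoleSessionName"]},
        }


if __name__ == "__main__":
    # Constructed sample environment standing in for the broker's secret store.
    env = {"BROKER_AWS_ACCESS_KEY_ID": "AKIAEXAMPLE", "BROKER_AWS_SECRET_ACCESS_KEY": "x"}
    broker_keys = load_broker_credentials(env)
    # In production: sts = boto3.client("sts", **broker_keys)
    sts = FakeSTS()
    creds = mint_temporary_credentials(
        sts, "arn:aws:iam::123456789012:role/BrokerFederatedUser", "alice")
    print(json.dumps(creds, indent=2))
```

The pre-setup the question asks about is visible in the code: an IAM user for the broker with programmatic access keys, a role the broker is allowed to assume (its trust policy must name that IAM user), and a session policy template that scopes each minted session to the authenticated user.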