
Enterprise SAML for Modern Apps

Caddy + Logto bridge OIDC↔SAML to Entra

This is a static, self-contained demo for educational purposes. It does not connect to any live systems and is not intended as a reference implementation.

Step 1 of 11: User requests protected resource

User requests protected resource

User navigates to the dashboard. Caddy intercepts and checks auth.

Confidential clients (like this Caddy setup) must validate the `state` parameter on callback, checking that it matches the value stored in the user's session before the login started, to prevent CSRF attacks. Public clients (like SPAs with React/Vue) should additionally implement PKCE.

What the user sees

https://secrets.example.com/dashboard
Demo simulation — do not enter real credentials
Redirecting to login...

What's happening (HTTP)

REQUEST Browser → Caddy
GET https://secrets.example.com/dashboard
Cookie: (none)
💡 No session cookie present
INTERNAL Caddy → oauth2-proxy
forward_auth subrequest
💡 Caddy asks auth layer: is this user authenticated?
RESPONSE Caddy → Browser
302 Found
Location: https://logto.example.com/oidc/auth?
client_id=ots-app
&redirect_uri=https://secrets.example.com/oauth2/callback
&response_type=code
&scope=openid profile email
&state=random-csrf-token
💡 Not authenticated → redirect to Logto
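The `state` check described above and the authorization redirect shown in this step, worked through as an added example (not code from the demo or from Caddy, Logto or oauth2-proxy). It uses the demo's placeholder endpoint, client_id, redirect_uri and scope, keeps `state` in a server-side session dict that stands in for the proxy's session store, rejects a callback whose `state` does not match, and adds the PKCE parameters for the public-client case. The session dict and the `query_params` helper are assumptions made for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the redirect shown in this step (demo placeholders, not live hosts).
AUTHORIZE_ENDPOINT = "https://logto.example.com/oidc/auth"
CLIENT_ID = "ots-app"
REDIRECT_URI = "https://secrets.example.com/oauth2/callback"
SCOPE = "openid profile email"


def new_state() -> str:
    """Unguessable, single-use CSRF token; bound to the browser session by the caller."""
    return secrets.token_urlsafe(32)


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple[str, str]:
    """Fresh code_verifier (43..128 chars) and its code_challenge."""
    verifier = secrets.token_urlsafe(64)
    return verifier, pkce_challenge(verifier)


def build_authorization_request(session: dict, public_client: bool = False) -> str:
    """Store state (and the PKCE verifier) in the session, then build the redirect URL.

    `session` is an assumed stand-in for the proxy's server-side session store.
    """
    state = new_state()
    session["oidc_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPE,
        "state": state,
    }
    if public_client:
        # Public clients cannot keep a secret, so PKCE binds the code to this browser.
        verifier, challenge = new_pkce_pair()
        session["pkce_verifier"] = verifier
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def query_params(url: str) -> dict:
    """Flatten the query string of a URL into a single-valued dict (helper for the example)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def validate_callback(session: dict, callback_url: str) -> dict:
    """Check the callback's state against the session before using the code.

    The stored state is popped so it can only be used once. Raises ValueError on
    a missing or mismatched state, which is the CSRF case the page warns about.
    """
    query = query_params(callback_url)
    expected = session.pop("oidc_state", None)
    received = query.get("state")
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    result = {"code": query["code"]}
    if "pkce_verifier" in session:
        # The verifier travels with the code to the token endpoint, never in the redirect.
        result["code_verifier"] = session.pop("pkce_verifier")
    return result
```

The callback handler pops the stored state rather than reading it, so a second callback reusing the same state fails even if the first one succeeded; in a real deployment the session must be bound to the browser with a cookie before the redirect is issued, exactly as oauth2-proxy's session cookie does in the later steps of this flow.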

Legend

Browser request
Server response
Server-to-server
Internal process

Protocol Stack

OTS (Application)
  | HTTP
Caddy (Reverse Proxy)
  | OIDC (via oauth2-proxy)
Logto (Service Provider)
  | SAML
Entra (Identity Provider)
An Authentication Flow Demo v0.3.0