I just set up a Vouch-Proxy for this yesterday. It uses the nginx auth_request directive to authenticate users with an SSO server, and then stores the token in a domain-wide cookie, so you’re logged in across all subdomains. Works pretty well so far, you don’t even notice it when you’re logged in to your SSO provider.
But you do have to tell the proxy where you want to redirect a request somehow, either by subdomain (illegal.yourdomain.com) or port (yourdomain.com:8787) or path (yourdomain.com/illegal). I’m not sure if it works with raw IPs as hosts, but you can add additional restrictions like only allowing local client IPs.
In my special case I’m using the local Synology SSO server, and I have to spin up an additional nginx server because the built-in one doesn’t support auth_request.