diff --git a/modules/exampleauth/templates/authenticate.twig b/modules/exampleauth/templates/authenticate.twig
new file mode 100644
index 0000000000000000000000000000000000000000..4a68e334cbcc465549576cf180bfd2c6998828e8
--- /dev/null
+++ b/modules/exampleauth/templates/authenticate.twig
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+ <title>exampleauth login page</title>
+ </head>
+ <body>
+ <h1>exampleauth login page</h1>
+ <p>
+ In this example you can log in with two accounts: <code>student</code> and <code>admin</code>.
+ In both cases, the password is the same as the username.
+ </p>
+ <form method="post" action="?">
+ <p>
+ Username:
+ <input type="text" name="username">
+ </p>
+ <p>
+ Password:
+ <input type="text" name="password">
+ </p>
+ <input type="hidden" name="ReturnTo" value="{{ returnTo|escape('html') }}">
+ <p><input type="submit" value="Log in"></p>
+ </form>
+{% if badUserPass == true %}
+ <p>!!! Bad username or password !!!</p>
+{% endif %}
+ </body>
+</html>
diff --git a/modules/exampleauth/www/authpage.php b/modules/exampleauth/www/authpage.php
index 7bc87a5a16ba627e1f08df434ae94993f9c20a3d..f59c707a1d086c32998f5dcbe53b70d23a6cf682 100644
--- a/modules/exampleauth/www/authpage.php
+++ b/modules/exampleauth/www/authpage.php
@@ -15,7 +15,7 @@ if (!isset($_REQUEST['ReturnTo'])) {
 $returnTo = \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo']);
-/*
+/**
 * The following piece of code would never be found in a real authentication page. Its
 * purpose in this example is to make this example safer in the case where the
 * administrator of the IdP leaves the exampleauth-module enabled in a production
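Review bot: In `authenticate.twig` the password field is declared as `<input type="text" name="password">`, so the password is shown in clear while it is typed and may end up in the browser's form history. Use `<input type="password" name="password">` instead; even for an example module this template may well be copied as a starting point. As a smaller style point, `{% if badUserPass == true %}` is a loose comparison, and `{% if badUserPass %}` expresses the same condition more simply.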
@@ -24,19 +24,18 @@ $returnTo = \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo']);
 * What we do here is to extract the $state-array identifier, and check that it belongs to
 * the exampleauth:External process.
 */
-
 if (!preg_match('@State=(.*)@', $returnTo, $matches)) {
 die('Invalid ReturnTo URL for this example.');
 }
-\SimpleSAML\Auth\State::loadState(urldecode($matches[1]), 'exampleauth:External');
-/*
+/**
 * The loadState-function will not return if the second parameter does not
 * match the parameter passed to saveState, so by now we know that we arrived here
 * through the exampleauth:External authentication page.
 */
+\SimpleSAML\Auth\State::loadState(urldecode($matches[1]), 'exampleauth:External');
-/*
+/**
 * Our list of users.
 */
 $users = [
@@ -56,7 +55,7 @@ $users = [
 ],
 ];
-/*
+/**
 * Time to handle login responses.
 * Since this is a dummy example, we accept any data.
 */
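Review bot: The comment beginning "The loadState-function will not return…" now sits above the `loadState()` call, but its wording ("so by now we know that we arrived here") still describes the situation after the call has returned. Reword it to fit the new position, for example `* loadState() does not return unless the second parameter matches the one passed to saveState, so once it returns we know the request came through the exampleauth:External page.` The `/**` opener also marks these narrative blocks as docblocks although none of them documents a declaration; plain `/*` would avoid confusing documentation tools. That applies to the other `/*` to `/**` changes in this file as well.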
@@ -85,35 +84,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 }
 }
-/*
+/**
 * If we get this far, we need to show the login page to the user.
 */
-?><!DOCTYPE html>
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-<title>exampleauth login page</title>
-</head>
-<body>
-<h1>exampleauth login page</h1>
-<p>
-In this example you can log in with two accounts: <code>student</code> and <code>admin</code>.
-In both cases, the password is the same as the username.
-</p>
-<?php if ($badUserPass) { ?>
-<p>Bad username or password.</p>
-<?php } ?>
-<form method="post" action="?">
-<p>
-Username:
-<input type="text" name="username">
-</p>
-<p>
-Password:
-<input type="text" name="password">
-</p>
-<input type="hidden" name="ReturnTo" value="<?php echo htmlspecialchars($returnTo); ?>">
-<p><input type="submit" value="Log in"></p>
-</form>
-</body>
-</html>
+$config = \SimpleSAML\Configuration::getInstance();
+$t = new \SimpleSAML\XHTML\Template($config, 'exampleauth:authenticate.twig');
+$t->data['badUserPass'] = $badUserPass;
+$t->data['returnTo'] = $returnTo;
+$t->show();
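Review bot: `$t->data['returnTo'] = $returnTo;` hands the URL to the template unescaped, so HTML escaping of the hidden `ReturnTo` field now depends entirely on `authenticate.twig` (which applies `escape('html')`), whereas the removed page called `htmlspecialchars()` at the point of output. A short comment above the assignment would keep that contract visible to whoever edits either file: `// $returnTo was validated by checkURLAllowed() above; it is HTML-escaped in the template, not here`. The start of the script is outside this hunk, so how `$badUserPass` is initialised for a plain GET request cannot be confirmed from the lines shown.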