Find a way to use CILogon auth on ingresses

Currently, users can set annotations to restrict an Ingress to specific IP addresses (haproxy.org/whitelist) or HTTP Basic Users (haproxy.org/auth-secret).

It would be great to be able to restrict it to specific CILogon users, for example hpc.nyu.edu/nyu-users: "rr2369 rp2585"). However I am not sure how this could be accomplished.