X.509 certificate-based SSO and Istio - what are the options?

Ladies and Gentlemen,

I have one question - what are the options for SSO for Istio?

I have a requirement - X.509 certificate-based SSO for a client accessing an app running in the mesh behind the Istio Ingress gateway, while the IdP for SSO is provided by a third party and is running outside of the k8s cluster.

The IdP/SSO currently works, using SAML2, for apps running on another k8s cluster without Istio. The question is - how to have the same functionality for the apps running in the Istio mesh.

I did some reading and came up with rfc8705 and rfc7522, but neither of them is supported by the Envoy proxies in Istio.

Any ideas?