I asked this same question a while back, as I understand this is not possible currently when deployed in the cloud. The only option you have is to require a certificate on the complete application, that means all users need the certificate as well. I did hear that this feature is on the roadmap. I'm also very interested in when this feature will become available.