I don't think this is an issue of not having a robust script (in fact, I rolled my own which is less than a hundred lines; and that includes some very specific stuff that I just put in there for teh lulz), but for integrating it better into the Client application itself (since others do so, and many servers support it as standard feature).
Plus, it requires changing the CAP request, which is pretty much the first thing that goes out, and requires on LOGON or perhaps on PARSELINE to do so.

SASL authentication should be as "easy" as

  • Ask for the servers capabilities to see if they even support it (CAP LS, before USER/NICK)
    • In case the server does not support CAP, ignore
    • In case the CAP LS response includes SASL, continue with authentication by requesting it (CAP REQ :sasl, optionally including other capabilities such as multi-prefix)
    • In case it doesn't, end the capabilities dance (CAP END)
  • Once the server acknowleges the sasl request (CAP ACK), start the authentication with a given/preferred method (AUTHENTICATE)
  • The server should then accept the authentication by replying with a +, not sure what it returns otherwise
  • After that, send the encrypted payload (AUTHENTICATE). Note that this should be chunked to 400 characters, for (hopefully) obvious reasons.
  • If we're still here, end the capabilities dance (CAP END)

Used to have some documentation somewhere, but I can't find it atm...so here's a log of my script:
Code:
-> irc.domain.tld CAP LS
-> irc.domain.tld USER bhaal 0 * :BhaaL
-> irc.domain.tld NICK BhaaL
<- :irc.domain.tld NOTICE * :*** Looking up your hostname...
<- :irc.domain.tld NOTICE * :*** Found your hostname
<- :irc.domain.tld CAP * LS :userhost-in-names multi-prefix away-notify account-notify sasl tls
-> irc.domain.tld CAP REQ :multi-prefix sasl
<- PING :D59F9447
-> irc.domain.tld PONG :D59F9447
<- :irc.domain.tld CAP BhaaL ACK :multi-prefix sasl 
-> irc.domain.tld AUTHENTICATE PLAIN
<- AUTHENTICATE +
-> irc.domain.tld AUTHENTICATE <auth digest/hash/whatever>
<- :irc.domain.tld 900 BhaaL BhaaL!bhaal@home.tld BhaaL :You are now logged in as BhaaL.
<- :irc.domain.tld 903 BhaaL :SASL authentication successful
-> irc.domain.tld CAP END
<- :irc.domain.tld 001 BhaaL :Welcome to the IRC Network BhaaL!bhaal@home.tld
<- :irc.domain.tld 002 BhaaL :Your host is irc.domain.tld, running version UnrealIRCd-4.0.6

My script just overrides on LOGIN, then raw CAP and raw AUTHENTICATE to do the job (plus some numerics for fun)