MFA via One Time Passcode (OTP) on for web access

I’ve been working UCS trying to lock down my web URLs using an MFA solution like Google Authenticator.
https://code.google.com/archive/p/google-authenticator-apache-module/wikis/GoogleAuthenticatorApacheModule.wiki

Does anyone have some config examples and details that they could share? I want to restrict user logins at these directories to require an MFA:
/webapp
/univention/management

I was getting a lot of brute force attempts on my z-push and webapp so I enabled client-side certificate requirements. This stops the attacks at the reverse-proxy but the need for certificates on the webmail portion pretty much defeats the purpose of having webmail

I want to move towards an authenticator app instead.

I want to also require MFA on my “ucs-sso” URLs. This should enable MFA for services that use SAML like meets
https://ucs-sso.somedomain.com/simplesamlphp/module.php/core/loginuserpass.php

I’ve found solutions like this:

The ways to go about implementing it are a bit unclear.

Looking for some details docs and hopefully some lessons learned from someone who has done it.