MFA via One Time Passcode (OTP) for web access

I’ve been working with UCS, trying to lock down my web URLs using an MFA solution like Google Authenticator.

Does anyone have some config examples and details that they could share? I want to restrict user logins at these directories to require an MFA:

I was getting a lot of brute-force attempts on my z-push and webapp, so I enabled client-side certificate requirements. This stops the attacks at the reverse proxy, but the need for certificates on the webmail portion pretty much defeats the purpose of having webmail.

I want to move towards an authenticator app instead.

I want to also require MFA on my “ucs-sso” URLs. This should enable MFA for services that use SAML like meets.

I’ve found solutions like this:

The ways to go about implementing it are a bit unclear.

Looking for some detailed docs and hopefully some lessons learned from someone who has done it.