Multi-level authentication, MFA

Hello! This is my first post, glad to be here :slight_smile:

We are about to set up Nextcloud and I am seeking some advice on a specific authentication use case.

Our Nextcloud installation will host several users and group folders (via the app). Some of the users and group folders will contain specifically sensitive information, some not. We would like to have users of the non-sensitive category, and those that do not access sensitive group folders, log in with a username and password, while users considered sensitive should also be asked for MFA. The same applies to all users who want to access sensitive group folders. For the latter case, a user who has successfully signed in with the password should be redirected to authentication and asked for MFA as soon as he/she tries to access a sensitive folder. In addition to all of the above, the MFA requirement could be waived if the user logs in from a pre-defined IP range.

In addition to Nextcloud, we are considering rolling out Discourse and Zulip or Rocketchat together with an in-house app that we have. We are therefore planning to roll out a central authentication scheme, such as SAML or OAuth2. Ideally, most of the functionality necessary for the above should be implemented centrally. I have heard that ADFS provides such multi-level authentication rules, but we are not able to use ADFS for various reasons.

Your advice would be appreciated. Obviously, I am not looking for a complete solution here in the forum, but if you could share general ideas and a few pointers on how to implement this and prior work, that would already be super-helpful.

Btw: Congrats on winning the tender in Germany!!!
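The step-up policy the post describes (MFA for sensitive users, MFA on first access to a sensitive group folder, waiver from a trusted IP range), written out as a small decision function. This is an added illustration, not code from the post's author or from Nextcloud; the trusted networks, user/folder flags and the `decide` function are all assumptions for the example.

```python
import ipaddress

# Constructed example of the "pre-defined IP range" from which MFA is waived.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Possible outcomes for an access attempt.
ALLOW = "allow"              # let the request through
STEP_UP_MFA = "step_up_mfa"  # redirect to authentication and ask for a second factor


def mfa_waived(client_ip: str) -> bool:
    """True if the client address falls inside a trusted network.

    An unparsable or missing address fails closed: no waiver.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def decide(sensitive_user: bool, sensitive_folder: bool,
           mfa_done: bool, client_ip: str) -> str:
    """Evaluate one request.

    sensitive_user:   the account itself is in the sensitive category
    sensitive_folder: the resource being opened is a sensitive group folder
                      (False for the login itself or a non-sensitive folder)
    mfa_done:         the current session has already completed MFA
    client_ip:        source address of the request
    """
    if not (sensitive_user or sensitive_folder):
        return ALLOW                      # password-only users on ordinary data
    if mfa_done:
        return ALLOW                      # second factor already satisfied this session
    if mfa_waived(client_ip):
        return ALLOW                      # trusted network waives the requirement
    return STEP_UP_MFA                    # sensitive user or folder: ask for MFA now


if __name__ == "__main__":
    # Ordinary user opening an ordinary folder, then a sensitive one from outside.
    print(decide(False, False, False, "203.0.113.7"))   # allow
    print(decide(False, True, False, "203.0.113.7"))    # step_up_mfa
    print(decide(True, False, False, "10.20.5.9"))      # allow (trusted range)
```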