Release/v11.1.0 (#1504)

* feat: update database schema and properties for v11 release

* feat: refactor constants for log event data and update Elasticsearch query

* feat: refactor event handling to use Event type and update related components

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance agent console UI and improve password input handling

Signed-off-by: Manuel Abascal <[email protected]>

* feat: refactor layout and styling for active directory components

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance add rule component with after events section and modal styling

Signed-off-by: Manuel Abascal <[email protected]>

* feat: improve layout and styling for active directory event component

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add changelogs to hide compliance menu items and update filters visualization

* feat: filter compliance standards by ID in the HTTP response

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement search functionality for fields in condition item component

Signed-off-by: Manuel Abascal <[email protected]>

* feat: remove duplicate alert badge fields and clean up HTML structure

Signed-off-by: Manuel Abascal <[email protected]>

* feat: remove loading spinner from visualization preview tooltip

Signed-off-by: Manuel Abascal <[email protected]>

* feat: update aggregation field mappings in filters visualization

* feat: comment out documentation alert in logstash filter create component

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add changelog to disable correlation rules with regex

* feat: update placement attribute to support multiple positions in alert action select component

Signed-off-by: Manuel Abascal <[email protected]>

* feat: condition builder visibility based on fields availability

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add system owner field to alert response rules and update related logic

* feat: add systemOwner filter to playbooks component

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add system owner field to alert response rules and update related logic

* feat: enhance playbook component with improved layout and functionality

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance playbook component with improved layout and functionality

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance playbook component with improved layout and functionality

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add system owner field to alert response rules and update related logic

* feat: enhance playbook component with improved layout and functionality

Signed-off-by: Manuel Abascal <[email protected]>

* feat: update agent handling strategy description for clarity and context

Signed-off-by: Manuel Abascal <[email protected]>

* feat: update agent handling strategy description for clarity and context

Signed-off-by: Manuel Abascal <[email protected]>

* fix: change PostgreSQL logger level from WARN to ERROR

* feat: update log handling and display logic for improved clarity and consistency

Signed-off-by: Manuel Abascal <[email protected]>

* feat: update log filter selection to improve user experience

Signed-off-by: Manuel Abascal <[email protected]>

* fix: handle potential null value in audits length check

Signed-off-by: Manuel Abascal <[email protected]>

* fix: update filterBySelect method to accept a generic field type

Signed-off-by: Manuel Abascal <[email protected]>

* feat: update workflows and send to new cm in gcp

* feat: include script to compile installer

* fix: resolve workflow errors and improve cross-platform compatibility

* fix problem with agent SIGN KEY

* feat: implement service to automatically assign asset groups to alerts

* feat: add asset group fields to alert constants and configuration

Signed-off-by: Manuel Abascal <[email protected]>

* feat(agent/syslog): add RFC 5424 octet counting framing support and improve message handling

* fix: always update pending versions

* improve v11 changelog

* feat: enhance playbook UI and loading behavior, add new alert fields

Signed-off-by: Manuel Abascal <[email protected]>

* feat(oauth2): implement corporate authentication with OAuth2 support

* feat(identity-provider): add OAuth2/OpenID Connect provider management

Signed-off-by: Manuel Abascal <[email protected]>

* feat(identity-provider): add OAuth2/OpenID Connect provider management

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement service to automatically assign asset groups to alerts

* feat(identity-provider): add OAuth2/OpenID Connect provider management

Signed-off-by: Manuel Abascal <[email protected]>

* feat(oauth2): enhance corporate authentication with additional fields and event handling

* feat: add CrowdStrike plugin core implementation

* feat: add gRPC configuration management for CrowdStrike

* feat(oauth2): enhance corporate authentication with additional fields and event handling

* feat(oauth2): enhance corporate authentication with additional fields and event handling

* feat(identity-provider): add OAuth2/OpenID Connect provider management

Signed-off-by: Manuel Abascal <[email protected]>

* feat(oauth2): enhance corporate authentication with additional fields and event handling

* feat(identity-provider): add OAuth2/OpenID Connect provider management

Signed-off-by: Manuel Abascal <[email protected]>

* refactor: update version info handling and clean up community module display

Signed-off-by: Manuel Abascal <[email protected]>

* Update frontend/src/app/shared/components/auth/login/login.component.ts

Co-authored-by: Copilot <[email protected]>

* Update frontend/src/app/shared/components/auth/login-providers/login-providers.component.ts

Co-authored-by: Copilot <[email protected]>

* Update backend/src/main/java/com/park/utmstack/config/SecurityConfiguration.java

Co-authored-by: Copilot <[email protected]>

* Update backend/src/main/java/com/park/utmstack/service/idp_provider/IdentityProviderService.java

Co-authored-by: Copilot <[email protected]>

* Update frontend/src/app/app-management/identity-provider/shared/components/provider-form/provider-form.component.ts

Co-authored-by: Copilot <[email protected]>

* feat(oauth2): enhance corporate authentication with additional fields and event handling

* refactor: simplify request structure and improve provider toggle logic

Signed-off-by: Manuel Abascal <[email protected]>

* feat(oauth2): implement enterprise version handling for identity providers

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add adversary view menu and associated authorities to database

* feat: add adversary management module with routing and view components

Signed-off-by: Manuel Abascal <[email protected]>

* refactor: remove deprecated standalone plugin architecture

* feat: add adversary management module with routing and view components

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement adversary alerts management with new DTOs and service

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: implement adversary alerts graph and service for data retrieval

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance timezone handling by dynamically generating timezone list

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance timezone handling by dynamically generating timezone list

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add adversary management module with routing and view components

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add adversary management module with routing and view components

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add adversary view menu and associated authorities to database

* feat: implement adversary alerts graph and service for data retrieval

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement adversary alerts management with new DTOs and service

* feat: enhance adversary alerts graph layout and styling for improved visualization

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance adversary alerts graph layout and styling for improved visualization

Signed-off-by: Manuel Abascal <[email protected]>

* fix[bitdefender-plugin]: make StartServer blocking and remove retry loop

* update macos guide

* feat: enhance adversary alerts graph layout and styling for improved visualization

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance adversary alerts graph layout and styling for improved visualization

Signed-off-by: Manuel Abascal <[email protected]>

* feat: implement adversary alerts management with new DTOs and service

* fix: adjust TFA expiration time to use configurable constant

* feat: conditionally render module card based on module name

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add application version info retrieval functionality

* feat: add application version info retrieval functionality

Signed-off-by: Manuel Abascal <[email protected]>

* feat: compliance report view component

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat(saml): implement SAML authentication support with identity provider configuration

* feat(saml): implement SAML authentication support with identity provider configuration

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add application version info retrieval functionality

* fix: remove conditional rendering for AS_400 module and filter out in module retrieval

Signed-off-by: Manuel Abascal <[email protected]>

* feat(saml): enhance SAML authentication success handler to include role-based authorities

* feat(o365-plugin): add multi-cloud environment support for Microsoft Cloud (Commercial, GCC, GCC High, DoD)

* feat: add exception handling for MethodArgumentNotValidException and update UtmModuleConfigValidator logic

* fix(o365-plugin): Remove invalid field check and add multi-cloud support

- Implement cloud-aware connection checking per authority
- Use correct endpoints and scopes for each cloud environment

* feat: add SQL query support to LogExplorer via OpenSearch

* feat(o365-plugin): add Office 365 cloud environment configuration options

* Update backend/src/main/resources/config/liquibase/changelog/20251125001_add_environment_o365_integration.xml

Co-authored-by: Copilot <[email protected]>

* Update backend/src/main/java/com/park/utmstack/domain/application_modules/factory/impl/ModuleO365.java

Co-authored-by: Copilot <[email protected]>

* Update backend/src/main/java/com/park/utmstack/domain/application_modules/UtmModuleGroupConfiguration.java

Co-authored-by: Copilot <[email protected]>

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* fix: update file permissions from 777 to 755 for security improvements

* feat(azure plugin): enhance Azure cloud detection and connection validation

* feat(o365_validation-modules-config): add Management API validation and multi-cloud endpoint support

* feat(header): integrate version info display and update logic

Signed-off-by: Manuel Abascal <[email protected]>

* refactor: rename UtmStackConnectionService to ModuleConfigurationValidationService and enhance validation logic

* feat(exception-handling): add ApiException class and global exception handler

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat(int-generic-group-config): improve searchable option based on config options length

Signed-off-by: Manuel Abascal <[email protected]>

* feat(int-generic-group-config): improve searchable option based on config options length

Signed-off-by: Manuel Abascal <[email protected]>

* fix(modules-config): disable CROWDSTRIKE module not implemented in backend.

* refactor(plugins): standardize logging with catcher

* feat(saml): update identity provider configuration to include metadata URL and remove deprecated fields

* style(dashboard): adjust padding and layout for improved UI consistency

Signed-off-by: Manuel Abascal <[email protected]>

* fix: optimize cloud detection logic in connection string parsing

* feat(elastic-filter-time): enhance time filter functionality and update UI interactions

Signed-off-by: Manuel Abascal <[email protected]>

* feat(azure): extract individual records from Azure Event Hub logs

Parse Azure logs with 'records' array structure and send each record
as a separate log entry for better indexing and security analysis.
Maintains backward compatibility for logs without records array.

* fix(modules-config): remove gin default logger middleware to eliminate non-standardized HTTP logs while maintaining catcher logging standard and panic protection.

* refactor(azure-filter): deleted 'Expand log.records' data to improve parsing

* refactor(gcp-filter): deleted 'Expand jsonPayload.structuredRdata' data to improve parsing

* update the version of the Azure and GCP filters

* feat(saml): update identity provider configuration to include metadata URL and remove deprecated fields

* feat(provider): add SAML 2.0 support with metadata URL and service provider configuration

Signed-off-by: Manuel Abascal <[email protected]>

* feat(saml): enhance identity provider creation with multipart form data and encryption for private key

* feat(provider): add SAML 2.0 support with metadata URL and service provider configuration

Signed-off-by: Manuel Abascal <[email protected]>

* fix(totp): prevent potential error by checking subscription before unsubscribe

Signed-off-by: Manuel Abascal <[email protected]>

* style(totp): comment out unused email resend container for cleaner code

Signed-off-by: Manuel Abascal <[email protected]>

* style(utm-code-view): add word-break class to code element for better text handling

Signed-off-by: Manuel Abascal <[email protected]>

* feat(filters): add Azure and GCP filters with updated field mappings and severity handling

* refactor(ModuleSocAi): remove unused getName method for cleaner code

* fix(deployment-pipeline): update tag pattern for v10 to support semantic versioning

* chore(changelog): update release notes for UTMStack v11.0.3 with fixed issues and performance improvements

* chore(changelog): update release notes for UTMStack v11.0.3 with fixed issues and performance improvements

* feat(authentication): add SAML and OIDC support with validation for private keys and certificates

* chore(master.xml): remove outdated environment integration and filter update changelogs

* feat(identity-provider): enhance provider management with file uploads and validation

Signed-off-by: Manuel Abascal <[email protected]>

* feat(authentication): enhance SAML and OIDC support with file validation and metadata URL checks

* feat(identity-provider): enhance provider management with file uploads and validation

Signed-off-by: Manuel Abascal <[email protected]>

* feat(identity-provider): enhance provider management with file uploads and validation

Signed-off-by: Manuel Abascal <[email protected]>

* Refactor adversary alerts graph component and update no data display

Signed-off-by: Manuel Abascal <[email protected]>

* Remove redundant getName() method override in ModuleSocAi

* Update frontend/src/app/data-management/alert-management/shared/components/filters/alert-generic-filter/alert-generic-filter.component.ts

Co-authored-by: Copilot <[email protected]>

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: add SQL query support to LogExplorer via OpenSearch

* feat: enhance LogExplorer with SQL query support and custom keyword suggestions

* Update backend/src/main/java/com/park/utmstack/service/dto/elastic/SqlSearchDto.java

Co-authored-by: Copilot <[email protected]>

* feat: enhance identity provider management with role requirements and UI improvements

Signed-off-by: Manuel Abascal <[email protected]>

* feat: update login components for improved styling and provider text

Signed-off-by: Manuel Abascal <[email protected]>

* feat: add loading screen with spinner and enhance app initialization

Signed-off-by: Manuel Abascal <[email protected]>

* feat(agents): update agent guide with Kali Linux tab and enhance installation command structure

* feat: add SAML OIDC corporate authentication configuration fields

* feat: add SAML OIDC corporate authentication support with SP entity ID and ACS URL

Signed-off-by: Manuel Abascal <[email protected]>

* feat(api-keys): implement API key management with creation, retrieval, update, and deletion functionalities

* feat: integrate app version management and enterprise feature directive

Signed-off-by: Manuel Abascal <[email protected]>

* feat: enhance SAML2 login handlers with role validation and logging

* feat: enhance SAML2 login handlers with role validation and logging

* feat: enhance SAML2 login handlers with role validation and logging

* feat: integrate app version management and enterprise feature directive

Signed-off-by: Manuel Abascal <[email protected]>

* feat: update API route for version checking to check-for-updates

Signed-off-by: Manuel Abascal <[email protected]>

* feat: remove client secret display from provider details

Signed-off-by: Manuel Abascal <[email protected]>

* fix: update application version file path and improve pagination offset calculation

* fix: update application version file path and improve pagination offset calculation

* fix: update opensearch-connector version to 1.0.4

* feat: enhance enterprise module directive to support dynamic menu names and icons

Signed-off-by: Manuel Abascal <[email protected]>

* fix: streamline loading state management in playbook service and clean up filter parameters in playbooks component

Signed-off-by: Manuel Abascal <[email protected]>

* fix[installer]: install latest version

* fix: handle version info loading error gracefully by resolving instead of rejecting

Signed-off-by: Manuel Abascal <[email protected]>

* fix: correct XML tag formatting in installation scripts for AS400 collectors

Signed-off-by: Manuel Abascal <[email protected]>

* chore: update CHANGELOG for UTMStack v11.1.0 release with new features and enhancements

Signed-off-by: Manuel Abascal <[email protected]>

---------

Signed-off-by: Manuel Abascal <[email protected]>
Co-authored-by: Manuel Abascal <[email protected]>
Co-authored-by: JocLRojas <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Elena Lopez Milan <[email protected]>
Co-authored-by: Osmany Montero <[email protected]>
Co-authored-by: Yadian Llada Lopez <[email protected]>

Author: 7 people

CHANGELOG.md

@@ -1,12 +1,8 @@
-# UTMStack 11.0.3
+# UTMStack 11.1.0
 
-This is the release notes for **UTMStack v11.0.3**, a minor update focused on bug fixes and performance improvements.
+These are the release notes for **UTMStack v11.1.0**, highlighting new features, bug fixes, and performance improvements.
 
-## Fixed Issues
+## Features
 
-- Fixed a bug in the SOC-AI integration that caused occasional failures when generating insights.
-- Fixed a bug when trying to enroll and authenticate by TFA.
-
-## Enhancements
-
-- SIEM configuration now adapts to the Sovereign Cloud Model implemented by the provider in each region for Azure and Microsoft 365 integrations.
+- Introduced SQL query support in LogExplorer, enabling users to execute SQL queries on OpenSearch indices directly from the user interface.
+- Added an interactive Adversary View to the Threat Management module, providing a graphical, filterable visualization of relationships between Adversaries, their generated Alerts, and associated Echoes.

backend/pom.xml

@@ -192,6 +192,11 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-mail</artifactId>
         </dependency>
+        <!-- SAML2 Service Provider -->
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-saml2-service-provider</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
@@ -278,7 +283,7 @@
         <dependency>
             <groupId>com.utmstack</groupId>
             <artifactId>opensearch-connector</artifactId>
-            <version>1.0.2</version>
+            <version>1.0.4</version>
         </dependency>
         <dependency>
             <groupId>jakarta.json</groupId>

backend/src/main/java/com/park/utmstack/config/Constants.java

@@ -140,6 +140,7 @@ public final class Constants {
     // ----------------------------------------------------------------------------------
     public static final String STATISTICS_INDEX_PATTERN = "v11-statistics-*";
     public static final String V11_API_ACCESS_LOGS = "v11-api-access-logs-*";
+    public static final String V11_ALERTS_INDEX_PATTERN = "v11-alert-*";
 
     // Logging
     public static final String TRACE_ID_KEY = "traceId";

backend/src/main/java/com/park/utmstack/config/SecurityConfiguration.java

@@ -1,21 +1,17 @@
 package com.park.utmstack.config;
 
-import com.park.utmstack.loggin.api_key.ApiKeyUsageLoggingService;
-import com.park.utmstack.loggin.filter.MdcCleanupFilter;
 import com.park.utmstack.repository.UserRepository;
 import com.park.utmstack.security.AuthoritiesConstants;
 import com.park.utmstack.security.api_key.ApiKeyConfigurer;
 import com.park.utmstack.security.api_key.ApiKeyFilter;
 import com.park.utmstack.security.internalApiKey.InternalApiKeyConfigurer;
 import com.park.utmstack.security.internalApiKey.InternalApiKeyProvider;
 import com.park.utmstack.security.jwt.JWTConfigurer;
-import com.park.utmstack.security.jwt.JWTFilter;
 import com.park.utmstack.security.jwt.TokenProvider;
-import com.park.utmstack.service.api_key.ApiKeyService;
+import com.park.utmstack.security.saml.Saml2LoginFailureHandler;
+import com.park.utmstack.security.saml.Saml2LoginSuccessHandler;
 import lombok.RequiredArgsConstructor;
-import org.apache.commons.net.util.SubnetUtils;
 import org.springframework.beans.factory.BeanInitializationException;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
@@ -35,10 +31,10 @@
 import org.springframework.web.filter.CorsFilter;
 import org.zalando.problem.spring.web.advice.security.SecurityProblemSupport;
 
+
 import javax.annotation.PostConstruct;
 import javax.servlet.http.HttpServletResponse;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
+
 
 @Configuration
 @RequiredArgsConstructor
@@ -53,6 +49,8 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
     private final CorsFilter corsFilter;
     private final InternalApiKeyProvider internalApiKeyProvider;
     private final ApiKeyFilter apiKeyFilter;
+    private final UserRepository userRepository;
+
 
     @PostConstruct
     public void init() {
@@ -110,7 +108,9 @@ public void configure(HttpSecurity http) throws Exception {
                 .antMatchers("/api/releaseInfo").permitAll()
                 .antMatchers("/api/account/reset-password/init").permitAll()
                 .antMatchers("/api/account/reset-password/finish").permitAll()
+                .antMatchers("/api/utm-providers").permitAll()
                 .antMatchers("/api/images/all").permitAll()
+                .antMatchers("/api/info/version").permitAll()
                 .antMatchers("/api/enrollment/**").hasAnyAuthority(AuthoritiesConstants.PRE_VERIFICATION_USER)
                 .antMatchers("/api/tfa/verify-code").hasAnyAuthority(AuthoritiesConstants.PRE_VERIFICATION_USER, AuthoritiesConstants.USER, AuthoritiesConstants.ADMIN)
                 .antMatchers("/api/tfa/refresh").hasAnyAuthority(AuthoritiesConstants.PRE_VERIFICATION_USER, AuthoritiesConstants.USER, AuthoritiesConstants.ADMIN)
@@ -126,6 +126,12 @@ public void configure(HttpSecurity http) throws Exception {
                 .antMatchers("/management/info").permitAll()
                 .antMatchers("/management/**").hasAnyAuthority(AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER)
                 .and()
+                .saml2Login()
+                .successHandler(new Saml2LoginSuccessHandler(tokenProvider,
+                                                              userRepository,
+                                                              saml2LoginFailureHandler()))
+                .failureHandler(new Saml2LoginFailureHandler())
+                .and()
                 .apply(securityConfigurerAdapterForJwt())
                 .and()
                 .apply(securityConfigurerAdapterForInternalApiKey())
@@ -147,4 +153,10 @@ private ApiKeyConfigurer securityConfigurerAdapterForApiKey() {
         return new ApiKeyConfigurer(apiKeyFilter);
     }
 
+
+    @Bean
+    public Saml2LoginFailureHandler saml2LoginFailureHandler() {
+        return new Saml2LoginFailureHandler();
+    }
+
 }

backend/src/main/java/com/park/utmstack/config/saml/OAuth2ClientConfig.java

@@ -0,0 +1,14 @@
+package com.park.utmstack.config.saml;
+
+import com.park.utmstack.repository.idp_provider.IdentityProviderConfigRepository;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class OAuth2ClientConfig {
+
+    @Bean
+    public SamlRelyingPartyRegistrationRepository clientRegistrationRepository(IdentityProviderConfigRepository repo) {
+        return new SamlRelyingPartyRegistrationRepository(repo);
+    }
+}

backend/src/main/java/com/park/utmstack/config/saml/ProviderChangeListener.java

@@ -0,0 +1,23 @@
+package com.park.utmstack.config.saml;
+
+import com.park.utmstack.repository.idp_provider.IdentityProviderConfigRepository;
+import com.park.utmstack.util.events.ProviderChangedEvent;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.event.EventListener;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.stereotype.Component;
+
+@Component
+@RequiredArgsConstructor
+public class ProviderChangeListener {
+
+    private final RelyingPartyRegistrationRepository repository;
+    private final IdentityProviderConfigRepository identityProviderConfigRepository;
+
+    @EventListener
+    public void handleProviderChanged(ProviderChangedEvent event) {
+        if (repository instanceof SamlRelyingPartyRegistrationRepository customRepo) {
+            customRepo.reloadProviders(identityProviderConfigRepository);
+        }
+    }
+}

backend/src/main/java/com/park/utmstack/config/saml/SamlRelyingPartyRegistrationRepository.java

@@ -0,0 +1,61 @@
+package com.park.utmstack.config.saml;
+
+import com.park.utmstack.config.Constants;
+import com.park.utmstack.domain.idp_provider.IdentityProviderConfig;
+import com.park.utmstack.repository.idp_provider.IdentityProviderConfigRepository;
+import com.park.utmstack.util.CipherUtil;
+import com.park.utmstack.util.saml.PemUtils;
+import org.springframework.security.saml2.core.Saml2X509Credential;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class SamlRelyingPartyRegistrationRepository implements RelyingPartyRegistrationRepository {
+
+    private final Map<String, RelyingPartyRegistration> registrations = new ConcurrentHashMap<>();
+
+    public SamlRelyingPartyRegistrationRepository(IdentityProviderConfigRepository jpaProviderRepository) {
+        loadProviders(jpaProviderRepository);
+    }
+
+    @Override
+    public RelyingPartyRegistration findByRegistrationId(String registrationId) {
+        return registrations.get(registrationId);
+    }
+
+    public void reloadProviders(IdentityProviderConfigRepository jpaProviderRepository) {
+        registrations.clear();
+        loadProviders(jpaProviderRepository);
+    }
+
+    private void loadProviders(IdentityProviderConfigRepository jpaProviderRepository) {
+        jpaProviderRepository.findAllByActiveTrue().forEach(entity -> {
+            RelyingPartyRegistration registration = buildRelyingPartyRegistration(entity);
+            registrations.put(entity.getProviderType().name().toLowerCase(), registration);
+        });
+    }
+
+    private RelyingPartyRegistration buildRelyingPartyRegistration(IdentityProviderConfig entity) {
+
+        PrivateKey spKey = PemUtils.parsePrivateKey(CipherUtil.decrypt(
+                entity.getSpPrivateKeyPem(),
+                System.getenv(Constants.ENV_ENCRYPTION_KEY)
+        ));
+        X509Certificate spCert = PemUtils.parseCertificate(entity.getSpCertificatePem());
+
+        return RelyingPartyRegistrations
+                .fromMetadataLocation(entity.getMetadataUrl())
+                .registrationId(entity.getName())
+                .entityId(entity.getSpEntityId())
+                .assertionConsumerServiceLocation(entity.getSpAcsUrl())
+                .signingX509Credentials(c -> c.add(Saml2X509Credential.signing(spKey, spCert)))
+                .build();
+    }
+
+}

backend/src/main/java/com/park/utmstack/domain/idp_provider/IdentityProviderConfig.java

@@ -0,0 +1,79 @@
+package com.park.utmstack.domain.idp_provider;
+
+import com.park.utmstack.domain.idp_provider.enums.ProviderType;
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.NoArgsConstructor;
+import org.hibernate.annotations.Type;
+
+import javax.persistence.*;
+import java.time.LocalDateTime;
+
+@Entity
+@Table(name = "utm_identity_provider_config")
+@Data
+@NoArgsConstructor
+@AllArgsConstructor
+@EqualsAndHashCode(onlyExplicitlyIncluded = true)
+public class IdentityProviderConfig {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @EqualsAndHashCode.Include
+    private Long id;
+
+    @Column(nullable = false)
+    private String name;
+
+    @Enumerated(EnumType.STRING)
+    @Column(nullable = false)
+    private ProviderType providerType;
+
+    /**
+     * Metadata URL of the IdP (Keycloak, Okta, Azure, etc.)
+     * Example: https://localhost:8443/realms/UTMSTACK/protocol/saml/descriptor
+     */
+    @Column(name = "metadata_url", nullable = false, length = 512)
+    private String metadataUrl;
+
+    /**
+     * Service Provider private key in PEM format
+     * Used to sign AuthnRequests and other outgoing SAML messages
+     */
+    @Type(type = "text")
+    @Column(name = "sp_private_key_pem", nullable = false, columnDefinition = "TEXT")
+    private String spPrivateKeyPem;
+
+    /**
+     * Service Provider public certificate in PEM format
+     * Shared with IdP so it can validate signed requests from the SP
+     */
+    @Type(type = "text")
+    @Column(name = "sp_certificate_pem", nullable = false, columnDefinition = "TEXT")
+    private String spCertificatePem;
+
+    @Column(name = "sp_entity_id", nullable = false, length = 512)
+    private String spEntityId;
+
+    @Column(name = "sp_acs_url", nullable = false, length = 512)
+    private String spAcsUrl;
+
+    /**
+     * Flag to enable or disable this IdP configuration
+     */
+    @Column(nullable = false)
+    private Boolean active;
+
+    /**
+     * Timestamp when the record was created
+     */
+    @Column(nullable = false)
+    private LocalDateTime createdAt;
+
+    /**
+     * Timestamp when the record was last updated
+     */
+    @Column(nullable = false)
+    private LocalDateTime updatedAt;
+}

backend/src/main/java/com/park/utmstack/domain/idp_provider/enums/ProviderType.java

@@ -0,0 +1,12 @@
+package com.park.utmstack.domain.idp_provider.enums;
+
+public enum ProviderType {
+    GOOGLE,
+    KEYCLOAK,
+    OKTA,
+    MICROSOFT;
+
+    public static ProviderType from(String value) {
+        return ProviderType.valueOf(value.toUpperCase());
+    }
+}

backend/src/main/java/com/park/utmstack/repository/idp_provider/IdentityProviderConfigRepository.java

@@ -0,0 +1,18 @@
+package com.park.utmstack.repository.idp_provider;
+
+import com.park.utmstack.domain.idp_provider.IdentityProviderConfig;
+import com.park.utmstack.domain.idp_provider.enums.ProviderType;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
+import org.springframework.stereotype.Repository;
+
+import java.util.List;
+import java.util.Optional;
+
+@Repository
+public interface IdentityProviderConfigRepository extends JpaRepository<IdentityProviderConfig, Long>, JpaSpecificationExecutor<IdentityProviderConfig> {
+
+    Optional<IdentityProviderConfig> findByProviderTypeAndActiveTrue(ProviderType providerType);
+
+    List<IdentityProviderConfig> findAllByActiveTrue();
+}