V2 sso in server plan (#5158)

# Description of Changes

<!--
Please provide a summary of the changes, including:

- What was changed
- Why the change was made
- Any challenges encountered

Closes #(issue_number)
-->

---

## Checklist

### General

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.
This commit is contained in:
Anthony Stirling
2025-12-03 21:12:29 +00:00
committed by GitHub
parent c9bf436895
commit 7459463a3c
5 changed files with 53 additions and 21 deletions


@@ -67,19 +67,19 @@ public class CustomSaml2AuthenticationSuccessHandler
boolean userExists = userService.usernameExistsIgnoreCase(username);
// Check if user is eligible for SAML (grandfathered or system has paid license)
// Check if user is eligible for SAML (grandfathered or system has ENTERPRISE license)
if (userExists) {
stirling.software.proprietary.security.model.User user =
userService.findByUsernameIgnoreCase(username).orElse(null);
if (user != null && !licenseSettingsService.isOAuthEligible(user)) {
// User is not grandfathered and no paid license - block SAML login
if (user != null && !licenseSettingsService.isSamlEligible(user)) {
// User is not grandfathered and no ENTERPRISE license - block SAML login
response.sendRedirect(
request.getContextPath() + "/logout?saml2RequiresLicense=true");
return;
}
} else if (!licenseSettingsService.isOAuthEligible(null)) {
// No existing user and no paid license -> block auto creation
} else if (!licenseSettingsService.isSamlEligible(null)) {
// No existing user and no ENTERPRISE license -> block auto creation
response.sendRedirect(
request.getContextPath() + "/logout?saml2RequiresLicense=true");
return;
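Review bot: The license gate fails open when `userExists` is true but the `findByUsernameIgnoreCase(username).orElse(null)` lookup on the following lines comes back empty, because `if (user != null && !licenseSettingsService.isSamlEligible(user))` then skips the redirect and the handler continues past both branches without any eligibility check. The existence check and the entity lookup are two separate calls that are not atomic, and since `isSamlEligible(null)` already expresses the no-existing-user rule, a single lookup feeding one eligibility check closes the gap and removes the duplicated redirect. The enclosing method starts and ends outside the hunk, so if `userExists` is read further down keep that variable; otherwise it can go as well.
```java
boolean userExists = userService.usernameExistsIgnoreCase(username);
stirling.software.proprietary.security.model.User user =
        userService.findByUsernameIgnoreCase(username).orElse(null);
// isSamlEligible(null) covers the no-existing-user case, so one check gates both the
// existing-user path and auto creation; an empty second lookup can no longer slip past
// the ENTERPRISE license requirement.
if (!licenseSettingsService.isSamlEligible(user)) {
    response.sendRedirect(request.getContextPath() + "/logout?saml2RequiresLicense=true");
    return;
}
// … unchanged: remainder of the success handler …
```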


@@ -331,17 +331,17 @@ public class UserLicenseSettingsService {
}
/**
* Checks if a user is eligible to use OAuth/SAML authentication.
* Checks if a user is eligible to use OAuth authentication.
*
* <p>A user is eligible if:
*
* <ul>
* <li>They are grandfathered for OAuth (existing user before policy change), OR
* <li>The system has an ENTERPRISE license (SSO is enterprise-only)
* <li>The system has a paid license (SERVER or ENTERPRISE)
* </ul>
*
* @param user The user to check
* @return true if the user can use OAuth/SAML
* @return true if the user can use OAuth
*/
public boolean isOAuthEligible(stirling.software.proprietary.security.model.User user) {
// Grandfathered users always have OAuth access
@@ -350,10 +350,36 @@ public class UserLicenseSettingsService {
return true;
}
// Users can use OAuth/SAML only if system has ENTERPRISE license
boolean hasEnterpriseLicense = hasEnterpriseLicense();
log.debug("OAuth eligibility check: hasEnterpriseLicense={}", hasEnterpriseLicense);
return hasEnterpriseLicense;
// Users can use OAuth with SERVER or ENTERPRISE license
boolean hasPaid = hasPaidLicense();
log.debug("OAuth eligibility check: hasPaidLicense={}", hasPaid);
return hasPaid;
}
/**
* Checks if a user is eligible to use SAML authentication.
*
* <p>A user is eligible if:
*
* <ul>
* <li>They are grandfathered for OAuth (existing user before policy change), OR
* <li>The system has an ENTERPRISE license (SAML is enterprise-only)
* </ul>
*
* @param user The user to check
* @return true if the user can use SAML
*/
public boolean isSamlEligible(stirling.software.proprietary.security.model.User user) {
// Grandfathered users always have SAML access
if (user != null && user.isOauthGrandfathered()) {
log.debug("User {} is grandfathered for SAML", user.getUsername());
return true;
}
// Users can use SAML only with ENTERPRISE license
boolean hasEnterprise = hasEnterpriseLicense();
log.debug("SAML eligibility check: hasEnterpriseLicense={}", hasEnterprise);
return hasEnterprise;
}
/**
@@ -500,8 +526,7 @@ public class UserLicenseSettingsService {
}
/**
* Checks if the system has an ENTERPRISE license. Used for enterprise-only features like SSO
* (OAuth/SAML).
* Checks if the system has an ENTERPRISE license. Used for enterprise-only features like SAML.
*
* @return true if ENTERPRISE license is active
*/