From b582c82c6fec5648c7f708e7d14eed414e061a94 Mon Sep 17 00:00:00 2001
From: chan <b24028@hanmaceng.co.kr>
Date: Thu, 2 Apr 2026 16:07:33 +0900
Subject: [PATCH] feat: implement multi-identifier architecture (Issue #496)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Database: Add user_login_ids table for 1:N identifier mapping and remove legacy login_id column
- Kratos: Update identity schema to use custom_login_ids array instead of a single id trait
- Backend: Implement syncCustomLoginIDs to collect isLoginId fields across tenant schemas
- Backend: Add backtracking logic to auto-assign session tenant based on used login identifier
- Backend: Add 409 Conflict exception handling for Create/Update operations
- AdminFront: Refactor UserDetailPage to a tabbed grid layout (Info, Tenants, Security)
- AdminFront: Show '로그인 ID' badge on tenant schema fields used for authentication
- UserFront: Remove legacy optional 'Login ID' input from signup flow
- Tests: Add multi-identifier repository tests and update handler tests
---
 .../tenants/routes/TenantSchemaPage.tsx       |   27 +-
 .../src/features/users/UserCreatePage.tsx     |   27 +-
 .../src/features/users/UserDetailPage.tsx     | 1089 ++++++-----------
 .../src/features/users/UserListPage.tsx       |    8 -
 adminfront/src/lib/adminApi.ts                |   14 +
 backend/cmd/server/main.go                    |    3 +-
 backend/internal/bootstrap/bootstrap.go       |    1 +
 backend/internal/domain/auth_models.go        |    1 +
 backend/internal/domain/idp_models.go         |   11 +-
 backend/internal/domain/user.go               |   15 +-
 backend/internal/handler/auth_handler.go      |  241 ++--
 .../handler/auth_handler_async_test.go        |   26 +-
 backend/internal/handler/dev_handler.go       |    3 +-
 .../internal/handler/tenant_handler_test.go   |   16 +
 backend/internal/handler/user_handler.go      |  429 ++++---
 backend/internal/handler/user_handler_test.go |  125 +-
 .../internal/repository/user_repository.go    |   48 +
 .../repository/user_repository_test.go        |   50 +
 backend/internal/service/descope_service.go   |   11 +-
 backend/internal/service/ory_service.go       |   28 +-
 .../internal/service/user_group_service.go    |    3 -
 backend/internal/utils/audit.go               |   17 +
 docker/ory/kratos/identity.schema.json        |   17 +-
 .../lib/core/services/auth_proxy_service.dart |    4 +-
 .../auth/presentation/signup_screen.dart      |  100 +-
 25 files changed, 1154 insertions(+), 1160 deletions(-)
 create mode 100644 backend/internal/utils/audit.go

diff --git a/adminfront/src/features/tenants/routes/TenantSchemaPage.tsx b/adminfront/src/features/tenants/routes/TenantSchemaPage.tsx
index 17ff2bdf..07e53e9a 100644
--- a/adminfront/src/features/tenants/routes/TenantSchemaPage.tsx
+++ b/adminfront/src/features/tenants/routes/TenantSchemaPage.tsx
@@ -97,7 +97,6 @@ export function TenantSchemaPage() {
 
   useEffect(() => {
     const rawSchema = tenantQuery.data?.config?.userSchema;
-    const loginIdField = tenantQuery.data?.config?.loginIdField;
 
     if (Array.isArray(rawSchema)) {
       setFields(
@@ -118,7 +117,7 @@ export function TenantSchemaPage() {
           validation:
             typeof field?.validation === "string" ? field.validation : "",
           unsigned: Boolean(field?.unsigned),
-          isLoginId: field?.key === loginIdField,
+          isLoginId: Boolean(field?.isLoginId),
         })),
       );
     }
@@ -126,13 +125,13 @@ export function TenantSchemaPage() {
 
   const updateMutation = useMutation({
     mutationFn: (newFields: SchemaField[]) => {
-      const loginIdField = newFields.find((f) => f.isLoginId)?.key || "";
+      // Remove legacy loginIdField, keep isLoginId natively in userSchema
+      const newConfig = { ...tenantQuery.data?.config };
+      delete newConfig.loginIdField;
+      newConfig.userSchema = newFields;
+
       return updateTenant(tenantId, {
-        config: {
-          ...tenantQuery.data?.config,
-          userSchema: newFields,
-          loginIdField: loginIdField,
-        },
+        config: newConfig,
       });
     },
     onSuccess: () => {
@@ -344,14 +343,10 @@ export function TenantSchemaPage() {
                   <label className="flex items-center gap-2 cursor-pointer">
                     <input
                       type="checkbox"
-                      checked={field.isLoginId}
-                      onChange={(e) => {
-                        const newFields = fields.map((f, i) => ({
-                          ...f,
-                          isLoginId: i === index ? e.target.checked : false,
-                        }));
-                        setFields(newFields);
-                      }}
+                      checked={field.isLoginId || false}
+                      onChange={(e) =>
+                        updateField(index, { isLoginId: e.target.checked })
+                      }
                       className="w-4 h-4 rounded border-gray-300 text-primary focus:ring-primary"
                     />
                     <span className="text-sm font-medium text-blue-600">
diff --git a/adminfront/src/features/users/UserCreatePage.tsx b/adminfront/src/features/users/UserCreatePage.tsx
index 4b77d6a9..d22be5d7 100644
--- a/adminfront/src/features/users/UserCreatePage.tsx
+++ b/adminfront/src/features/users/UserCreatePage.tsx
@@ -31,6 +31,7 @@ type UserSchemaField = {
   required?: boolean;
   adminOnly?: boolean;
   validation?: string;
+  isLoginId?: boolean;
 };
 
 type UserFormValues = UserCreateRequest & { metadata: Record<string, unknown> };
@@ -65,7 +66,6 @@ function UserCreatePage() {
   } = useForm<UserFormValues>({
     defaultValues: {
       email: "",
-      loginId: "",
       password: "",
       name: "",
       phone: "",
@@ -274,26 +274,6 @@ function UserCreatePage() {
               )}
             </div>
 
-            <div className="space-y-2">
-              <Label htmlFor="loginId">
-                {t("ui.admin.users.create.form.login_id", "로그인 ID (선택)")}
-              </Label>
-              <Input
-                id="loginId"
-                placeholder={t(
-                  "ui.admin.users.create.form.login_id_placeholder",
-                  "사번 또는 아이디",
-                )}
-                {...register("loginId")}
-              />
-              <p className="text-[10px] text-muted-foreground">
-                {t(
-                  "msg.admin.users.create.form.login_id_help",
-                  "이메일/전화번호 외에 별도의 식별자로 로그인할 때 사용합니다.",
-                )}
-              </p>
-            </div>
-
             <div className="space-y-2">
               <div className="flex items-center justify-between">
                 <Label htmlFor="password">
@@ -470,6 +450,11 @@ function UserCreatePage() {
                             Admin Only
                           </span>
                         )}
+                        {field.isLoginId && (
+                          <span className="ml-2 text-[10px] bg-green-500/10 text-green-600 px-1.5 py-0.5 rounded uppercase font-bold">
+                            {t("ui.admin.users.create.form.is_login_id", "로그인 ID")}
+                          </span>
+                        )}
                       </Label>
 
                       <Input
diff --git a/adminfront/src/features/users/UserDetailPage.tsx b/adminfront/src/features/users/UserDetailPage.tsx
index f53aa1ac..678c5ac8 100644
--- a/adminfront/src/features/users/UserDetailPage.tsx
+++ b/adminfront/src/features/users/UserDetailPage.tsx
@@ -7,13 +7,14 @@ import {
   Copy,
   Eye,
   EyeOff,
+  History,
   Key,
   Loader2,
   Mail,
   RefreshCw,
   Save,
+  Shield,
   Trash2,
-  UserCheck,
   Users,
 } from "lucide-react";
 import * as React from "react";
@@ -22,7 +23,7 @@ import {
   type UseFormRegister,
   useForm,
 } from "react-hook-form";
-import { Link, useNavigate, useParams } from "react-router-dom";
+import { useNavigate, useParams } from "react-router-dom";
 import { Badge } from "../../components/ui/badge";
 import { Button } from "../../components/ui/button";
 import {
@@ -42,7 +43,6 @@ import {
 } from "../../components/ui/tabs";
 import { toast } from "../../components/ui/use-toast";
 import {
-  type UserSummary,
   type UserUpdateRequest,
   deleteUser,
   fetchPasswordPolicy,
@@ -50,6 +50,7 @@ import {
   fetchTenants,
   fetchUser,
   updateUser,
+  fetchUserRpHistory,
 } from "../../lib/adminApi";
 import type { PasswordPolicyResponse } from "../../lib/adminApi";
 import { t } from "../../lib/i18n";
@@ -62,6 +63,7 @@ type UserSchemaField = {
   required?: boolean;
   adminOnly?: boolean;
   validation?: string;
+  isLoginId?: boolean;
 };
 
 type UserFormValues = Omit<UserUpdateRequest, "metadata"> & {
@@ -72,45 +74,6 @@ type PasswordResetMode = "generated" | "manual";
 
 const PASSWORD_RESET_MIN_LENGTH = 12;
 
-function buildPasswordPolicyDescription(policy?: PasswordPolicyResponse) {
-  const minLength = policy?.minLength ?? PASSWORD_RESET_MIN_LENGTH;
-  const minTypes = policy?.minCharacterTypes ?? 0;
-  const requiresLower = policy?.lowercase ?? true;
-  const requiresUpper = policy?.uppercase ?? false;
-  const requiresNumber = policy?.number ?? true;
-  const requiresSymbol = policy?.nonAlphanumeric ?? true;
-
-  const parts = [
-    t("msg.userfront.signup.policy.min_length", "최소 {{count}}자 이상", {
-      count: String(minLength),
-    }),
-  ];
-
-  if (minTypes > 0) {
-    parts.push(
-      t(
-        "msg.userfront.signup.policy.min_types",
-        "영문 대/소문자/숫자/특수문자 중 {{count}}가지 이상",
-        { count: String(minTypes) },
-      ),
-    );
-  }
-  if (requiresLower) {
-    parts.push(t("msg.userfront.signup.policy.lowercase", "소문자"));
-  }
-  if (requiresUpper) {
-    parts.push(t("msg.userfront.signup.policy.uppercase", "대문자"));
-  }
-  if (requiresNumber) {
-    parts.push(t("msg.userfront.signup.policy.number", "숫자"));
-  }
-  if (requiresSymbol) {
-    parts.push(t("msg.userfront.signup.policy.symbol", "특수문자"));
-  }
-
-  return parts.join(", ");
-}
-
 function validateManualPassword(
   password: string,
   policy?: PasswordPolicyResponse,
@@ -192,32 +155,37 @@ function TenantMetadataFields({
   if (schema.length === 0) return null;
 
   return (
-    <div className="rounded-lg border border-border bg-card overflow-hidden">
-      <div className="bg-muted/50 px-4 py-2 border-b border-border flex items-center justify-between">
+    <div className="rounded-xl border border-border bg-card overflow-hidden shadow-sm">
+      <div className="bg-muted/30 px-5 py-3 border-b border-border flex items-center justify-between">
         <div className="flex items-center gap-2">
-          <Building2 size={14} className="text-primary" />
-          <span className="text-xs font-bold uppercase tracking-tight">
+          <Building2 size={16} className="text-primary" />
+          <span className="text-sm font-bold uppercase tracking-tight">
             {tenant.name}
           </span>
         </div>
-        <span className="text-[10px] font-mono opacity-50">{tenant.slug}</span>
+        <span className="text-[10px] font-mono opacity-50 bg-background px-2 py-0.5 rounded border">{tenant.slug}</span>
       </div>
-      <div className="p-4 grid gap-4 md:grid-cols-2">
+      <div className="p-6 grid gap-6 md:grid-cols-2">
         {schema.map((field) => (
           <div key={field.key} className="space-y-2">
             <Label
               htmlFor={`metadata.${tenant.id}.${field.key}`}
-              className="text-xs"
+              className="text-xs font-semibold text-muted-foreground flex items-center gap-1"
             >
               {field.label}
               {field.required && (
-                <span className="ml-1 text-destructive">*</span>
+                <span className="text-destructive">*</span>
               )}
               {field.adminOnly && (
                 <span className="ml-2 text-[9px] bg-blue-500/10 text-blue-500 px-1.5 py-0.5 rounded uppercase font-bold">
                   Admin Only
                 </span>
               )}
+              {field.isLoginId && (
+                <span className="ml-2 text-[9px] bg-green-500/10 text-green-600 px-1.5 py-0.5 rounded uppercase font-bold">
+                  {t("ui.admin.users.detail.form.is_login_id", "로그인 ID")}
+                </span>
+              )}
             </Label>
             <Input
               id={`metadata.${tenant.id}.${field.key}`}
@@ -231,7 +199,7 @@ function TenantMetadataFields({
                       : "text"
               }
               className={
-                field.type === "boolean" ? "w-auto h-auto" : "h-8 text-sm"
+                field.type === "boolean" ? "w-5 h-5" : "h-10 text-sm"
               }
               {...register(`metadata.${tenant.id}.${field.key}` as const, {
                 required: field.required
@@ -257,7 +225,7 @@ function TenantMetadataFields({
                 Record<string, { message?: string }>
               >
             )?.[tenant.id]?.[field.key] && (
-              <p className="text-[10px] text-destructive">
+              <p className="text-[10px] text-destructive font-medium">
                 {
                   (
                     errors.metadata as unknown as Record<
@@ -296,6 +264,8 @@ function UserDetailPage() {
     string | null
   >(null);
 
+  const [activeTab, setActiveTab] = React.useState("info");
+
   const { data: profile } = useQuery({
     queryKey: ["me"],
     queryFn: fetchMe,
@@ -316,7 +286,14 @@ function UserDetailPage() {
     queryFn: () => fetchTenants(100, 0),
   });
   const tenants = tenantsData?.items ?? [];
-  const { data: passwordPolicy, isLoading: isPasswordPolicyLoading } = useQuery(
+
+  const rpHistoryQuery = useQuery({
+    queryKey: ["user-rp-history", userId],
+    queryFn: () => fetchUserRpHistory(userId),
+    enabled: !!userId,
+  });
+
+  const { data: passwordPolicy } = useQuery(
     {
       queryKey: ["password-policy"],
       queryFn: fetchPasswordPolicy,
@@ -327,11 +304,9 @@ function UserDetailPage() {
     register,
     handleSubmit,
     reset,
-    watch,
     formState: { errors },
   } = useForm<UserFormValues>({
     defaultValues: {
-      loginId: "",
       name: "",
       phone: "",
       role: "user",
@@ -348,7 +323,7 @@ function UserDetailPage() {
     profile?.role === "super_admin" || profile?.role === "tenant_admin";
   const isSelf = Boolean(profile?.id && user?.id && profile.id === user.id);
 
-  const resetPasswordMutation = useMutation({
+  const resetMutation = useMutation({
     mutationFn: (newPass: string) => updateUser(userId, { password: newPass }),
     onSuccess: (_, newPass) => {
       setGeneratedPassword(newPass);
@@ -370,9 +345,7 @@ function UserDetailPage() {
   });
 
   const handleOpenPasswordReset = () => {
-    if (isSelf) {
-      return;
-    }
+    if (isSelf) return;
     setIsPasswordResetOpen(true);
     setGeneratedPassword(null);
     setPasswordResetMode("generated");
@@ -385,59 +358,34 @@ function UserDetailPage() {
   const handleClosePasswordReset = () => {
     setIsPasswordResetOpen(false);
     setGeneratedPassword(null);
-    setPasswordResetMode("generated");
-    setManualPassword("");
-    setManualPasswordConfirm("");
-    setIsManualPasswordVisible(false);
     setPasswordResetError(null);
   };
 
-  const confirmPasswordReset = () => {
-    if (isSelf) {
-      return;
-    }
+  const handleExecutePasswordReset = () => {
+    if (isSelf) return;
 
     let newPass = manualPassword;
 
     if (passwordResetMode === "manual") {
-      const validationError = validateManualPassword(
-        manualPassword,
-        passwordPolicy,
-      );
-      if (validationError) {
-        setPasswordResetError(validationError);
+      const vErr = validateManualPassword(manualPassword, passwordPolicy);
+      if (vErr) {
+        setPasswordResetError(vErr);
         return;
       }
       if (manualPassword !== manualPasswordConfirm) {
-        setPasswordResetError(
-          t(
-            "msg.userfront.reset.error.mismatch",
-            "비밀번호가 일치하지 않습니다.",
-          ),
-        );
+        setPasswordResetError(t("msg.userfront.reset.error.mismatch", "비밀번호가 일치하지 않습니다."));
         return;
       }
     } else {
       newPass = generateSecurePassword();
     }
 
-    setPasswordResetError(null);
-    resetPasswordMutation.mutate(newPass);
-  };
-
-  const handleCopyPassword = () => {
-    if (generatedPassword) {
-      navigator.clipboard.writeText(generatedPassword);
-      toast.success(
-        t("msg.common.copied_to_clipboard", "클립보드에 복사되었습니다."),
-      );
-    }
+    resetMutation.mutate(newPass);
   };
 
   React.useEffect(() => {
     if (user) {
       reset({
-        loginId: user.loginId || "",
         name: user.name,
         phone: user.phone || "",
         role: user.role,
@@ -460,25 +408,10 @@ function UserDetailPage() {
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ["users"] });
       queryClient.invalidateQueries({ queryKey: ["user", userId] });
-      setSuccessMsg(
-        t(
-          "msg.admin.users.detail.update_success",
-          "사용자 정보가 수정되었습니다.",
-        ),
-      );
-      toast.success(
-        t(
-          "msg.admin.users.detail.update_success",
-          "사용자 정보가 수정되었습니다.",
-        ),
-      );
-      setTimeout(() => setSuccessMsg(null), 3000);
+      toast.success(t("msg.info.saved_success", "저장되었습니다."));
     },
     onError: (err: AxiosError<{ error?: string }>) => {
-      setError(
-        err.response?.data?.error ||
-          t("msg.admin.users.detail.update_error", "수정에 실패했습니다."),
-      );
+      toast.error(err.response?.data?.error || t("err.common.unknown", "오류가 발생했습니다."));
     },
   });
 
@@ -486,23 +419,12 @@ function UserDetailPage() {
     mutationFn: () => deleteUser(userId),
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ["users"] });
-      toast.success(
-        t("msg.admin.users.detail.delete_success", "사용자가 삭제되었습니다."),
-      );
+      toast.success(t("msg.admin.users.detail.delete_success", "사용자가 삭제되었습니다."));
       navigate("/users");
     },
-    onError: (err: AxiosError<{ error?: string }>) => {
-      toast.error(
-        err.response?.data?.error ||
-          t("msg.admin.users.detail.delete_error", "삭제에 실패했습니다."),
-      );
-    },
   });
 
   const onSubmit = (data: UserFormValues) => {
-    setError(null);
-    setSuccessMsg(null);
-
     // Filter out undefined/null/empty strings from metadata
     const cleanMetadata = Object.fromEntries(
       Object.entries(data.metadata).map(([tenantId, fields]) => {
@@ -522,14 +444,7 @@ function UserDetailPage() {
   };
 
   const handleDelete = () => {
-    if (
-      window.confirm(
-        t(
-          "msg.admin.users.detail.delete_confirm",
-          "정말로 이 사용자를 삭제하시겠습니까? 이 작업은 되돌릴 수 없습니다.",
-        ),
-      )
-    ) {
+    if (window.confirm(t("msg.admin.users.detail.delete_confirm", "삭제하시겠습니까?"))) {
       deleteMutation.mutate();
     }
   };
@@ -544,329 +459,223 @@ function UserDetailPage() {
 
   if (isError || !user) {
     return (
-      <div className="rounded-md bg-destructive/15 p-6 text-center">
-        <p className="text-destructive">
-          {t("msg.admin.users.detail.not_found", "사용자를 찾을 수 없습니다.")}
-        </p>
-        <Button
-          variant="outline"
-          className="mt-4"
-          onClick={() => navigate("/users")}
-        >
-          {t("ui.admin.users.detail.go_list", "목록으로 이동")}
-        </Button>
+      <div className="rounded-md bg-destructive/15 p-6 text-center mt-6">
+        <p className="text-destructive font-medium">{t("msg.admin.users.detail.not_found", "사용자를 찾을 수 없습니다.")}</p>
+        <Button variant="outline" className="mt-4" onClick={() => navigate("/users")}>{t("ui.admin.users.detail.go_list", "목록으로 이동")}</Button>
       </div>
     );
   }
 
-  // Get only tenants that the user is actually affiliated with
-  const userAffiliatedTenants =
-    user.joinedTenants || (user.tenant ? [user.tenant] : []);
+  const userAffiliatedTenants = user.joinedTenants || (user.tenant ? [user.tenant] : []);
 
   return (
     <div className="space-y-6">
+      {/* Header with back button and actions */}
       <div className="flex items-center justify-between">
-        <Button variant="ghost" onClick={() => navigate("/users")} size="sm">
+        <Button variant="ghost" onClick={() => navigate("/users")} size="sm" className="hover:bg-muted">
           <ArrowLeft className="mr-2 h-4 w-4" />
           {t("ui.admin.users.detail.back", "목록으로")}
         </Button>
-        <div className="flex gap-2">
-          {isAdmin && (
-            <Button variant="destructive" onClick={handleDelete} size="sm">
-              <Trash2 className="mr-2 h-4 w-4" />
-              {t("ui.admin.users.detail.delete", "사용자 삭제")}
-            </Button>
-          )}
+        {isAdmin && (
+          <Button variant="destructive" onClick={handleDelete} size="sm">
+            <Trash2 className="mr-2 h-4 w-4" />
+            {t("ui.admin.users.detail.delete", "사용자 삭제")}
+          </Button>
+        )}
+      </div>
+
+      {/* User Quick Summary Header */}
+      <div className="flex flex-col md:flex-row md:items-center justify-between gap-4 bg-[var(--color-panel)] border border-border rounded-2xl p-8 shadow-sm">
+        <div className="flex items-center gap-6">
+          <div className="h-20 w-20 rounded-2xl bg-primary/10 flex items-center justify-center text-primary shadow-inner">
+            <Users size={40} />
+          </div>
+          <div className="space-y-2">
+            <div className="flex items-center gap-3">
+              <h1 className="text-3xl font-extrabold tracking-tight">{user.name}</h1>
+              <Badge variant="outline" className="h-6 px-3 bg-blue-500/10 text-blue-600 border-blue-200 font-bold">
+                <Building2 size={12} className="mr-1.5" />
+                {user.tenant?.name || user.companyCode || t("ui.admin.users.detail.form.tenant_global", "시스템 전역")}
+              </Badge>
+              <Badge variant={user.status === "active" ? "default" : "secondary"} className="h-6 px-3">
+                {t(`ui.common.status.${user.status}`, user.status)}
+              </Badge>
+            </div>
+            <div className="flex flex-wrap items-center gap-4 text-muted-foreground text-sm">
+              <div className="flex items-center gap-1.5 bg-background px-2.5 py-1 rounded-full border">
+                <Mail size={14} className="text-primary/70" />
+                {user.email}
+              </div>
+              {user.phone && (
+                <div className="flex items-center gap-1.5 bg-background px-2.5 py-1 rounded-full border">
+                  <Shield size={14} className="text-primary/70" />
+                  {user.phone}
+                </div>
+              )}
+            </div>
+          </div>
+        </div>
+        <div className="flex flex-col items-start md:items-end text-[10px] text-muted-foreground gap-1.5 uppercase tracking-widest font-bold opacity-70">
+          <p>{t("ui.admin.users.detail.created_at", "가입일")}: {user.createdAt}</p>
+          <p>{t("ui.admin.users.detail.updated_at", "최근 수정")}: {user.updatedAt}</p>
         </div>
       </div>
 
-      <div className="grid gap-6 lg:grid-cols-3">
-        <div className="lg:col-span-2 space-y-6">
-          <Card>
-            <CardHeader>
-              <CardTitle>
-                {t("ui.admin.users.detail.edit_title", "사용자 정보 수정")}
-              </CardTitle>
-              <CardDescription>
-                {t(
-                  "msg.admin.users.detail.edit_subtitle",
-                  "{{email}} 계정의 정보를 수정합니다.",
-                  { email: user.email },
-                )}
-              </CardDescription>
-            </CardHeader>
-            <CardContent>
-              <form onSubmit={handleSubmit(onSubmit)} className="space-y-6">
-                {error && (
-                  <div className="rounded-md bg-destructive/15 p-3 text-sm text-destructive">
-                    {error}
-                  </div>
-                )}
-                {successMsg && (
-                  <div className="rounded-md bg-green-500/15 p-3 text-sm text-green-500">
-                    {successMsg}
-                  </div>
-                )}
+      <Tabs value={activeTab} onValueChange={setActiveTab} className="w-full space-y-6">
+        <TabsList className="bg-muted/50 p-1.5 rounded-xl inline-flex w-full md:w-auto">
+          <TabsTrigger value="info" className="px-6 py-2 rounded-lg data-[state=active]:shadow-sm">
+            <Users size={16} className="mr-2" />
+            {t("ui.admin.users.detail.tabs.info", "기본 정보")}
+          </TabsTrigger>
+          <TabsTrigger value="tenants" className="px-6 py-2 rounded-lg data-[state=active]:shadow-sm">
+            <Building2 size={16} className="mr-2" />
+            {t("ui.admin.users.detail.tabs.tenants", "테넌트 프로필")}
+          </TabsTrigger>
+          <TabsTrigger value="security" className="px-6 py-2 rounded-lg data-[state=active]:shadow-sm">
+            <Shield size={16} className="mr-2" />
+            {t("ui.admin.users.detail.tabs.security", "보안 & 활동")}
+          </TabsTrigger>
+        </TabsList>
 
-                {/* Tenant Affiliation Section (Enhanced) */}
-                <div className="rounded-lg border border-border bg-muted/30 p-4 space-y-4">
-                  <h3 className="text-sm font-semibold flex items-center gap-2">
-                    <Building2 size={16} className="text-primary" />
-                    {t(
-                      "ui.admin.users.detail.tenants_section.title",
-                      "소속 및 조직 정보",
-                    )}
-                  </h3>
-
-                  <div className="grid gap-6 md:grid-cols-2">
-                    <div className="space-y-2">
-                      <Label className="text-[10px] uppercase text-muted-foreground tracking-wider font-bold">
-                        {t(
-                          "ui.admin.users.detail.tenants_section.primary",
-                          "대표 소속 테넌트",
-                        )}
-                      </Label>
-
-                      {/* Select box to specify representative tenant from joined ones */}
-                      {userAffiliatedTenants.length > 0 ? (
-                        <div className="relative">
-                          <select
-                            className="flex h-10 w-full rounded-md border border-input bg-background px-3 py-2 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-primary disabled:opacity-50"
-                            {...register("tenantSlug")}
-                            disabled={
-                              profile?.role === "tenant_admin" &&
-                              userAffiliatedTenants.length <= 1
-                            }
-                          >
-                            <option value="">
-                              {t(
-                                "ui.admin.users.detail.form.tenant_global",
-                                "시스템 전역",
-                              )}
-                            </option>
-                            {userAffiliatedTenants.map((t) => (
-                              <option key={t.id} value={t.slug}>
-                                {t.name} ({t.slug})
-                              </option>
-                            ))}
-                          </select>
-                          <BadgeCheck
-                            size={14}
-                            className="absolute right-8 top-3 text-primary pointer-events-none"
-                          />
-                        </div>
-                      ) : (
-                        <div className="flex items-center gap-2 p-2 rounded-md bg-background border border-dashed border-border text-muted-foreground italic text-xs">
-                          {t(
-                            "ui.admin.users.detail.form.tenant_global",
-                            "시스템 전역 (소속 없음)",
-                          )}
-                        </div>
-                      )}
-                      <p className="text-[10px] text-muted-foreground">
-                        * 사용자의 주된 정체성을 결정하는 대표 조직을
-                        선택합니다.
-                      </p>
-                    </div>
-
-                    {userAffiliatedTenants.length > 1 && (
-                      <div className="space-y-1">
-                        <Label className="text-[10px] uppercase text-muted-foreground tracking-wider font-bold">
-                          {t(
-                            "ui.admin.users.detail.tenants_section.additional",
-                            "전체 소속 목록",
-                          )}
-                        </Label>
-                        <div className="flex flex-wrap gap-1.5 pt-1">
-                          {userAffiliatedTenants.map((jt) => (
-                            <Link
-                              key={jt.id}
-                              to={`/tenants/${jt.id}`}
-                              className={`inline-flex items-center gap-1 px-2 py-0.5 rounded border text-[11px] transition-colors ${
-                                jt.id ===
-                                tenants.find(
-                                  (t) => t.slug === watch("tenantSlug"),
-                                )?.id
-                                  ? "bg-primary/10 border-primary/30 text-primary font-bold"
-                                  : "bg-background border-border text-muted-foreground hover:border-primary/50"
-                              }`}
-                            >
-                              <Users size={10} />
-                              {jt.name}
-                            </Link>
-                          ))}
-                        </div>
-                      </div>
-                    )}
-                  </div>
-                </div>
-
-                <div className="grid gap-4 md:grid-cols-2">
+        <form onSubmit={handleSubmit(onSubmit)}>
+          <TabsContent value="info" className="space-y-6 mt-0 animate-in fade-in slide-in-from-bottom-2">
+            <Card className="border-none shadow-sm bg-[var(--color-panel)] rounded-2xl overflow-hidden">
+              <CardHeader className="pb-4">
+                <CardTitle className="text-lg flex items-center gap-2">
+                  <BadgeCheck size={18} className="text-primary" />
+                  {t("ui.admin.users.detail.edit_title", "프로필 정보")}
+                </CardTitle>
+                <CardDescription>{t("msg.admin.users.detail.edit_subtitle", "{{email}} 계정의 정보를 수정합니다.", { email: user.email })}</CardDescription>
+              </CardHeader>
+              <CardContent className="space-y-8 p-8">
+                <div className="grid gap-8 md:grid-cols-2">
                   <div className="space-y-2">
-                    <Label htmlFor="name">
-                      {t("ui.admin.users.detail.form.name", "이름")}
-                    </Label>
+                    <Label htmlFor="email" className="text-xs font-bold uppercase text-muted-foreground">{t("ui.admin.users.detail.form.email", "이메일")}</Label>
+                    <Input id="email" value={user.email} disabled className="bg-muted/50 border-none font-medium h-11" />
+                  </div>
+                  <div className="space-y-2">
+                    <Label htmlFor="name" className="text-xs font-bold uppercase text-muted-foreground">{t("ui.admin.users.detail.form.name", "이름")}</Label>
                     <Input
                       id="name"
-                      placeholder={t(
-                        "ui.admin.users.detail.form.name_placeholder",
-                        "홍길동",
-                      )}
                       {...register("name", {
-                        required: t(
-                          "msg.admin.users.detail.form.name_required",
-                          "이름은 필수입니다.",
-                        ),
+                        required: t("msg.admin.users.detail.form.name_required", "이름은 필수입니다."),
                       })}
-                    />
-                    {errors.name && (
-                      <p className="text-xs text-destructive">
-                        {errors.name.message}
-                      </p>
-                    )}
-                  </div>
-
-                  <div className="space-y-2">
-                    <Label htmlFor="phone">
-                      {t("ui.admin.users.detail.form.phone", "전화번호")}
-                    </Label>
-                    <Input
-                      id="phone"
-                      placeholder={t(
-                        "ui.admin.users.detail.form.phone_placeholder",
-                        "010-1234-5678",
-                      )}
-                      {...register("phone")}
+                      className="h-11 shadow-sm"
                     />
                   </div>
                 </div>
 
-                <div className="space-y-2">
-                  <Label htmlFor="loginId">
-                    {t("ui.admin.users.detail.form.login_id", "로그인 ID")}
-                  </Label>
-                  <Input
-                    id="loginId"
-                    placeholder={t(
-                      "ui.admin.users.detail.form.login_id_placeholder",
-                      "사번 또는 아이디",
-                    )}
-                    {...register("loginId")}
-                  />
-                </div>
-
-                <div className="grid gap-4 md:grid-cols-2">
+                <div className="grid gap-8 md:grid-cols-2 pt-6 border-t border-dashed">
                   <div className="space-y-2">
-                    <Label htmlFor="role">
-                      {t("ui.admin.users.detail.form.role", "권한")}
-                    </Label>
+                    <Label htmlFor="phone" className="text-xs font-bold uppercase text-muted-foreground">{t("ui.admin.users.detail.form.phone", "연락처")}</Label>
+                    <Input id="phone" {...register("phone")} className="h-11 shadow-sm" />
+                  </div>
+                  <div className="space-y-2">
+                    <Label htmlFor="role" className="text-xs font-bold uppercase text-muted-foreground">{t("ui.admin.users.detail.form.role", "권한")}</Label>
                     <select
                       id="role"
-                      className="flex h-10 w-full rounded-md border border-input bg-background px-3 py-2 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-primary disabled:opacity-50"
+                      className="flex h-11 w-full rounded-md border border-input bg-background px-3 py-2 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-primary"
                       {...register("role")}
                     >
-                      <option value="user">
-                        {t(
-                          "ui.admin.users.detail.form.role_user",
-                          "일반 사용자",
-                        )}
-                      </option>
-                      <option value="tenant_admin">
-                        {t(
-                          "ui.admin.users.detail.form.role_tenant_admin",
-                          "테넌트 관리자",
-                        )}
-                      </option>
-                      <option value="super_admin">
-                        {t(
-                          "ui.admin.users.detail.form.role_super_admin",
-                          "시스템 관리자",
-                        )}
-                      </option>
+                      <option value="user">{t("ui.admin.users.detail.form.role_user", "사용자")}</option>
+                      <option value="rp_admin">{t("ui.admin.users.detail.form.role_rp_admin", "RP 관리자")}</option>
+                      <option value="tenant_admin">{t("ui.admin.users.detail.form.role_tenant_admin", "테넌트 관리자")}</option>
+                      <option value="super_admin">{t("ui.admin.users.detail.form.role_super_admin", "시스템 전역 관리자")}</option>
                     </select>
                   </div>
+                </div>
 
+                <div className="grid gap-8 md:grid-cols-2 pt-6 border-t border-dashed">
                   <div className="space-y-2">
-                    <Label htmlFor="status">
-                      {t("ui.admin.users.detail.form.status", "상태")}
-                    </Label>
+                    <Label htmlFor="status" className="text-xs font-bold uppercase text-muted-foreground">{t("ui.admin.users.detail.form.status", "상태")}</Label>
                     <select
                       id="status"
-                      className="flex h-10 w-full rounded-md border border-input bg-background px-3 py-2 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-primary disabled:opacity-50"
+                      className="flex h-11 w-full rounded-md border border-input bg-background px-3 py-2 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-primary"
                       {...register("status")}
                     >
-                      <option value="active">
-                        {t("ui.admin.users.detail.form.status_active", "활성")}
-                      </option>
-                      <option value="inactive">
-                        {t(
-                          "ui.admin.users.detail.form.status_inactive",
-                          "비활성",
-                        )}
-                      </option>
+                      <option value="active">{t("ui.common.status.active", "활성")}</option>
+                      <option value="inactive">{t("ui.common.status.inactive", "비활성")}</option>
                     </select>
                   </div>
+                  <div className="space-y-2">
+                    <Label htmlFor="tenantSlug" className="text-xs font-bold uppercase text-muted-foreground">{t("ui.admin.users.detail.form.tenant_slug", "대표 소속 (Tenant Slug)")}</Label>
+                    <div className="relative">
+                      <select
+                        id="tenantSlug"
+                        className="flex h-11 w-full rounded-md border border-input bg-background px-3 py-2 text-sm shadow-sm transition-colors focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-primary disabled:opacity-50"
+                        {...register("tenantSlug")}
+                        disabled={
+                          profile?.role === "tenant_admin" &&
+                          userAffiliatedTenants.length <= 1
+                        }
+                      >
+                        <option value="">
+                          {t("ui.admin.users.detail.form.tenant_global", "시스템 전역 (소속 없음)")}
+                        </option>
+                        {userAffiliatedTenants.map((t) => (
+                          <option key={t.id} value={t.slug}>
+                            {t.name} ({t.slug})
+                          </option>
+                        ))}
+                      </select>
+                      <BadgeCheck
+                        size={14}
+                        className="absolute right-3 top-[15px] text-primary pointer-events-none"
+                      />
+                    </div>
+                    <p className="text-[10px] text-muted-foreground mt-1">
+                      * {t("msg.admin.users.detail.tenant_slug_help", "사용자의 주된 정체성을 결정하는 대표 조직을 지정합니다.")}
+                    </p>
+                  </div>
                 </div>
 
-                <div className="grid gap-4 md:grid-cols-2">
+                <div className="grid gap-6 md:grid-cols-3 pt-8 border-t">
                   <div className="space-y-2">
-                    <Label htmlFor="department">
-                      {t("ui.admin.users.detail.form.department", "부서")}
-                    </Label>
-                    <Input
-                      id="department"
-                      placeholder={t(
-                        "ui.admin.users.detail.form.department_placeholder",
-                        "개발팀",
-                      )}
-                      {...register("department")}
-                    />
+                    <Label htmlFor="department" className="text-xs font-bold uppercase text-muted-foreground">{t("ui.admin.users.detail.form.department", "부서/학과")}</Label>
+                    <Input id="department" {...register("department")} className="h-11 shadow-sm" />
                   </div>
                   <div className="space-y-2">
-                    <Label htmlFor="position">
-                      {t("ui.admin.users.detail.form.position", "직급")}
-                    </Label>
-                    <Input
-                      id="position"
-                      placeholder={t(
-                        "ui.admin.users.detail.form.position_placeholder",
-                        "수석",
-                      )}
-                      {...register("position")}
-                    />
+                    <Label htmlFor="position" className="text-xs font-bold uppercase text-muted-foreground">{t("ui.admin.users.detail.form.position", "직급")}</Label>
+                    <Input id="position" {...register("position")} className="h-11 shadow-sm" />
+                  </div>
+                  <div className="space-y-2">
+                    <Label htmlFor="jobTitle" className="text-xs font-bold uppercase text-muted-foreground">{t("ui.admin.users.detail.form.job_title", "직무")}</Label>
+                    <Input id="jobTitle" {...register("jobTitle")} className="h-11 shadow-sm" />
                   </div>
                 </div>
+              </CardContent>
+            </Card>
 
-                <div className="space-y-2">
-                  <Label htmlFor="jobTitle">
-                    {t("ui.admin.users.detail.form.job_title", "직무")}
-                  </Label>
-                  <Input
-                    id="jobTitle"
-                    placeholder={t(
-                      "ui.admin.users.detail.form.job_title_placeholder",
-                      "백엔드 개발",
-                    )}
-                    {...register("jobTitle")}
-                  />
-                </div>
+            <div className="flex justify-end pt-4">
+              <Button type="submit" disabled={mutation.isPending} className="px-12 h-12 rounded-xl shadow-lg transition-all hover:scale-105">
+                {mutation.isPending ? <Loader2 className="mr-2 h-5 w-5 animate-spin" /> : <Save className="mr-2 h-5 w-5" />}
+                <span className="text-base font-bold">{t("ui.admin.users.detail.save", "저장하기")}</span>
+              </Button>
+            </div>
+          </TabsContent>
 
-                <div className="space-y-4">
-                  <div className="flex items-center justify-between">
-                    <Label>
-                      {t(
-                        "ui.admin.users.detail.custom_fields.multi_title",
-                        "테넌트별 프로필 관리",
-                      )}
-                    </Label>
+          <TabsContent value="tenants" className="space-y-6 mt-0 animate-in fade-in slide-in-from-bottom-2">
+            <Card className="border-none shadow-sm bg-[var(--color-panel)] rounded-2xl">
+              <CardHeader className="pb-4">
+                <CardTitle className="text-lg flex items-center gap-2">
+                  <Building2 size={18} className="text-primary" />
+                  {t("ui.admin.users.detail.custom_fields.multi_title", "테넌트별 상세 프로필")}
+                </CardTitle>
+                <CardDescription>
+                  {t("msg.admin.users.detail.tenants_desc", "각 테넌트별로 정의된 커스텀 스키마 정보를 관리합니다.")}
+                </CardDescription>
+              </CardHeader>
+              <CardContent className="space-y-8 p-8">
+                {userAffiliatedTenants.length === 0 ? (
+                  <div className="py-16 text-center text-muted-foreground border-2 border-dashed rounded-2xl bg-muted/5">
+                    <Building2 size={48} className="mx-auto mb-4 opacity-20" />
+                    <p className="font-medium">{t("msg.admin.users.detail.no_tenants", "소속된 테넌트 정보가 없습니다.")}</p>
                   </div>
-                  <div className="grid gap-4">
+                ) : (
+                  <div className="grid gap-8">
                     {userAffiliatedTenants.map((t) => {
-                      const tDetail = tenants.find(
-                        (tenant) => tenant.id === t.id,
-                      );
-                      const schema = (tDetail?.config?.userSchema ||
-                        []) as UserSchemaField[];
+                      const tDetail = tenants.find((tenant) => tenant.id === t.id);
+                      const schema = (tDetail?.config?.userSchema || []) as UserSchemaField[];
                       return (
                         <TenantMetadataFields
                           key={t.id}
@@ -878,325 +687,187 @@ function UserDetailPage() {
                       );
                     })}
                   </div>
-                </div>
+                )}
+              </CardContent>
+            </Card>
 
-                <div className="flex justify-end pt-4">
-                  <Button type="submit" disabled={mutation.isPending}>
-                    {mutation.isPending && (
-                      <Loader2 className="mr-2 h-4 w-4 animate-spin" />
-                    )}
-                    <Save className="mr-2 h-4 w-4" />
-                    {t("ui.admin.users.detail.save", "변경사항 저장")}
-                  </Button>
-                </div>
-              </form>
-            </CardContent>
-          </Card>
+            <div className="flex justify-end pt-4">
+              <Button type="submit" disabled={mutation.isPending} className="px-12 h-12 rounded-xl shadow-lg transition-all hover:scale-105">
+                {mutation.isPending ? <Loader2 className="mr-2 h-5 w-5 animate-spin" /> : <Save className="mr-2 h-5 w-5" />}
+                <span className="text-base font-bold">{t("ui.admin.users.detail.save_tenants", "모든 테넌트 프로필 저장")}</span>
+              </Button>
+            </div>
+          </TabsContent>
+        </form>
 
-          <Card>
-            <CardHeader>
-              <CardTitle className="text-lg flex items-center gap-2">
-                <Key size={18} />
-                {t("ui.admin.users.detail.password_title", "비밀번호 관리")}
-              </CardTitle>
-            </CardHeader>
-            <CardContent className="space-y-4">
-              <div className="flex items-center justify-between rounded-lg border bg-muted/20 px-4 py-4">
-                <div className="space-y-1">
-                  <p className="text-sm font-medium">
-                    {t(
-                      "ui.admin.users.detail.reset_password_label",
-                      "비밀번호 초기화",
-                    )}
-                  </p>
-                  <p className="text-xs text-muted-foreground">
-                    {t(
-                      "msg.admin.users.detail.reset_password_help",
-                      "사용자의 비밀번호를 강제로 재설정하고 자동 생성하거나 직접 입력한 비밀번호를 적용합니다.",
-                    )}
-                  </p>
-                </div>
-                <Button
-                  variant="outline"
-                  onClick={handleOpenPasswordReset}
-                  disabled={isSelf}
-                >
-                  <RefreshCw className="mr-2 h-4 w-4" />
-                  {t("ui.admin.users.detail.reset_password", "초기화 및 설정")}
-                </Button>
-              </div>
-
-              {isSelf && (
-                <div className="rounded-lg border px-4 py-3">
-                  <p className="text-sm text-muted-foreground">
-                    {t(
-                      "msg.admin.users.detail.self_password_reset_blocked",
-                      "본인 계정의 비밀번호는 사용자 포털(UserFront) 설정에서 변경해 주세요.",
-                    )}
-                  </p>
-                </div>
-              )}
-
-              {isPasswordResetOpen && !generatedPassword && !isSelf && (
-                <div className="space-y-4 rounded-lg border px-4 py-4">
-                  <Tabs
-                    value={passwordResetMode}
-                    onValueChange={(value) => {
-                      setPasswordResetMode(value as PasswordResetMode);
-                      setPasswordResetError(null);
-                    }}
-                  >
-                    <TabsList className="grid w-full grid-cols-2 rounded-lg bg-muted p-1">
-                      <TabsTrigger
-                        value="generated"
-                        className="bg-slate-200 font-normal text-foreground data-[state=inactive]:bg-slate-200 data-[state=active]:bg-background data-[state=active]:font-semibold data-[state=active]:text-foreground data-[state=active]:shadow-sm"
-                      >
-                        {t(
-                          "ui.admin.users.detail.password_mode_generated",
-                          "자동 생성",
-                        )}
-                      </TabsTrigger>
-                      <TabsTrigger
-                        value="manual"
-                        className="bg-slate-200 font-normal text-foreground data-[state=inactive]:bg-slate-200 data-[state=active]:bg-background data-[state=active]:font-semibold data-[state=active]:text-foreground data-[state=active]:shadow-sm"
-                      >
-                        {t(
-                          "ui.admin.users.detail.password_mode_manual",
-                          "수동 입력",
-                        )}
-                      </TabsTrigger>
-                    </TabsList>
-                    <TabsContent value="generated" className="space-y-2">
-                      <p className="text-sm text-muted-foreground">
-                        {t(
-                          "msg.admin.users.detail.password_generated_help",
-                          "보안 기준에 맞는 임시 비밀번호를 자동 생성해 즉시 적용합니다.",
-                        )}
-                      </p>
-                    </TabsContent>
-                    <TabsContent value="manual" className="space-y-4">
-                      <p className="text-sm text-muted-foreground">
-                        {isPasswordPolicyLoading
-                          ? t(
-                              "msg.userfront.signup.policy.loading",
-                              "비밀번호 정책을 불러오는 중입니다...",
-                            )
-                          : t(
-                              "msg.userfront.signup.policy.summary",
-                              "보안 정책: {{rules}}",
-                              {
-                                rules:
-                                  buildPasswordPolicyDescription(
-                                    passwordPolicy,
-                                  ),
-                              },
-                            )}
-                      </p>
-                      <div className="flex gap-2">
-                        <div className="relative flex-1">
-                          <Input
-                            id="manualPassword"
-                            type={isManualPasswordVisible ? "text" : "password"}
-                            value={manualPassword}
-                            placeholder=" "
-                            className="peer pr-12 pt-5"
-                            onChange={(event) => {
-                              setManualPassword(event.target.value);
-                              if (passwordResetError) {
-                                setPasswordResetError(null);
-                              }
-                            }}
-                          />
-                          <label
-                            htmlFor="manualPassword"
-                            className="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 bg-background px-1 text-sm text-muted-foreground transition-all peer-placeholder-shown:top-1/2 peer-placeholder-shown:text-sm peer-focus:top-0 peer-focus:translate-y-[-50%] peer-focus:text-xs peer-[&:not(:placeholder-shown)]:top-0 peer-[&:not(:placeholder-shown)]:translate-y-[-50%] peer-[&:not(:placeholder-shown)]:text-xs"
-                          >
-                            {t(
-                              "ui.userfront.reset.new_password",
-                              "새 비밀번호",
-                            )}
-                          </label>
-                          <Button
-                            type="button"
-                            variant="ghost"
-                            size="icon"
-                            className="absolute right-1 top-1/2 h-8 w-8 -translate-y-1/2"
-                            onClick={() =>
-                              setIsManualPasswordVisible((prev) => !prev)
-                            }
-                            aria-label={t(
-                              "ui.admin.users.detail.toggle_password_visibility",
-                              "비밀번호 표시 전환",
-                            )}
-                          >
-                            {isManualPasswordVisible ? (
-                              <EyeOff className="h-4 w-4" />
-                            ) : (
-                              <Eye className="h-4 w-4" />
-                            )}
-                          </Button>
-                        </div>
-                      </div>
-                      <div className="flex gap-2">
-                        <div className="relative flex-1">
-                          <Input
-                            id="manualPasswordConfirm"
-                            type={isManualPasswordVisible ? "text" : "password"}
-                            value={manualPasswordConfirm}
-                            placeholder=" "
-                            className="peer pr-12 pt-5"
-                            onChange={(event) => {
-                              setManualPasswordConfirm(event.target.value);
-                              if (passwordResetError) {
-                                setPasswordResetError(null);
-                              }
-                            }}
-                          />
-                          <label
-                            htmlFor="manualPasswordConfirm"
-                            className="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 bg-background px-1 text-sm text-muted-foreground transition-all peer-placeholder-shown:top-1/2 peer-placeholder-shown:text-sm peer-focus:top-0 peer-focus:translate-y-[-50%] peer-focus:text-xs peer-[&:not(:placeholder-shown)]:top-0 peer-[&:not(:placeholder-shown)]:translate-y-[-50%] peer-[&:not(:placeholder-shown)]:text-xs"
-                          >
-                            {t(
-                              "ui.userfront.reset.confirm_password",
-                              "새 비밀번호 확인",
-                            )}
-                          </label>
-                          <Button
-                            type="button"
-                            variant="ghost"
-                            size="icon"
-                            className="absolute right-1 top-1/2 h-8 w-8 -translate-y-1/2"
-                            onClick={() =>
-                              setIsManualPasswordVisible((prev) => !prev)
-                            }
-                            aria-label={t(
-                              "ui.admin.users.detail.toggle_password_visibility",
-                              "비밀번호 표시 전환",
-                            )}
-                          >
-                            {isManualPasswordVisible ? (
-                              <EyeOff className="h-4 w-4" />
-                            ) : (
-                              <Eye className="h-4 w-4" />
-                            )}
-                          </Button>
-                        </div>
-                      </div>
-                    </TabsContent>
-                  </Tabs>
-                  {passwordResetError && (
-                    <p className="text-sm text-destructive">
-                      {passwordResetError}
-                    </p>
-                  )}
-                  <div className="flex justify-end gap-2">
-                    <Button
-                      variant="ghost"
-                      size="sm"
-                      onClick={handleClosePasswordReset}
-                    >
-                      {t("ui.common.cancel", "취소")}
-                    </Button>
-                    <Button
-                      variant="destructive"
-                      size="sm"
-                      onClick={confirmPasswordReset}
-                      disabled={resetPasswordMutation.isPending}
-                    >
-                      {resetPasswordMutation.isPending && (
-                        <Loader2 className="mr-2 h-4 w-4 animate-spin" />
-                      )}
-                      {t(
-                        "ui.admin.users.detail.reset_password_apply",
-                        "비밀번호 적용",
-                      )}
-                    </Button>
-                  </div>
-                </div>
-              )}
-
-              {generatedPassword && (
-                <div className="p-4 border border-dashed rounded-lg bg-yellow-500/5 flex flex-wrap items-center justify-between gap-4">
+        <TabsContent value="security" className="space-y-6 mt-0 animate-in fade-in slide-in-from-bottom-2">
+          <div className="grid gap-6 lg:grid-cols-2">
+            <Card className="border-none shadow-sm bg-[var(--color-panel)] rounded-2xl h-fit">
+              <CardHeader>
+                <CardTitle className="text-lg flex items-center gap-2">
+                  <Key size={18} className="text-primary" />
+                  {t("ui.admin.users.detail.password_title", "비밀번호 관리")}
+                </CardTitle>
+                <CardDescription>{t("msg.admin.users.detail.security_desc", "비밀번호 초기화 및 보안 설정을 관리합니다.")}</CardDescription>
+              </CardHeader>
+              <CardContent className="space-y-6">
+                <div className="flex items-center justify-between rounded-2xl border bg-muted/20 px-6 py-6 transition-all hover:bg-muted/30">
                   <div className="space-y-1">
-                    <p className="text-xs font-bold text-yellow-600 uppercase tracking-wider">
-                      {t(
-                        "ui.admin.users.detail.password_result_title",
-                        "Reset Password",
-                      )}
+                    <p className="font-bold text-sm">
+                      {t("ui.admin.users.detail.reset_password_label", "비밀번호 초기화")}
                     </p>
-                    <p className="font-mono text-lg font-bold">
-                      {generatedPassword}
+                    <p className="text-xs text-muted-foreground">
+                      {t("msg.admin.users.detail.reset_password_help", "안전한 새 비밀번호로 교체합니다.")}
                     </p>
                   </div>
-                  <Button
-                    size="sm"
-                    variant="secondary"
-                    onClick={handleCopyPassword}
-                  >
-                    <Copy className="mr-2 h-4 w-4" />
-                    {t("ui.common.copy", "복사")}
+                  <Button variant="outline" onClick={handleOpenPasswordReset} disabled={isSelf} className="h-10 rounded-xl px-5 border-primary/20 hover:border-primary/50 hover:bg-primary/5">
+                    <RefreshCw className="mr-2 h-4 w-4" />
+                    {t("ui.admin.users.detail.reset_password", "초기화 도구")}
                   </Button>
                 </div>
-              )}
-            </CardContent>
-          </Card>
-        </div>
 
-        <div className="space-y-6">
-          <Card>
-            <CardHeader>
-              <CardTitle className="text-lg">
-                {t("ui.admin.users.detail.status_title", "계정 상태")}
-              </CardTitle>
-            </CardHeader>
-            <CardContent className="space-y-4">
-              <div className="flex items-center gap-4">
-                <div className="h-12 w-12 rounded-full bg-primary/10 flex items-center justify-center text-primary">
-                  <UserCheck size={24} />
-                </div>
-                <div>
-                  <div className="flex items-center gap-2">
-                    <Badge
-                      variant={
-                        user.status === "active" ? "default" : "secondary"
-                      }
-                    >
-                      {user.status === "active" ? "Active" : "Inactive"}
-                    </Badge>
-                    <Badge variant="outline">{user.role}</Badge>
+                {isSelf && (
+                  <div className="rounded-xl bg-blue-500/5 border border-blue-500/10 px-5 py-4 text-sm text-blue-600 flex items-center gap-3">
+                    <Shield size={18} className="shrink-0" />
+                    <p className="leading-relaxed">{t("msg.admin.users.detail.self_password_reset_blocked", "보안을 위해 본인 계정은 사용자 포털에서만 변경 가능합니다.")}</p>
                   </div>
-                  <p className="text-xs text-muted-foreground mt-1">
-                    {t("ui.admin.users.detail.created_at", "가입일")}:{" "}
-                    {new Date(user.createdAt).toLocaleDateString()}
-                  </p>
-                </div>
-              </div>
-            </CardContent>
-          </Card>
+                )}
 
-          <Card>
-            <CardHeader>
-              <CardTitle className="text-lg">
-                {t("ui.admin.users.detail.contact_title", "연락처 정보")}
-              </CardTitle>
-            </CardHeader>
-            <CardContent className="space-y-3">
-              <div className="flex items-center gap-2 text-sm">
-                <Mail size={14} className="text-muted-foreground" />
-                <span>{user.email}</span>
-              </div>
-              {user.phone && (
-                <div className="flex items-center gap-2 text-sm">
-                  <Badge variant="outline" className="font-normal">
-                    SMS
-                  </Badge>
-                  <span>{user.phone}</span>
-                </div>
-              )}
-            </CardContent>
-          </Card>
-        </div>
-      </div>
+                {isPasswordResetOpen && !generatedPassword && !isSelf && (
+                  <div className="mt-4 p-6 border rounded-2xl bg-card shadow-sm animate-in zoom-in-95 duration-200">
+                    <Tabs value={passwordResetMode} onValueChange={(v) => setPasswordResetMode(v as PasswordResetMode)}>
+                      <TabsList className="grid w-full grid-cols-2 mb-6 p-1 bg-gray-100 dark:bg-gray-800 rounded-lg">
+                        <TabsTrigger 
+                          value="auto" 
+                          className="rounded-md data-[state=active]:bg-white data-[state=active]:text-primary data-[state=active]:shadow-sm font-bold py-2 text-gray-500"
+                        >
+                          {t("ui.admin.users.detail.reset_auto", "자동 생성")}
+                        </TabsTrigger>
+                        <TabsTrigger 
+                          value="manual" 
+                          className="rounded-md data-[state=active]:bg-white data-[state=active]:text-primary data-[state=active]:shadow-sm font-bold py-2 text-gray-500"
+                        >
+                          {t("ui.admin.users.detail.reset_manual", "직접 입력")}
+                        </TabsTrigger>
+                      </TabsList>
+                      
+                      <TabsContent value="auto" className="space-y-4">
+                        <div className="bg-muted/50 p-4 rounded-xl text-xs text-muted-foreground leading-relaxed">
+                          {t("msg.admin.users.detail.reset_auto_desc", "해킹이 어려운 복잡한 임시 비밀번호를 시스템이 즉시 생성합니다.")}
+                        </div>
+                        <Button type="button" onClick={() => setManualPassword(generateSecurePassword())} variant="secondary" className="w-full h-11 rounded-xl font-bold">
+                          {t("ui.admin.users.detail.generate_button", "랜덤 비밀번호 생성")}
+                        </Button>
+                      </TabsContent>
+
+                      <TabsContent value="manual" className="space-y-5 pt-2">
+                        <div className="space-y-2">
+                          <Label className="text-xs font-bold uppercase">{t("ui.admin.users.detail.manual_password", "새 비밀번호")}</Label>
+                          <div className="relative">
+                            <Input
+                              type={isManualPasswordVisible ? "text" : "password"}
+                              value={manualPassword}
+                              onChange={(e) => setManualPassword(e.target.value)}
+                              className="h-11 rounded-xl shadow-sm pr-12"
+                            />
+                            <Button
+                              type="button"
+                              variant="ghost"
+                              size="icon"
+                              className="absolute right-0 top-0 h-full px-3 hover:bg-transparent text-muted-foreground"
+                              onClick={() => setIsManualPasswordVisible(!isManualPasswordVisible)}
+                            >
+                              {isManualPasswordVisible ? <EyeOff size={18} /> : <Eye size={18} />}
+                            </Button>
+                          </div>
+                        </div>
+                        <div className="space-y-2">
+                          <Label className="text-xs font-bold uppercase">{t("ui.admin.users.detail.manual_confirm", "비밀번호 확인")}</Label>
+                          <Input
+                            type="password"
+                            value={manualPasswordConfirm}
+                            onChange={(e) => setManualPasswordConfirm(e.target.value)}
+                            className="h-11 rounded-xl shadow-sm"
+                          />
+                        </div>
+                      </TabsContent>
+
+                      {passwordResetError && (
+                        <div className="flex items-center gap-2 text-xs text-destructive mt-4 p-3 bg-destructive/5 rounded-lg border border-destructive/10">
+                          <Shield size={14} />
+                          <span className="font-medium">{passwordResetError}</span>
+                        </div>
+                      )}
+
+                      <div className="flex justify-end gap-3 mt-8">
+                        <Button variant="ghost" type="button" onClick={handleClosePasswordReset} className="h-11 rounded-xl px-6 font-bold">{t("ui.common.cancel", "취소")}</Button>
+                        <Button type="button" onClick={handleExecutePasswordReset} disabled={resetMutation.isPending} className="h-11 rounded-xl px-8 font-bold shadow-md">
+                          {resetMutation.isPending && <Loader2 className="mr-2 h-4 w-4 animate-spin" />}
+                          {t("ui.admin.users.detail.reset_execute", "재설정 완료")}
+                        </Button>
+                      </div>
+                    </Tabs>
+                  </div>
+                )}
+
+                {generatedPassword && (
+                  <div className="mt-4 p-8 bg-green-500/10 border border-green-500/20 rounded-2xl space-y-6 animate-in zoom-in-95">
+                    <div className="flex items-center gap-3 text-green-700 font-extrabold text-lg">
+                      <BadgeCheck size={28} className="text-green-600" />
+                      {t("ui.admin.users.detail.password_done", "성공적으로 초기화됨")}
+                    </div>
+                    <div className="p-5 bg-white border border-green-200 rounded-2xl flex items-center justify-between shadow-sm">
+                      <code className="text-2xl font-mono tracking-widest text-primary selection:bg-primary selection:text-white">{generatedPassword}</code>
+                      <Button variant="ghost" size="sm" onClick={() => {
+                        navigator.clipboard.writeText(generatedPassword);
+                        toast.success(t("msg.common.copied", "복사되었습니다."));
+                      }} className="h-10 px-4 rounded-xl hover:bg-green-50 font-bold">
+                        <Copy size={16} className="mr-2" />
+                        {t("ui.common.copy", "복사")}
+                      </Button>
+                    </div>
+                    <Button className="w-full h-12 rounded-xl font-bold bg-green-600 hover:bg-green-700 shadow-md" type="button" onClick={handleClosePasswordReset}>{t("ui.common.close", "안전하게 도구 닫기")}</Button>
+                  </div>
+                )}
+              </CardContent>
+            </Card>
+
+            <Card className="border-none shadow-sm bg-[var(--color-panel)] rounded-2xl">
+              <CardHeader>
+                <CardTitle className="text-lg flex items-center gap-2">
+                  <History size={18} className="text-primary" />
+                  {t("ui.admin.users.detail.history_title", "서비스 이용 내역")}
+                </CardTitle>
+                <CardDescription>{t("msg.admin.users.detail.history_desc", "최근 로그인한 연동 서비스(RP) 목록입니다.")}</CardDescription>
+              </CardHeader>
+              <CardContent className="p-8 pt-2">
+                {rpHistoryQuery.isLoading ? (
+                  <div className="py-12 text-center text-muted-foreground animate-pulse">{t("msg.common.loading", "불러오는 중...")}</div>
+                ) : !rpHistoryQuery.data || rpHistoryQuery.data.length === 0 ? (
+                  <div className="py-16 text-center text-muted-foreground border-2 border-dashed rounded-2xl bg-muted/5">
+                    <History size={40} className="mx-auto mb-4 opacity-10" />
+                    <p className="text-sm font-medium">{t("msg.admin.users.detail.no_history", "아직 이용한 서비스가 없습니다.")}</p>
+                  </div>
+                ) : (
+                  <div className="grid gap-4">
+                    {rpHistoryQuery.data.map((item, i) => (
+                      <div key={i} className="flex items-center justify-between p-5 rounded-2xl border bg-card hover:border-primary/40 hover:shadow-md transition-all group">
+                        <div className="flex flex-col gap-1.5">
+                          <span className="font-extrabold text-base group-hover:text-primary transition-colors">{item.clientName || item.clientId}</span>
+                          <span className="text-[11px] text-muted-foreground font-mono bg-muted px-2 py-0.5 rounded w-fit">{item.clientId}</span>
+                        </div>
+                        <div className="text-right">
+                          <Badge variant="outline" className="text-[10px] font-bold px-2 py-1 rounded-md border-primary/20">{item.lastLoginAt}</Badge>
+                        </div>
+                      </div>
+                    ))}
+                  </div>
+                )}
+              </CardContent>
+            </Card>
+          </div>
+        </TabsContent>
+      </Tabs>
     </div>
   );
 }
diff --git a/adminfront/src/features/users/UserListPage.tsx b/adminfront/src/features/users/UserListPage.tsx
index 573f8861..dffb6349 100644
--- a/adminfront/src/features/users/UserListPage.tsx
+++ b/adminfront/src/features/users/UserListPage.tsx
@@ -430,9 +430,6 @@ function UserListPage() {
                         "NAME / EMAIL",
                       )}
                     </TableHead>
-                    <TableHead>
-                      {t("ui.admin.users.list.table.login_id", "LOGIN ID")}
-                    </TableHead>
                     <TableHead>
                       {t("ui.admin.users.list.table.role", "ROLE")}
                     </TableHead>
@@ -514,11 +511,6 @@ function UserListPage() {
                           </div>
                         </div>
                       </TableCell>
-                      <TableCell>
-                        <span className="text-sm font-mono">
-                          {user.loginId || "-"}
-                        </span>
-                      </TableCell>
                       <TableCell>
                         <Badge variant="outline">
                           {t(`ui.admin.role.${user.role}`, user.role)}
diff --git a/adminfront/src/lib/adminApi.ts b/adminfront/src/lib/adminApi.ts
index 2c011c6a..274ddfb8 100644
--- a/adminfront/src/lib/adminApi.ts
+++ b/adminfront/src/lib/adminApi.ts
@@ -549,6 +549,20 @@ export async function deleteUser(userId: string) {
   await apiClient.delete(`/v1/admin/users/${userId}`);
 }
 
+export type UserRpHistoryItem = {
+  client_id: string;
+  client_name: string;
+  lastLoginAt: string;
+  status: string;
+};
+
+export async function fetchUserRpHistory(userId: string) {
+  const { data } = await apiClient.get<UserRpHistoryItem[]>(
+    `/v1/admin/users/${userId}/rp-history`,
+  );
+  return data;
+}
+
 export type UserProfileResponse = {
   id: string;
   email: string;
diff --git a/backend/cmd/server/main.go b/backend/cmd/server/main.go
index dc6e173a..1c5e13a9 100644
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -294,7 +294,7 @@ func main() {
 	tenantHandler := handler.NewTenantHandler(db, tenantService, userRepo, ketoService, ketoOutboxRepo, kratosAdminService)
 	userGroupHandler := handler.NewUserGroupHandler(userGroupService)
 	relyingPartyHandler := handler.NewRelyingPartyHandler(relyingPartyService, kratosAdminService)
-	userHandler := handler.NewUserHandler(kratosAdminService, oryAdminProvider, tenantService, ketoService, ketoOutboxRepo, userRepo, userGroupRepo)
+	userHandler := handler.NewUserHandler(kratosAdminService, oryAdminProvider, tenantService, ketoService, ketoOutboxRepo, userRepo, userGroupRepo, auditRepo)
 	apiKeyHandler := handler.NewApiKeyHandler(db)
 
 	orgChartService := service.NewOrgChartService(tenantRepo, userGroupRepo, userRepo, ketoOutboxRepo, kratosAdminService)
@@ -669,6 +669,7 @@ func main() {
 	admin.Put("/users/bulk", requireAdmin, userHandler.BulkUpdateUsers)
 	admin.Delete("/users/bulk", requireAdmin, userHandler.BulkDeleteUsers)
 	admin.Get("/users/:id", requireAdmin, userHandler.GetUser)
+	admin.Get("/users/:id/rp-history", requireAdmin, userHandler.GetUserRpHistory)
 	admin.Put("/users/:id", requireAdmin, userHandler.UpdateUser)
 	admin.Delete("/users/:id", requireAdmin, userHandler.DeleteUser)
 
diff --git a/backend/internal/bootstrap/bootstrap.go b/backend/internal/bootstrap/bootstrap.go
index 12e93df0..e4cd6fb8 100644
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -34,6 +34,7 @@ func migrateSchemas(db *gorm.DB) error {
 		&domain.Tenant{},
 		&domain.TenantDomain{},
 		&domain.User{},
+		&domain.UserLoginID{},
 		&domain.UserGroup{},
 		&domain.ApiKey{},
 		&domain.IdentityProviderConfig{},
diff --git a/backend/internal/domain/auth_models.go b/backend/internal/domain/auth_models.go
index 002ff21a..855288e3 100644
--- a/backend/internal/domain/auth_models.go
+++ b/backend/internal/domain/auth_models.go
@@ -80,6 +80,7 @@ type UserProfileResponse struct {
 	AffiliationType        string         `json:"affiliationType"`
 	CompanyCode            string         `json:"companyCode,omitempty"`
 	TenantID               *string        `json:"tenantId,omitempty"`       // 추가
+	SessionTenantID        *string        `json:"sessionTenantId,omitempty"` // [New] 로그인에 사용된 식별자 기반 테넌트
 	RelyingPartyID         *string        `json:"relyingPartyId,omitempty"` // 추가
 	Metadata               map[string]any `json:"metadata,omitempty"`
 	Tenant                 *Tenant        `json:"tenant,omitempty"`
diff --git a/backend/internal/domain/idp_models.go b/backend/internal/domain/idp_models.go
index 6cbbe208..e22b9392 100644
--- a/backend/internal/domain/idp_models.go
+++ b/backend/internal/domain/idp_models.go
@@ -12,11 +12,12 @@ var ErrNotSupported = errors.New("idp: not supported")
 // BrokerUser is the standard user model used within Baron SSO business logic.
 // It defines the canonical set of fields that must be supported by any underlying IDP.
 type BrokerUser struct {
-	ID          string `json:"id" required:"true"`
-	Email       string `json:"email" required:"true"`
-	LoginID     string `json:"login_id"`
-	Name        string `json:"name"`
-	PhoneNumber string `json:"phone_number"`
+	ID             string   `json:"id" required:"true"`
+	Email          string   `json:"email" required:"true"`
+	LoginID        string   `json:"login_id"`
+	CustomLoginIDs []string `json:"custom_login_ids"` // [New] 다중 로그인 ID
+	Name           string   `json:"name"`
+	PhoneNumber    string   `json:"phone_number"`
 	// Attributes stores custom user attributes.
 	// The "required_keys" tag specifies which keys MUST be present in the IDP's schema support.
 	Attributes map[string]interface{} `json:"attributes" required_keys:"grade,department"`
diff --git a/backend/internal/domain/user.go b/backend/internal/domain/user.go
index 771d7529..8fe475a3 100644
--- a/backend/internal/domain/user.go
+++ b/backend/internal/domain/user.go
@@ -35,14 +35,13 @@ func NormalizeRole(role string) string {
 type User struct {
 	ID              string         `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
 	Email           string         `gorm:"uniqueIndex;not null" json:"email"`
-	LoginID         string         `gorm:"column:login_id;uniqueIndex:idx_tenant_login_id" json:"loginId"`
 	PasswordHash    *string        `gorm:"column:password_hash" json:"-"`
 	Name            string         `gorm:"column:name;not null" json:"name"`
 	Phone           string         `gorm:"column:phone" json:"phone"`
 	Role            string         `gorm:"column:role;default:'user';not null" json:"role"` // super_admin, tenant_admin, rp_admin, user
 	AffiliationType string         `gorm:"column:affiliation_type" json:"affiliationType"`
 	CompanyCode     string         `gorm:"column:company_code;index" json:"companyCode"`
-	TenantID        *string        `gorm:"column:tenant_id;type:uuid;index;uniqueIndex:idx_tenant_login_id" json:"tenantId,omitempty"`
+	TenantID        *string        `gorm:"column:tenant_id;type:uuid;index" json:"tenantId,omitempty"`
 	Tenant          *Tenant        `gorm:"foreignKey:TenantID" json:"tenant,omitempty"`
 	RelyingPartyID  *string        `gorm:"column:relying_party_id;type:uuid;index" json:"relyingPartyId,omitempty"` // RP Admin용
 	Department      string         `gorm:"column:department" json:"department"`
@@ -53,6 +52,18 @@ type User struct {
 	CreatedAt       time.Time      `gorm:"column:created_at" json:"createdAt"`
 	UpdatedAt       time.Time      `gorm:"column:updated_at" json:"updatedAt"`
 	DeletedAt       gorm.DeletedAt `gorm:"column:deleted_at;index" json:"-"`
+
+	// Multiple identifiers support
+	UserLoginIDs []UserLoginID `gorm:"foreignKey:UserID" json:"userLoginIds,omitempty"`
+}
+
+// UserLoginID represents multiple custom identifiers for a user
+type UserLoginID struct {
+	ID       string `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
+	UserID   string `gorm:"type:uuid;not null;index" json:"userId"`
+	TenantID string `gorm:"type:uuid;not null;index" json:"tenantId"` // 발급 테넌트
+	FieldKey string `gorm:"not null" json:"fieldKey"`                 // 스키마 필드 키 (예: emp_id)
+	LoginID  string `gorm:"uniqueIndex;not null" json:"loginId"`      // 실제 값 (예: EMP001)
 }
 
 // BeforeCreate hook to generate UUID if not present
diff --git a/backend/internal/handler/auth_handler.go b/backend/internal/handler/auth_handler.go
index ec1aa584..53d105a1 100644
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -287,6 +287,16 @@ func (h *AuthHandler) CheckLoginID(c *fiber.Ctx) error {
 		return errorJSON(c, fiber.StatusServiceUnavailable, "Identity provider unavailable")
 	}
 
+	if !exists && h.UserRepo != nil {
+		// [New] Check local DB for custom login IDs (Plan A)
+		taken, err := h.UserRepo.IsLoginIDTaken(c.Context(), req.LoginID)
+		if err != nil {
+			slog.Error("Failed to check login ID in local DB", "error", err)
+		} else if taken {
+			exists = true
+		}
+	}
+
 	if exists {
 		return c.JSON(fiber.Map{"available": false, "message": "ID already registered"})
 	}
@@ -596,27 +606,20 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
 		"grade": "member",
 	}
 
-	if req.LoginID != "" {
-		attributes["id"] = req.LoginID
-	}
+	// Sync all custom login IDs based on tenant schemas
+	loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, req.Metadata, "")
 
-	// Sync custom field to LoginID if configured
-	if tenantID != nil && h.TenantService != nil {
-		if tenant, err := h.TenantService.GetTenant(c.Context(), *tenantID); err == nil && tenant != nil {
-			if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
-				syncLoginID(attributes, req.Metadata, *tenantID, loginIdField)
+	// Validate all collected LoginIDs
+	if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
+		for _, lid := range collectedIDs {
+			if err := domain.ValidateLoginID(lid, req.Email, normalizedPhone); err != nil {
+				return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
 			}
 		}
 	}
 
-	finalLoginID := extractTraitString(attributes, "id")
-	if err := domain.ValidateLoginID(finalLoginID, req.Email, normalizedPhone); err != nil {
-		return errorJSON(c, fiber.StatusBadRequest, err.Error())
-	}
-
 	brokerUser := &domain.BrokerUser{
 		Email:       req.Email,
-		LoginID:     finalLoginID,
 		Name:        req.Name,
 		PhoneNumber: normalizedPhone,
 		Attributes:  attributes,
@@ -629,7 +632,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
 		}
 		slog.Error("[Signup] Failed to create user via IDP", "provider", h.IdpProvider.Name(), "error", err)
 		if strings.Contains(err.Error(), "already exists") {
-			return errorJSON(c, fiber.StatusConflict, "User already exists")
+			return errorJSON(c, fiber.StatusConflict, "User or login identifier already exists")
 		}
 		// Include the actual error message in the response for debugging
 		return errorJSON(c, fiber.StatusInternalServerError, fmt.Sprintf("Failed to create user: %v", err))
@@ -644,29 +647,47 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
 	// [SoT Policy] Kratos가 SoT이므로 로컬 DB 저장은 비동기 Read-Model 동기화로 처리합니다.
 	// 로컬 DB 저장이 실패하더라도 회원가입 프로세스는 성공으로 간주합니다.
 	localUser := &domain.User{
-		ID:              providerID, // Match IDP Subject
+		ID:              providerID,
 		Email:           req.Email,
 		Name:            req.Name,
 		Phone:           normalizedPhone,
+		Role:            "user",
 		AffiliationType: req.AffiliationType,
 		CompanyCode:     companyCode,
-		TenantID:        tenantID,
 		Department:      req.Department,
-		Role:            "user",
 		Status:          "active",
-		Metadata:        req.Metadata,
+		CreatedAt:       time.Now(),
+		UpdatedAt:       time.Now(),
+	}
+
+	if tenantID != nil {
+		localUser.TenantID = tenantID
+	}
+
+	// Merge metadata
+	localUser.Metadata = make(domain.JSONMap)
+	for k, v := range req.Metadata {
+		localUser.Metadata[k] = v
 	}
 
 	if h.UserRepo != nil {
-		go func(u *domain.User) {
-			// 요청 Context가 취소될 수 있으므로 Background Context 사용
+		go func(u *domain.User, ids []domain.UserLoginID) {
 			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 			defer cancel()
 
-			if err := h.UserRepo.Create(ctx, u); err != nil {
+			if err := h.UserRepo.Update(ctx, u); err != nil {
 				slog.Error("[Signup] Failed to sync user to Read-Model (Local DB)", "email", u.Email, "error", err)
 			} else {
 				slog.Debug("[Signup] Synced user to Read-Model", "email", u.Email)
+
+				// Update User Login IDs
+				for i := range ids {
+					ids[i].UserID = u.ID
+				}
+				if err := h.UserRepo.UpdateUserLoginIDs(ctx, u.ID, ids); err != nil {
+					slog.Error("[Signup] Failed to update user login IDs", "userID", u.ID, "error", err)
+				}
+
 				// [Keto] Sync user-tenant relationship via Outbox
 				if h.KetoOutboxRepo != nil && u.TenantID != nil {
 					_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
@@ -678,7 +699,7 @@ func (h *AuthHandler) Signup(c *fiber.Ctx) error {
 					})
 				}
 			}
-		}(localUser)
+		}(localUser, loginIDRecords)
 	}
 
 	return c.JSON(fiber.Map{
@@ -3182,7 +3203,7 @@ func (h *AuthHandler) ScanQRLogin(c *fiber.Ctx) error {
 		if cookie == "" {
 			return errorJSON(c, fiber.StatusUnauthorized, "Missing session token")
 		}
-		_, traits, err := h.getKratosIdentityWithCookie(cookie)
+		_, traits, _, err := h.getKratosIdentityWithCookie(cookie)
 		if err != nil {
 			slog.Warn("[QR] Cookie session invalid", "error", err)
 			return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -4252,7 +4273,7 @@ func (h *AuthHandler) GetAuthTimeline(c *fiber.Ctx) error {
 		if strings.Contains(path, "/api/v1/auth/oidc/login/accept") {
 			appName = "OIDC 로그인"
 			// 우선 audit details의 client 정보를 사용하고, 없으면 Hydra 조회로 보강
-			if details, err := parseAuditDetails(log.Details); err == nil && details != nil {
+			if details, err := utils.ParseAuditDetails(log.Details); err == nil && details != nil {
 				if name, ok := details["client_name"].(string); ok && strings.TrimSpace(name) != "" {
 					appName = strings.TrimSpace(name)
 				}
@@ -5089,6 +5110,15 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
 		profile.Role = domain.RoleUser
 	}
 
+	// [New] Backtracking Logic for Session Tenant (Plan A)
+	if usedID, ok := profile.Metadata["_used_identifier"].(string); ok && usedID != "" && h.UserRepo != nil {
+		if tid, err := h.UserRepo.FindTenantIDByLoginID(c.Context(), usedID); err == nil && tid != "" {
+			profile.SessionTenantID = &tid
+			slog.Debug("Auto-assigned session tenant via backtracking", "loginID", usedID, "tenantID", tid)
+		}
+		delete(profile.Metadata, "_used_identifier") // Cleanup
+	}
+
 	// Fetch Tenant Metadata if missing
 	if profile.Tenant == nil && profile.TenantID != nil && *profile.TenantID != "" {
 		if tenant, err := h.TenantService.GetTenant(c.Context(), *profile.TenantID); err == nil {
@@ -5140,7 +5170,7 @@ func (h *AuthHandler) resolveConsentSubject(c *fiber.Ctx) (string, error) {
 			return identityID, nil
 		}
 		if cookie := c.Get("Cookie"); cookie != "" {
-			cookieID, _, cookieErr := h.getKratosIdentityWithCookie(cookie)
+			cookieID, _, _, cookieErr := h.getKratosIdentityWithCookie(cookie)
 			if cookieErr == nil && cookieID != "" {
 				return cookieID, nil
 			}
@@ -5151,14 +5181,14 @@ func (h *AuthHandler) resolveConsentSubject(c *fiber.Ctx) (string, error) {
 	if cookie == "" {
 		return "", fmt.Errorf("missing authorization token")
 	}
-	identityID, _, err := h.getKratosIdentityWithCookie(cookie)
+	identityID, _, _, err := h.getKratosIdentityWithCookie(cookie)
 	return identityID, err
 }
 
 func (h *AuthHandler) resolveConsentSubjects(c *fiber.Ctx) ([]string, error) {
 	token := h.getBearerToken(c)
 	if token != "" {
-		identityID, traits, err := h.getKratosIdentity(token)
+		identityID, traits, _, err := h.getKratosIdentity(token)
 		if err == nil && identityID != "" {
 			subjects := []string{identityID}
 			subjects = appendLoginIDsFromTraits(subjects, traits)
@@ -5170,7 +5200,7 @@ func (h *AuthHandler) resolveConsentSubjects(c *fiber.Ctx) ([]string, error) {
 	if cookie == "" {
 		return nil, fmt.Errorf("missing authorization token")
 	}
-	identityID, traits, err := h.getKratosIdentityWithCookie(cookie)
+	identityID, traits, _, err := h.getKratosIdentityWithCookie(cookie)
 	if err != nil {
 		return nil, err
 	}
@@ -5250,7 +5280,7 @@ func isAuthEventType(eventType string) bool {
 
 func extractAuditPath(log domain.AuditLog) string {
 	if log.Details != "" {
-		if payload, err := parseAuditDetails(log.Details); err == nil {
+		if payload, err := utils.ParseAuditDetails(log.Details); err == nil {
 			if path, ok := payload["path"].(string); ok && path != "" {
 				return path
 			}
@@ -5263,17 +5293,6 @@ func extractAuditPath(log domain.AuditLog) string {
 	return ""
 }
 
-func parseAuditDetails(details string) (map[string]any, error) {
-	var payload map[string]any
-	if details == "" {
-		return nil, fmt.Errorf("empty details")
-	}
-	if err := json.Unmarshal([]byte(details), &payload); err != nil {
-		return nil, err
-	}
-	return payload, nil
-}
-
 func extractRequestBody(details map[string]any) map[string]any {
 	if details == nil {
 		return nil
@@ -5290,7 +5309,7 @@ func extractRequestBody(details map[string]any) map[string]any {
 }
 
 func shouldSkipAuthTimeline(log domain.AuditLog) bool {
-	details, _ := parseAuditDetails(log.Details)
+	details, _ := utils.ParseAuditDetails(log.Details)
 	path := strings.ToLower(extractAuditPath(log))
 	if path != "" && strings.Contains(path, "/api/v1/auth/enchanted-link/init") {
 		return true
@@ -5384,7 +5403,7 @@ func deriveAuthMethod(log domain.AuditLog) string {
 
 	loginID := extractLoginIDFromAuditDetails(log.Details)
 	kind := loginIDKind(loginID)
-	details, _ := parseAuditDetails(log.Details)
+	details, _ := utils.ParseAuditDetails(log.Details)
 	requestBody := extractRequestBody(details)
 	if details != nil {
 		if raw, ok := details["auth_timeline_skip"]; ok {
@@ -5603,7 +5622,7 @@ func extractLoginChallengeFromAuditDetails(details string) string {
 	if details == "" {
 		return ""
 	}
-	payload, err := parseAuditDetails(details)
+	payload, err := utils.ParseAuditDetails(details)
 	if err != nil {
 		return ""
 	}
@@ -5750,12 +5769,12 @@ func extractApprovedSessionIDFromAuditDetails(details string) string {
 }
 
 func (h *AuthHandler) resolveIdentityID(c *fiber.Ctx, token string) (string, error) {
-	id, _, err := h.getKratosIdentity(token)
+	id, _, _, err := h.getKratosIdentity(token)
 	return id, err
 }
 
 func (h *AuthHandler) resolveKratosLoginID(token string) (string, error) {
-	_, traits, err := h.getKratosIdentity(token)
+	_, traits, _, err := h.getKratosIdentity(token)
 	if err != nil {
 		return "", err
 	}
@@ -5943,44 +5962,56 @@ func extractLoginIDFromClaims(claims map[string]any) string {
 	return ""
 }
 
-func (h *AuthHandler) getKratosIdentity(sessionToken string) (string, map[string]interface{}, error) {
-	identityID, traits, _, err := h.getKratosIdentityWithSession(sessionToken)
-	return identityID, traits, err
+func (h *AuthHandler) getKratosIdentity(sessionToken string) (string, map[string]interface{}, string, error) {
+	identityID, traits, _, usedID, err := h.getKratosIdentityWithSession(sessionToken)
+	return identityID, traits, usedID, err
 }
 
-func (h *AuthHandler) getKratosIdentityWithSession(sessionToken string) (string, map[string]interface{}, string, error) {
+func (h *AuthHandler) getKratosIdentityWithSession(sessionToken string) (string, map[string]interface{}, string, string, error) {
 	kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
 	if kratosURL == "" {
 		kratosURL = "http://kratos:4433"
 	}
 	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
 	if err != nil {
-		return "", nil, "", err
+		return "", nil, "", "", err
 	}
 	req.Header.Set("X-Session-Token", sessionToken)
 
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
-		return "", nil, "", err
+		return "", nil, "", "", err
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode >= 300 {
 		body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
-		return "", nil, "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
+		return "", nil, "", "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
 	}
 
 	var result struct {
-		AuthenticatedAt string `json:"authenticated_at"`
-		Identity        struct {
+		AuthenticatedAt       string `json:"authenticated_at"`
+		AuthenticationMethods []struct {
+			Method     string `json:"method"`
+			Identifier string `json:"identifier"`
+		} `json:"authentication_methods"`
+		Identity struct {
 			ID     string                 `json:"id"`
 			Traits map[string]interface{} `json:"traits"`
 		} `json:"identity"`
 	}
 	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
-		return "", nil, "", err
+		return "", nil, "", "", err
 	}
 
-	return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, nil
+	usedIdentifier := ""
+	for _, m := range result.AuthenticationMethods {
+		if m.Identifier != "" {
+			usedIdentifier = m.Identifier
+			break
+		}
+	}
+
+	return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, usedIdentifier, nil
 }
 
 func (h *AuthHandler) getKratosSessionID(sessionToken string) (string, error) {
@@ -6056,44 +6087,56 @@ func (h *AuthHandler) issueKratosSession(ctx context.Context, identityID string)
 	return parsed.SessionToken, nil
 }
 
-func (h *AuthHandler) getKratosIdentityWithCookie(cookie string) (string, map[string]interface{}, error) {
-	identityID, traits, _, err := h.getKratosIdentityWithCookieAndSession(cookie)
-	return identityID, traits, err
+func (h *AuthHandler) getKratosIdentityWithCookie(cookie string) (string, map[string]interface{}, string, error) {
+	identityID, traits, _, usedID, err := h.getKratosIdentityWithCookieAndSession(cookie)
+	return identityID, traits, usedID, err
 }
 
-func (h *AuthHandler) getKratosIdentityWithCookieAndSession(cookie string) (string, map[string]interface{}, string, error) {
+func (h *AuthHandler) getKratosIdentityWithCookieAndSession(cookie string) (string, map[string]interface{}, string, string, error) {
 	kratosURL := strings.TrimRight(os.Getenv("KRATOS_PUBLIC_URL"), "/")
 	if kratosURL == "" {
 		kratosURL = "http://kratos:4433"
 	}
 	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, kratosURL+"/sessions/whoami", nil)
 	if err != nil {
-		return "", nil, "", err
+		return "", nil, "", "", err
 	}
 	req.Header.Set("Cookie", cookie)
 
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
-		return "", nil, "", err
+		return "", nil, "", "", err
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode >= 300 {
 		body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
-		return "", nil, "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
+		return "", nil, "", "", fmt.Errorf("kratos whoami failed status=%d body=%s", resp.StatusCode, string(body))
 	}
 
 	var result struct {
-		AuthenticatedAt string `json:"authenticated_at"`
-		Identity        struct {
+		AuthenticatedAt       string `json:"authenticated_at"`
+		AuthenticationMethods []struct {
+			Method     string `json:"method"`
+			Identifier string `json:"identifier"`
+		} `json:"authentication_methods"`
+		Identity struct {
 			ID     string                 `json:"id"`
 			Traits map[string]interface{} `json:"traits"`
 		} `json:"identity"`
 	}
 	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
-		return "", nil, "", err
+		return "", nil, "", "", err
 	}
 
-	return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, nil
+	usedIdentifier := ""
+	for _, m := range result.AuthenticationMethods {
+		if m.Identifier != "" {
+			usedIdentifier = m.Identifier
+			break
+		}
+	}
+
+	return result.Identity.ID, result.Identity.Traits, result.AuthenticatedAt, usedIdentifier, nil
 }
 
 func (h *AuthHandler) getKratosSessionIDWithCookie(cookie string) (string, error) {
@@ -6228,33 +6271,41 @@ func (h *AuthHandler) mapKratosIdentityToProfile(identityID string, traits map[s
 	return profile
 }
 
-func (h *AuthHandler) applySessionAuthenticatedAtFromWhoami(profile *domain.UserProfileResponse, authenticatedAt string) *domain.UserProfileResponse {
+func (h *AuthHandler) applySessionInfoFromWhoami(profile *domain.UserProfileResponse, authenticatedAt, usedIdentifier string) *domain.UserProfileResponse {
 	if profile == nil {
 		return nil
 	}
 	profile.SessionAuthenticatedAt = strings.TrimSpace(authenticatedAt)
+	if usedIdentifier != "" {
+		if profile.Metadata == nil {
+			profile.Metadata = make(map[string]any)
+		}
+		profile.Metadata["_used_identifier"] = usedIdentifier
+	}
 	return profile
 }
 
 func (h *AuthHandler) getKratosProfile(sessionToken string) (*domain.UserProfileResponse, error) {
-	identityID, traits, authenticatedAt, err := h.getKratosIdentityWithSession(sessionToken)
+	identityID, traits, authenticatedAt, usedIdentifier, err := h.getKratosIdentityWithSession(sessionToken)
 	if err != nil {
 		return nil, err
 	}
-	return h.applySessionAuthenticatedAtFromWhoami(
+	return h.applySessionInfoFromWhoami(
 		h.mapKratosIdentityToProfile(identityID, traits),
 		authenticatedAt,
+		usedIdentifier,
 	), nil
 }
 
 func (h *AuthHandler) getKratosProfileWithCookie(cookie string) (*domain.UserProfileResponse, error) {
-	identityID, traits, authenticatedAt, err := h.getKratosIdentityWithCookieAndSession(cookie)
+	identityID, traits, authenticatedAt, usedIdentifier, err := h.getKratosIdentityWithCookieAndSession(cookie)
 	if err != nil {
 		return nil, err
 	}
-	return h.applySessionAuthenticatedAtFromWhoami(
+	return h.applySessionInfoFromWhoami(
 		h.mapKratosIdentityToProfile(identityID, traits),
 		authenticatedAt,
+		usedIdentifier,
 	), nil
 }
 
@@ -6272,13 +6323,13 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
 		err        error
 	)
 	if token != "" {
-		identityID, traits, err = h.getKratosIdentity(token)
+		identityID, traits, _, err = h.getKratosIdentity(token)
 	} else {
 		cookie := c.Get("Cookie")
 		if cookie == "" {
 			return errorJSON(c, fiber.StatusUnauthorized, "Missing authorization token")
 		}
-		identityID, traits, err = h.getKratosIdentityWithCookie(cookie)
+		identityID, traits, _, err = h.getKratosIdentityWithCookie(cookie)
 	}
 	if err != nil {
 		return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -6331,27 +6382,35 @@ func (h *AuthHandler) UpdateMe(c *fiber.Ctx) error {
 
 	// [LoginID Sync based on Tenant Settings]
 	// Perform sync AFTER metadata merge to ensure traits contains current values
-	syncCompCode := extractTraitString(traits, "companyCode")
-	if syncCompCode != "" && h.TenantService != nil {
-		if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), syncCompCode); err == nil && tenant != nil {
-			if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
-				syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
+	loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, traits, req.Metadata, identityID)
+
+	// Validate all collected LoginIDs
+	userEmail := extractTraitString(traits, "email")
+	userPhone := extractTraitString(traits, "phone_number")
+	if collectedIDs, ok := traits["custom_login_ids"].([]string); ok {
+		for _, lid := range collectedIDs {
+			if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
+				return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
 			}
 		}
 	}
 
-	finalLoginID := extractTraitString(traits, "id")
-	userEmail := extractTraitString(traits, "email")
-	userPhone := extractTraitString(traits, "phone")
-	if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
-		return errorJSON(c, fiber.StatusBadRequest, err.Error())
-	}
-
 	if err := h.updateKratosIdentity(identityID, traits); err != nil {
 		slog.Error("Failed to update profile in Kratos", "error", err)
 		return errorJSON(c, fiber.StatusInternalServerError, "프로필 업데이트에 실패했습니다.")
 	}
 
+	// [New] Local DB Sync - Sync synchronously to ensure immediate consistency
+	if h.UserRepo != nil {
+		ctx := context.Background()
+		// Also update local User record (read-model)
+		// We can fetch updated identity or just map current traits
+		// Since mapKratosIdentityToProfile is for UI, let's just use UpdateUserLoginIDs first
+		if err := h.UserRepo.UpdateUserLoginIDs(ctx, identityID, loginIDRecords); err != nil {
+			slog.Error("[UpdateMe] Failed to update user login IDs", "userID", identityID, "error", err)
+		}
+	}
+
 	// Invalidate token-based profile cache so refreshed /user/me returns latest traits.
 	if h.RedisService != nil && token != "" {
 		cacheKey := "cache:profile:token:" + token
@@ -6396,7 +6455,7 @@ func (h *AuthHandler) ChangeMyPassword(c *fiber.Ctx) error {
 		if cookie == "" {
 			return errorJSON(c, fiber.StatusUnauthorized, "Missing authorization token")
 		}
-		_, traits, err := h.getKratosIdentityWithCookie(cookie)
+		_, traits, _, err := h.getKratosIdentityWithCookie(cookie)
 		if err != nil {
 			return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
 		}
@@ -6434,7 +6493,7 @@ func (h *AuthHandler) SendUpdateCode(c *fiber.Ctx) error {
 		if cookie == "" {
 			return errorJSON(c, fiber.StatusUnauthorized, "Unauthorized")
 		}
-		userID, _, err = h.getKratosIdentityWithCookie(cookie)
+		userID, _, _, err = h.getKratosIdentityWithCookie(cookie)
 	}
 	if err != nil || userID == "" {
 		return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -6475,7 +6534,7 @@ func (h *AuthHandler) VerifyUpdateCode(c *fiber.Ctx) error {
 		if cookie == "" {
 			return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
 		}
-		userID, _, err = h.getKratosIdentityWithCookie(cookie)
+		userID, _, _, err = h.getKratosIdentityWithCookie(cookie)
 	}
 	if err != nil || userID == "" {
 		return errorJSON(c, fiber.StatusUnauthorized, "Invalid session")
@@ -6625,7 +6684,7 @@ func (h *AuthHandler) ListRpHistory(c *fiber.Ctx) error {
 	// Logs are DESC (newest first). Iterate in reverse (oldest first) to build state.
 	for i := len(logs) - 1; i >= 0; i-- {
 		log := logs[i]
-		details, _ := parseAuditDetails(log.Details)
+		details, _ := utils.ParseAuditDetails(log.Details)
 		clientID, _ := details["client_id"].(string)
 		if clientID == "" {
 			continue
diff --git a/backend/internal/handler/auth_handler_async_test.go b/backend/internal/handler/auth_handler_async_test.go
index d206f48c..2b3a0caa 100644
--- a/backend/internal/handler/auth_handler_async_test.go
+++ b/backend/internal/handler/auth_handler_async_test.go
@@ -80,7 +80,13 @@ func (m *AsyncMockUserRepo) Create(ctx context.Context, user *domain.User) error
 	}
 	return args.Error(0)
 }
-func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error { return nil }
+func (m *AsyncMockUserRepo) Update(ctx context.Context, user *domain.User) error {
+	args := m.Called(ctx, user)
+	if m.createCalled != nil {
+		m.createCalled <- true
+	}
+	return args.Error(0)
+}
 func (m *AsyncMockUserRepo) Delete(ctx context.Context, id string) error         { return nil }
 func (m *AsyncMockUserRepo) FindByEmail(ctx context.Context, email string) (*domain.User, error) {
 	return nil, nil
@@ -114,6 +120,22 @@ func (m *AsyncMockUserRepo) CountByCompanyCodes(ctx context.Context, codes []str
 	return nil, nil
 }
 
+func (m *AsyncMockUserRepo) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
+	return nil
+}
+
+func (m *AsyncMockUserRepo) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
+	return nil, nil
+}
+
+func (m *AsyncMockUserRepo) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
+	return false, nil
+}
+
+func (m *AsyncMockUserRepo) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
+	return "", nil
+}
+
 type AsyncMockRedisRepo struct {
 	mock.Mock
 }
@@ -254,7 +276,7 @@ func TestSignup_AsyncDB_Isolation(t *testing.T) {
 
 		// UserRepo Mocks (Async & Failure)
 		mockUserRepo.createCalled = make(chan bool, 1)
-		mockUserRepo.On("Create", mock.Anything, mock.MatchedBy(func(u *domain.User) bool {
+		mockUserRepo.On("Update", mock.Anything, mock.MatchedBy(func(u *domain.User) bool {
 			return u.Email == email
 		})).Return(errors.New("db connection error"))
 
diff --git a/backend/internal/handler/dev_handler.go b/backend/internal/handler/dev_handler.go
index 745f3f98..e4b7b8e0 100644
--- a/backend/internal/handler/dev_handler.go
+++ b/backend/internal/handler/dev_handler.go
@@ -4,6 +4,7 @@ import (
 	"baron-sso-backend/internal/domain"
 	"baron-sso-backend/internal/repository"
 	"baron-sso-backend/internal/service"
+	"baron-sso-backend/internal/utils"
 	"context"
 	"crypto/rand"
 	"encoding/base64"
@@ -2106,7 +2107,7 @@ func (h *DevHandler) matchesDevAuditFilter(
 	if !strings.Contains(logItem.EventType, "/api/v1/dev/") {
 		return false
 	}
-	details, _ := parseAuditDetails(logItem.Details)
+	details, _ := utils.ParseAuditDetails(logItem.Details)
 	if statusFilter != "" && statusFilter != "all" && strings.ToLower(logItem.Status) != statusFilter {
 		return false
 	}
diff --git a/backend/internal/handler/tenant_handler_test.go b/backend/internal/handler/tenant_handler_test.go
index f6e785ca..b740f0d2 100644
--- a/backend/internal/handler/tenant_handler_test.go
+++ b/backend/internal/handler/tenant_handler_test.go
@@ -131,6 +131,22 @@ func (m *MockUserRepoForHandler) CountByCompanyCodes(ctx context.Context, codes
 	return args.Get(0).(map[string]int64), args.Error(1)
 }
 
+func (m *MockUserRepoForHandler) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
+	return nil
+}
+
+func (m *MockUserRepoForHandler) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
+	return nil, nil
+}
+
+func (m *MockUserRepoForHandler) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
+	return false, nil
+}
+
+func (m *MockUserRepoForHandler) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
+	return "", nil
+}
+
 func TestTenantHandler_CreateTenant(t *testing.T) {
 	app := fiber.New()
 	mockSvc := new(MockTenantService)
diff --git a/backend/internal/handler/user_handler.go b/backend/internal/handler/user_handler.go
index 1855b699..3933606b 100644
--- a/backend/internal/handler/user_handler.go
+++ b/backend/internal/handler/user_handler.go
@@ -35,9 +35,10 @@ type UserHandler struct {
 	KetoOutboxRepo repository.KetoOutboxRepository
 	UserRepo       repository.UserRepository
 	UserGroupRepo  repository.UserGroupRepository
+	AuditRepo      domain.AuditRepository
 }
 
-func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository) *UserHandler {
+func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProviderAPI, tenantService service.TenantService, ketoService service.KetoService, ketoOutboxRepo repository.KetoOutboxRepository, userRepo repository.UserRepository, userGroupRepo repository.UserGroupRepository, auditRepo domain.AuditRepository) *UserHandler {
 	return &UserHandler{
 		KratosAdmin:    kratosAdmin,
 		OryProvider:    oryProvider,
@@ -46,6 +47,7 @@ func NewUserHandler(kratosAdmin service.KratosAdminService, oryProvider OryProvi
 		KetoOutboxRepo: ketoOutboxRepo,
 		UserRepo:       userRepo,
 		UserGroupRepo:  userGroupRepo,
+		AuditRepo:      auditRepo,
 	}
 }
 
@@ -53,6 +55,7 @@ type userSummary struct {
 	ID              string          `json:"id"`
 	Email           string          `json:"email"`
 	LoginID         string          `json:"loginId,omitempty"`
+	CustomLoginIDs  []string        `json:"customLoginIds,omitempty"` // [New] 다중 로그인 ID 목록
 	Name            string          `json:"name"`
 	Phone           string          `json:"phone"`
 	Role            string          `json:"role"`
@@ -325,40 +328,23 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 
 	// [Override with explicit LoginID if provided]
 	if req.LoginID != "" {
-		attributes["id"] = req.LoginID
+		if ids, ok := attributes["custom_login_ids"].([]string); ok {
+			attributes["custom_login_ids"] = append(ids, req.LoginID)
+		} else {
+			attributes["custom_login_ids"] = []string{req.LoginID}
+		}
 	}
 
-	// [Resolve TenantID and LoginID before Kratos creation]
+	// [Resolve TenantID and Custom Login IDs before Kratos creation]
 	var tenantID string
-	synced := false
 	if req.CompanyCode != "" && h.TenantService != nil {
 		if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode); err == nil && tenant != nil {
 			tenantID = tenant.ID
-
-			// Sync custom field to LoginID if configured
-			if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
-				syncLoginID(attributes, req.Metadata, tenantID, loginIdField)
-				synced = true
-			}
 		}
 	}
 
-	// Fallback: Try syncing based on the tenant namespaces being updated
-	if !synced && h.TenantService != nil {
-		for k := range req.Metadata {
-			if len(k) >= 32 { // Looks like a UUID (tenant ID)
-				if tenant, err := h.TenantService.GetTenant(c.Context(), k); err == nil && tenant != nil {
-					if tenantID == "" {
-						tenantID = tenant.ID
-					}
-					if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
-						syncLoginID(attributes, req.Metadata, tenant.ID, loginIdField)
-						break
-					}
-				}
-			}
-		}
-	}
+	// Collect and sync all custom login IDs based on tenant schemas
+	loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, req.Metadata, "")
 
 	attributes["role"] = role
 	if tenantID != "" {
@@ -373,22 +359,25 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 		}
 	}
 
-	finalLoginID := extractTraitString(attributes, "id")
-	if err := domain.ValidateLoginID(finalLoginID, email, normalizePhoneNumber(req.Phone)); err != nil {
-		return errorJSON(c, fiber.StatusBadRequest, err.Error())
+	// Validate all collected LoginIDs
+	if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
+		for _, lid := range collectedIDs {
+			if err := domain.ValidateLoginID(lid, email, normalizePhoneNumber(req.Phone)); err != nil {
+				return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
+			}
+		}
 	}
 
 	brokerUser := &domain.BrokerUser{
 		Email:       email,
-		LoginID:     finalLoginID,
 		Name:        name,
 		PhoneNumber: normalizePhoneNumber(req.Phone),
 		Attributes:  attributes,
 	}
 
 	// [Validation] Based on Tenant Schema
-	if req.CompanyCode != "" && h.TenantService != nil {
-		tenant, err := h.TenantService.GetTenantBySlug(c.Context(), req.CompanyCode)
+	if tenantID != "" && h.TenantService != nil {
+		tenant, err := h.TenantService.GetTenant(c.Context(), tenantID)
 		if err == nil && tenant != nil {
 			if schema, ok := tenant.Config["userSchema"].([]interface{}); ok {
 				if err := h.validateMetadata(req.Metadata, schema, true); err != nil {
@@ -400,8 +389,8 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 
 	identityID, err := h.OryProvider.CreateUser(brokerUser, password)
 	if err != nil {
-		if strings.Contains(err.Error(), "already exists") {
-			return errorJSON(c, fiber.StatusConflict, "email already exists")
+		if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "exists already") {
+			return errorJSON(c, fiber.StatusConflict, "이미 사용 중인 식별자(이메일/전화번호/사번 등)입니다.")
 		}
 		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
 	}
@@ -424,6 +413,14 @@ func (h *UserHandler) CreateUser(c *fiber.Ctx) error {
 			slog.Error("[UserHandler] Failed to sync new user to local DB", "email", localUser.Email, "error", err)
 		}
 
+		// Update User Login IDs in local DB
+		for i := range loginIDRecords {
+			loginIDRecords[i].UserID = localUser.ID
+		}
+		if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
+			slog.Error("[UserHandler] Failed to update user login IDs", "userID", localUser.ID, "error", err)
+		}
+
 		// [Keto] Sync relations via Outbox (Synchronous for accurate counting)
 		if h.KetoOutboxRepo != nil {
 			// 1. Role based relations
@@ -580,15 +577,8 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
 			"role":            role,
 		}
 
-		// Override with explicit LoginID if provided
-		if item.LoginID != "" {
-			attributes["id"] = item.LoginID
-		}
-
-		// Sync LoginID from configured custom field (overrides explicit LoginID)
-		if tItem.LoginIDField != "" {
-			syncLoginID(attributes, item.Metadata, tItem.ID, tItem.LoginIDField)
-		}
+		// Sync all custom login IDs based on tenant schemas
+		loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, attributes, item.Metadata, "")
 
 		// Merge metadata
 		for k, v := range item.Metadata {
@@ -597,28 +587,36 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
 			}
 		}
 
-		finalLoginID := extractTraitString(attributes, "id")
 		userEmail := email
 		userPhone := normalizePhoneNumber(item.Phone)
 
-		if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
-			results = append(results, bulkUserResult{Email: email, Success: false, Message: err.Error()})
-			continue
+		// Validate all collected LoginIDs
+		if collectedIDs, ok := attributes["custom_login_ids"].([]string); ok {
+			valid := true
+			for _, lid := range collectedIDs {
+				if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
+					results = append(results, bulkUserResult{Email: email, Success: false, Message: "Invalid LoginID (" + lid + "): " + err.Error()})
+					valid = false
+					break
+				}
+			}
+			if !valid {
+				continue
+			}
 		}
 
 		identityID, err := h.OryProvider.CreateUser(&domain.BrokerUser{
 			Email:       userEmail,
-			LoginID:     finalLoginID,
 			Name:        item.Name,
 			PhoneNumber: userPhone,
 			Attributes:  attributes,
 		}, password)
 		if err != nil {
 			// 만약 이미 존재하는 사용자라면 로컬 DB 및 Keto 관계만 업데이트(Sync)를 시도
-			if strings.Contains(err.Error(), "already exists") {
+			if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "already exists") || strings.Contains(err.Error(), "exists already") {
 				identityID, err = h.KratosAdmin.FindIdentityIDByIdentifier(c.Context(), email)
 				if err != nil || identityID == "" {
-					results = append(results, bulkUserResult{Email: email, Success: false, Message: "이미 존재하는 사용자지만 ID를 찾을 수 없습니다."})
+					results = append(results, bulkUserResult{Email: email, Success: false, Message: "이미 다른 사용자가 해당 식별자(이메일/사번 등)를 사용 중입니다."})
 					continue
 				}
 				slog.Info("BulkCreate: User already exists, syncing local DB and Keto", "email", email, "identityID", identityID)
@@ -634,7 +632,6 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
 			localUser := &domain.User{
 				ID:              identityID,
 				Email:           email,
-				LoginID:         extractTraitString(attributes, "id"),
 				Name:            name,
 				Phone:           normalizePhoneNumber(item.Phone),
 				Role:            role,
@@ -660,6 +657,14 @@ func (h *UserHandler) BulkCreateUsers(c *fiber.Ctx) error {
 				slog.Error("Failed to sync bulk user to local DB", "email", email, "error", err)
 			}
 
+			// Update User Login IDs in local DB
+			for i := range loginIDRecords {
+				loginIDRecords[i].UserID = localUser.ID
+			}
+			if err := h.UserRepo.UpdateUserLoginIDs(c.Context(), localUser.ID, loginIDRecords); err != nil {
+				slog.Error("Failed to update user login IDs in bulk", "userID", localUser.ID, "error", err)
+			}
+
 			if h.KetoOutboxRepo != nil {
 				// 1. Sync Role based relationship
 				h.syncKetoRole(c.Context(), localUser.ID, role, "", "", localUser.TenantID)
@@ -961,10 +966,6 @@ func (h *UserHandler) BulkUpdateUsers(c *fiber.Ctx) error {
 				}
 			}
 
-			if localUser.LoginID == "" {
-				localUser.LoginID = localUser.ID
-			}
-
 			_ = h.UserRepo.Update(c.Context(), localUser)
 
 			// [Keto Sync]
@@ -1184,20 +1185,12 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 		traits["role"] = role
 	}
 
-	// [Override with explicit LoginID if provided]
-	// This is done FIRST so that if a custom loginIdField is configured in the tenant,
-	// the metadata sync below will override this explicit value, preventing the UI's
-	// pre-filled explicit loginId from clobbering the updated custom field.
-	if req.LoginID != nil && *req.LoginID != "" {
-		traits["id"] = *req.LoginID
-	}
-
 	// [Namespaced Metadata Sync]
 	coreTraits := map[string]bool{
 		"email": true, "name": true, "phone_number": true,
 		"grade": true, "companyCode": true, "department": true,
 		"affiliationType": true, "role": true, "tenant_id": true,
-		"id": true,
+		"custom_login_ids": true, "id": true,
 	}
 
 	// For namespaced metadata, we don't delete everything, we merge.
@@ -1221,51 +1214,29 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 
 	// [LoginID Sync based on Tenant Settings]
 	// Perform sync AFTER metadata merge to ensure traits contains current values
-	syncCompCode := extractTraitString(traits, "companyCode")
-	synced := false
+	loginIDRecords := syncCustomLoginIDs(c.Context(), h.TenantService, traits, req.Metadata, userID)
 
-	if syncCompCode != "" && h.TenantService != nil {
-		if tenant, err := h.TenantService.GetTenantBySlug(c.Context(), syncCompCode); err == nil && tenant != nil {
-			if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
-				syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
-				synced = true
-			}
-		}
-	}
-
-	// Fallback: If companyCode is empty or didn't sync, try syncing based on the tenant namespaces being updated
-	if !synced && h.TenantService != nil {
-		for k := range req.Metadata {
-			if len(k) >= 32 { // Looks like a UUID (tenant ID)
-				if tenant, err := h.TenantService.GetTenant(c.Context(), k); err == nil && tenant != nil {
-					if loginIdField, ok := tenant.Config["loginIdField"].(string); ok && loginIdField != "" {
-						syncLoginID(traits, req.Metadata, tenant.ID, loginIdField)
-						synced = true
-						break // Apply first matched tenant config
-					}
-				}
-			}
-		}
-	}
-	finalLoginID := extractTraitString(traits, "id")
+	// Validate all collected LoginIDs
 	userEmail := extractTraitString(traits, "email")
 	userPhone := extractTraitString(traits, "phone_number")
-	if err := domain.ValidateLoginID(finalLoginID, userEmail, userPhone); err != nil {
-		return errorJSON(c, fiber.StatusBadRequest, err.Error())
+	if collectedIDs, ok := traits["custom_login_ids"].([]string); ok {
+		for _, lid := range collectedIDs {
+			if err := domain.ValidateLoginID(lid, userEmail, userPhone); err != nil {
+				return errorJSON(c, fiber.StatusBadRequest, "Invalid LoginID ("+lid+"): "+err.Error())
+			}
+		}
 	}
 
-	// resolvePasswordLoginID might be doing something else but we already have finalLoginID.
-	// We should just use finalLoginID if it's the intended identifier.
-	// But let's check if resolvePasswordLoginID exists and what it returns. Assuming it returns a string.
-	// If it overrides, we assign it. Let's just use finalLoginID for now.
-	finalLoginID = resolvePasswordLoginID(traits)
-
 	state := normalizeKratosState(req.Status)
 
 	slog.Info("[UpdateUser] Calling Kratos UpdateIdentity", "userID", userID, "traits", traits, "state", state)
 
 	updated, err := h.KratosAdmin.UpdateIdentity(c.Context(), userID, traits, state)
 	if err != nil {
+		// [Exception Handling] Check for 409 Conflict (Duplicate Identifier)
+		if strings.Contains(err.Error(), "409") || strings.Contains(err.Error(), "exists already") {
+			return errorJSON(c, fiber.StatusConflict, "이미 다른 사용자가 사용 중인 식별자(이메일/전화번호/사번 등)가 포함되어 있습니다.")
+		}
 		return errorJSON(c, fiber.StatusInternalServerError, err.Error())
 	}
 
@@ -1273,15 +1244,16 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 	if h.UserRepo != nil {
 		updatedLocalUser := h.mapToLocalUser(*updated)
 
-		if updatedLocalUser.LoginID == "" {
-			updatedLocalUser.LoginID = updatedLocalUser.ID
-		}
-
 		ctx := context.Background() // Use request context if appropriate, but sync must finish
 		if err := h.UserRepo.Update(ctx, updatedLocalUser); err != nil {
 			slog.Error("[UserHandler] Failed to sync updated user to local DB", "userID", updatedLocalUser.ID, "error", err)
 		}
 
+		// Update User Login IDs in local DB
+		if err := h.UserRepo.UpdateUserLoginIDs(ctx, updatedLocalUser.ID, loginIDRecords); err != nil {
+			slog.Error("[UserHandler] Failed to update user login IDs", "userID", updatedLocalUser.ID, "error", err)
+		}
+
 		// [Keto Sync] asynchronously as it's less critical for immediate UI count
 		go func() {
 			bgCtx := context.Background()
@@ -1345,7 +1317,9 @@ func (h *UserHandler) UpdateUser(c *fiber.Ctx) error {
 		if h.OryProvider == nil {
 			return errorJSON(c, fiber.StatusServiceUnavailable, "password provider not available")
 		}
-		if err := h.OryProvider.UpdateUserPassword(finalLoginID, *req.Password, nil); err != nil {
+		// [New] Resolve a representative LoginID for the password update call
+		updateLoginID := resolvePasswordLoginID(updated.Traits)
+		if err := h.OryProvider.UpdateUserPassword(updateLoginID, *req.Password, nil); err != nil {
 			return errorJSON(c, fiber.StatusInternalServerError, err.Error())
 		}
 	}
@@ -1408,19 +1382,34 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
 
 	compCode := extractTraitString(traits, "companyCode")
 	slog.Debug("Mapping identity", "email", extractTraitString(traits, "email"), "compCode", compCode)
+
+	var customLoginIDs []string
+	if raw, ok := traits["custom_login_ids"]; ok {
+		if ids, ok := raw.([]interface{}); ok {
+			for _, id := range ids {
+				if s, ok := id.(string); ok {
+					customLoginIDs = append(customLoginIDs, s)
+				}
+			}
+		} else if ids, ok := raw.([]string); ok {
+			customLoginIDs = ids
+		}
+	}
+
 	summary := userSummary{
-		ID:          identity.ID,
-		Email:       extractTraitString(traits, "email"),
-		LoginID:     extractTraitString(traits, "id"), // id in Kratos traits maps to LoginID
-		Name:        extractTraitString(traits, "name"),
-		Phone:       extractTraitString(traits, "phone_number"),
-		Role:        role,
-		Status:      normalizeStatus(identity.State),
-		CompanyCode: compCode,
-		Department:  extractTraitString(traits, "department"),
-		Metadata:    make(domain.JSONMap),
-		CreatedAt:   formatTime(identity.CreatedAt),
-		UpdatedAt:   formatTime(identity.UpdatedAt),
+		ID:             identity.ID,
+		Email:          extractTraitString(traits, "email"),
+		LoginID:        resolvePasswordLoginID(traits),
+		CustomLoginIDs: customLoginIDs,
+		Name:           extractTraitString(traits, "name"),
+		Phone:          extractTraitString(traits, "phone_number"),
+		Role:           role,
+		Status:         normalizeStatus(identity.State),
+		CompanyCode:    compCode,
+		Department:     extractTraitString(traits, "department"),
+		Metadata:       make(domain.JSONMap),
+		CreatedAt:      formatTime(identity.CreatedAt),
+		UpdatedAt:      formatTime(identity.UpdatedAt),
 	}
 
 	// [New] Fetch all manageable tenants (for Multi-tenancy support)
@@ -1438,6 +1427,7 @@ func (h *UserHandler) mapIdentitySummary(ctx context.Context, identity service.K
 		"email": true, "name": true, "phone_number": true,
 		"grade": true, "companyCode": true, "department": true,
 		"affiliationType": true, "role": true, "tenant_id": true,
+		"custom_login_ids": true, "id": true,
 	}
 
 	for k, v := range traits {
@@ -1477,17 +1467,9 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
 		compCode = extractTraitString(traits, "company_code")
 	}
 
-	loginID := extractTraitString(traits, "id")
-	if loginID == "" {
-		// Fallback to UUID to prevent unique constraint violations on idx_tenant_login_id
-		// for users that use email/phone exclusively and don't have a specific loginId trait.
-		loginID = identity.ID
-	}
-
 	user := &domain.User{
 		ID:              identity.ID,
 		Email:           extractTraitString(traits, "email"),
-		LoginID:         loginID,
 		Name:            extractTraitString(traits, "name"),
 		Phone:           extractTraitString(traits, "phone_number"),
 		Role:            role,
@@ -1520,6 +1502,7 @@ func (h *UserHandler) mapToLocalUser(identity service.KratosIdentity) *domain.Us
 		"email": true, "name": true, "phone_number": true,
 		"grade": true, "companyCode": true, "department": true,
 		"affiliationType": true, "role": true, "tenant_id": true, "company_code": true,
+		"custom_login_ids": true, "id": true,
 	}
 	for k, v := range traits {
 		if !coreTraits[k] {
@@ -1628,6 +1611,17 @@ func extractTraitString(traits map[string]interface{}, key string) string {
 }
 
 func resolvePasswordLoginID(traits map[string]interface{}) string {
+	// First check custom_login_ids (array)
+	if raw, ok := traits["custom_login_ids"]; ok {
+		if ids, ok := raw.([]interface{}); ok && len(ids) > 0 {
+			if first, ok := ids[0].(string); ok {
+				return first
+			}
+		} else if ids, ok := raw.([]string); ok && len(ids) > 0 {
+			return ids[0]
+		}
+	}
+	// Fallback to legacy id (if still exists in some old identities)
 	if loginID := strings.TrimSpace(extractTraitString(traits, "id")); loginID != "" {
 		return loginID
 	}
@@ -1637,57 +1631,110 @@ func resolvePasswordLoginID(traits map[string]interface{}) string {
 	return strings.TrimSpace(extractTraitString(traits, "phone_number"))
 }
 
-// syncLoginID ensures that the 'id' trait (used as Kratos identifier) is in sync with the configured custom field.
-func syncLoginID(traits map[string]interface{}, metadata map[string]any, tenantID string, loginIDField string) {
-	if loginIDField == "" {
-		return
+// syncCustomLoginIDs collects all fields marked as isLoginId: true from tenant schemas
+// and populates traits["custom_login_ids"] and returns domain.UserLoginID records for DB.
+func syncCustomLoginIDs(ctx context.Context, tenantService service.TenantService, traits map[string]interface{}, metadata map[string]any, userID string) []domain.UserLoginID {
+	if tenantService == nil {
+		return nil
 	}
 
-	var loginID string
+	var loginIDRecords []domain.UserLoginID
+	var allCustomIDs []string
+	idSet := make(map[string]bool)
 
-	// 1. Check incoming metadata (flat)
-	if val, ok := metadata[loginIDField].(string); ok && val != "" {
-		loginID = val
+	// Collect tenant IDs to check schemas for
+	tenantIDsToCheck := make(map[string]bool)
+	for k, v := range metadata {
+		// Heuristic: if it's a map, it's likely namespaced metadata for a tenant
+		if _, ok := v.(map[string]any); ok {
+			tenantIDsToCheck[k] = true
+		} else if _, ok := v.(map[string]interface{}); ok {
+			tenantIDsToCheck[k] = true
+		}
+	}
+	// Also check primary tenant if available
+	if tid := extractTraitString(traits, "tenant_id"); tid != "" {
+		tenantIDsToCheck[tid] = true
 	}
 
-	// 2. Check incoming metadata (namespaced by tenant ID)
-	if loginID == "" && tenantID != "" {
-		if namespaced, ok := metadata[tenantID].(map[string]any); ok {
-			if val, ok := namespaced[loginIDField].(string); ok && val != "" {
-				loginID = val
+	for tid := range tenantIDsToCheck {
+		tenant, err := tenantService.GetTenant(ctx, tid)
+		if err != nil || tenant == nil {
+			continue
+		}
+
+		schema, ok := tenant.Config["userSchema"].([]interface{})
+		if !ok {
+			continue
+		}
+
+		for _, fieldRaw := range schema {
+			field, ok := fieldRaw.(map[string]interface{})
+			if !ok {
+				continue
 			}
-		} else if namespaced, ok := metadata[tenantID].(map[string]interface{}); ok {
-			if val, ok := namespaced[loginIDField].(string); ok && val != "" {
-				loginID = val
+
+			isLoginId, _ := field["isLoginId"].(bool)
+			if !isLoginId {
+				continue
+			}
+
+			fieldKey, ok := field["key"].(string)
+			if !ok {
+				continue
+			}
+
+			// Try to find value in namespaced metadata first, then flat metadata, then existing traits
+			var val string
+			if namespaced, ok := metadata[tid].(map[string]any); ok {
+				val, _ = namespaced[fieldKey].(string)
+			} else if namespaced, ok := metadata[tid].(map[string]interface{}); ok {
+				val, _ = namespaced[fieldKey].(string)
+			}
+
+			if val == "" {
+				val, _ = metadata[fieldKey].(string)
+			}
+
+			if val == "" {
+				// Check existing trait (namespaced)
+				if namespaced, ok := traits[tid].(map[string]interface{}); ok {
+					val, _ = namespaced[fieldKey].(string)
+				} else if namespaced, ok := traits[tid].(map[string]any); ok {
+					val, _ = namespaced[fieldKey].(string)
+				}
+			}
+
+			if val == "" {
+				// Fallback: Check flat traits
+				val = extractTraitString(traits, fieldKey)
+			}
+
+			if val != "" {
+				if !idSet[val] {
+					idSet[val] = true
+					allCustomIDs = append(allCustomIDs, val)
+				}
+				loginIDRecords = append(loginIDRecords, domain.UserLoginID{
+					UserID:   userID,
+					TenantID: tid,
+					FieldKey: fieldKey,
+					LoginID:  val,
+				})
 			}
 		}
 	}
 
-	// 3. Check merged traits (which includes existing metadata)
-	// Important: Skip this if loginIDField is "id" because traits["id"] is the TARGET,
-	// and we don't want to sync "id" to "id" if we already checked metadata.
-	if loginID == "" && loginIDField != "id" {
-		// Existing trait (flat)
-		if val, ok := traits[loginIDField].(string); ok && val != "" {
-			loginID = val
-		} else if tenantID != "" {
-			// Existing trait (namespaced)
-			if namespaced, ok := traits[tenantID].(map[string]interface{}); ok {
-				if val, ok := namespaced[loginIDField].(string); ok && val != "" {
-					loginID = val
-				}
-			} else if namespaced, ok := traits[tenantID].(map[string]any); ok {
-				if val, ok := namespaced[loginIDField].(string); ok && val != "" {
-					loginID = val
-				}
-			}
-		}
+	if len(allCustomIDs) > 0 {
+		traits["custom_login_ids"] = allCustomIDs
+	} else {
+		delete(traits, "custom_login_ids")
 	}
 
-	if loginID != "" {
-		slog.Info("Syncing LoginID from custom field", "field", loginIDField, "value", loginID, "tenantID", tenantID)
-		traits["id"] = loginID
-	}
+	// Always remove legacy "id" trait to avoid confusion
+	delete(traits, "id")
+
+	return loginIDRecords
 }
 
 func formatTime(value time.Time) string {
@@ -1882,3 +1929,61 @@ func (h *UserHandler) validateMetadataWithAuth(metadata map[string]any, schema [
 
 	return nil
 }
+
+func (h *UserHandler) GetUserRpHistory(c *fiber.Ctx) error {
+	userId := c.Params("id")
+	if userId == "" {
+		return errorJSON(c, fiber.StatusBadRequest, "user id is required")
+	}
+
+	if h.AuditRepo == nil {
+		return errorJSON(c, fiber.StatusServiceUnavailable, "Audit service unavailable")
+	}
+
+	logs, err := h.AuditRepo.FindByUserAndEvents(c.Context(), userId, []string{"consent.granted", "consent.revoked"}, 100)
+	if err != nil {
+		return errorJSON(c, fiber.StatusInternalServerError, "Failed to fetch history")
+	}
+
+	type rpHistoryItem struct {
+		ClientID    string `json:"client_id"`
+		ClientName  string `json:"client_name"`
+		LastLoginAt string `json:"lastLoginAt"`
+		Status      string `json:"status"`
+	}
+
+	historyMap := make(map[string]*rpHistoryItem)
+
+	// Logs are DESC (newest first).
+	for _, log := range logs {
+		details, _ := utils.ParseAuditDetails(log.Details)
+		cid, _ := details["client_id"].(string)
+		if cid == "" {
+			continue
+		}
+
+		if _, exists := historyMap[cid]; !exists {
+			cname, _ := details["client_name"].(string)
+			if cname == "" {
+				cname = cid
+			}
+
+			historyMap[cid] = &rpHistoryItem{
+				ClientID:    cid,
+				ClientName:  cname,
+				LastLoginAt: log.Timestamp.Format(time.RFC3339),
+				Status:      "active", // Default based on latest grant
+			}
+			if log.EventType == "consent.revoked" {
+				historyMap[cid].Status = "revoked"
+			}
+		}
+	}
+
+	result := make([]*rpHistoryItem, 0, len(historyMap))
+	for _, item := range historyMap {
+		result = append(result, item)
+	}
+
+	return c.JSON(result)
+}
diff --git a/backend/internal/handler/user_handler_test.go b/backend/internal/handler/user_handler_test.go
index 945db35e..0927a3c6 100644
--- a/backend/internal/handler/user_handler_test.go
+++ b/backend/internal/handler/user_handler_test.go
@@ -87,6 +87,14 @@ func (m *MockTenantServiceForUser) GetTenantBySlug(ctx context.Context, slug str
 	return args.Get(0).(*domain.Tenant), args.Error(1)
 }
 
+func (m *MockTenantServiceForUser) GetTenant(ctx context.Context, id string) (*domain.Tenant, error) {
+	args := m.Called(ctx, id)
+	if args.Get(0) == nil {
+		return nil, args.Error(1)
+	}
+	return args.Get(0).(*domain.Tenant), args.Error(1)
+}
+
 func (m *MockTenantServiceForUser) ListManageableTenants(ctx context.Context, userID string) ([]domain.Tenant, error) {
 	args := m.Called(ctx, userID)
 	if args.Get(0) == nil {
@@ -117,11 +125,21 @@ func TestUserHandler_BulkCreateUsers(t *testing.T) {
 			Slug: "test-tenant",
 			Config: domain.JSONMap{
 				"userSchema": []interface{}{
-					map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true},
+					map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
 				},
 			},
 		}, nil).Once()
 
+		mockTenant.On("GetTenant", mock.Anything, "t-123").Return(&domain.Tenant{
+			ID:   "t-123",
+			Slug: "test-tenant",
+			Config: domain.JSONMap{
+				"userSchema": []interface{}{
+					map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
+				},
+			},
+		}, nil)
+
 		mockOry.On("GetPasswordPolicy").Return(&domain.PasswordPolicy{MinLength: 8}, nil)
 		mockOry.On("CreateUser", mock.Anything, mock.Anything).Return("u-1", nil).Twice()
 
@@ -188,11 +206,21 @@ func TestUserHandler_BulkCreateUsers(t *testing.T) {
 			Slug: "test-tenant",
 			Config: domain.JSONMap{
 				"userSchema": []interface{}{
-					map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true},
+					map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
 				},
 			},
 		}, nil).Once()
 
+		mockTenant.On("GetTenant", mock.Anything, "t-123").Return(&domain.Tenant{
+			ID:   "t-123",
+			Slug: "test-tenant",
+			Config: domain.JSONMap{
+				"userSchema": []interface{}{
+					map[string]interface{}{"key": "emp_id", "label": "EmpID", "required": true, "isLoginId": true},
+				},
+			},
+		}, nil)
+
 		payload := map[string]interface{}{
 			"users": []map[string]interface{}{
 				{
@@ -391,23 +419,32 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
 			ID:   tenantID,
 			Slug: "test-tenant",
 			Config: domain.JSONMap{
-				"loginIdField": "emp_no",
 				"userSchema": []interface{}{
-					map[string]interface{}{"key": "emp_no", "label": "Employee No"},
+					map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
 				},
 			},
-		}, nil) // Allow multiple calls for validation and sync
+		}, nil)
+		mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
+			ID:   tenantID,
+			Slug: "test-tenant",
+			Config: domain.JSONMap{
+				"userSchema": []interface{}{
+					map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
+				},
+			},
+		}, nil)
 
 		mockTenant.On("ListManageableTenants", mock.Anything, userID).Return([]domain.Tenant{}, nil).Once()
 
-		// Expect traits to include 'id' synced from 'emp_no'
+		// Expect traits to include 'custom_login_ids' synced from 'emp_no'
 		mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
-			return traits["id"] == "E1001"
+			ids, ok := traits["custom_login_ids"].([]string)
+			return ok && len(ids) > 0 && ids[0] == "E1001"
 		}), mock.Anything).Return(&service.KratosIdentity{
 			ID: userID,
 			Traits: map[string]interface{}{
-				"id":    "E1001",
-				"email": "user@test.com",
+				"custom_login_ids": []interface{}{"E1001"},
+				"email":            "user@test.com",
 			},
 		}, nil).Once()
 
@@ -459,7 +496,18 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
 			ID:   tenantID,
 			Slug: "test-tenant",
 			Config: domain.JSONMap{
-				"loginIdField": "emp_no",
+				"userSchema": []interface{}{
+					map[string]interface{}{"key": "emp_no", "isLoginId": true},
+				},
+			},
+		}, nil)
+		mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
+			ID:   tenantID,
+			Slug: "test-tenant",
+			Config: domain.JSONMap{
+				"userSchema": []interface{}{
+					map[string]interface{}{"key": "emp_no", "isLoginId": true},
+				},
 			},
 		}, nil)
 
@@ -467,11 +515,12 @@ func TestUserHandler_UpdateUser_LoginIDSync(t *testing.T) {
 
 		// Even if metadata is empty, it should sync from existing traits
 		mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
-			return traits["id"] == "E2002"
+			ids, ok := traits["custom_login_ids"].([]string)
+			return ok && len(ids) > 0 && ids[0] == "E2002"
 		}), mock.Anything).Return(&service.KratosIdentity{
 			ID: userID,
 			Traits: map[string]interface{}{
-				"id": "E2002",
+				"custom_login_ids": []interface{}{"E2002"},
 			},
 		}, nil).Once()
 
@@ -508,25 +557,42 @@ func TestUserHandler_UpdateUser_PasswordUsesProvider(t *testing.T) {
 	mockKratos.On("GetIdentity", mock.Anything, userID).Return(&service.KratosIdentity{
 		ID: userID,
 		Traits: map[string]interface{}{
-			"id":          "dyddus1210",
-			"email":       "dyddus1210@gmail.com",
-			"companyCode": "test-tenant",
+			"custom_login_ids": []interface{}{"dyddus1210"},
+			"email":            "dyddus1210@gmail.com",
+			"companyCode":      "test-tenant",
+			"tenant_id":        "t-1",
+			"emp_id":           "dyddus1210",
 		},
 	}, nil).Once()
 
 	mockTenant.On("GetTenantBySlug", mock.Anything, "test-tenant").Return(&domain.Tenant{
 		ID:   "t-1",
 		Slug: "test-tenant",
+		Config: domain.JSONMap{
+			"userSchema": []interface{}{
+				map[string]interface{}{"key": "emp_id", "isLoginId": true},
+			},
+		},
+	}, nil)
+	mockTenant.On("GetTenant", mock.Anything, "t-1").Return(&domain.Tenant{
+		ID:   "t-1",
+		Slug: "test-tenant",
+		Config: domain.JSONMap{
+			"userSchema": []interface{}{
+				map[string]interface{}{"key": "emp_id", "isLoginId": true},
+			},
+		},
 	}, nil)
 	mockTenant.On("ListManageableTenants", mock.Anything, userID).Return([]domain.Tenant{}, nil).Once()
 
 	mockKratos.On("UpdateIdentity", mock.Anything, userID, mock.MatchedBy(func(traits map[string]interface{}) bool {
-		return traits["id"] == "dyddus1210"
+		ids, ok := traits["custom_login_ids"].([]string)
+		return ok && len(ids) > 0 && ids[0] == "dyddus1210"
 	}), "").Return(&service.KratosIdentity{
 		ID: userID,
 		Traits: map[string]interface{}{
-			"id":    "dyddus1210",
-			"email": "dyddus1210@gmail.com",
+			"custom_login_ids": []interface{}{"dyddus1210"},
+			"email":            "dyddus1210@gmail.com",
 		},
 	}, nil).Once()
 
@@ -617,27 +683,36 @@ func TestUserHandler_CreateUser_LoginIDSync(t *testing.T) {
 			ID:   tenantID,
 			Slug: "test-tenant",
 			Config: domain.JSONMap{
-				"loginIdField": "emp_no",
 				"userSchema": []interface{}{
-					map[string]interface{}{"key": "emp_no", "label": "Employee No"},
+					map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
+				},
+			},
+		}, nil)
+		mockTenant.On("GetTenant", mock.Anything, tenantID).Return(&domain.Tenant{
+			ID:   tenantID,
+			Slug: "test-tenant",
+			Config: domain.JSONMap{
+				"userSchema": []interface{}{
+					map[string]interface{}{"key": "emp_no", "label": "Employee No", "isLoginId": true},
 				},
 			},
 		}, nil)
 
 		mockOry.On("GetPasswordPolicy").Return(&domain.PasswordPolicy{MinLength: 8}, nil)
 
-		// Expect OryProvider.CreateUser to be called with attributes["id"] synced from metadata
+		// Expect OryProvider.CreateUser to be called with attributes["custom_login_ids"] synced from metadata
 		mockOry.On("CreateUser", mock.MatchedBy(func(user *domain.BrokerUser) bool {
-			return user.LoginID == "E1001" && user.Attributes["id"] == "E1001"
+			customIDs, ok := user.Attributes["custom_login_ids"].([]string)
+			return ok && len(customIDs) > 0 && customIDs[0] == "E1001"
 		}), mock.Anything).Return("u-1", nil).Once()
 
 		// Mock GetIdentity after creation
 		mockKratos.On("GetIdentity", mock.Anything, "u-1").Return(&service.KratosIdentity{
 			ID: "u-1",
 			Traits: map[string]interface{}{
-				"id":          "E1001",
-				"email":       "new@test.com",
-				"companyCode": "test-tenant",
+				"custom_login_ids": []interface{}{"E1001"},
+				"email":            "new@test.com",
+				"companyCode":      "test-tenant",
 			},
 		}, nil).Once()
 
diff --git a/backend/internal/repository/user_repository.go b/backend/internal/repository/user_repository.go
index 98d22726..f1f550f8 100644
--- a/backend/internal/repository/user_repository.go
+++ b/backend/internal/repository/user_repository.go
@@ -21,6 +21,12 @@ type UserRepository interface {
 	CountByTenantIDs(ctx context.Context, tenantIDs []string) (map[string]int64, error)
 	CountByCompanyCodes(ctx context.Context, codes []string) (map[string]int64, error)
 	Delete(ctx context.Context, id string) error
+
+	// Multiple identifiers support
+	UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error
+	GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error)
+	IsLoginIDTaken(ctx context.Context, loginID string) (bool, error)
+	FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error)
 }
 
 type userRepository struct {
@@ -193,3 +199,45 @@ func (r *userRepository) List(ctx context.Context, offset, limit int, search str
 func (r *userRepository) Delete(ctx context.Context, id string) error {
 	return r.db.WithContext(ctx).Delete(&domain.User{}, "id = ?", id).Error
 }
+
+func (r *userRepository) UpdateUserLoginIDs(ctx context.Context, userID string, loginIDs []domain.UserLoginID) error {
+	return r.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
+		// Delete existing login IDs for this user
+		if err := tx.Where("user_id = ?", userID).Delete(&domain.UserLoginID{}).Error; err != nil {
+			return err
+		}
+
+		// Insert new login IDs if any
+		if len(loginIDs) > 0 {
+			if err := tx.Create(&loginIDs).Error; err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+}
+
+func (r *userRepository) GetUserLoginIDs(ctx context.Context, userID string) ([]domain.UserLoginID, error) {
+	var results []domain.UserLoginID
+	if err := r.db.WithContext(ctx).Where("user_id = ?", userID).Find(&results).Error; err != nil {
+		return nil, err
+	}
+	return results, nil
+}
+
+func (r *userRepository) IsLoginIDTaken(ctx context.Context, loginID string) (bool, error) {
+	var count int64
+	if err := r.db.WithContext(ctx).Model(&domain.UserLoginID{}).Where("login_id = ?", loginID).Count(&count).Error; err != nil {
+		return false, err
+	}
+	return count > 0, nil
+}
+
+func (r *userRepository) FindTenantIDByLoginID(ctx context.Context, loginID string) (string, error) {
+	var record domain.UserLoginID
+	if err := r.db.WithContext(ctx).Where("login_id = ?", loginID).First(&record).Error; err != nil {
+		return "", err
+	}
+	return record.TenantID, nil
+}
diff --git a/backend/internal/repository/user_repository_test.go b/backend/internal/repository/user_repository_test.go
index 7d8d421e..4a156178 100644
--- a/backend/internal/repository/user_repository_test.go
+++ b/backend/internal/repository/user_repository_test.go
@@ -94,4 +94,54 @@ func TestUserRepository(t *testing.T) {
 		assert.Equal(t, int64(1), counts["tenant-b"])
 		assert.Equal(t, int64(0), counts["tenant-c"])
 	})
+
+	t.Run("Multi-Identifier Support", func(t *testing.T) {
+		_ = testDB.AutoMigrate(&domain.UserLoginID{})
+		testDB.Exec("DELETE FROM user_login_ids")
+		testDB.Exec("DELETE FROM users")
+
+		user := &domain.User{Email: "multi@test.com", Name: "Multi"}
+		_ = repo.Create(ctx, user)
+
+		t1 := "00000000-0000-0000-0000-000000000001"
+		t2 := "00000000-0000-0000-0000-000000000002"
+
+		loginIDs := []domain.UserLoginID{
+			{UserID: user.ID, TenantID: t1, FieldKey: "emp_id", LoginID: "E001"},
+			{UserID: user.ID, TenantID: t2, FieldKey: "student_id", LoginID: "S001"},
+		}
+
+		err := repo.UpdateUserLoginIDs(ctx, user.ID, loginIDs)
+		assert.NoError(t, err)
+
+		// Get and Verify
+		saved, err := repo.GetUserLoginIDs(ctx, user.ID)
+		assert.NoError(t, err)
+		assert.Len(t, saved, 2)
+
+		// IsLoginIDTaken
+		taken, err := repo.IsLoginIDTaken(ctx, "E001")
+		assert.NoError(t, err)
+		assert.True(t, taken)
+
+		taken, err = repo.IsLoginIDTaken(ctx, "UNKNOWN")
+		assert.NoError(t, err)
+		assert.False(t, taken)
+
+		// FindTenantIDByLoginID
+		tid, err := repo.FindTenantIDByLoginID(ctx, "S001")
+		assert.NoError(t, err)
+		assert.Equal(t, t2, tid)
+
+		// Update (Replace)
+		newList := []domain.UserLoginID{
+			{UserID: user.ID, TenantID: t1, FieldKey: "emp_id", LoginID: "E002"},
+		}
+		err = repo.UpdateUserLoginIDs(ctx, user.ID, newList)
+		assert.NoError(t, err)
+
+		saved, _ = repo.GetUserLoginIDs(ctx, user.ID)
+		assert.Len(t, saved, 1)
+		assert.Equal(t, "E002", saved[0].LoginID)
+	})
 }
diff --git a/backend/internal/service/descope_service.go b/backend/internal/service/descope_service.go
index bbf0f430..c5819fd8 100644
--- a/backend/internal/service/descope_service.go
+++ b/backend/internal/service/descope_service.go
@@ -97,10 +97,13 @@ func (d *DescopeProvider) CreateUser(user *domain.BrokerUser, password string) (
 		return "", fmt.Errorf("descope provider: user already exists")
 	}
 
-	descopeUser := &descope.UserRequest{}
-	descopeUser.Email = user.Email
-	descopeUser.Phone = normalizedPhone
-	descopeUser.Name = user.Name
+	descopeUser := &descope.UserRequest{
+		User: descope.User{
+			Email: user.Email,
+			Name:  user.Name,
+			Phone: normalizedPhone,
+		},
+	}
 	descopeUser.CustomAttributes = map[string]any{}
 	for k, v := range user.Attributes {
 		descopeUser.CustomAttributes[k] = v
diff --git a/backend/internal/service/ory_service.go b/backend/internal/service/ory_service.go
index 88dbffd6..0eb08d68 100644
--- a/backend/internal/service/ory_service.go
+++ b/backend/internal/service/ory_service.go
@@ -43,7 +43,7 @@ func (o *OryProvider) Name() string {
 func (o *OryProvider) GetMetadata() (*domain.IDPMetadata, error) {
 	return &domain.IDPMetadata{
 		SupportedFields: []string{
-			"id", "login_id", "email", "name", "phone_number",
+			"id", "custom_login_ids", "login_id", "email", "name", "phone_number",
 			"grade", "department", "affiliationType", "companyCode",
 		},
 	}, nil
@@ -67,6 +67,21 @@ func (o *OryProvider) CreateUser(user *domain.BrokerUser, password string) (stri
 		return "", fmt.Errorf("ory provider: identity already exists for email=%s", user.Email)
 	}
 
+	// [New] Check all custom login IDs for collisions
+	for _, lid := range user.CustomLoginIDs {
+		if lid == "" {
+			continue
+		}
+		existing, err := o.findIdentityID(lid)
+		if err != nil {
+			return "", fmt.Errorf("ory provider: search identity failed for %s: %w", lid, err)
+		}
+		if existing != "" {
+			return "", fmt.Errorf("ory provider: identifier %s already exists", lid)
+		}
+	}
+
+	// [Legacy] check single LoginID
 	if user.LoginID != "" {
 		existingLoginID, err := o.findIdentityID(user.LoginID)
 		if err != nil {
@@ -91,13 +106,20 @@ func (o *OryProvider) CreateUser(user *domain.BrokerUser, password string) (stri
 		"email": user.Email,
 		"name":  user.Name,
 	}
-	if user.LoginID != "" {
-		traits["id"] = user.LoginID
+	if len(user.CustomLoginIDs) > 0 {
+		traits["custom_login_ids"] = user.CustomLoginIDs
+	} else if user.LoginID != "" {
+		traits["custom_login_ids"] = []string{user.LoginID}
 	}
+
 	if user.PhoneNumber != "" {
 		traits["phone_number"] = user.PhoneNumber
 	}
 	for k, v := range user.Attributes {
+		// [SoT Fix] Don't let attributes overwrite core traits or use old 'id' trait
+		if k == "id" || k == "email" || k == "custom_login_ids" {
+			continue
+		}
 		traits[k] = v
 	}
 
diff --git a/backend/internal/service/user_group_service.go b/backend/internal/service/user_group_service.go
index f019757e..f4fbe806 100644
--- a/backend/internal/service/user_group_service.go
+++ b/backend/internal/service/user_group_service.go
@@ -243,9 +243,6 @@ func (s *userGroupService) AddMember(ctx context.Context, groupID, userID string
 				localUser.CompanyCode = tenant.Slug
 				localUser.TenantID = &tenant.ID
 				localUser.Department = group.Name
-				if localUser.LoginID == "" {
-					localUser.LoginID = localUser.ID
-				}
 				_ = s.userRepo.Update(ctx, localUser)
 			}
 		}
diff --git a/backend/internal/utils/audit.go b/backend/internal/utils/audit.go
new file mode 100644
index 00000000..07395229
--- /dev/null
+++ b/backend/internal/utils/audit.go
@@ -0,0 +1,17 @@
+package utils
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+func ParseAuditDetails(details string) (map[string]any, error) {
+	var payload map[string]any
+	if details == "" {
+		return nil, fmt.Errorf("empty details")
+	}
+	if err := json.Unmarshal([]byte(details), &payload); err != nil {
+		return nil, err
+	}
+	return payload, nil
+}
diff --git a/docker/ory/kratos/identity.schema.json b/docker/ory/kratos/identity.schema.json
index 3582a5f4..aa605f83 100644
--- a/docker/ory/kratos/identity.schema.json
+++ b/docker/ory/kratos/identity.schema.json
@@ -7,13 +7,16 @@
     "traits": {
       "type": "object",
       "properties": {
-        "id": {
-          "type": "string",
-          "title": "ID",
-          "ory.sh/kratos": {
-            "credentials": {
-              "password": {
-                "identifier": true
+        "custom_login_ids": {
+          "type": "array",
+          "title": "Custom Login IDs",
+          "items": {
+            "type": "string",
+            "ory.sh/kratos": {
+              "credentials": {
+                "password": {
+                  "identifier": true
+                }
               }
             }
           }
diff --git a/userfront/lib/core/services/auth_proxy_service.dart b/userfront/lib/core/services/auth_proxy_service.dart
index e345b42b..5b21ea20 100644
--- a/userfront/lib/core/services/auth_proxy_service.dart
+++ b/userfront/lib/core/services/auth_proxy_service.dart
@@ -964,7 +964,6 @@ class AuthProxyService {
 
   static Future<void> signup({
     required String email,
-    String? loginId,
     required String password,
     required String name,
     required String phone,
@@ -980,12 +979,11 @@ class AuthProxyService {
       headers: {'Content-Type': 'application/json'},
       body: jsonEncode({
         'email': email,
-        if (loginId != null && loginId.isNotEmpty) 'loginId': loginId,
         'password': password,
         'name': name,
         'phone': phone,
         'affiliationType': affiliationType,
-        'companyCode': ?companyCode,
+        'companyCode': companyCode,
         'department': department,
         'termsAccepted': termsAccepted,
       }),
diff --git a/userfront/lib/features/auth/presentation/signup_screen.dart b/userfront/lib/features/auth/presentation/signup_screen.dart
index 20929ec4..bde6317f 100644
--- a/userfront/lib/features/auth/presentation/signup_screen.dart
+++ b/userfront/lib/features/auth/presentation/signup_screen.dart
@@ -32,13 +32,12 @@ class _SignupScreenState extends State<SignupScreen> {
 
   // Controllers
   final _emailController = TextEditingController();
-  final _loginIdController = TextEditingController();
-  final _emailCodeController = TextEditingController();
-  final _phoneController = TextEditingController();
-  final _phoneCodeController = TextEditingController();
+  final _emailCodeController = TextEditingController(); // [Restore]
   final _nameController = TextEditingController();
   final _passwordController = TextEditingController();
   final _confirmPasswordController = TextEditingController();
+  final _phoneController = TextEditingController();
+  final _phoneCodeController = TextEditingController(); // [Restore]
   final _deptController = TextEditingController();
 
   // State
@@ -60,8 +59,6 @@ class _SignupScreenState extends State<SignupScreen> {
   String? _phoneError;
   String? _passwordError;
   String? _confirmPasswordError;
-  String? _loginIdError;
-  String? _loginIdSuccess;
 
   // Timers
   Timer? _emailTimer;
@@ -102,7 +99,6 @@ class _SignupScreenState extends State<SignupScreen> {
     _emailTimer?.cancel();
     _phoneTimer?.cancel();
     _emailController.dispose();
-    _loginIdController.dispose();
     _emailCodeController.dispose();
     _phoneController.dispose();
     _phoneCodeController.dispose();
@@ -316,7 +312,6 @@ class _SignupScreenState extends State<SignupScreen> {
     try {
       await AuthProxyService.signup(
         email: _emailController.text.trim(),
-        loginId: _loginIdController.text.trim(),
         password: _passwordController.text,
         name: _nameController.text.trim(),
         phone: _phoneController.text.trim(),
@@ -1437,95 +1432,6 @@ class _SignupScreenState extends State<SignupScreen> {
                       ),
                     ),
                     const SizedBox(height: 18),
-                    _buildProfileFieldGroup(
-                      title: '로그인 ID (선택)',
-                      description: '이메일/전화번호 외에 별도의 식별자로 로그인할 때 사용합니다.',
-                      isDesktop: isDesktop,
-                      child: Column(
-                        crossAxisAlignment: CrossAxisAlignment.stretch,
-                        children: [
-                          TextFormField(
-                            controller: _loginIdController,
-                            onChanged: (val) {
-                              setState(() {
-                                _loginIdError = null;
-                                _loginIdSuccess = null;
-                              });
-                            },
-                            decoration: InputDecoration(
-                              labelText: '사번 또는 아이디',
-                              border: const OutlineInputBorder(),
-                              errorText: _loginIdError,
-                              suffixIcon: TextButton(
-                                onPressed: _isLoading
-                                    ? null
-                                    : () async {
-                                        final loginId = _loginIdController.text
-                                            .trim();
-                                        if (loginId.isEmpty) {
-                                          setState(
-                                            () => _loginIdError = 'ID를 입력해주세요.',
-                                          );
-                                          return;
-                                        }
-                                        setState(() {
-                                          _isLoading = true;
-                                          _loginIdError = null;
-                                          _loginIdSuccess = null;
-                                        });
-                                        try {
-                                          final result =
-                                              await AuthProxyService.checkLoginIDAvailability(
-                                                loginId,
-                                                companyCode:
-                                                    _affiliationType ==
-                                                        'AFFILIATE'
-                                                    ? _companyCode
-                                                    : null,
-                                              );
-                                          setState(() {
-                                            if (result['available'] == true) {
-                                              _loginIdSuccess = '사용 가능한 ID입니다.';
-                                            } else {
-                                              _loginIdError =
-                                                  result['message'] ??
-                                                  '사용할 수 없는 ID입니다.';
-                                            }
-                                          });
-                                        } catch (e) {
-                                          setState(
-                                            () => _loginIdError = e
-                                                .toString()
-                                                .replaceAll('Exception: ', ''),
-                                          );
-                                        } finally {
-                                          if (mounted) {
-                                            setState(() => _isLoading = false);
-                                          }
-                                        }
-                                      },
-                                child: const Text('중복 확인'),
-                              ),
-                            ),
-                          ),
-                          if (_loginIdSuccess != null)
-                            Padding(
-                              padding: const EdgeInsets.only(
-                                top: 8.0,
-                                left: 12.0,
-                              ),
-                              child: Text(
-                                _loginIdSuccess!,
-                                style: const TextStyle(
-                                  color: Colors.green,
-                                  fontSize: 12,
-                                ),
-                              ),
-                            ),
-                        ],
-                      ),
-                    ),
-                    const SizedBox(height: 18),
                     _buildProfileFieldGroup(
                       title: tr('ui.userfront.signup.profile.affiliation_type'),
                       description: _isAffiliateEmail