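// From Splunk authentication.conf:
//   [authenticationResponseAttrMap_SAML]
//   mail = Email
//   realName = UserName
//   role = Roles

/**
 * Zitadel Actions script for Splunk SAML user mapping.
 *
 * Collects the role keys from the user's grants and emits them as the custom
 * SAML attribute 'Roles', which the Splunk mapping above reads as `role`.
 * Nothing is emitted when the user has no grants or the grants carry no roles.
 * User metadata is not consulted; roles come from grants only.
 *
 * @param {object} ctx - Action context; only `ctx.v1.user.grants` is read
 *   (its `count` and each entry of `grants[].roles`).
 * @param {object} api - Action API; `api.v1.attributes.setCustomAttribute` is
 *   called once with 'Roles', an empty second argument and the role values.
 * @returns {void}
 */
function splunksamlroles(ctx, api) {
  // 'UserName' and 'Email' are deliberately not set here. The author tried
  //   api.v1.attributes.setCustomAttribute('UserName', '', user.human.username);
  //   api.v1.attributes.setCustomAttribute('Email', '', user.human.email);
  // and it only duplicated those attributes; the SAML response would then include:
  //   Email = email@example.com
  //   Email = email@example.com
  //   UserName = example.username
  //   UserName = example.username

  const grantList = ctx.v1.user.grants;

  // `== null` matches both null and undefined, like the original `== undefined`.
  if (grantList == null || grantList.count === 0 || !grantList.grants) {
    return;
  }

  // NOTE(review): roles from every grant are forwarded, with no filter on the
  // project a grant belongs to. If users can hold grants in other projects, a
  // role key there that matches a Splunk role name would be sent to Splunk as
  // well. Confirm whether grants should be restricted to the Splunk project
  // before they are flattened.
  const roles = [];
  grantList.grants.forEach((grant) => {
    // A grant without a roles list contributes nothing instead of throwing.
    (grant.roles || []).forEach((role) => {
      // The same role held through several grants is sent once.
      if (roles.indexOf(role) === -1) {
        roles.push(role);
      }
    });
  });

  // Do not emit an empty 'Roles' attribute; same outcome as having no grants.
  if (roles.length === 0) {
    return;
  }

  api.v1.attributes.setCustomAttribute('Roles', '', ...roles);
}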