GetOut.yaml

---
mapping:
  rules:
  - local:
      user:
        domain: '5821006'
        name: "{D}"
        email: "{At(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)}"
        roles:
          >-
             {Pts(
               let $groups := mapping:get-attributes('http://schemas.xmlsoap.org/claims/Group')
               return 
                 if ($groups = 'admin') then $groups else error(xs:QName('mapping:reject'),'Get out!')
             )}
        expire: "{D}"
  version: RAX-1