I'm just trying to understand exactly how this process works... I get the first two steps, then things get a bit fuzzy.

1. IDP receives Kerberos token
2. IDP confirms token with KDC

Once the Kerberos token is confirmed as valid, how does the example in the readme take effect (i.e. what is the %Email% value and how is it constructed)?

Property Name: SearchQuery
Property Value: (&(objectclass=person)(mail=%Email%))
Is %Email% still the built {username}@KERB_REALM(S)? If so, how does this benefit over setting the User Attribute in the class?