Is there an attribute on the "identities" you do not want. If
there is, then you can utilize some input transformation code where you
can have us "throw away" the record and not save it. This is controlled
by utilizing DELETE_OBJECT"
At first I though that if it were so easy I would have used an LDAP Filter. But then I realized that
handling filters in javascript was a lot more flexible than an LDAP Expression. But still, I couldn't
filter as many unwanted accounts as I wanted.

Then I thought of a hack, an ugly one at that. But one that would allow me to do without a powershell
script. I tried this:

1) Call the OAUTH server and get an authentication token.
2) With the token make a GET Request and get every users employeeID and put them into an array (employeeID is the attribute that I use to match an AD account).
3) If the collected AD.employeeID is in the array, let the operation pass. If not: outputVale = DELETE_OBJECT.

1) and 2) worked, after much testing, in the browser. But alas, when I tried to put the code
(here it is if anyone is curious ) in a transformation script, it failed.

I then realized that the javascript engine of IG is probably nashorn or even rhino.

I'm pretty much giving up on this approach, but I though I'd share it in case anyone feels inclined to
go down the rabbit hole.