The following example is the ARPs used by the OhioLINK staff IdP. It releases the eduPersonPrincipalName attribute only to the OhioLINK servers and Internet2.

<?xml version="1.0" encoding="UTF-8"?>
<AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:mace:shibboleth:arp:1.0" xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd" >
        <Description>OhioLINK Staff ARP</Description>
        <Rule>
                <Target>
                        <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">

https://.+\.ohiolink\.edu/shibboleth

</Requester>
                </Target>
                <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
                        <AnyValue release="permit"/>
                </Attribute>
        </Rule>
        <Rule>
                <Target>
                        <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">

https://spaces.internet2.edu/shibboleth

</Requester>
                </Target>
                <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
                        <AnyValue release="permit"/>
                </Attribute>
        </Rule>
</AttributeReleasePolicy>

Browser not supported