SSO
Java EE Policy Agent Setup
The instructions have some details missing.
Click Access Control.
You will see the default Top Level Realm. You can read more from Oracle on what a realm means.
What is the best practice around this? I assume a server usually is with an organization, but if you are a service provider you should create a realm per company you work with for example, dailyplanet and lexcrop. After that, within those realms you might have subrealms, like humanresources where you grant more access.
It looks like each realm also has its own data repository.
So for testing purposes.
References
http://openam.forgerock.org/doc/agent-install-guide/OpenAM-Agent-Install-Guide.html
https://wikis.forgerock.org/confluence/display/openam/Add+Authentication+to+a+Website+using+OpenAM