To setup a Juju Controller to use an external identity provider the identity provider needs to be configured at bootstrap time using the
allow-model-access settings. For example to bootstrap a controller that use the jujucharms identity provider do the following:
juju bootstrap google \ --config identity-url=https://api.jujucharms.com/identity \ --config allow-model-access=true
identity-url configures the URL of the external identity provider. The identity provider should be a candid server 1.
allow-model-access configures the controller to not check that a user has been explicitly added to the set of users known to the controller before checking if the user has access to a particular model.