I think I get this now… as you still need to create the identities in the controller… it’s just that you don’t enrol them…
This is the point of the external signer… which uses the IdP to facilitate the identification.
Not 100% sure yet how a server identity would be used in an IdP… as it does not have a password to authenticate itself… whereas… a client would.
Is this correct? I look forward to your further comments… especially how a server identity would engage with an IdP… I find it totally fascinating.