I think it shouldn't need end-user documentation.
For a remote accounts provider we already have the UI fields and docs. Nothing changes for it, I guess.
On a local accounts provider installation we can replace the existing machine credentials with a new dedicated identity which is created automatically once, during RPM install/update. I'd choose a random user name and a random password. If possible, set it hidden in the Users & Groups page. The credentials should be visible in the UI, like the LDAP provider does, to cut/paste them to a remote host.