> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Applications

Applications represent the services you are protecting with the Maverics Orchestrator. When you set up a deployment, you configure three things: **identity providers** (where users authenticate), **applications** (what you are protecting), and the **policies** that connect them. Applications are the "what" -- each one describes a service the Orchestrator manages on behalf of your users.

## How Applications Fit into a Deployment

A typical Maverics deployment looks like this:

1. **Identity Fabric** -- connect one or more identity providers (Entra ID, Okta, LDAP, etc.) that authenticate your users
2. **Applications** -- register the services the Orchestrator protects, each with a type that matches how the service communicates (HTTP, OIDC, SAML, or MCP)
3. **Policies** -- define who can access what, which identity providers handle authentication, and what identity information flows to each application

The Orchestrator sits between your users and your applications. When a request comes in, the Orchestrator matches it to an application, authenticates the user or agent against the configured identity providers, evaluates authorization policies, and then takes the appropriate action -- forwarding the request with injected headers, issuing an OIDC or SAML token, or translating and proxying MCP tool calls to upstream services.

## Applications, Policies, and Identity Providers

In both the Maverics Console and YAML configuration, an application's authentication policies, header mappings, and identity provider bindings are configured directly on the application itself -- there is no separate object that ties them together.

The typical Console workflow is:

1. Create an **Identity Fabric** connector (e.g., Entra ID)
2. Create an **Application** (e.g., a proxy app for your legacy HR portal)
3. Configure the application's authentication policies, header mappings, and identity provider bindings to control sign-on behavior and what identity information reaches the application

In YAML, the same information is configured directly within each application's `policies`, `headers`, and `attrProviders` blocks.

## App Types and Orchestrator Modes

Each application has a type that determines which protocol it uses and which Orchestrator mode it connects to. Choose the app type that matches how your service communicates.

| App Type   | Orchestrator Mode                                           | Protocol   | When to Use                                          |
| ---------- | ----------------------------------------------------------- | ---------- | ---------------------------------------------------- |
| Proxy      | [HTTP Proxy](/reference/modes/http-proxy)                   | HTTP       | Legacy apps -- identity via headers, no code changes |
| OIDC       | [OIDC Provider](/reference/modes/oidc-provider)             | OIDC       | Modern apps with native OpenID Connect support       |
| SAML       | [SAML Provider](/reference/modes/saml-provider)             | SAML 2.0   | Enterprise apps requiring SAML assertions            |
| MCP Proxy  | [AI Identity Gateway](/reference/modes/ai-identity-gateway) | MCP        | AI agents accessing upstream MCP servers             |
| MCP Bridge | [AI Identity Gateway](/reference/modes/ai-identity-gateway) | MCP + REST | Expose REST APIs as MCP tools for AI agents          |

<Note>
  **Looking for Custom APIs?** Custom API endpoints (the `apis[]` configuration) are not an application type. They are managed through [Service Extensions](/reference/orchestrator/service-extensions/custom-apis). In the Console, create and manage APIs from the **Service Extensions** area in the sidebar.
</Note>

<Tip>
  Not sure which type fits your service? See the [Choosing a Mode](/guides/authentication/choosing-a-mode) guide for a decision framework.
</Tip>

## App Type Pages

Each app type has its own page with Console UI setup steps and configuration reference.

<CardGroup cols={2}>
  <Card title="Proxy App" icon="globe" href="/reference/orchestrator/applications/proxy">
    Identity-aware reverse proxy for legacy and header-based applications
  </Card>

  <Card title="OIDC App" icon="openid" href="/reference/orchestrator/applications/oidc">
    Register OIDC clients with the Orchestrator's built-in OIDC Provider
  </Card>

  <Card title="SAML App" icon="shield-halved" href="/reference/orchestrator/applications/saml">
    Register SAML Service Providers with the Orchestrator's SAML Provider
  </Card>

  <Card title="MCP Proxy App" icon="shuffle" href="/reference/orchestrator/applications/mcp-proxy">
    Proxy MCP traffic to upstream MCP servers with identity injection
  </Card>

  <Card title="MCP Bridge App" icon="bridge" href="/reference/orchestrator/applications/mcp-bridge">
    Expose REST APIs as MCP tools using OpenAPI specifications
  </Card>
</CardGroup>

## Related Pages

<CardGroup cols={2}>
  <Card title="Identity Fabric" icon="compass" href="/reference/orchestrator/identity-fabric">
    Configure the identity providers that authenticate users for your applications
  </Card>

  <Card title="Authorization" icon="scale-balanced" href="/reference/orchestrator/authorization">
    Authorization rules that control who can access what
  </Card>

  <Card title="Service Extensions" icon="puzzle-piece" href="/reference/orchestrator/service-extensions">
    Custom request/response modification and API endpoints
  </Card>

  <Card title="Sessions" icon="id-badge" href="/reference/orchestrator/sessions">
    Session storage for user authentication state
  </Card>

  <Card title="Transport Layer Security (TLS)" icon="shield-halved" href="/reference/orchestrator/tls-security">
    Named TLS profiles for upstream connections and IdP communication
  </Card>

  <Card title="Choosing a Mode" icon="signs-post" href="/guides/authentication/choosing-a-mode">
    Decision framework for selecting the right Orchestrator mode
  </Card>
</CardGroup>
