
When enterprises talk about identity governance, one question always comes up: how do we connect our governance platform to all the different systems we run?
In Oracle Access Governance Cloud Service (AGCS), the answer lies in connectors — the bridges that allow AGCS to communicate with external applications. Some of these systems are modern SaaS tools with rich APIs. Others are legacy, on-premises platforms hidden behind firewalls.
AGCS supports two main connector models:
1. ICF Gateway (Online, Real-Time)
Think of this as a highway with live traffic. Data flows instantly, requests are processed in real time, and the system stays in sync.
- How it works: AGCS connects directly to applications using APIs (REST, SCIM, SOAP).
- What it’s best for: Cloud apps like Workday, Salesforce, ServiceNow, Oracle Fusion HCM.
- Why it matters: New employees get access immediately, and access removals are near-instant — reducing security risks.
2. Agent-Based (Offline, Batch-Driven)
Now imagine a shuttle bus that runs on a schedule. Instead of constant flow, data is collected, encrypted, and delivered in batches.
- How it works: An AGCS Agent exchanges encrypted files with AGCS through secure storage (OCI, SFTP, etc.).
- What it’s best for: On-premises Active Directory, legacy HRMS, Oracle E-Business Suite.
- Why it matters: Keeps sensitive systems shielded from the internet, while still ensuring identity data gets synchronized.
ICF vs. Agent at a Glance
| Aspect | ICF Gateway (Online) | Agent-Based (Offline) |
| --- | --- | --- |
| Connectivity | Real-time via APIs | Scheduled via encrypted files |
| Use Cases | Cloud SaaS apps | On-prem / air-gapped systems |
| Speed | Instant updates | Depends on batch schedule |
| Strength | Always up to date | Works without APIs or open ports |
Real-World Examples
- Oracle Fusion HCM → Cloud → ICF Gateway (instant updates)
- Salesforce → SaaS → ICF Gateway (REST/SCIM)
- On-Prem Active Directory → Behind firewall → Agent-Based (batch CSV sync)
- Legacy HRMS → No API → Agent-Based (flat-file integration)
Why It Matters
The choice between ICF Gateway and Agent-based integration isn’t just technical — it changes how secure, compliant, and efficient your governance processes are.
- Security: ICF Gateway integrations provide encrypted, API-driven communication, so access changes are reflected instantly across cloud systems. This minimizes risk when someone leaves or changes roles. Agent-based integrations keep systems shielded by design, moving data only through secure, encrypted file transfers — ideal for environments where exposing APIs isn’t possible.
- Compliance: Regulators expect timely control of access. With ICF Gateway, changes are near real-time, making audits smoother. Agent-based, though slower, offers predictability: every batch sync is logged and auditable, which is critical for industries with strict oversight.
- Efficiency: ICF Gateway means new hires get SaaS access within minutes, improving productivity and reducing IT tickets. Agent-based ensures even the most outdated, locked-down systems remain part of the governance framework, without forcing costly modernization.
In practice, most enterprises use both: real-time connectors for cloud apps and agent-based sync for restricted systems. This hybrid model gives organizations the flexibility to cover their entire landscape without compromise.
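To make the "depends on batch schedule" trade-off measurable, the following added example (not Oracle code and not from the original article) computes how long a terminated user's access would persist before the next agent batch run and checks it against a revocation SLA. The schedule, user names, timestamps and the 4-hour SLA are constructed, and it assumes a revocation takes effect at the moment the batch run starts.

```python
from bisect import bisect_left
from datetime import datetime, timedelta

def batch_runs(first_run, interval, count):
    """Constructed schedule: `count` agent sync runs, `interval` apart."""
    return [first_run + i * interval for i in range(count)]

def revocation_lag(terminated_at, runs):
    """Time from a termination until the next batch run picks it up.
    Returns None when no later run exists (the change is still pending)."""
    i = bisect_left(runs, terminated_at)
    return runs[i] - terminated_at if i < len(runs) else None

def audit(terminations, runs, sla):
    """Return (user, lag, status) per termination; status is OK, BREACH or PENDING."""
    report = []
    for user, ts in terminations:
        lag = revocation_lag(ts, runs)
        status = "PENDING" if lag is None else ("OK" if lag <= sla else "BREACH")
        report.append((user, lag, status))
    return report

# Constructed sample data: a daily 02:00 batch on 1-3 March 2024.
RUNS = batch_runs(datetime(2024, 3, 1, 2, 0), timedelta(hours=24), 3)
TERMINATIONS = [
    ("jdoe", datetime(2024, 3, 1, 1, 30)),    # 30 minutes before a run
    ("asmith", datetime(2024, 3, 1, 2, 5)),   # just missed a run, waits for the next
    ("bchan", datetime(2024, 3, 3, 9, 0)),    # after the last known run
]
SLA = timedelta(hours=4)  # hypothetical revocation SLA

if __name__ == "__main__":
    for user, lag, status in audit(TERMINATIONS, RUNS, SLA):
        print(f"{user:8} lag={lag} {status}")
```

The worst case equals the full batch interval, so a system synced by agent needs a schedule at least as frequent as the revocation SLA it is expected to meet.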
The Takeaway
- Use ICF Gateway when the system is modern, API-enabled, and real-time control matters.
- Use Agent-Based when the system is legacy, air-gapped, or behind a firewall, and secure file exchange is the only option.
- Most enterprises will use both, depending on the system.
By offering both models, Oracle AGCS ensures identity governance can keep up with the dual reality of cloud-first innovation and legacy system dependency.
That flexibility is what allows governance to work at enterprise scale.