Upload
dinhkhue
View
246
Download
1
Embed Size (px)
Citation preview
W H I T E P A P E R
C E N T R I F Y C O R P .
M A Y 2 0 0 8
Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory
The Active Directory-Based Single Sign-On Solution for SAP R/3
A B S T R A C T
Many of the largest, most recognizable and successful organizations use SAP
R/3. But to the end-users within those organizations who need access to SAP
R/3, this means yet another username and password they have to remember
and constantly enter and re-enter. To IT managers, SAP R/3 represents yet
another authentication and identity store to manage. In addition, given the
sensitive nature of the data stored in SAP R/3 systems, there is a compelling
need from both a security and compliance perspective to ensure that
communication and access to that sensitive data is done in a highly secure
manner.
In most organizations, Microsoft’s Active Directory is now the de facto standard
for providing authentication and identity management for Windows systems and
applications. Centrify’s DirectControl extends Active Directory’s reach to UNIX,
Linux, Mac, Java/web and database environments. Centrify DirectControl for
SAP goes one step farther by enabling Active Directory-based single sign-on for
SAP R/3. This means Windows users using SAP GUI and non-Windows users
using SAP Java client can enter their Active Directory credentials to access SAP
R/3 running on UNIX or Linux without having to remember or re-enter another
username and password. And auditors and security professionals can feel safe
that access to SAP R/3 is more secure due to DirectControl’s use of Kerberos.
This white paper describes how Centrify DirectControl for SAP delivers single
sign-on capabilities for SAP R/3 and how this ability translates into major
benefits in the form of increased security, ease of use and enterprise readiness.
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE II
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.
Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Centrify Corporation. All rights reserved.
Centrify is a registered trademark, and DirectControl and DirectAudit are trademarks of Centrify Corporation. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other names used are trademarks of their respective companies
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
WP017-2008-05-18
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE III
Contents
1 Introduction ........................................................................1
2 Challenges with SAP Authentication ....................................2
3 Addressing SAP Authentication Challenges with DirectControl for SAP...........................................................3
3.1 The Centrify DirectControl Solution.................................... 4
3.2 SAP Secure Network Communications (BC-SNC) Overview ...6
3.3 Enterprise Readiness .......................................................6
4 SAP and DirectControl Integration: Step-by-Step ................7
4.1 Join the SAP Server to Active Directory with DirectControl .... 8
4.2 Configure Service and Kerberos ........................................ 8
4.3 Configure SNC on the SAP Server...................................... 9
4.4 Configure the SAP Client ..................................................9
4.5 Single Sign-On Using SNC, Kerberos and Active Directory .. 10
5 Summary ...........................................................................11
6 How to Contact Centrify .....................................................12
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 1
1 Introduction
Centrify DirectControl delivers secure access control and centralized identity
management by seamlessly integrating your UNIX, Linux, Mac, web and database
platforms with Microsoft Active Directory. DirectControl effectively turns a non-
Microsoft system into an Active Directory client, enabling you to secure that system using
the same authentication, authorization and Group Policy services currently deployed for
your Windows systems. With its patent-pending Zone technology, Centrify delivers the
only solution that does not require intrusive reconfiguration of existing systems and
provides the granular administrative control needed to securely manage a diverse set of
systems and applications. With DirectControl, you can fully leverage your investment in
Active Directory to address regulatory compliance, strengthen security, and enhance IT
and end-user efficiency and productivity.
Centrify DirectControl for SAP enables Active Directory-based single sign-on to SAP R/3
servers running on a UNIX or Linux system. This means users who access SAP R/3 via
the SAP GUI client application on Windows workstations and/or via the SAP Java client
on non-Windows workstations can access the desired SAP business application using
their Active Directory user credentials. DirectControl enables this capability via
integration with SAP’s Secure Network Communication (SNC) interface.
Key benefits of Centrify DirectControl for SAP include the ability to:
Increase user satisfaction and reduce user/password-related support calls by
providing users with single sign-on (SSO) access to SAP R/3 through their Active
Directory credentials.
Increase security by allowing IT administrators to disable access not only to Windows
but also to DirectControl-managed systems and applications such as SAP via a single
management tool — Microsoft Active Directory.
Enforce consistent password and other security policies using familiar Active
Directory tools.
Implement encrypted communication between the SAP client and the SAP R/3 server
via DirectControl’s use of Kerberos.
Deploy without intrusive changes to Active Directory.
Simplify compliance with regulatory requirements.
Maximize your existing investment in Active Directory.
Before discussing the details of the DirectControl for SAP solution, let’s first discuss some
of the challenges of SAP authentication.
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 2
2 Challenges with SAP Authentication
SAP R/3 is a mature technology that has been widely used in many organizations for
many years. However, SAP provides many approaches to securing communication and
authenticating end-users to SAP R/3. Understanding and choosing the right approach
can be a confusing and difficult process, often requiring external consulting time and
rationalization with existing security policies and architecture. With the standard SAP-
defined username and password approach to authentication (which is the default
deployment option with SAP R/3), SAP administrators may find that this approach has
some shortcomings when compared to more secure approaches provided by commercial
security software:
Additional usernames and passwords have to be defined and managed in SAP. This
creates a hassle both for end-users, who need to remember another username and
password, and for IT and SAP administrators, who need to deal with password resets
and user account lockouts.
Additional usernames and passwords also create security vulnerability, as end-users
often write down their username and password in order to remember them.
Another security concern arises when end-users leave an organization. Their user
account in SAP (and in Active Directory, and in every system and application they are
provisioned into) needs to be at least deactivated if not completely deprovisioned.
Administrators would prefer to make deprovisioning a periodic task and not a
security issue requiring expensive and complex software and processes that exist just
to manage identities throughout their lifecycle.
Microsoft provides basic information on how to integrate SAP with Active Directory if the
R/3 server is installed on Windows Server. This is of little help to the majority of SAP R/3
customers who have deployed on AIX, HP-UX, Solaris or a flavor of Linux. Alternatives to
using basic username and password authentication for SAP servers installed on UNIX or
Linux include:
Complex and expensive public key infrastructure (PKI) providing access via SSL and
X.509 client certificates.
Pluggable Authentication Modules (“PAM”) to leverage the UNIX operating system
credentials. While the PAM approach can be integrated with Active Directory using
DirectControl for Systems, this is less than an ideal solution because it challenges
end-users to re-enter their Active Directory username and password, depriving them
of the SSO login experience.
Other challenges arise when organizations need enterprise-quality end-to-end support.
For example, Microsoft will support the Windows client side for SSO and authentication,
but does not provide support services for UNIX.
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 3
Other higher-end enterprise features such as cross-domain authentication, failover
support for NTLM, domain controller failover support, large group-based access control,
and access rights reporting are simply not supported with most other approaches.
Based on feedback from SAP R/3 users who needed true enterprise-level SSO capabilities
for working with Active Directory, Centrify has built a dedicated solution that extends
DirectControl to SAP R/3.
3 Addressing SAP Authentication Challenges with DirectControl for SAP
In order to address the challenge of providing a more secure, Active Directory-centric
SSO solution for SAP, Centrify provides a solution that consists of the following
components:
DirectControl for Systems. Centrify DirectControl delivers secure access control
and centralized identity management by seamlessly integrating your UNIX, Linux,
Mac, Java/web and database platforms with Microsoft Active Directory. The
DirectControl Agent effectively turns a non-Microsoft system into an Active Directory
client, enabling you to secure that system using the same operating system-level
authentication, authorization and Group Policy services currently deployed for your
Windows systems. DirectControl is non-intrusive, easy to deploy and manage, and is
the only solution that enables fine-grained operating system access control through
its unique Zone technology.
SAP Secure Network Communication. SAP provides a standard layer for SAP
R/3 to integrate and interface with third-party security software called SNC (Secure
Network Communication). SNC enables a secure connection between SAP clients,
servers and services. This layer is designed to allow third-party security software
providers to cleanly and comprehensively integrate with SAP R/3 to provide security
services such as SSO authentication. In fact, SNC is being developed in the Internet
Engineering Task Force (IETF), an international standards body.
DirectControl for SAP. The DirectControl for SAP module is an extension of SNC
providing single sign-on for an SAP client based on the exchange of Kerberos tickets.
By implementing the Generic Security Services API (GSS-API), DirectControl for SAP
provides the necessary SNC extensions to enable Kerberos ticket exchange from the
SAP client to the SAP server. Additional security, including signing and encrypting of
data that is communicated between the SAP client and server, is provided by
leveraging these Kerberos tickets.
Solution Documentation. DirectControl for SAP includes an installation and
deployment guide. There is also guidance related to configuring your SAP R/3 server,
SNC environment and SAP clients (SAPgui and SAPjava.)
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 4
Solution Support. Licensed Centrify customers who have maintenance contracts
and are running Centrify DirectControl for SAP R/3 can get support for the
integration of DirectControl with SAP R/3.
By packaging the DirectControl Agent for the operating system and SAP SNC, along with
installation and configuration documentation of the DirectControl and SAP products into
a single comprehensive solution, Centrify delivers a true SAP R/3 single sign-on solution
and better interoperability with your enterprise. Not only do you get a finished product
that works — you know who to contact if you encounter problems.
In addition, Centrify addresses a number of issues related to central user attribute
storage, enterprise functionality and complete integration with Active Directory, as
mentioned earlier in this paper.
Let’s take a look at these components in more detail.
3.1 The Centrify DirectControl Solution
Centrify DirectControl delivers secure access control and centralized identity
management by seamlessly integrating your UNIX, Linux, Mac and web platforms with
Microsoft Active Directory. DirectControl effectively turns a non-Microsoft system into an
Active Directory client, enabling you to secure that system using the same authentication,
authorization and Group Policy services currently deployed for your Windows systems.
DirectControl is non-intrusive, easy to deploy and manage, and is the only solution that
enables fine-grained access control through its unique Zone technology.
DirectControl also supports strong Kerberos-based Active Directory authentication for
databases such as IBM’s DB2 and Informix, and for enterprise applications such as SAP.
While many of these platforms offer some type of Kerberos support, setting up and
administering the Kerberos service to talk with Active Directory securely and reliably can
be a complex task on non-Microsoft platforms. With the DirectControl Agent installed,
the host platform becomes Active Directory-aware and can take advantage of active
Directory services — such as automatic updates of Keytab files and Keytab versioning,
automatic time synchronization with Active Directory, local caching for disconnected
mode, and dynamic DNS support — that greatly simplify initial configuration and provide
a much higher degree of maintainability and reliability. The end result is cross-platform
and cross-application single sign-on as shown by Figure 1.
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 5
Figure 1. Centrify eliminates the need for multiple Access Control, Identity and Policy
Management solutions in the distributed environment by consolidating management in Microsoft
Active Directory: one user, one account, one directory, one policy mechanism.
The DirectControl suite is comprised of two main architectural components that
seamlessly integrate with your Active Directory infrastructure:
On UNIX, Linux and Mac systems, a DirectControl Agent is installed on each
server or workstation. The DirectControl Agent, which is natively compiled for each
platform, effectively turns the host system into an Active Directory client, enabling
you to secure that system using the same authentication, access control and Group
Policy services currently deployed for your Windows systems. The agent is not a
single piece of code; rather, it is a central service that interacts with a set of
seamlessly integrated modules that provide services such as web and database single
sign-on and Samba integration. UNIX administrators have a comprehensive
command-line interface for real-time or scripted interaction with Active Directory-
held data.
The DirectControl Management Tools enable both Windows and UNIX
administrators to manage UNIX-specific data stored in Active Directory. The
Windows tools consist of a Microsoft Management Console (MMC) application for all
administrative tasks and centralized reporting and license management. Property
extensions to the Active Directory Users and Computers MMC are also provided, and
DirectControl’s UNIX/Linux/Mac policies are fully integrated into the standard
Group Policy Editor. A browser-based management console also provides cross-
platform access to essential administrative tasks.
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 6
3.2 SAP Secure Network Communications (BC-SNC) Overview
SAP provides a standard layer for SAP R/3 and ERP to integrate and interface with third-
party security software called SNC (Secure Network Communication). SNC protects the
communication between SAP components (client, router, application server, etc.). By
leveraging SNC you can extend the basic user and password authentication used by SAP
to include the protection and benefits of Centrify DirectControl and Active Directory. SNC
is also being developed in the Internet Engineering Task Force (IETF), an international
standards body.
The primary integration point with SNC is via the GSSAPI v2 (Generic Security Services
Application Programming Interface version 2). Centrify DirectControl provides support
for integration via Kerberos and the GSSAPI as depicted below:
Figure 2. Centrify DirectControl integration with SAP.
In addition to providing an interface to authenticate users via DirectControl, SNC also
allow higher levels of security through the configuration of communication integrity
(ensuring that communication has not been tampered or altered) as well as
communication encryption (ensuring that communication is secure in transit).
3.3 Enterprise Readiness
In addition, DirectControl for SAP supports a number of enterprise features that are not
found in other similar solutions.
Full Support for Active Directory Policies. DirectControl for SAP talks directly
to Active Directory; therefore, all native Active Directory features are supported. This
includes support for a centrally managed password policy and flexible user-naming
conventions of Active Directory.
Cross-Domain Authentication. Users who are authenticated members of a
remote domain can access an SAP server joined to another domain if the appropriate
cross-domain trust relationship has been established. This occurs without the user
being prompted for credentials. This is the same behavior that users would expect in
an all-Windows environment.
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 7
Gold Standard Kerberos: Leveraging the MIT reference implementation of
Kerberos, DirectControl delivers the most compatible and mature approach to
Kerberos-based Active Directory authentication for enterprise applications such as
SAP. While many platforms offer some type of Kerberos support, setting up and
administering the Kerberos service to talk with Active Directory securely and reliably
can be a complex task on non-Microsoft platforms. With the DirectControl agent
installed, the host platform becomes Active Directory-aware and can take advantage
of DirectControl services – such as automatic updates of Keytab files and Keytab
versioning, automatic time synchronization with Active Directory, local caching for
disconnected mode, and dynamic DNS support – that greatly simplifies initial
configuration and provides a much higher degree of maintainability and reliability.
4 SAP and DirectControl Integration: Step-by-Step
Once the DirectControl for SAP solution is deployed, the basic steps to the authentication
are as follows:
When a user first signs on to a Windows XP workstation, a Kerberos ticket granting
ticket (tgt) is obtained from Active Directory.
When the user then opens SAPgui, XP requests, via SNC, an SAP service ticket from
the SAP Server/Router using the previously obtained tgt. SNC passes the service
request to the DirectControl Agent.
The DirectControl Agent validates the ticket with Active Directory.
The user is granted access and a secure user session is provided back to the client.
The simple steps to set up the various components of this solution are as follows:
Figure 3: Single Sign-On Flow for SAP R/3 using Active Directory
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 8
1. Join the SAP server to Active Directory with DirectControl.
2. Configure Kerberos and the SAP service.
3. Configure SNC on the SAP server.
4. Configure SNC on the SAPgui.
4.1 Join the SAP Server to Active Directory with DirectControl
The automation scripts included with DirectControl for Systems simplify the installation
and configuration of DirectControl and Active Directory. The installation script will do
the following automatically for you:
You will be prompted for the domain, Zone, and the Active Directory username and
password to be used for joining to Active Directory. The script will offer defaults
based on your current configuration.
Checks are made to ensure that DNS is set up correctly on your system.
PAM and NSS modules are configured correctly.
The machine is joined to the Active Directory domain, and is added to the
DirectControl Zone.
The DirectControl adclient service is started.
Scripts are created to automatically start the correct DirectControl services each time
the system boots.
The configuration information for DirectControl is output to the screen.
4.2 Configure Service and Kerberos
Another utility, adkeytab, is provided with DirectControl to simplify the creation of an
SAP service in Active Directory and to configure the Kerberos stack. This utility will do
the following automatically for you:
Create a new service account in Active Directory for SAP in the currently joined
domain.
Configure the encryption type.
Configure the Keytab file in the Kerberos stack to work correctly based on this new
service account.
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 9
4.3 Configure SNC on the SAP Server
SNC must be enabled and properly configured on each of the SAP servers. The
DirectControl for SAP solution provides instructions that augment the SAP SNC
documentation and OSS notes to accomplish the following:
Install the DirectControl for SAP package into the DirectControl for Systems Agent.
Modify the default and instance profiles to enable and configure SNC.
Modify the SAP server UNIX environment to see the DirectControl libraries and to
renew Kerberos tickets periodically.
Modify the user profiles that are used to leverage SNC and map them to their Active
Directory User Principal Name (UPN).
Figure 4. Mapping of the Active Directory user to the SAP account. Once SAP is configured to use
SNC, it is very straightforward to map an Active Directory user to an SAP user.
4.4 Configure the SAP Client
The SAPgui Client must also be configured to use SNC for SSO to SAP R/3. The
DirectControl for SAP solution provides instructions that augment the SAP SNC
documentation and OSS notes to accomplish the following:
Install the SNC SSO patch for SAPgui.
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 10
Enable Secure Networking Communications and provide the SNC name for the SAP
service.
Similar steps are documented for configuring the SAP Java client as well.
4.5 Single Sign-On Using SNC, Kerberos and Active Directory
Once the SAP server has been joined into Active Directory and the SAP server and clients
have been configured properly, the SAP server can be configured to use the Centrify
DirectControl GSSAPI library to support the authentication to Active Directory.
Figure 5. Single sign-on for SAPgui using Active Directory and Secure Network Communication.
In production the Centrify DirectControl for SAP solution has four primary steps:
The SAP client requests a service ticket using the built-in Kerberos SSP (Security
Service Provider) from the Active Directory KDC (or local cache). This is
accomplished via the cgsskrb5.dll library that translates standard GSS calls to SSP
calls on the client.
The SAP client then connects with the SAP server and presents the service ticket
received from step 1.
The SAP server consumes the request and validates it via the GSS libraries and
Centrify’s DirectControl Agent. Once the request is successfully authenticated with
Active Directory, a User Principal Name (UPN) is provided to the SAP server. This
UPN is mapped to an SAP user in the SNC tab of the user profile.
Finally, when the user is logged on using his Active Directory identity, he is mapped
to the correct SAP user without having to physically provide a username or password.
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 11
5 Summary
In summary, Centrify DirectControl for SAP provides a number of unique features that
enable organizations to leverage Kerberos and Microsoft Active Directory to provide
single sign-on for their SAP users:
SAP users can now use their Active Directory username and password to log in to
their Windows workstation once and then gain SSO into SAP R/3 on UNIX.
SAP authentication is managed securely, using SNC and the Kerberos technology that
is part of DirectControl and Active Directory.
The SAP UNIX systems are securely joined to the Active Directory domain and a
DirectControl Zone and can be controlled and managed centrally through Active
Directory.
Advanced enterprise features such as full support for Active Directory policies, multi-
domain trusted authentication and NTLM support are provided by the DirectControl
software.
The complex and often underestimated tasks of administering a Kerberos service and
managing keytab and configuration files is scripted and automated.
Central password policy is applied to SAP through the Kerberos services.
Any update of DNS, KDC and other Active Directory-relevant information in a
distributed enterprise environment is required to achieve minimum downtime and
maximum security. DirectControl updates this information automatically.
SAP integration is much easier because of Centrify’s SNC module and the
professional support to provide a single point of contact for your problems.
In general, DirectControl is less complex and time-consuming to maintain in
comparison to open source integration solutions, delivering organizations a payback
of the product investment.
Centrify’s professional services and support help to guarantee organizations a faster
resolution in case of technical problems.
The resulting benefits for customers include:
More Secure. SAP is now tightly coupled with Active Directory authentication. In
addition, DirectControl Zone technology gives users the ability to create secure Zones
to help with enforcement of role-based access control to the SAP servers by the ABAP
administrators. DirectControl reports also allow administrators and auditors to
instantly see who has access to corporate resources.
WHITE PAPER SINGLE SIGN-ON FOR SAP R3 WITH CENTRIFY DIRECTCONTROL AND MICROSOFT ACTIVE DIRECTORY
© CENTRIFY CORPORATION 2008. ALL RIGHTS RESERVED. PAGE 12
More Manageable. The resulting solution is easier to configure and maintain.
Administrators have full centralized control over user and group access rights with
the DirectControl Administrator’s Console. Management costs can be reduced
because less time is required to maintain SAP.
Enterprise Ready. By providing pre-packaged, tested SAP binaries and enterprise-
class support, Centrify turns SAP SSO into a solution that any organization can feel
comfortable deploying.
6 How to Contact Centrify
For the latest product information on DirectControl, check out our web site:
http://www.centrify.com/products
See the DirectControl for SAP portal for the latest information on using this solution:
http://www.centrify.com/sap
North America (And All Locations Outside EMEA)
Europe, Middle East, Africa (EMEA)
Centrify Corporation 444 Castro St., Suite 1100 Mountain View, CA 94041 United States
Centrify EMEA Asmec Centre Merlin House Brunel Road Theale, Berkshire, RG7 4AB United Kingdom
Sales: +1 (650) 961-1100 Sales: +44 1189 026580
Enquiries: [email protected] Web site: www.centrify.com