Configuring IBM TRIRIGA with Microsoft Exchange 365 and OAuth
There are several steps for configuring IBM® TRIRIGA® Workplace Reservation Manager (Reserve) with Microsoft Exchange 365 and OAuth authorization. For the complete integration to work between TRIRIGA and Microsoft Exchange, you must register two different applications using the OAuth registration process. The first OAuth registration is used for the back-end server communication between TRIRIGA and Microsoft Exchange, and the second OAuth registration is required for integrating TRIRIGA with the Reserve Perceptive app.
Contents
I. Concept
- Exchange to TRIRIGA: Exchange sends meeting requests to TRIRIGA for the room resources that TRIRIGA is managing. This communication is done via the Simple Mail Transfer Protocol (SMTP).
- TRIRIGA to Exchange: TRIRIGA sends messages back to Exchange to accept or reject a meeting request for a managed room. It also sends free/busy data to Exchange so that the Exchange calendars are kept in sync with TRIRIGA. This communication is done via the Microsoft Graph API.
To enable this communication, you must perform initial configuration in both Exchange and TRIRIGA.
II. Registering OAuth to integrate TRIRIGA server with Exchange
To use Microsoft Exchange 365 with TRIRIGA Reserve, you must register an OAuth application with Microsoft Azure, and register the OAuth provider (Microsoft Azure) with TRIRIGA. This registration enables the communication from TRIRIGA Reserve to Exchange.
a. Registering OAuth Application with Microsoft Azure
- Launch the Microsoft Azure app registration screen from the following URL:
- Select New Registration to begin the app registration process.
- Name: Specify the name to identify the registration in the Microsoft Azure portal.
- Account Type: This value may vary depending on your organization's overall use of Microsoft Azure and Microsoft 365. However, for normal TRIRIGA integrations, Single Tenant is sufficient.
- Redirect URL: Select Web from the drop-down list and set the redirect URI to: <TRIRIGA base URL>/p/oauth/signon. For example: https://triapp.company.com/dev/p/oauth/signon
- Specify the client ID, credentials, and certificates.
- Create a client secret by completing the following steps:
- Click Certificates & secrets.
- Click New client secret.
- Provide a description and choose the period after which the client secret expires.
- Click Add.
- Copy the client secret value from the Value column. This value is later provided in the OAuth Application Secret field of the Microsoft OAuth profile record in TRIRIGA. Note: The client secret can only be viewed immediately after creation, so make a note of the value before leaving the page.
- Configure API permissions by completing the following steps:
- Click API permissions. Note: A default User.Read permission for Graph API is available in the API permissions list. You can configure the required permissions by adding them to the existing permissions list.
- Click Add a permission.
- Select Microsoft Graph.
- Click Application permissions to provide permissions for TRIRIGA.
- Select the following permissions:
- Calendars.ReadWrite: Allows TRIRIGA to fetch events in a room's calendar. It retrieves a list of event objects that contains single-instance meetings and series instances (occurrences) of an event for a specified time range, reads an event with its attendees and organizer, and gets the master working-hour events. The permission also allows TRIRIGA to create, update, delete, cancel, accept, decline, and tentatively accept events in a room's calendar.
- Mail.ReadWrite: Allows TRIRIGA to create, read, update, and delete email in resource mailboxes but does not include permission to send mail. This is applicable only to the resource mailboxes and does not include all user mailboxes.
- Click Add permissions.
- Click Grant admin consent for "application name" to provide consent. Note: You need admin access to view the option to grant admin consent.
- Click Yes.
- Click API permissions.
- Limit the application's access to a specific set of mailboxes by configuring access control with the ApplicationAccessPolicy PowerShell cmdlets. For more information, see Limiting application permissions to specific Exchange Online mailboxes.
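Restricting the registration to room mailboxes, as an added example that is not part of the IBM documentation. It uses the Exchange Online PowerShell cmdlets that the step above refers to; the application ID, the mail-enabled security group that holds the managed room mailboxes, and the two test mailboxes are placeholders to replace with your own values. Without such a policy, the Calendars.ReadWrite and Mail.ReadWrite application permissions granted above apply to every mailbox in the tenant.

```powershell
# Added example (not IBM's code): scope the TRIRIGA application registration to
# room mailboxes only, using Exchange Online PowerShell.
# Placeholders to replace:
#   $AppId      Application (Client) ID of the TRIRIGA registration from step II.a
#   $RoomGroup  mail-enabled security group containing the room mailboxes TRIRIGA manages
#   $TestRoom   one room mailbox that is a member of that group
#   $TestUser   an ordinary user mailbox that the app must NOT be able to reach

$AppId     = '00000000-0000-0000-0000-000000000000'   # placeholder
$RoomGroup = 'tririga-rooms@contoso.onmicrosoft.com'  # placeholder
$TestRoom  = 'room-101@contoso.onmicrosoft.com'       # placeholder
$TestUser  = 'alice@contoso.onmicrosoft.com'          # placeholder

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Create the policy. Until one exists, the application permissions granted in
# Azure reach every mailbox in the tenant, not just the rooms.
New-ApplicationAccessPolicy -AppId $AppId `
    -PolicyScopeGroupId $RoomGroup `
    -AccessRight RestrictAccess `
    -Description 'TRIRIGA Reserve: room mailboxes only'

# Verify the effect for one in-scope and one out-of-scope mailbox.
# Expected AccessCheckResult: Granted for the room, Denied for the user.
Test-ApplicationAccessPolicy -Identity $TestRoom -AppId $AppId |
    Select-Object Mailbox, AccessCheckResult
Test-ApplicationAccessPolicy -Identity $TestUser -AppId $AppId |
    Select-Object Mailbox, AccessCheckResult

# Review every policy that applies to this registration.
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }

Disconnect-ExchangeOnline -Confirm:$false
```

A new policy can take some time to propagate, so repeat the Test-ApplicationAccessPolicy checks if the first result is unexpected. Every room that TRIRIGA will manage has to be a member of the scoping group; a room outside it is denied exactly like the user mailbox in the test.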
b. Entering OAuth Provider (Microsoft Azure) in TRIRIGA
After you register an OAuth application with Microsoft Azure, you must enter the OAuth provider (Microsoft Azure) in TRIRIGA. To enter the OAuth provider (and OAuth application), you must create a Microsoft OAuth profile record in TRIRIGA.
- Log in to the TRIRIGA main portal.
- Navigate to .
- Select Add to add a new Microsoft OAuth profile record.
- In the OAuth Setup section, specify the following OAuth settings:
- Name: This name may be displayed to end users, and used in API calls to identify the target record.
- OAuth Provider: Name of the OAuth provider. For example, "Azure" for Microsoft Azure Active Directory. Name is not case-sensitive.
- Access Type: Set the access type as Application (OAuth application with Microsoft Azure).
- Description: A description of this profile, which an application may display to end users.
- OAuth Application Key: Enter the value of the Application (Client) ID field from the above OAuth application registration in Microsoft Azure. This value is required by TRIRIGA Reserve.
- OAuth Application Secret: Enter the value of the client secret Value column from the above OAuth application registration in Microsoft Azure. This value is required by TRIRIGA Reserve.
- OAuth Authorize URL: Enter the tenant-specific URL value of the OAuth 2.0 authorization endpoint (v2) field from the above OAuth application registration in Microsoft Azure. This value is required by TRIRIGA Reserve. For example: https://login.microsoftonline.com/<tenant Id>/oauth2/v2.0/authorize. Note: To obtain the URL value, click Overview on the Azure App registrations page, and then click the Endpoints tab. Copy the value of the OAuth 2.0 authorization endpoint (v2) field.
- OAuth Token URL: Enter the tenant-specific URL value of the OAuth 2.0 token endpoint (v2) field from the above OAuth application registration in Microsoft Azure. This value is required by TRIRIGA Reserve. For example: https://login.microsoftonline.com/<tenant Id>/oauth2/v2.0/token
- OAuth Redirect URL: Enter the value for: <TRIRIGA base URL>/p/oauth/signon. This value is required by TRIRIGA Reserve. For example: https://triapp.company.com/dev/p/oauth/signon
- OAuth Scope: API permissions that are granted to an OAuth application. For Microsoft Azure, enter: .default. This value is required by TRIRIGA Reserve. End users may be asked to approve these permissions when they log in.
- Login section: This section is not used by TRIRIGA Reserve.
- Domain Filter: Specify the domain name for the OAuth profile. For example, <domain name>.onmicrosoft.com. Important: In multiple-tenant Exchange environments, a valid Domain Filter value must be defined for the OAuth profile so that TRIRIGA finds the correct OAuth profile for reserving a room in that particular tenant. However, even in single-tenant Exchange environments, the Domain Filter value must be defined for the Exchange tenant that is being used.
- Use with Exchange: Select this checkbox for processing the reservation request.
- Microsoft Graph Callback URL: The callback URL is used for the Graph Subscriptions setup.
- Save your new Microsoft OAuth profile record.
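A way to check the Application-type profile values outside TRIRIGA, as an added example that is not IBM's code: it requests a token with the same token endpoint, client ID, client secret and .default scope entered above, decodes the token to confirm that the admin-consented permissions appear in its roles claim, and reads one room calendar through the Graph API. The tenant ID, client ID, client secret and room mailbox are placeholders.

```powershell
# Added example (not IBM's code): exercise the values from the Microsoft OAuth
# profile (Access Type = Application) before troubleshooting inside TRIRIGA.
$TenantId     = '<tenant Id>'                        # placeholder
$ClientId     = '<Application (Client) ID>'          # placeholder
$ClientSecret = '<client secret Value>'              # placeholder
$RoomMailbox  = 'room-101@contoso.onmicrosoft.com'   # placeholder

# Same URL as the OAuth Token URL field. The .default scope asks for every
# application permission that received admin consent on the registration.
$tokenUrl = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://graph.microsoft.com/.default'
    grant_type    = 'client_credentials'
}
$token = (Invoke-RestMethod -Method Post -Uri $tokenUrl -Body $body).access_token

# Decode the JWT payload (middle segment, base64url) to read the claims. No
# signature check is needed here: we only inspect a token issued to ourselves.
$payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)     # restore padding
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

"roles in token: $($claims.roles -join ', ')"
foreach ($needed in 'Calendars.ReadWrite', 'Mail.ReadWrite') {
    if ($claims.roles -notcontains $needed) {
        Write-Warning "Application permission $needed is not in the token: grant admin consent and retry"
    }
}

# Read the room calendar for the next 24 hours. A 403 here, with the roles above
# present, usually means an ApplicationAccessPolicy excludes this mailbox.
$start = (Get-Date).ToUniversalTime().ToString('o')
$end   = (Get-Date).AddDays(1).ToUniversalTime().ToString('o')
$uri   = "https://graph.microsoft.com/v1.0/users/$RoomMailbox/calendarView?startDateTime=$start&endDateTime=$end"
$events = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $token" }
$events.value | Select-Object subject,
    @{ n = 'start';     e = { $_.start.dateTime } },
    @{ n = 'organizer'; e = { $_.organizer.emailAddress.address } }
```

Run it from a workstation that can reach login.microsoftonline.com and graph.microsoft.com; the client secret is a credential, so keep it out of shell history and scripts committed to source control.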
III. Registering OAuth to integrate TRIRIGA Perceptive App with Exchange
a1. Registering OAuth Application with Microsoft Azure
- Launch the Microsoft Azure app registration screen from the following URL:
- Select New Registration to begin the app registration process.
- Name: Specify the name to identify the registration in the Microsoft Azure portal.
- Account Type: Select the account type as Accounts in any organizational directory (Any Azure AD directory - Multitenant).
- Redirect URL: Select Web from the drop-down list and set the redirect URI to: https://<tririga_server>/<tririga_context>/app/tririgaRoomReservation/oauth. For example: https://triapp.company.com/dev/app/tririgaRoomReservation/oauth.
- Specify the client ID, credentials, and certificates.
- Create a client secret by completing the following steps:
- Click Certificates & secrets.
- Click New client secret.
- Provide a description and choose the period after which the client secret expires.
- Click Add.
- Copy the client secret value from the Value column. This value is later provided in the OAuth Application Secret field of the Microsoft OAuth profile record in TRIRIGA. Note: The client secret can only be viewed immediately after creation, so make a note of the value before leaving the page.
- Configure API permissions for Microsoft Graph by completing the following steps:
- Click API permissions.
- Click Add a permission.
- Select Microsoft Graph.
- Click Delegated permissions to provide permissions for TRIRIGA.
- Select the following permissions:
- Calendars.ReadWrite: Get full access to user calendars. Allows the app to create, read, update, and delete events in user calendars.
- Contacts.Read: Read user contacts. Allows the app to read the logged-in user's contacts, for example to get the Exchange photo.
- People.Read: Read users' relevant people lists. Allows the app to read a scored list of people relevant to the logged-in user. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications. In the Reserve Perceptive app, this permission allows the logged-in user to retrieve attendees.
- User.Read: Read user profiles. Allows users to sign in to the app and allows the app to read the profile of the logged-in user. It also allows the app to read basic company information of the logged-in user.
- User.ReadBasic.All: Read all users' basic profiles. Allows the app to read a basic set of profile properties of other users in your organization on behalf of the logged-in user. This includes display name, first and last name, email address, open extensions, and photo. Also allows the app to read the full profile of the logged-in user. Reserve uses this permission to create or get a custom field that is unavailable in the Exchange event. For example, the Reserve app stores the Additional Location information in a custom extension.
- Click Add permissions.
- Click Grant admin consent for "application name" to provide consent. Note: You need admin access to view the option to grant admin consent.
- Click Yes.
b1. Entering OAuth Provider (Microsoft Azure) in TRIRIGA
After you register an OAuth application with Microsoft Azure, you must enter the OAuth provider (Microsoft Azure) in TRIRIGA. To enter the OAuth provider (and OAuth application), you must create a Microsoft OAuth profile record in TRIRIGA.
- Log in to the TRIRIGA main portal.
- Navigate to .
- Select Add to add a new Microsoft OAuth profile record.
- In the OAuth Setup section, specify the following OAuth settings:
- Name: This name may be displayed to end users, and used in API calls to identify the target record.
- OAuth Provider: Name of the OAuth provider. For example, "azure" for Microsoft Azure Active Directory.
- Access Type: Set the access type as Both or User Delegate (recommended for delegated permissions).
- Description: A description of this profile, which an application may display to end users.
- OAuth Application Key: Enter the value of the Application (Client) ID field from the above OAuth application registration in Microsoft Azure. This value is required by TRIRIGA Reserve.
- OAuth Application Secret: Enter the value of the client secret Value column from the above OAuth application registration in Microsoft Azure. This value is required by TRIRIGA Reserve.
- OAuth Authorize URL: Enter the tenant-specific URL value of the OAuth 2.0 authorization endpoint (v2) field from the above OAuth application registration in Microsoft Azure. This value is required by TRIRIGA Reserve. For example: https://login.microsoftonline.com/<tenant Id>/oauth2/v2.0/authorize. Note: To obtain the URL value, click Overview on the Azure App registrations page, and then click the Endpoints tab. Copy the value of the OAuth 2.0 authorization endpoint (v2) field.
- OAuth Token URL: Enter the tenant-specific URL value of the OAuth 2.0 token endpoint (v2) field from the above OAuth application registration in Microsoft Azure. This value is required by TRIRIGA Reserve. For example: https://login.microsoftonline.com/<tenant Id>/oauth2/v2.0/token
- OAuth Redirect URL: Enter the value for: <TRIRIGA base URL>/p/oauth/. This value is required by TRIRIGA Reserve. For example: https://<tririga_server>/<tririga_context>/app/tririgaRoomReservation/oauth
- OAuth Scope: API permissions that are granted to an OAuth application. For Microsoft Azure, enter the following scopes:
https://graph.microsoft.com/People.Read https://graph.microsoft.com/Calendars.ReadWrite
https://graph.microsoft.com/User.ReadBasic.All https://graph.microsoft.com/Contacts.Read
offline_access
Note: Users might need to approve these permissions when they log in.
- Login section: This section is not used by TRIRIGA Reserve.
- Domain Filter: Specify the domain name for the OAuth profile. For example, <domain name>.onmicrosoft.com. Important: In multiple-tenant Exchange environments, a valid Domain Filter value must be defined for the OAuth profile so that TRIRIGA finds the correct OAuth profile for reserving a room in that particular tenant. However, even in single-tenant Exchange environments, the Domain Filter value must be defined for the Exchange tenant that is being used.
- Use with Exchange: Clear this checkbox.
- Save your new Microsoft OAuth profile record.
IV. Importing Microsoft 365 SSL certificate
For TRIRIGA to access the Microsoft Graph API, the application server must make an SSL connection to the Microsoft 365 cloud services. This requires the application server to trust the Microsoft 365 SSL certificate. Typically, Java Virtual Machines (JVMs), browsers, and application servers include the signer certificates of most major certificate authorities, so they trust any certificate signed by those authorities, including the certificates used by the Microsoft 365 services. However, high-security application server deployments do not include any certificate authority certificates in the application server trust store as part of the base install. In that case the application server does not trust the Microsoft 365 certificates, and connections to the Graph API service fail with an SSL handshake exception. To resolve this issue, the public root certificate of the certificate authority used by the Microsoft 365 service must be imported into the application server trust store.
The certificate presented by the Microsoft 365 service varies both over time and by region, so these steps might need to be repeated periodically. The procedure varies based on the application server.
For more information about the Microsoft 365 SSL certificate, see Microsoft 365 encryption chains.
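An added example of the trust-store step, not taken from the IBM documentation: it connects to graph.microsoft.com, captures the certificate chain the service currently presents, exports the root CA certificate, imports it into a JVM trust store with keytool, and lists the result. It assumes keytool is on the PATH; the trust-store path, its password and the alias are placeholders, and which trust store the application server actually reads depends on the application server, so confirm the path in its own documentation.

```powershell
# Added example (not IBM's code): capture the root CA behind graph.microsoft.com
# and import it into the JVM trust store used by the TRIRIGA application server.
$GraphHost  = 'graph.microsoft.com'
$TrustStore = 'C:\path\to\application-server\cacerts'   # placeholder trust store path
$StorePass  = 'changeit'                                 # placeholder (JVM default password)
$Alias      = 'ms365-graph-root'                         # placeholder alias

# Open a TLS session and keep a copy of the chain from the validation callback.
# The callback only records the chain; the result of local validation is returned
# unchanged so that an untrusted chain still fails the handshake as it normally would.
$script:chainCerts = @()
$callback = [Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:chainCerts = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    return ($sslPolicyErrors -eq [Net.Security.SslPolicyErrors]::None)
}
$tcp = [Net.Sockets.TcpClient]::new($GraphHost, 443)
$ssl = [Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
try   { $ssl.AuthenticateAsClient($GraphHost) }
catch { Write-Warning "This workstation does not trust the chain either ($_); chain was still captured" }
finally { $ssl.Dispose(); $tcp.Dispose() }

if ($chainCerts.Count -eq 0) { throw 'No certificate chain captured' }
$root = $chainCerts[-1]                    # last element of the built chain
if ($root.Subject -ne $root.Issuer) {
    Write-Warning 'Last chain element is not self-signed; the root was not available locally. Obtain it from the Microsoft 365 encryption chains page instead.'
}
$sha256 = ([BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($root.RawData))) -replace '-'
"Leaf:   $($chainCerts[0].Subject)"
"Root:   $($root.Subject)"
"Root expires: $($root.NotAfter)   SHA-256: $sha256"   # compare with Microsoft's published chain

# Export the root as DER and import it into the trust store.
$rootFile = Join-Path ([IO.Path]::GetTempPath()) 'ms365-root.cer'
[IO.File]::WriteAllBytes($rootFile, $root.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
& keytool -importcert -noprompt -trustcacerts -alias $Alias -file $rootFile `
          -keystore $TrustStore -storepass $StorePass

# Confirm the entry is present; restart the application server afterwards so the JVM reloads the store.
& keytool -list -alias $Alias -keystore $TrustStore -storepass $StorePass
```

Compare the printed SHA-256 fingerprint with the chain published on the Microsoft 365 encryption chains page before trusting it, and re-run the capture when the warning about the last element not being self-signed appears, since importing an intermediate rather than the root would stop working at the next rotation.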
V. Configuring IBM TRIRIGA
Procedure
VI. Verifying Configuration
- Go to your Calendar to create an appointment.
- Go to the Scheduling Assistant tab and, in the Select Rooms section, add the room that you created above.
- Send the invitation. You should get an acceptance email back.
VII. Next
After you have confirmed that the TRIRIGA Reserve-Exchange integration is working, you can then install and use the Advanced Room Search add-in for Microsoft Outlook.
VIII. Appendix
This section provides the list of application permissions and delegated permissions used for the integration between TRIRIGA and Microsoft Exchange. For more information, see Microsoft Graph permissions reference.
Application permissions
- https://docs.microsoft.com/en-us/graph/api/user-post-events?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/user-list-events?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-list-instances?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-update?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-delete?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-cancel?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-accept?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-tentativelyaccept?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-decline?view=graph-rest-1.0&tabs=http
Delegated permissions
- https://docs.microsoft.com/en-us/graph/api/user-post-events?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/user-list-events?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-list-instances?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-update?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-delete?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-cancel?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-accept?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-tentativelyaccept?view=graph-rest-1.0&tabs=http
- https://docs.microsoft.com/en-us/graph/api/event-decline?view=graph-rest-1.0&tabs=http