This article explains how to create a Salesforce connector in Keepit. Before you begin, you set up the Salesforce user Keepit authenticates with. The managed package supporting the External Client App is installed as part of the connector creation process.

About the External Client App

To connect Keepit to your Salesforce organization, you install a managed package called keepit-sf-managed-package. This package uses an External Client App (ECA) to handle OAuth authentication between Salesforce and Keepit, replacing the older Connected App setup method that Salesforce is phasing out.

The package contains:

• External Client App — establishes the secure OAuth connection that allows Keepit to access your Salesforce data.

Before you begin

Supported Salesforce editions 

The following Salesforce editions support API access, which Keepit requires to back up and restore data and metadata:

• Professional Edition (with API access enabled)
• Enterprise Edition
• Unlimited Edition
• Performance Edition
• Einstein 1
• Developer Edition

Required roles 

• System Administrator profile in Salesforce.
• Master Admin or Backup Admin role in Keepit.

Required permission set  

Permission sets grant Keepit access to the Salesforce data and metadata it needs to back up and restore through the Salesforce API.

Step 1: Create a Salesforce user for Keepit

Keepit requires a Salesforce user account with administrative privileges to back up and restore data and metadata. Create a dedicated user rather than using an existing account.

1. In Salesforce, go to Setup > Users > New User.

2. Enter a name, email address, and a unique username. For example: Keepit.

3. Assign a Salesforce user license.

4. Assign the System Administrator profile (or equivalent).

5. Select Save. Salesforce sends a password setup email to the new user's address.

6. Set a password for the user.

Note: Use the standard System Administrator profile or a custom profile with the same level of access. The user must have the API Enabled permission in Salesforce.

Step 2: Create a permission set and assign it to the dedicated user

1. In Salesforce, go to Setup > Users > Permission Sets > New.

2. Enter a label. For example: KeepitBackup Administrator.

3. Select the following permissions:

Required permissions

Optional permissions

4. Select Manage Assignments and assign the permission set to the dedicated System Administrator user you created in Step 1.

Step 3: Install the managed package

1. In Keepit, go to Connectors and select Add connector > Add Salesforce connector.

2. Select the environment: Production or Sandbox.

3. Select Install and sign in with your Salesforce credentials.

4. Select Install for Admins Only or Install for Specific Profile, then select the custom admin profile if needed.

5. Keepit installs the managed package in your Salesforce organization.

Note: If you previously installed the package in this organization, select Skip this step. If you're setting up a sandbox that has been created or refreshed, don't skip this step — reinstalling is required to reestablish the connection.

6. Return to the Keepit connector setup page and continue.

7. When prompted, sign in with the Salesforce user that has the Keepit Backup Admin permission set assigned.

Note: If your organization uses a custom Salesforce domain, select Use Custom Domain on the sign-in page before signing in.

8. Review and approve the permission request on the Salesforce authorization page.

After authorization, Keepit returns you to the connector configuration page.

Step 3: Configure the connector 

1. In the Name field, enter a name for the connector.

2. Move the toggle to configure API request usage.

3. (Optional) Select the lock icon in the lower-right corner to manage user access to the connector.

4. (Optional) Select the calendar icon in the lower-right corner to set a custom retention period.

5. Select Start backup. Keepit schedules the first backup.

Set up restore target organizations

Important: This section is required if you plan to restore data to a Salesforce organization other than the one you're backing up from.

The ECA package must be installed and the Keepit Backup Admin permission set assigned in any target Salesforce organization you want to restore data into. This applies to sandboxes, developer orgs, and separate production organizations.

For each restore target, repeat the full setup:

1. Create a Keepit Backup Admin permission set with all required permissions and assign it to the system administrator in the target organization.

2. Install the ECA package using the same installation link from the Keepit connector setup flow.

3. Authorize a connector for the target organization in Keepit.

Common scenarios that require this:

• Restoring production data into a sandbox for testing or validation.
• Restoring data into a developer org.
• Disaster recovery testing in a separate Salesforce organization.
• Data migration between two production organizations.

Login restrictions and password policies

Salesforce allows you to restrict user logins based on login hours and IP address ranges. Don't apply login hour restrictions to the profile used for the Keepit integration.

Salesforce also supports IP restrictions at the org level and the profile level. If IP restrictions are enabled, add the public IP addresses used by Keepit to the allowed IP list. For more information, see the Keepit help article for public IP ranges per data center, including the IP addresses used for the SIEM integration.

Salesforce also lets administrators define password policies at the profile level. Set the password policy for the Keepit integration profile to Never expires to ensure uninterrupted backups and restores.

Troubleshooting

Package installation fails or shows an error

• Confirm you're signed in as a System Administrator in Salesforce.
• Check that your Salesforce organization allows managed package installation. Some organizations restrict this under security settings, or the user installing the package doesn't have the required permissions.

The installed package isn't visible after installation

• Wait a few minutes. Salesforce can take time to make new items visible.
• Salesforce sends an email when the package has been installed.
• If you still don't see keepit-sf-managed-package under Setup > Installed Packages, contact Keepit Support.

Authorization fails or returns an error

• Confirm the user has the permission set with all required permissions assigned before attempting authorization.
• Confirm the user has the API Enabled permission in their Salesforce profile or via permission set.
• Check that the user can sign in to Salesforce normally.

Connector shows as disconnected after setup

• Verify the Keepit Backup Admin permission set is still assigned to the authenticating user.
• Check whether the user's password or MFA settings have changed since authorization.
• Select Reauthenticate on the connector in Keepit to reauthorize the connection.