📈 Read the 2025 Salesforce Threat Landscape Report

Connected app

Learn what is a connected app in WithSecure Cloud Protection for Salesforce and how to set it up.

Recommendation: To install a connected app, ensure the following requirements are in place:

  • Dedicated Salesforce Integration profile user for the connected app.
  • WithSecure Cloud Protection Connected App permission set.
  • Installation of  Withsecure Connected App in your Salesforce Org.
  • Assign WithSecure Cloud Protection Permission Sets (Withsecure Cloud. Protection Admin, Withsecure Cloud Protection Integration User and Approve Uninstall app) to the Salesforce Admin users.
  • Completion of the authentication process using a user from the Cloud Protection for Salesforce App UI.

Note: If you’re installing the Withsecure Cloud Protection Connected App for the first time, we recommend performing all the steps using a Salesforce Admin profile. Once the connected app is successfully installed and linked locally, it’s best to assign a dedicated integration profile to manage the app.

Create a dedicated Salesforce Integration license user for the connected app

WithSecure Cloud Protection connected app will access your Salesforce org under the user who will enable it. It is highly recommended to create a dedicated user account for the connected app and assign required permissions only.

Note:

Follow the steps below to create a new Salesforce API Integration profile user for WithSecure Cloud Protection connected app.

  • Open Salesforce Setup.
  • Navigate to Administration > Users.
  • Click New User to create a new user.
  • Enter the Last Name, Alias, Email, Username and other details for a new user account as appropriate. For User License select Salesforce Integration, and for Profile select Minimum Access – API Only Integrations or any other profile/custom profile with same license.
  • Click Save.
  • The new user is created and an email message is sent to the email address specified in Email. 
  • Complete other details and set the password for the user by clicking on the ‘Reset Password’ button.

Note: If the installed version of the Cloud Protection for Salesforce (CPSF) app is 2.5 or above, assign “WithSecure Cloud Protection Integration User“ permission set to the integration user. If the installed version of the app is 2.4.1 or below

  • Clone the WithSecure Cloud Protection Admin permission set and remove the access for Visualforce page at the cloned permission set
  • Assign the cloned permission set and “WithSecure Cloud Protection Connected App” to the integration user.

Why is a dedicated integration user account recommended?

Standard or System Administrator users will also work authentication, but an integration account needs different levels of access to Salesforce data and functionality than regular users. Additionally, creating a separate account for integration purposes allows for better tracking and control of access to Salesforce data. For example, if an issue arises with the integration, it is easier to trace the problem to the specific integration account, rather than trying to identify which regular user account may be causing the issue. Another reason is that if you use a regular user account for integration, and that user leaves the organization, the integration will stop working. Having a separate account that is not tied to a specific user, ensures continuity even if users come and go.

It is also important to note that the integration account should be properly secured, with a strong and unique password, and it should be regularly monitored for any suspicious activity.

Create WithSecure Cloud Protection Connected App permission set

Follow the steps below to create a new permission set with the required permissions.

  • Open Salesforce Setup.
  • Navigate to Administration > Users> Permission Sets.
  • Click New to create a new permission set.
  • Enter the Label and API name for the new permission set. For example, the label can be “WithSecure Cloud Protection Connected App” with auto-generated API name: WithSecure_Cloud_Protection_Connected_App.
  • Select the license as ‘Salesforce API Integration.
  • Click Save.
  • On the page with the newly created permission set, find and click  System Permissions.
  • On the page with System Permissions, click Edit and Select ‘API Enabled’

Note: If the user is a System Admin or the Salesforce API integration user, this setting is already enabled. For all other users, please make sure that the API Enabled option is selected.

  • On the page with System Permissions, click  Edit and Select ‘View All Data’
  • On the page with App Permissions, click Edit and Select ‘Query All Files

Install WithSecure Connected App locally in the org

Note: If the Cloud Protection for Salesforce app is not yet installed locally, follow the steps below to complete the setup.

  • Create the required permission set (Approve Uninstalled Connected App)
  • Assign the permission set to an admin or a user with a Salesforce license
  • Connect the Connected App 
  • Install the Connected App 

 After installation, if needed, the connected Admin User can be switched to an Integration User. Alternatively, the admin can disconnect, and the dedicated user created for the Connected App can reconnect after the disconnection. The below steps mention how to create a dedicated user for the connected app and assign the required permission sets to this dedicated user.

Why do we need to install withsecure connected app locally within the org?
Starting in early September 2025, Salesforce will restrict the use of uninstalled connected apps. This usage restriction will block end users from using uninstalled connected apps.

Salesforce Orgs will start seeing OAuth errors when trying to enable connected app when environment has an API management is turned on. The error message might look like  “We can’t authorize you because of an OAuth error. For more information, contact your Salesforce administrator.” and the OAUTH_APPROVAL_ERROR_GENERIC message”  Or  OAUTH_APP_BLOCKED and error_description=this+app+is+blocked+by+admin.

This can be avoided by installing the withsecure connected app in the org itself. Please check the below instructions on how to perform the same.

Create  a new ‘Approve Uninstalled Connected Apps’ permission set

  • Create a permission set named ‘Approve Uninstalled Connected Apps’ and select the license as ‘Salesforce’.
  • Go to ‘System Permissions’ > ‘Edit’ > ‘Approve Uninstalled Connected Apps’ > Check the checkbox and Save it.

Note: Perform the following step only if API Access Control is enabled; otherwise, skip to step 4 and continue.

  • If API Access Control is enabled, and if any of the “For admin-approved users, limit API access to only allowlisted connected app” or “For customers and partners, limit API access to only installed connected apps” is checked then goto Permission Sets  > Approve Uninstalled Connected AppsSystem Permissions > Edit check Use Any API Client.
    • Click on ‘Manage Assignments’ and select the User (Either System Admin or any other user with Salesforce License).

    Assign WithSecure Cloud Protection Permission Sets

    Assign ‘WithSecure Cloud Protection Admin‘, ‘WithSecure Cloud Protection Integration User’ and Approve Uninstalled Connected Apps permission sets to the user (Salesforce Admin).

    1. Open Salesforce Setup.
    2. Navigate to Administration > Users.
    3. Find and open the user created or intended to be used for WithSecure Cloud Protection connected app.
    4. Click Permission Set Assignments and then Edit Assignments.
    5. On the list of Available Permission Sets, select WithSecure Cloud Protection Integration User and the permission set created earlier WithSecure Cloud Protection Connected App and Approve Uninstalled Connected Apps. If its required to remove the CPSF user interface access for the integration user, create a new Permissions Set by cloning WithSecure Cloud Protection Admin permission set and assign it to the user instead of WithSecure Cloud Protection Admin.  

    Enabling Cloud Protection Connected App

    • Login to Salesforce as admin and open WithSecure’s Cloud Protection app.
    • Navigate to Administration > Tools.
    • Click Connect under Manage connected app.
    • Click Connect when Connect WithSecure™ Cloud Protection is shown.
    • When Allow Access dialog is shown, click the link ‘Not you?’
    • Add username and password for the user created for the connected app purposes.
    • Verify the permissions and ‘Allow’.
    • Once the connection is successfully established, the status on the Tools page will be reflected when Admin logs in ‘Administration‘ page.
    • If it is still not connected, look into the troubleshooting section and add the Login IP Ranges for the Profile and try the aforesaid steps below.

    Note: Please note that the steps below are applicable only when there are IP restrictions implemented by the organization. Please reach out to the technical account manager to get info on IP addresses.

    • Ensure that Cloud Protection IP address is allowed in both of these (if used by customer)
      • Setup > Security > Network Access >Allowed IP ranges
      • Setup > Users > Profiles > Profile used by Cloud Protection Integration user > Login IP Ranges (NOTE: only need to add this if there are any restrictions from before)
    • After allowlisting our backend IP addresses, everything seems to be working properly and try again to connect.
    • The informational alert will be created and you can find it in Analytics > Alerts.
    • Install the connected app into the org. Go to Setup > Connected Apps OAuth Usage > click the Install button beside the WithSecureTM Cloud Protection app.
    • Below screen should appear. Hit Install button.
      • This should automatically install the app inside the org. To verify go to Setup > Connected App and verify that the WithSecureTM Cloud Protection app shows there.