Identity, Identity Verification, External Identity, and Customer Identity all carry different price points and different audit rules. The buyer side levers that keep a Salesforce identity estate from doubling on a quiet renewal.
Salesforce Identity is not one license. It is four. Identity for employees, Identity Verification for MFA, External Identity for partners, and Customer Identity for end customers. Each one carries different unit pricing and different audit rules.
The cost optimization opportunity sits in three places. User mapping discipline. SSO scope clarity. And the renewal negotiation on the four unit prices.
Read this alongside the Salesforce knowledge hub, the Salesforce services page, the renewal negotiation playbook, and the Vendor Shield subscription.
Salesforce sells identity capability across four distinct SKU groups. The differences matter at procurement.
| License | Audience | Pricing model | List price | Typical use |
|---|---|---|---|---|
| Identity | Employees | Per user per month | $5 to $10 | SSO to non Salesforce apps |
| Identity Verification | Employees | Per user per month | $5 | MFA on Salesforce login |
| External Identity | Partners and contractors | Per active user per month | $2 to $10 | Partner portal access |
| Customer Identity | End customers | Per active user per month | $1 to $5 | Consumer login |
The audit risk on Identity licenses sits in the user mapping. Salesforce checks the assignment against the actual login pattern and the user record metadata.
The buyer side discipline is a monthly Identity license cleanup. The cycle takes a SAM analyst three to five hours a month on a typical estate.
The output is a delta report. New assignments, expired users, license type mismatches, and SSO scope changes.
Salesforce External Identity bills on the monthly active user count. Salesforce computes active as one login in the trailing thirty days. The buyer side practice is to maintain an inactive user offboarding workflow inside twenty eight days. Slip past thirty days and the active user count climbs into the next billing tier.
Salesforce Identity is the SSO vehicle for non Salesforce applications. Every application connected through Salesforce as an identity provider drives an Identity license requirement.
The control model is a quarterly SSO scope review with the identity team. Three questions sit at the top.
The renewal is the only moment the unit price moves. Mid term true ups land at the original unit price plus a normal annual escalator.
Salesforce Identity is four products, not one. The optimization opportunity sits in the user mapping, the SSO scope, and the renewal negotiation across all four SKUs. Run a monthly cleanup, a quarterly SSO review, and an annual renewal posture.
The seven step checklist is the buyer side starting position for any Salesforce Identity estate approaching renewal.
No. Only employees who use Salesforce as their SSO provider for non Salesforce apps need an Identity license. Employees who only log into Salesforce itself need a standard Salesforce user license. Employees who use a non Salesforce SSO provider such as Okta or Microsoft Entra ID do not need a Salesforce Identity license at all.
Salesforce Identity Verification is the MFA add on for Salesforce itself, billed at five dollars per user per month. Third party MFA such as Duo, Okta Verify, or Microsoft Authenticator can serve the same purpose. The buyer side question is whether the existing enterprise MFA tool already covers Salesforce. If yes, Identity Verification is a duplicate cost.
External Identity bills on monthly active users defined as one login in the trailing thirty days. Partner portals that allow inactive users to retain accounts can spike the count when an industry event triggers logins. The buyer side practice is to maintain a twenty eight day offboarding workflow and to monitor the active user count by month.
Yes. Salesforce Customer Identity is built for consumer scale. The pricing tiers run from a free band below ten thousand MAU to volume discount bands above ten million MAU. The buyer side discipline is to negotiate the tier breakpoints and the rate per MAU above each breakpoint at the original contract or at renewal.
Redress runs Salesforce advisory inside the Vendor Shield subscription and the Renewal Program. The Identity workstream typically opens six months before a Sales Cloud or Service Cloud renewal. Every engagement is led by former Salesforce commercial executives now on the buyer side.
Yes. Agentforce per conversation pricing carries an Identity attach for every user who triggers an agent flow. The Identity attach can land on Identity or Identity Verification depending on the user profile. The buyer side preparation is to inventory the Agentforce user base by Identity SKU before any Agentforce expansion lands in procurement.
Redress runs Salesforce identity advisory inside the Vendor Shield subscription, the Renewal Program, the Benchmark Program, and the Software Spend Assessment. Every engagement is led by a former Salesforce commercial executive on the buyer side.
Read the related benchmarking, about us, locations, and contact pages.
A buyer side reference on Salesforce Sales Cloud, Service Cloud, Marketing Cloud, Agentforce, and Identity. The discount math, the SKU mix, the AI add on traps, and the renewal posture across every Salesforce commercial vehicle.
Independent. Buyer side. Written for CIOs, CFOs, and procurement leaders carrying Salesforce commercial agreements. No Salesforce influence. No sales kickback.
Open the white paper in your browser. Corporate email only.
Open the Paper →Salesforce Identity is four products, not one. The optimization opportunity sits in the user mapping, the SSO scope, and the renewal negotiation across all four SKUs. Run a monthly cleanup, a quarterly SSO review, and an annual renewal posture.
We have run 500+ enterprise clients across 11 publishers. Every engagement starts with one conversation.
Identity SKU math, SSO scope discipline, Agentforce attach, and renewal negotiation across every Salesforce engagement we run on the buyer side.
Once a month. Audit patterns, renewal benchmarks, vendor commercial signals across Oracle, Microsoft, SAP, Salesforce, IBM, Broadcom, AWS, Google Cloud, ServiceNow, Workday, Cisco, and the GenAI vendors. No follow up sales pressure.
Free providers (Gmail, Yahoo, Outlook) cannot subscribe. Work email only. Unsubscribe in one click.
