Salesforce Identity licences (Identity-Only licences) allow users to authenticate via Salesforce for single sign-on and MFA without incurring the cost of a full CRM user seat. At roughly $5 per user per month versus $25–$150+ for a standard licence, they represent one of the most effective cost optimisation levers in the Salesforce licensing model. This guide covers how Identity licences work, which users are candidates for them, best practices for allocation and management, negotiation strategies, a real-world cost savings illustration, and ongoing governance recommendations.
Not every user who logs into Salesforce or connected systems needs a full CRM licence. Salesforce Identity licences allow users to authenticate via Salesforce (using SSO, MFA) without incurring the cost of a standard user seat. This creates significant cost optimisation opportunities.
| Licence Type | Typical Cost | What It Includes | Best For |
|---|---|---|---|
| Sales/Service Cloud (Enterprise) | $150+/user/month | Full CRM functionality, data access, reporting, automation, customisation | Users who actively work in Salesforce daily — sales reps, service agents, operations |
| Platform Starter | ~$25/user/month | Custom apps, limited CRM objects, basic platform access | Users needing some Salesforce data access but not full CRM |
| Identity Only | ~$5/user/month | SSO authentication, MFA, App Launcher, user self-service settings — no CRM data access | Users who only need to log into connected systems via Salesforce SSO |
| Integration User | Often free with editions | API-only access, no UI login, system-to-system integration | Non-human accounts: middleware, automated processes, API connections |
Organisations often overprovision standard licences to users who rarely use Salesforce’s core features. An executive viewing a dashboard occasionally, an HR staff member accessing an integrated portal, or a contractor needing SSO access — all are candidates for Identity licences at a fraction of the cost.
Typical candidates include HR and finance staff accessing integrated systems, executives viewing occasional dashboards, and contractors needing portal access. If they do not actively enter records, run reports, or work inside Salesforce CRM, they are prime candidates for Identity licences.
Other candidates are field technicians using mobile apps that authenticate through Salesforce and employees accessing Office 365 or Google Workspace via Salesforce as IdP. They need secure login but not CRM data access; Identity licences cover authentication without paying for unused functionality.
A further group is employees whose roles changed: those who moved from sales to a non-sales function but still need to authenticate. Rather than leaving their full licence allocated, downgrade them to Identity to free up an expensive licence for someone who needs it.
Use Salesforce’s built-in User Licence Usage and login history reports. The Company Information page lists licences in use vs. purchased for each type. Combine with an App Manager report to find users who log in but have zero record interactions — those could be downgraded to Identity licences.
| Practice | How to Implement | Impact |
|---|---|---|
| Quarterly licence audits | Review users with full licences who have not logged in or had minimal activity over 3–6 months; check if any Identity users now need full access | Continuous right-sizing; reclaim full licences from low-usage users and convert to Identity |
| Onboarding decision tree | Define a request process with criteria: Does the user need CRM data? If yes, assign full licence. If only SSO/portal, assign Identity | Prevents default assignment of full licences to everyone; institutionalises cost-effective allocation |
| Permission sets for edge cases | Use permission sets to grant limited access (single custom object, approval form) to Identity users without upgrading to full licence | Avoids unnecessary upgrades; stretches Identity licences to cover borderline use cases |
| Login pattern monitoring | Use Salesforce reports, Optimizer tool, or Login History to track Identity user activity; flag users who never log in or who hit limitations | Identifies unused licences to reclaim at renewal and users who may need different licence types |
| Use free allowances first | Check for Identity licences included with your edition or other products (e.g. Pardot/Account Engagement often includes 100 free Identity licences) | Consume free entitlements before purchasing; avoid paying for licences you already have |
| Automated provisioning | Integrate Salesforce with Active Directory or HR system; automatically adjust licence type when a user’s role changes | Reduces manual oversight; optimises allocations in real time as roles evolve |
Forecast Identity licence needs and purchase in volume during contract negotiations. Salesforce is more likely to discount 500 licences at once than 50 purchased incrementally. Bulk purchasing during negotiation reduces per-licence cost significantly.
Account executives have quarterly and annual targets. Discussing Identity licence needs near quarter-end or fiscal year-end, when Salesforce is motivated to close deals, often secures more favourable pricing or additional free licences.
Multi-year contracts can lock in pricing and cap escalation, but ensure the agreement allows annual adjustment of Identity licence counts — you need the ability to reduce if needs drop, not just increase.
If purchasing Sales Cloud, Service Cloud, or Marketing Cloud simultaneously, request Identity licences as part of the bundle. For example: “If we buy 200 Sales Cloud licences, we want 200 Identity-Only licences included for our other staff.”
If Salesforce knows you are evaluating Okta, Azure AD Premium, or another identity provider for SSO, they may offer better Identity licence pricing to keep identity management within the Salesforce ecosystem. The key is conveying that Salesforce Identity is preferable for integration but must be cost-competitive.
| Scenario | Without Identity Licences | With Identity Licences |
|---|---|---|
| Total employees | 1,000 | |
| Full CRM users (sales, service, operations) | 700 × full licence | 700 × full licence (unchanged) |
| SSO-only users (finance, HR, contractors) | 300 × Platform Starter @ $25/user/mo = $7,500/mo | 300 × Identity @ $5/user/mo = $1,500/mo |
| Annual cost for SSO-only users | $90,000 | $18,000 |
| Annual savings | — | $72,000 |
| 3-year contract savings | — | $216,000+ |
This conservative example uses Platform Starter as the baseline. If those 300 users had Sales Cloud Enterprise licences ($150+/user/mo), the savings would be $522,000+ annually. At scale, Identity licence optimisation is one of the highest-ROI licensing decisions an organisation can make.
“In our experience optimising Salesforce licensing for large enterprises, Identity licences are consistently the single most overlooked cost-saving opportunity. Organisations routinely assign full CRM licences to hundreds of users who only need SSO access — an annual waste of tens to hundreds of thousands of dollars. The fix is straightforward: audit usage, identify SSO-only users, and reassign them to Identity licences. The savings are immediate and recurring.”
— Redress Compliance Advisory Team
Assign a Salesforce Platform Owner or Licence Manager responsible for periodic reviews. This ensures licence optimisation is an ongoing discipline, not a one-time exercise.
Keep a list of all Identity licence users with their business justification. This aids in audits, supports knowledge transfer when admin staff change, and provides evidence of deliberate licence allocation decisions.
Salesforce regularly introduces new licence types and changes pricing. The 2023 introduction of Integration User licences created new optimisation opportunities. Stay informed about changes to Identity licence terms, new bundles, or pricing adjustments to continuously refine your approach.
IT Asset Management teams can verify that Salesforce licence usage aligns with entitlements, using tools to track utilisation and flag both under-utilisation (waste) and over-use (compliance risk).
Identity users may gradually request additional access that effectively turns them into CRM users. Before granting permissions that exceed Identity licence capabilities, evaluate whether a licence upgrade is appropriate. Conversely, ensure Identity users are not inadvertently given access to features they are not licensed for.
Review Salesforce activity to identify who can be downgraded to Identity. Remove or reassign unused full licences promptly — this discipline directly saves money every renewal cycle.
Implement an internal policy: if a role does not require CRM data access, assign an Identity licence from day one. Proactive classification prevents over-licensing from the start.
Before purchasing Identity licences, verify you have utilised any included with your Salesforce edition or bundled products (Pardot/Account Engagement, Marketing Cloud). Always exhaust free allowances before buying.
Forecast needs and buy Identity licences in volume for maximum discount. Bundle with other Salesforce product purchases for additional leverage. Multi-year commitments with annual adjustment flexibility provide both cost certainty and adaptability.
When an Identity user needs limited additional access (a single custom object, an approval workflow), explore permission sets before upgrading to a full licence. This extends Identity licence coverage to borderline use cases.
Integrate Salesforce with Active Directory or HR systems to automatically adjust licence types when roles change. This eliminates manual oversight gaps and ensures allocations stay optimal as the organisation evolves.
Include Salesforce de-provisioning in HR off-boarding checklists. Licences assigned to departed employees are money left on the table — deactivating users frees licences for re-use or count reduction at renewal.
Salesforce licensing complexity (Identity, Platform, Integration User, Community, full CRM) creates opportunities for misalignment. Independent advisors identify overlooked optimisation opportunities and negotiation levers that ensure maximum value.
Redress Compliance helps enterprises identify licence misalignment across Identity, Platform, Integration, and full CRM user types. We audit usage, quantify savings, and negotiate optimised agreements that typically reduce Salesforce spend by 20–40%.
A Salesforce Identity licence (Identity-Only licence) allows users to authenticate via Salesforce for single sign-on (SSO) and multi-factor authentication (MFA) without access to CRM data or standard Salesforce functionality. At roughly $5 per user per month, it is designed for users who need secure login to connected applications but do not work inside Salesforce CRM itself.
Identity licences are ideal for employees who only need authentication access: HR and finance staff accessing integrated portals, executives viewing occasional dashboards, contractors needing SSO access, and field workers using mobile apps that authenticate through Salesforce. If a user does not actively enter records, run reports, or work inside Salesforce CRM, they are a candidate for an Identity licence at a fraction of the cost of a full CRM seat.
Savings range from $20 to $145+ per user per month depending on which licence type you are replacing. Moving 300 users from Platform Starter ($25/mo) to Identity ($5/mo) saves $72,000 annually. Moving them from Sales Cloud Enterprise ($150+/mo) saves $522,000+ annually. Over a 3-year contract, these savings compound significantly. Identity licence optimisation is consistently one of the highest-ROI licensing decisions for Salesforce customers.
Identity licences do not include access to standard CRM objects (Accounts, Contacts, Opportunities, Cases). Users can authenticate via SSO, use the App Launcher to access connected applications, and manage their own user settings. In some cases, permission sets can grant limited access to specific custom objects or approval workflows without upgrading to a full licence, but this should be carefully validated against Salesforce’s licence terms.
Some Salesforce editions and products include free Identity licences. For example, Pardot/Account Engagement often includes 100 free Identity licences. Check your Salesforce contract and the Company Information page in Setup to see what is already included before purchasing additional Identity licences. Always exhaust free allowances before buying.
Several strategies improve pricing: buy in bulk during contract negotiations (500+ at once gets better rates), time discussions to Salesforce quarter-end or fiscal year-end, bundle Identity licences with other product purchases (Sales Cloud, Service Cloud), negotiate multi-year commitments with annual adjustment flexibility, and leverage competitor IAM solutions (Okta, Azure AD Premium) to demonstrate competitive alternatives. Independent advisors can help quantify needs and negotiate optimal terms.
Redress Compliance provides independent Salesforce licensing advisory for enterprises. We audit current licence usage, identify SSO-only users who can be moved to Identity licences, quantify savings, negotiate optimal pricing and bundle terms, and implement ongoing governance processes. Our clients typically reduce Salesforce spend by 20–40% through right-sizing across Identity, Platform, Integration, and full CRM licence types. All engagements are fixed-fee and 100% vendor-independent.