Editorial photograph of an identity team reviewing Salesforce user mapping and SSO scope on a wall sized dashboard inside a corporate boardroom
Article · Salesforce · Identity

Salesforce Identity licenses. The user, the scope, the renewal.

Identity, Identity Verification, External Identity, and Customer Identity all carry different price points and different audit rules. The buyer side levers that keep a Salesforce identity estate from doubling on a quiet renewal.

Read the Framework Salesforce Hub
$5 to $30Identity license per user per month
a leading industry analyst firmRecognized
Read the framework. · Independent. Buyer side. Reads in your browser. Read the framework →
Industry Recognized
500+ Enterprise Clients
$2B+ Under Advisory
11 Vendor Practices
100% Buyer Side Independent
Home Salesforce Knowledge Hub Salesforce Identity OptimizationSalesforce Knowledge HubSoftware Spend Health CheckBenchmarking
Portrait placeholder for Fredrik Filipsson, Co Founder and Group CEO
Written by Fredrik Filipsson Co Founder & Group CEO · ex Oracle, IBM, SAP
PublishedNovember 12, 2025
Last updatedJanuary 15, 2026

Salesforce Identity rewards buyers who map every authenticating user to the cheapest license that still grants access, and quietly overcharges those who default everyone to a full platform seat.

Key takeaways

  • Three SKUs: Identity, External Identity, and Identity Verification each cover a different population and price very differently.
  • Internal users: Salesforce Identity is bundled with most internal user licenses, so paying again is usually a mapping error.
  • External Identity: priced per monthly active user blocks, which punishes over provisioning of dormant community accounts.
  • SSO scope: single sign on is included in core licenses, so a separate Identity purchase for SSO alone is often unnecessary.
  • Verification: Identity Verification credits expire, so buying ahead of demand burns budget.
  • Outcome: a disciplined mapping exercise moves 12 to 25 percent of Identity spend in most estates we review.

How do Salesforce Identity licenses actually work?

Salesforce splits identity into three products that cover different people. Getting the population right is the whole game.

Internal employees authenticate through the Identity capability bundled in standard licenses. External customers and partners use External Identity. Step up checks use Identity Verification.

Which users actually need a paid Identity seat?

  • Internal staff: usually covered already, see the Salesforce license type reference.
  • External consumers: covered by External Identity, billed on monthly active users.
  • High risk transactions: covered by Identity Verification credits.

The product overview sits in the Salesforce Identity documentation, which confirms the bundled internal entitlement.

What does single sign on require?

Single sign on ships inside core licenses. You rarely need a separate Identity purchase just to enable SSO for employees who already hold a Salesforce seat.

What are the real cost levers in Salesforce Identity?

The headline price per user matters less than the population you attach to it. Mapping discipline beats discount chasing here.

Three levers carry most of the value. Each is an entitlement decision, not a negotiation favor.

  • Deduplication: remove internal users from standalone Identity counts.
  • Active user sizing: match External Identity blocks to real monthly actives, not registrations.
  • Credit pacing: buy Verification credits to consumption, never ahead of it.

Why does monthly active sizing matter so much?

External Identity is sold in blocks of monthly active users. A community with 100,000 registrations but 20,000 monthly actives needs the 20,000 tier, confirmed in the Salesforce Platform pricing page.

Salesforce Identity SKU comparison, illustrative

ProductWho it coversBilling basisCommon waste
Salesforce IdentityInternal employeesPer user, often bundledPaying twice for bundled users
External IdentityCustomers and partnersPer monthly active blockSizing to registrations not actives
Identity VerificationAny step up eventPrepaid credit packsCredits expiring unused

Where the common advice on this topic is wrong

The standard partner pitch is that every authenticating identity needs its own paid Identity license, so buyers stack seats to be safe. We disagree. In roughly 20 of the 30 Salesforce estates we reviewed in 2024 and 2025, the bundled internal entitlement already covered most employees, and External Identity blocks were sized to registrations rather than monthly actives. That double counting inflated Identity spend by 12 to 25 percent. The buyer side move is to map every authenticating population to the cheapest license that still grants the required access before you renew, then size External Identity to the trailing twelve month active peak, not the registration total.

Two analysts comparing a user access report on a laptop in an open office
The monthly active user report, not the registration count, is the artifact that decides External Identity tiering at renewal.
12 to 25%
Identity spend reclaimed by mapping
2 of 5
Estates with expired verification credits
30 to 50%
Dormant External Identity capacity

Source: Redress Compliance advisory engagement file, 2024 to 2025.

You do not buy identity by headcount. You buy it by who actually authenticates, and how often.

How should you size External Identity for a customer community?

Size to monthly active users measured over a full year, then add a modest burst margin. Registrations are vanity, actives are the bill.

Pull the active user trend from your community analytics and set the block to the trailing peak. Renegotiate the tier down at renewal if actives fell.

What about seasonal communities?

For communities with a clear seasonal spike, negotiate a burst clause rather than buying the peak tier for twelve months. You pay for the season, not the year.

What buyer side moves win a Salesforce Identity renewal?

Start with an entitlement audit, not a discount ask. The cheapest seat is the one you delete.

  1. Export every Identity, External Identity, and Verification line and tag the population it serves.
  2. Remove internal users already covered by a bundled license.
  3. Resize External Identity to trailing twelve month monthly actives.

What to do next

  1. Pull the full Identity entitlement list and label each line by population served.
  2. Cross check internal users against bundled license coverage and remove duplicates.
  3. Measure External Identity monthly actives over twelve months and set the block to the trailing peak.
  4. Stop prepaying Identity Verification credits beyond one quarter of demand.
  5. Negotiate a burst clause for any seasonal community rather than buying peak for the year.
  6. Set the renewal calendar so the entitlement audit completes 90 days before the contract date.
Cover of the Salesforce License Optimization white paper from Redress Compliance

White Paper · Salesforce

Salesforce License Optimization

Salesforce shelfware runs 15 to 30 percent of seats in most orgs. Read it free.

Read the white paper

Related reading

Salesforce PracticeBuyer side advisory across the Salesforce estate.Salesforce Knowledge HubGuides on Salesforce licensing and renewals.Salesforce Pillar HubThe comprehensive Salesforce negotiation reference.

Talk to the Salesforce Practice

Get the buyer side framework our advisors use on live Salesforce engagements. No sales pitch, just the levers, the benchmarks, and the sequence.

See the Salesforce Practice
Run the software spend health check against your Salesforce estate in minutes.
Start the assessment

Frequently asked questions

Is Salesforce Identity included with standard licenses?

Salesforce Identity is bundled with most internal user licenses, so employees who already hold a Salesforce seat usually do not need a separate paid Identity license. Paying again for those users is typically a mapping error rather than a real entitlement gap.

How is External Identity priced?

External Identity is priced in blocks of monthly active users, not total registrations. A community can hold hundreds of thousands of accounts yet only need the block that matches its real monthly active peak.

Do I need Salesforce Identity just for single sign on?

No in most cases. Single sign on for employees ships inside core Salesforce licenses, so a standalone Identity purchase purely to enable SSO is often unnecessary for internal users.

What is Identity Verification?

Identity Verification provides step up authentication checks billed through prepaid credit packs. The credits expire, so buying them ahead of real demand risks writing off the unused balance.

How much can a buyer save on Salesforce Identity?

A disciplined mapping exercise typically reclaims 12 to 25 percent of Identity spend, driven mainly by removing duplicate internal seats and resizing External Identity to monthly actives rather than registrations.

Should I size External Identity to registrations or active users?

Size to monthly active users measured over a full year. Registrations overstate demand because most community accounts authenticate rarely, and the bill follows actives, not sign ups.

Can I reduce Identity blocks at renewal?

Yes. External Identity tiers can be renegotiated down at renewal if your trailing monthly actives fell, which is why measuring actual usage before the contract date is the key buyer side step.

When should I start the Identity review?

Begin the entitlement audit at least 90 days before the renewal date so you have time to remove duplicates, resize blocks, and counter the opening proposal with usage data rather than estimates.