Maximizing Value from Salesforce Identity Licenses
Salesforce Identity licenses (Identity-Only licenses) can significantly reduce CRM licensing costs by providing single sign-on and authentication for users who don’t need full Salesforce functionality.
This article is a comprehensive guide for CIOs, CTOs, and IT Asset Managers on optimizing identity licenses. It covers strategies for identifying which users should have Identity licenses, avoiding overspending, monitoring and adjusting license allocations, and practical negotiation tips.
By implementing these best practices, enterprises can ensure they maximize the value of their Salesforce investment while maintaining secure access management.
Read Salesforce External Identity Licenses: Managing Customer and Partner Access.
The Role of Identity Licenses in Cost Optimization
Not every user who logs into Salesforce or connected systems in large organizations needs a full-fledged Salesforce CRM license.
Salesforce Identity licenses are pivotal: they allow users to authenticate via Salesforce (using SSO, MFA, etc.) without incurring the cost of a standard CRM user seat.
Leveraging Identity licenses can yield significant cost savings:
- Cost Savings per User: A full Salesforce user license (e.g., Sales Cloud or Service Cloud) can range from $25 to over $150 monthly, depending on edition and features. In contrast, an Identity-Only license costs roughly $5 per user monthly. Reassigning users who only need login capabilities to an Identity license instead of a full license can save $20–$145 per user monthly.
- Wider SSO Adoption: Identity licenses make it affordable to extend single sign-on to a broad population (e.g., all employees, contractors, or even external users in some cases). Without them, companies might pay for unnecessary full licenses just to offer SSO. By lowering the cost barrier, Identity licenses encourage best practices like company-wide SSO and MFA usage without busting the budget.
- Avoiding “License Overkill”: Organizations often overprovision standard licenses to users who rarely use Salesforce’s core features. For example, an executive or HR staff member might occasionally log into a Salesforce-based portal or view a dashboard. Instead of assigning an expensive full license for occasional use, an Identity license covers their login needs at a fraction of the cost.
In summary, Salesforce Identity licenses are a cost optimization tool – when used correctly, they ensure you’re not paying enterprise software prices for users needing authentication.
Identifying Candidates for Identity-Only Licenses
A crucial step in maximizing value is determining which users in your organization are best suited for Identity licenses rather than a full Salesforce license.
Consider the following categories:
- Employees Who Only Need SSO: Many users simply need to log into applications via the company’s single sign-on portal (Salesforce can serve as that portal). If a user does not actively work inside Salesforce CRM (entering records, running reports), they are a prime candidate for an Identity license. Common examples include:
- HR and Finance staff accessing an internal HR system or financial tool integrated with Salesforce.
- Executives or managers who only view high-level dashboards (read-only) occasionally could use a lower license or an identity-based access if the dashboards are external.
- Contractors or temporary staff who need access to certain tools or communities via SSO but are not given Salesforce data access.
- Users of Integrated Apps: If you use Salesforce as an authentication hub for other enterprise apps (like Office 365, Google Workspace, or custom apps), many app users might not need Salesforce itself. For instance, a field technician might only use a mobile app that authenticates through Salesforce. Giving them an identity license allows them to log in securely without granting or paying for Salesforce CRM access they don’t need.
- Community/Portal Users (Depending on Use): This gets tricky (since Salesforce has special community licenses), but if you have a scenario where external users only need to log in to a non-Salesforce platform and you leverage Salesforce as the IdP (Identity Provider), an External Identity license (a related concept, discussed in another article) or Identity license could cover that. For internal cost optimization, focus on employees first.
- Inactive or Former Full Users: Some employees’ roles change over time. An employee might have needed a full license last year but no longer uses Salesforce features (e.g., moved to a non-sales role). Rather than simply leaving their full license allocated, you could downgrade such users to an Identity license so they still authenticate, but free up an expensive license. Regularly review login and feature usage to spot these cases.
How to Identify: Use Salesforce’s built-in User License Usage and login history reports. Salesforce’s “Company Information” page lists how many licenses are in use vs. purchased for each type. Combine that with a login or App Manager report to see who hasn’t logged into core Salesforce or isn’t using any CRM features. Those with logins but zero record interactions could likely be downgraded to Identity licenses.
Read Salesforce Identity vs Identity Plus Licenses.
Best Practices for License Allocation and Management
Once you’ve identified who should have which license, apply these best practices to continuously optimize license usage:
- Conduct Regular License Audits: Set a schedule (e.g., quarterly or biannually) to audit Salesforce usage. The audit includes users with full licenses who have not logged in or have had minimal activity over the last 3–6 months. Users who primarily use Salesforce for SSO are included in other systems. Check if any Identity license users have started needing full access (it can happen the other way, too—an Identity user might take on a role that requires
- a full license).
- Implement a Request Process: Especially in large enterprises, have a defined process for managers or IT to request Salesforce access for a user. Include criteria or a checklist in that process:
- Does the user need CRM data access? If yes, assign the appropriate full license.
- If not, will they only use SSO or a portal? If yes, assign an Identity license.
By institutionalizing this decision tree, you avoid the knee-jerk assignment of full licenses to everyone.
- Use Permission Sets to Extend Functionality: One clever practice is using permission sets to grant specific additional access to Identity users without moving them to full licenses. For example, suppose an Identity user needs access to a single custom object or a simple approval form in Salesforce. In that case, you might be able to accommodate that with a combination of an Identity license + a special permission set or connected app, rather than upgrading them to a full license. Always explore if a smaller permission or integration can meet the need.
- Monitor Login Patterns: Use Salesforce reports or the Optimizer tool to monitor how Identity license holders use the system. If some identity users never log in (perhaps they don’t use the SSO), you might reduce those licenses in the next renewal. Conversely, if some Identity users start logging in heavily and hitting limitations, that’s a sign they may need a different license type.
- Keep an Eye on Free Allowances: Salesforce often provides a small number of certain licenses for free. For instance, many orgs get a handful of Identity licenses included (especially if you have orgs created after a certain date or certain editions). Also, Salesforce’s Integration User licenses (for API-only use) and others might be included. Use those first. Similarly, if you have Account Engagement (Pardot), you might have 100 free Identity licenses that come with it – make sure to use them for appropriate users before buying more.
- Automate Where Possible: If you have a large user base, consider using automated user management tools or Salesforce’s own User Provisioning (if using something like Active Directory integration or Identity Connect). You can automatically adjust a user’s Salesforce license via integration when a user’s role is updated in AD or your HR system. For example, if a person moves from a sales role to an external-facing non-sales role, a workflow will be triggered to downgrade the license to identity. This reduces manual oversight and optimizes your license allocations in real time.
Negotiation and Renewal Strategies
Optimizing costs isn’t just about technical management – it’s also about how you purchase and renew your Salesforce agreement:
- Consolidate Identity License Purchases: Rather than buying Identity licenses ad hoc in small quantities, forecast your needs and buy in bulk if possible. Salesforce is more likely to give a discount on, say, 500 Identity licenses purchased at once versus buying 50 at a time. Buying in bulk during a negotiation can reduce the per-license cost.
- Time Your Negotiations: Salesforce account executives have quarterly and annual targets. We plan to discuss additional identity license needs near the end of the quarter or fiscal year-end. During these periods, when Salesforce is keen to close deals, you might secure more favorable pricing or extra freebies (like additional identity licenses thrown in).
- Multi-Year Agreements: If your organization is comfortable committing, negotiating a multi-year contract for Identity licenses can lock in pricing. Ensure that the contract allows flexibility in adjusting the number of identity licenses annually (you want the ability to reduce count if your needs drop, not just increase). Multi-year deals can sometimes cap any price escalation and provide budget certainty.
- Bundle with Other Products: If you’re also purchasing other Salesforce products (Sales Cloud, Service Cloud, Marketing Cloud, etc.), bring up your need for Identity licenses in the same conversation. As an incentive, Salesforce may bundle several Identity licenses at low or no cost. For example, “If we buy 200 Sales Cloud licenses, we want 200 Identity-Only licenses included for free to cover our other staff.” It never hurts to ask for these bundle deals.
- Leverage Competitor Solutions: As a negotiation tactic, consider alternative Identity and SSO solutions (like Okta, Azure AD Premium, etc.). Suppose Salesforce knows you are considering using an external identity provider for SSO. In that case, they may be more inclined to offer a good deal on Identity licenses to keep your identity management within Salesforce. The key is to convey that while Salesforce Identity is preferable for integration reasons, it must be cost-effective compared to standalone IAM solutions.
- Understand Support Costs: Salesforce’s subscription pricing generally includes standard support, but if you use Salesforce Identity features extensively, you might consider Salesforce’s Premier Support for quicker issue resolution when negotiating. Determine whether an elevated support package for identity features is needed, and negotiate that. (For example, if Identity is mission-critical for internal logins, you want good support SLAs.)
Real-World Example: Cost Savings Illustration
To put the benefits in perspective, consider a hypothetical enterprise scenario:
- 1,000 total employees:
- 700 are in sales, service, or operational roles that actively use Salesforce CRM daily – they have full Salesforce licenses.
- Three hundred are in other roles (finance, HR, support staff, external contractors) who do not use CRM features but need to log into some systems (email, intranet, support portal) via SSO.
Without Identity licenses, one might mistakenly give those 300 users at least a Platform Starter license at $25/user/month just to authenticate, which would cost $7,500 per month—$90,000 per year.
With Identity licenses at $5/user/month, those 300 users cost only $1,500 or $18,000 annually. Annual savings: $72,000. Over a typical 3-year contract, that’s over $200,000 saved using identity-appropriate licensing. And those users still benefit from seamless single sign-on and security.
This simple example demonstrates why optimizing who gets an Identity license matters greatly at scale.
Ongoing Management and Governance
Maintaining license optimization is an ongoing effort, not a one-time task:
- Establish a governance committee or designate an owner (often the Salesforce Platform Owner or License Manager) responsible for periodic license reviews.
- Keep documentation—Maintain a list or report of all Identity license users and their business justification. This helps in audits, and if admin staff turnover occurs, the next person will understand why certain users are identity-only.
- Stay informed about Salesforce licensing changes. Salesforce occasionally introduces new license types or changes pricing. For instance, the introduction of Salesforce Integration User licenses in 2023 gave a new opportunity to offload API users from full licenses. Similarly, changes to Identity license terms or new bundles should be on your radar to optimize costs continually.
- Collaborate with your ITAM (IT Asset Management) or SAM team. They might use tools to track software usage and can help verify that your Salesforce license usage aligns with entitlements, preventing under-utilization and overuse (compliance risks).
Treating license management as a living process ensures cost savings persist year after year without unintended compliance issues.
Recommendations
- Audit User Needs Regularly: Don’t set and forget. Conduct scheduled audits of Salesforce user activity to identify who can be downgraded to an Identity license. Remove or reassign unused full licenses promptly – this discipline directly saves money.
- Classify Users by Role: Implement an internal policy to classify new users at onboarding (CRM user vs. SSO-only user). If a role doesn’t need Salesforce data access, default them to an Identity license. This proactive approach prevents over-licensing from the start.
- Maximize Existing License Entitlements: Before purchasing new Identity licenses, ensure you have utilized any that come free with your Salesforce edition or other products (e.g., Marketing Cloud or Pardot bundling). Always consume free allotments first.
- Use Identity for SSO-Only Access: Rather than giving everyone a costly full license “just in case,” use Identity licenses to cover employees who only require single sign-on or basic Salesforce platform access (like Chatter or simple apps). This targeted allocation can drastically cut licensing costs for large organizations.
- Leverage Technology for Management: Use tools and Salesforce features (e.g., Salesforce Optimizer, reports, or third-party license management tools) to continuously monitor usage. Automation can alert you to inactive users or license misalignment, enabling quick adjustments.
- Negotiate in Bulk: When possible, purchase identity licenses in bulk during contract negotiations. Aim for multi-year commitments or bundled deals that lower the per-license cost. Engage Salesforce with clear data on your usage to get the best volume pricing.
- Educate Stakeholders: Ensure managers and IT requesters know the difference between license types. Explain that asking for a Salesforce login doesn’t always mean a $XXX full license—it could be a $5 Identity user. This awareness ensures the right ask is made and prevents unnecessary provisioning of expensive licenses.
- Monitor and Prevent Scope Creep: Over time, an identity-only user might start requesting extra access. Before granting any additional permissions that might turn them into a CRM user, consider whether upgrading their license is more appropriate. Conversely, ensure that Identity users aren’t mistakenly given access to features they aren’t licensed for (which could violate terms). Good monitoring and communication between admins prevent these issues.
- Plan for Future Needs: Monitor company growth or projects that could increase identity license needs—mergers, new applications being onboarded to SSO, etc. Forecasting and reserving budget for more Identity licenses (or freeing some from elsewhere) will avoid scrambling purchases later at potentially higher rates.
- Engage Experts if Needed: If managing Salesforce licensing becomes cumbersome, consider consulting with a Salesforce licensing expert or a SAM consultant. They can often identify overlooked optimization opportunities or negotiation levers to ensure you’re getting maximum value for your spend.
FAQ
Q1: How do I check how many Identity licenses my organization uses (and how many are available)?
A: In Salesforce, navigate to Setup -> Company Information. On that page, you’ll see a section listing all licenses. Look for “Identity” (or “Identity Only”) in the list of User Licenses. The columns will show Total Licenses, Used, and Remaining. This gives a quick snapshot of usage. Additionally, you can run a User report filtering by User License = Identity to list all users currently assigned an Identity license.
Q2: We have Salesforce Enterprise Edition – do we get any free Identity licenses included?
A: Enterprise and Unlimited Editions include the identity features for all your standard users. However, they typically do not automatically include separate Identity-Only licenses for additional users (those need to be purchased). However, Salesforce’s packaging can change, and sometimes, companies secure several free Identity licenses during sales negotiations. Developer Edition orgs include a few (like 5) identity user licenses, mostly for testing purposes. It’s best to check your contract or ask your Salesforce rep if any Identity or External Identity licenses were bundled in your purchase.
Q3: Can a user with an Identity license access Chatter or Communities?
A: An Identity user can access the Salesforce platform in a limited way – they can log in, which means they can use the App Launcher and such. Identity licenses do not have standard object or data access by default. For Chatter specifically, Salesforce used to have a “Chatter Free” or similar license for social collaboration. Identity licenses are separate; an Identity user might be able to see a Chatter feed if given access, but generally, if you want someone to use Chatter extensively, you might assign a Chatter Free license ($0 but limited) or a standard license. For Communities (Experience Cloud): Identity licenses alone won’t give external users access to community content; you’d need a community license or an External Identity license. If the user is internal and you want them in a community for employees, you can probably add them via their Identity user, but their capabilities will be limited. Always validate specific needs, as Salesforce’s license capabilities for Chatter/Communities can be nuanced.
Q4: What happens if we assign more users to Identity licenses than we have purchased?
A: Salesforce will prevent you from doing so at the point of assignment – you can’t actively assign more users than available licenses. However, if due to some oversight (like cloning a sandbox or during a true-up), you find yourself over the licensed count, it’s a compliance issue. Salesforce could bill you for the overage. In practice, Salesforce trust and compliance checks might catch if, for example, you’ve somehow gotten extra Identity users active. It’s best to keep track and purchase more licenses when approaching the limit rather than exceeding it. The Salesforce Optimizer can report on license limits and usage, which helps avoid this situation.
Q5: Can I convert an Identity license user to a full Salesforce license later if their role changes?
A: Yes. Upgrading a user from Identity to a full license is a common practice when roles evolve. To do this, you must have a full license (free or by purchasing one). Then you’d edit the user’s record in Setup, change their User License to the appropriate type (Salesforce, Platform, etc.), and assign a profile compatible with that license. Their existing user record remains; they may gain access to data and features according to the new license and profile. It’s generally seamless from the user perspective, though you should inform them if their login process or permissions will change. Always remove that Identity license assignment so it becomes free for someone else.
Q6: Are there any features Identity license users can use within Salesforce?
A: Identity users primarily authenticate and then use connected apps via SSO. They can also access the App Launcher to see tiles for apps they can launch. They can utilize things like Salesforce Identity Verification (for MFA). They might have access to the User Settings page to manage their own profile or reset their passwords. However, they won’t have access to standard CRM tabs (Accounts, Cases, etc.) unless you combine the Identity license with some special permission or if Salesforce opens limited features. In short, Identity users are considered to have “login only” access with some ability to self-serve their account settings.
Q7: How do I monitor if Identity license users use the service?
A: Track logins using Login History (available under Setup or via reports). You can filter login history by Username or Profile (you might create a special profile for Identity users). Alternatively, create a report on Users and include fields like Last Login Date. This will show you which Identity users have logged in recently. Another tip: if you have set up SSO integrations, sometimes those external apps will record usage too. However, Salesforce’s own reporting is usually enough to gauge if Identity licenses are being utilized.
Q8: We have many Identity licenses, but some have been assigned to people who left the company. What should we do?
A: Deactivate those users and free up the licenses! Salesforce licensing counts active users. If someone leaves, your admin should promptly deactivate the Salesforce user account. This frees up whichever license they were consuming (Identity or full license) for re-use. Including Salesforce de-provisioning in your HR off-boarding checklist is a good practice. Periodic audits can catch straggler accounts that might have been missed. Keeping licenses assigned to departed users is essentially money left on the table since you’re not getting any value from those licenses.
Q9: Can a full Salesforce user temporarily assign a second Identity license for SSO purposes?
A: A single user record can only have one license type at a time. However, note that any user with a full Salesforce license already inherently has the Salesforce Identity features. In other words, if you’re a Salesforce user, you can already use SSO and MFA but don’t need an Identity license. Identity licenses are specifically for those without a full license. Therefore, there’s no need (and it’s impossible) to have a user hold two license types simultaneously. If a full user only needs SSO, consider downgrading them to Identity, but they’ll lose the CRM access. It’s an either/or assignment.
Q10: What’s the difference between Identity and Integration User licenses we’ve heard about?
A: Salesforce introduced Integration User licenses intended for system-to-system integration accounts (they allow only API access, no UI access, and come with some editions for free). They serve a different purpose than Identity licenses:
- Identity licenses are for human users who must log in for SSO/authentication without full CRM access.
- Integration User licenses are for non-human integration accounts (like an API connection for middleware or an automated process) that don’t need a UI login but only API calls.
Both are cost-saving licenses: Identity saves cost by not using a full user license for SSO-only people, and Integration User saves cost by not using a full license for backend integrations. Organizations should use each appropriately to minimize the consumption of full licenses of inactive users or system accounts.
Read more about our Salesforce license management service.
