A comprehensive guide for CIOs, CTOs, and IT Asset Managers on optimising Salesforce Identity licences. Covers strategies for identifying SSO-only users, avoiding overspending on full CRM licences, monitoring and adjusting allocations, negotiation tactics, and a real-world savings illustration — ensuring maximum value from your Salesforce investment while maintaining secure access management.
Not every user who logs into Salesforce or connected systems needs a full CRM licence. Salesforce Identity licences allow users to authenticate via Salesforce (SSO, MFA) without incurring the cost of a standard CRM user seat.
| Licence Type | Typical Cost (Monthly) | Use Case |
|---|---|---|
| Sales / Service Cloud (Enterprise) | $150+/user | Full CRM access — sales, service, reporting |
| Sales / Service Cloud (Professional) | $75–$100/user | Standard CRM features |
| Platform Starter | ~$25/user | Custom apps, limited CRM objects |
| Identity Only | ~$5/user | SSO, MFA, App Launcher — no CRM data access |
| Integration User | Free (with editions) | API-only system accounts — no UI access |
Reassigning a user who only needs login capabilities from a full licence ($25–$150/month) to an Identity licence (~$5/month) saves $20–$145 per user per month. At scale, this is transformative.
Identity licences make it affordable to extend single sign-on to the entire workforce — employees, contractors, and even some external users. Without them, companies pay for full CRM licences just to offer SSO.
Organisations often overprovision full licences to users who rarely touch Salesforce's core features. An executive viewing an occasional dashboard or an HR staff member accessing a portal doesn't need a $150/month CRM seat.
A crucial step is determining which users are best suited for Identity licences rather than full CRM licences.
Users who don't actively work inside Salesforce CRM (entering records, running reports) are prime candidates. Common examples: HR and finance staff accessing integrated tools, executives viewing occasional dashboards, contractors needing tool access via SSO.
If Salesforce serves as an authentication hub for other enterprise apps (Office 365, Google Workspace, custom apps), many users may not need Salesforce itself. A field technician using a mobile app that authenticates through Salesforce needs only an Identity licence.
Employees whose roles changed (e.g., moved from sales to a non-sales role) may no longer use CRM features but retain expensive licences. Rather than leaving their full licence allocated, downgrade to Identity — they still authenticate, but you free up a costly seat.
Internal employees who only need to log into a non-Salesforce platform where Salesforce serves as the Identity Provider (IdP) can be covered by Identity licences. For external users, consider External Identity licences (a related concept).
Set a quarterly or biannual schedule. Identify full-licence users who haven't logged in or had minimal activity over 3–6 months, and SSO-only users who could be downgraded. Also check if any Identity users now need full access — optimisation works both ways.
Define a process for requesting Salesforce access with a decision tree: Does the user need CRM data access? → Full licence. Only SSO or portal? → Identity licence. Institutionalising this prevents knee-jerk assignment of full licences to everyone.
Grant specific additional access to Identity users via permission sets without upgrading to full licences. If an Identity user needs access to a single custom object or simple approval form, a permission set + connected app may suffice.
Use Salesforce reports or the Optimizer tool to track how Identity holders use the system. Never-logging-in Identity users should be reduced at renewal. Identity users hitting limitations frequently may need a different licence type.
Many orgs get Identity licences included free with certain editions. Account Engagement (Pardot) often includes 100 free Identity licences. Integration User licences (API-only, free) can also offload system accounts. Always consume free allotments before purchasing more.
For large user bases, use automated provisioning tools (Active Directory integration, Identity Connect). When a user's role changes in AD/HR system, a workflow triggers the licence downgrade or upgrade automatically — reducing manual oversight and optimising allocations in real time.
Forecast your needs and purchase Identity licences in volume rather than ad hoc. Salesforce is more likely to discount 500 licences at once versus 50 at a time. Consolidate during contract negotiations for maximum leverage.
Salesforce account executives have quarterly and annual targets. Discuss Identity licence needs near quarter-end or fiscal year-end when Salesforce is keen to close deals — you'll secure better pricing or freebies.
Multi-year contracts can lock in pricing and cap escalation. Ensure the contract allows flexibility to adjust licence counts annually (ability to reduce, not just increase). This provides budget certainty with downside protection.
If purchasing Sales Cloud, Service Cloud, or Marketing Cloud, bring up Identity licences in the same conversation. Ask Salesforce to bundle Identity licences at low or no cost as part of the larger deal.
Reference alternative SSO solutions (Okta, Azure AD Premium, Ping Identity). If Salesforce knows you're considering an external identity provider, they may offer better Identity licence pricing to keep identity management within the Salesforce ecosystem.
If Identity is mission-critical for internal logins, consider negotiating Premier Support for faster issue resolution. Factor support costs into the overall Identity licence economics — and negotiate them as part of the package.
| Metric | Without Identity Licences | With Identity Licences |
|---|---|---|
| Total Employees | 1,000 | |
| Active CRM Users | 700 (full licence) | 700 (full licence — unchanged) |
| SSO-Only Users | 300 × Platform Starter @ $25/mo | 300 × Identity @ $5/mo |
| Monthly Cost (SSO Users) | $7,500 | $1,500 |
| Annual Cost (SSO Users) | $90,000 | $18,000 |
| Annual Savings | — | $72,000 |
| 3-Year Contract Savings | — | $216,000+ |
In this scenario, 300 employees in finance, HR, support, and contractor roles don't use CRM features but need SSO access. By assigning Identity licences instead of Platform Starter, the organisation saves $72,000 annually — over $200,000 across a typical 3-year contract — while users retain seamless single sign-on and security.
Maintaining licence optimisation is an ongoing effort, not a one-time task.
Designate a Salesforce Platform Owner or Licence Manager responsible for periodic licence reviews. A governance committee for larger estates ensures cross-functional accountability.
Keep a list of all Identity licence users with business justification. This helps during audits, admin staff turnover, and renewal negotiations — the next person will understand why certain users are Identity-only.
Salesforce periodically introduces new licence types or changes pricing. The 2023 introduction of Integration User licences created new optimisation opportunities. Keep new licence types and bundles on your radar.
IT Asset Management teams use tools to track software usage and can verify that Salesforce licence usage aligns with entitlements — preventing both under-utilisation and overuse (compliance risk).
Don't set and forget. Conduct scheduled audits of user activity to identify who can be downgraded to Identity. Remove or reassign unused full licences promptly — this discipline directly saves money.
Implement an internal policy to classify new users at onboarding: CRM user vs SSO-only user. If a role doesn't need Salesforce data access, default to an Identity licence. This prevents over-licensing from the start.
Before purchasing new Identity licences, utilise any that come free with your Salesforce edition, Pardot, Marketing Cloud, or other products. Always consume free allotments first.
Rather than giving everyone a costly full licence "just in case," use Identity licences to cover employees who only require single sign-on or basic platform access (App Launcher, Chatter). This targeted allocation drastically cuts costs.
Use Salesforce Optimizer, reports, or third-party licence management tools to continuously monitor usage. Automation can alert you to inactive users or licence misalignment, enabling quick adjustments.
Purchase Identity licences in volume during contract negotiations. Aim for multi-year commitments or bundled deals that lower per-licence cost. Present clear usage data to get the best volume pricing.
Ensure managers and IT requesters understand the difference between licence types. "I need a Salesforce login" doesn't always mean a $150 full licence — it could be a $5 Identity user. Awareness prevents unnecessary provisioning.
Monitor if Identity users start requesting extra access. Before granting permissions that would make them CRM users, evaluate whether a licence upgrade is appropriate. Ensure Identity users aren't given features they're not licensed for.
Monitor company growth, mergers, and new applications being onboarded to SSO. Forecast Identity licence needs to avoid scrambling at higher rates. Reserve budget proactively.
If managing Salesforce licensing becomes complex, consult a Salesforce licensing specialist who can identify overlooked optimisation opportunities and negotiation levers for maximum value.
Navigate to Setup → Company Information. The licence section lists Total Licences, Used, and Remaining for each type including "Identity" or "Identity Only." You can also run a User report filtering by User Licence = Identity to list all assigned users.
Enterprise and Unlimited Editions include identity features for standard users, but typically don't include separate Identity-Only licences automatically. However, companies often secure free Identity licences during negotiations. Developer Edition orgs include ~5 for testing. Check your contract or ask your Salesforce rep about bundled allotments.
Identity users can log in and use the App Launcher in a limited way but don't have standard CRM object or data access. For Chatter, consider Chatter Free licences ($0 but limited). For Communities (Experience Cloud), Identity licences alone won't provide access — you'd need community or External Identity licences. Capabilities are nuanced, so validate specific needs.
Salesforce prevents over-assignment at the point of allocation — you can't actively assign more users than available licences. If an oversight occurs (sandbox cloning, true-up issues), it's a compliance issue that Salesforce could bill for. Use the Salesforce Optimizer to monitor licence limits and purchase more before approaching the cap.
Yes — this is common when roles evolve. Edit the user's record in Setup, change their User Licence type, and assign a compatible profile. The user record remains; they gain access to features according to the new licence. The freed Identity licence becomes available for someone else.
Identity users primarily authenticate and launch connected apps via SSO. They can access the App Launcher, use MFA/Identity Verification, and manage their own user settings (profile, password reset). They cannot access standard CRM tabs (Accounts, Cases, Opportunities, etc.) unless combined with special permissions.
Track via Login History (Setup or reports), filter by Username or Profile. Create a User report including Last Login Date to identify unused Identity licences. External SSO-integrated apps may also log usage. Salesforce's own reporting is usually sufficient.
Deactivate those users immediately to free up licences. Include Salesforce de-provisioning in your HR offboarding checklist. Periodic audits catch straggler accounts. Keeping licences assigned to departed users is money left on the table.
No — a single user record can only hold one licence type at a time. But full Salesforce users already inherently have Identity features (SSO, MFA). Identity licences are specifically for users without a full licence. There's no need or ability to hold two licence types simultaneously.
Identity licences are for human users who need SSO/authentication without CRM access. Integration User licences are for non-human system accounts (API connections, middleware, automated processes) that need API access but no UI login. Both are cost-saving alternatives to full licences — use each for its intended purpose to minimise full-licence consumption.
Share your Salesforce estate details. We'll assess your licence allocations, identify Identity licence savings opportunities, and build a negotiation strategy — typically within 48 hours.