Salesforce Identity vs Identity Plus Licenses: Key Differences and Enterprise Use Cases

Salesforce offers two specialized identity management licenses – Salesforce Identity and Salesforce Identity Plus – which enable single sign-on (SSO) and robust access management without requiring full Salesforce CRM licenses.

This article clearly compares Identity vs. Identity Plus licenses for CIOs, CTOs, and IT procurement leaders, including their features, real-world cost implications, and guidance on choosing the right option for enterprise needs.

It is an advisory overview to help large organizations make informed decisions on Salesforce identity licensing.

Understanding Salesforce Identity License Options

Salesforce Identity licenses are designed for users who need authentication and access management features but do not require full CRM functionality.

There are two primary identity-focused license types:

  • Salesforce Identity License (Standard): This license provides core identity and access management features like SSO, multi-factor authentication (MFA), basic Identity Connect integration, and use of the Salesforce App Launcher for central access to connected applications. It is cost-effective (approximately $5 per user/month) and aims to extend SSO to users without paying for a full Salesforce user license.
  • Salesforce Identity Plus License: This license includes all the standard Identity features and adds enhanced security and integration capabilities, as well as more advanced identity analytics and administration tools. Identity Plus is intended for enterprises with complex identity requirements (e.g., extensive integration with on-premise directories, advanced compliance needs, or large-scale external user management). Given the extra capabilities, it typically comes at a higher cost per user (often negotiated with Salesforce).

Both license types help organizations manage user login and authentication centrally via Salesforce, but they differ in feature depth and ideal use cases, as detailed below.

Salesforce Identity License: Core Capabilities

The Salesforce Identity (standard) license enables fundamental identity and access management within Salesforce:

  • Single Sign-On (SSO) Enablement: Users can log in once via Salesforce and access multiple business applications without separate logins. It is ideal for internal employees who need unified access to various systems.
  • Multi-Factor Authentication: Enforces two or more authentication factors at login, giving identity-only users the same login protection as full-license users. Administrators can require MFA for Identity license users to meet security policies.
  • App Launcher and Connected Apps: Identity users get access to the Salesforce App Launcher, a centralized portal where they can see and launch all applications they have permissions for (e.g., Office 365, Slack, and custom enterprise apps). Administrators can configure Connected Apps for SSO so Identity-licensed users can seamlessly reach external apps through Salesforce.
  • My Domain and Branding: Organizations can use Salesforce's My Domain feature to create a custom login URL and branded page. Identity users log in via the company's custom Salesforce domain, reinforcing enterprise branding and phishing protection.
  • Basic Identity Connect Integration: Identity Connect is a tool that syncs user accounts between Salesforce and directories like Active Directory. With a Salesforce Identity license, companies can integrate basic user provisioning and password synchronization from AD to Salesforce, ensuring that Identity users are consistently managed alongside regular users.
  • Included With Enterprise Edition: Notably, all core identity services (SSO, MFA, user identity management) are included for free with standard Salesforce user licenses. The Identity license is specifically useful for additional users who need SSO access but don't have a full license. For example, if you want to allow a subset of employees or contractors to log in via Salesforce SSO to other apps (HR systems, intranet, etc.) without giving them Salesforce CRM access, the Identity license covers that scenario cheaply.

In summary, the standard Identity license covers essential SSO and authentication needs for users who only require an identity provider service from Salesforce.

Salesforce Identity Plus License: Advanced Capabilities

Salesforce Identity Plus is an upgraded offering for more demanding identity management needs. In addition to everything in the standard Identity license, Identity Plus provides:

  • Enhanced Security Features: This can include advanced passwordless login options, more granular login policies, or higher-level compliance features. For instance, Identity Plus might support more sophisticated identity verification steps or device management policies for login, which enterprises with strict security or regulatory requirements will value.
  • Advanced Integration Options: Identity Plus is built for complex environments. It offers deeper integration capabilities such as simultaneous integration with multiple identity providers, support for advanced SSO standards, or custom identity attributes. If an enterprise needs to integrate Salesforce identity with several external authentication systems or wants to act as a full federated identity provider for a wide range of apps, Identity Plus provides the flexibility to do so.
  • Comprehensive User Analytics: Under Identity Plus, administrators gain richer analytics and monitoring tools. These could include detailed reports on login history, user provisioning logs, and identity verification metrics. Large organizations benefit from these insights for auditing and compliance, such as tracking how often MFA is challenged or which applications are most accessed via SSO.
  • Higher Scale and Customization: Identity Plus licenses are often geared for higher-scale deployments. If you manage tens of thousands of identities (including possibly external identities like partners or customers under your org's identity domain), Identity Plus can handle the volume with additional configuration options. Custom identity user attributes and extended APIs for identity management may also be part of the Plus package.
  • Support and Add-Ons: In many cases, Salesforce positions Identity Plus as part of its Customer Identity or Identity for Customers solutions. If you purchase Salesforce's Customer Identity product (commonly for external user SSO), you can effectively get the Identity Plus capabilities. As such, Identity Plus often comes with dedicated support considerations and might integrate with add-on services (for example, integration with third-party identity verification or Auth0 if Salesforce resells those capabilities).

Cost Consideration: Identity Plus pricing is typically negotiated, unlike the base Identity license, which has a known ballpark price (approx. $5/user/month). It may be sold as an add-on package or in bulk.

Enterprises should be prepared for a higher per-user cost or possibly an annual subscription model (especially if tied to a customer identity solution).

However, the investment in Identity Plus can be justified for organizations that would otherwise need separate enterprise-grade Identity-as-a-Service systems – it consolidates those needs within Salesforce.

Feature Comparison: Identity vs. Identity Plus

To summarize the differences, below is a comparison of key features between Salesforce Identity and Identity Plus licenses:

| Feature/Capability | Salesforce Identity (Standard) | Salesforce Identity Plus |
|---|---|---|
| Single Sign-On (SSO) | Yes – SSO for internal/external apps via SAML/OAuth. | Yes – All standard SSO plus advanced federation options. |
| Multi-Factor Authentication (MFA) | Yes – Supports MFA for added security. | Yes – Supports MFA, possibly with additional methods (e.g., biometric integration). |
| Identity Connect (AD integration) | Basic – Sync users & passwords with one AD domain. | Enhanced – Multi-domain or advanced user provisioning workflows. |
| App Launcher & Connected Apps | Yes – Access to App Launcher for connected apps. | Yes – Same, with potential for more custom app integrations. |
| Analytics & Monitoring | Standard login history and basic usage metrics. | Large enterprise SSO centralization, complex multi-IdP environments, and high compliance needs. |
| Additional Security Policies | Standard Salesforce security policies (IP ranges, etc.). | More granular policies (device trust, geo-fencing, etc.). |
| Ideal Use Case | Small to mid-size deployments; employees needing SSO; cost-sensitive scenarios. | Yes, all standard SSO plus advanced federation options are available. |
| Cost (Licensing) | ~$5 per user/month (list price); often included for users with other licenses. | Premium pricing – negotiable, often part of Customer Identity product packages. |

Table: Key differences between Salesforce Identity and Identity Plus licenses.

Identity Plus covers all the base capabilities and extends them, which is why it's typically used when basic identity services are insufficient for the organization's needs.

Many enterprises start with standard Identity licenses and only consider Identity Plus as their user base or requirements grow.

Choosing the Right License for Your Organization

When deciding between Salesforce Identity vs. Identity Plus, enterprise decision-makers should consider the following:

  • Scale of Users and Complexity: If you have a relatively small group of internal users who simply need SSO to a handful of apps, the standard Identity license will suffice and keep costs low. However, if you plan to extend identity services to thousands of users (including possibly customers or partners) or integrate with many applications and directories, Identity Plus is designed for that scale and complexity.
  • Feature Requirements: Map out what features you truly need. For example, do you require in-depth reporting on authentication events? Do you need concurrent integration with multiple Active Directory domains or external identity providers? Do you want advanced security features like passwordless logins or integrated identity verification? Such requirements would push you toward Identity Plus. If your needs are limited to core SSO/MFA and basic user sync, Identity (standard) will be adequate.
  • Cost-Benefit Analysis: Perform a cost analysis. Standard Identity licenses are inexpensive per user, providing a high ROI when replacing more costly full licenses for SSO-only users. Identity Plus will cost more than adding another third-party IAM solution. Many enterprises find Identity Plus worthwhile because it avoids paying for a separate identity management platform for complex use cases. Ensure that the extra features of Identity Plus will truly be used; otherwise, you might overspend.
  • Trial and Pilot: It can be wise to first pilot the standard Identity license. For instance, enable a subset of users on Identity licenses and test if the provided features meet your requirements. Salesforce often allows customers to upgrade later, so you could start with Identity and only scale up to Identity Plus if gaps are identified during pilot (e.g., you hit a limitation that impacts user experience or security).
  • Edition and Bundling Considerations: Note that your Salesforce edition might influence your decision. Enterprise and Unlimited editions support these identity licenses readily. In fact, in Enterprise+ orgs, every internal user license already includes identity features for that user, and you can purchase additional Identity-Only licenses for others. If you have Salesforce products like Account Engagement (Pardot), you may already have a bundle of identity licenses included (for example, some Salesforce bundles provide a set of 100 Identity licenses at no extra charge). Such bundles can cover basic needs and delay the need for Identity Plus.

In summary, use Identity Plus only when necessary – typically when an enterprise-scale, highly integrated identity solution is needed under the Salesforce umbrella. Otherwise, maximize the use of the simpler Identity licenses for cost efficiency.

Recommendations

  • Match License to Use Case: Assess your user groups. Provide Salesforce Identity licenses to users who only need authentication (SSO/MFA) and do not require CRM functionality. Reserve Identity Plus for scenarios that truly demand its advanced features (e.g., complex multi-directory integration or extensive external user SSO).
  • Start Small, Upgrade if Needed: Begin with standard Identity licenses for a pilot group. Evaluate whether the features meet your security and integration needs. Only consider upgrading to Identity Plus after proving a clear need; this phased approach prevents overspending on unneeded capabilities.
  • Leverage Existing Entitlements: Check your current Salesforce agreements for included identity features. Many editions include identity functionality, and some packages come with free Identity licenses. Use what you already have (e.g., included identity seats from other Salesforce products) before purchasing more licenses.
  • Cost Negotiation: If you determine Identity Plus is required, negotiate with Salesforce for favorable terms. Bundle Identity Plus licensing during your enterprise agreement renewal or larger purchase – Salesforce may offer discounts when Identity Plus is included as part of a broader deal (especially end-of-quarter/year).
  • Integration Planning: For Identity Plus deployments, ensure your IT architects plan how Salesforce's identity will integrate with your existing IAM landscape. You might use Salesforce as a primary IdP or in conjunction with others. Having a clear integration strategy will maximize the benefits of Identity Plus features.
  • Training and Governance: Treat identity license management with the same governance as other Salesforce licenses. Train your Salesforce admins on managing Identity users, configuring SSO, and monitoring authentication logs. Strong governance ensures you utilize the security features (like enforcing MFA) you're paying for.
  • Monitor Usage: Use Salesforce's reporting tools or Login Forensics to track how Identity (and Plus) licenses are being used. Monitor login frequency, app usage via SSO, and any authentication failures. This will inform you if you need to adjust license counts or upgrade/downgrade license types over time.
  • Security First: Even though Identity licenses don't grant data access, they still provide entry into your enterprise systems. Apply strict security policies (IP restrictions, device trust, etc.) that are available with the license. With Identity Plus, advanced security configurations can be used to align with corporate infosec standards.

FAQ

Q1: What is the difference between Salesforce Identity and Identity Plus licenses?
A: The standard Salesforce Identity license provides core identity management features like SSO and MFA for users who don't need full CRM access. The Identity Plus license includes all those core features but adds advanced capabilities (stronger security options, more integration flexibility, detailed analytics, etc.) suited for more complex enterprise requirements. Essentially, Identity Plus is a premium tier for identity management in Salesforce.

Q2: Do Identity and Identity Plus licenses support Single Sign-On (SSO) and MFA?
A: Yes. Both license types support SSO and multi-factor authentication. Users with an Identity or Identity Plus license can use Salesforce as their single sign-on provider to log into connected applications. If MFA is enforced, these users are subject to it. The difference is that Identity Plus may support a broader range of SSO configurations and additional authentication methods.

Q3: How much does an Identity Plus license cost compared to a standard Identity license?
A: A standalone Salesforce Identity (standard) license is roughly $5 per user per month (list price), making it very affordable. On the other hand, Salesforce Identity Plus does not have a publicly listed price; it often comes as part of an upgraded package (like Customer Identity). The cost is higher per user (often several times the standard Identity price) and is typically determined through a Salesforce sales quote. Many enterprises negotiate Identity Plus pricing based on the number of users and other products they purchase.

Q4: Can I mix Identity and Identity Plus licenses in the same Salesforce org?
A: Yes, you can have a mix of both. For example, you might assign standard Identity licenses to most of your SSO-only users, but assign a subset of Identity Plus licenses to certain users or a specific identity domain if needed. However, many organizations will standardize on one type for simplicity. If Identity Plus is enabled, it often covers the whole org's identity configuration, so mixing may not be necessary unless you're gradually upgrading.

Q5: Is Salesforce Identity Plus required to integrate with Active Directory or other identity providers?
A: Not necessarily. The standard Identity license makes basic integration (such as using Salesforce Identity Connect to sync with Active Directory or using SAML to integrate Salesforce with an external IdP like Okta or Azure AD) possible. Identity Plus might be required if you have more advanced needs, like multiple Active Directory domains, complex attribute mapping, or using Salesforce as a central hub in a multi-IdP environment. For straightforward AD integration, the standard Identity license is sufficient.

Q6: Does an Identity license allow users to access Salesforce's CRM data or interface?
A: No. An Identity or Identity Plus license does not grant access to standard Salesforce CRM functionality. Users with an Identity license can log in to Salesforce (for authentication purposes and to access the App Launcher), but they cannot view or edit Salesforce records like Accounts, Opportunities, Cases, etc. Those actions require a Salesforce user license (Sales Cloud, Service Cloud, Platform, etc.). Identity licenses are strictly for identity and access management features.

Q7: Are Identity licenses available on all Salesforce editions?
A: Generally, Salesforce Identity and Identity Plus licenses are available for orgs on Enterprise, Performance, and Unlimited editions (and corresponding Government/Health Cloud editions). They may not be available or necessary on lower editions like Professional. Developer Edition orgs include a small number of free Identity user licenses for testing purposes. You'd purchase Identity licenses as an add-on to your edition if needed for production use.

Q8: Can we easily upgrade existing Identity users to Identity Plus?
A: Converting a user from Identity to Identity Plus would involve purchasing Identity Plus licenses and then reassigning the user. Salesforce license management allows an admin to change a user's license type, but only if there's an available license of the target type. So, you would coordinate with Salesforce to add Identity Plus licenses to your org, then update those users. It's a relatively straightforward administrative change once the licenses are provisioned. There's no complex user data migration since both licenses deal with authentication (the user's identity remains the same).

Q9: What are some typical use cases for choosing Identity Plus?
A: Common scenarios for Identity Plus include:

  • Very large enterprises that use Salesforce as a central identity provider for employees, contractors, partners, and maybe customers, requiring top-tier security and scalability.
  • Organizations with stringent compliance requirements that need detailed tracking of authentication events and policy controls (for example, a financial institution needing to enforce specific login compliance rules).
  • Businesses that want to implement advanced login methods (single sign-on combined with passwordless or biometrics) under one roof.

If your use case is more straightforward and doesn't fall into these categories, the standard Identity license usually suffices.

Q10: Does the Identity Plus license come with Salesforce Customer Identity (for external users)?
A: Yes, Salesforce Customer Identity is powered by Identity Plus features. When you purchase Salesforce's Customer Identity solution (often used for large-scale customer or partner login scenarios), you buy a bundle enabling Identity Plus capabilities in your org. In this sense, "Customer Identity" is like a packaged use of Identity Plus targeting external community users. So, if you have that, you likely have the Identity Plus level of functionality, but it will be applied for those external use cases. You would still manage Identity/Identity Plus licenses separately as needed for internal users.

Author
  • Fredrik Filipsson has 20 years of experience in Oracle license management, including nine years working at Oracle and 11 years as a consultant, assisting major global clients with complex Oracle licensing issues. Before his work in Oracle licensing, he gained valuable expertise in IBM, SAP, and Salesforce licensing through his time at IBM. In addition, Fredrik has played a leading role in AI initiatives and is a successful entrepreneur, co-founding Redress Compliance and several other companies.
