Salesforce Identity Licenses: Cost Optimization Strategies for Enterprise ITAM
Salesforce Identity Licenses enable enterprises to extend secure single sign-on (SSO) and user access management capabilities without requiring full Salesforce CRM licenses.
This advisory outlines how global IT Asset Management (ITAM) professionals can leverage Salesforce Identity Licenses to optimize costs, avoid common licensing pitfalls, and negotiate more favorable deals โ all while maintaining robust security and a seamless user experience.
Understanding Salesforce Identity Licenses
Salesforce Identity Licenses are specialized user licenses focused on identity and access management features.
They provide capabilities such as SSO, multi-factor authentication (MFA), and centralized user access control,ย withoutย granting users access to core Salesforce CRM data or functionality.
In essence, an Identity license creates a Salesforce user record purely for authentication purposes.
This means the user can log in to Salesforce (or via Salesforce to other integrated apps) but cannot use standard CRM modules, such as Accounts, Opportunities, or Cases.
Why do these licenses exist?
For most Salesforce editions, any user with a paid Salesforce license automatically gets identity features included. However, large enterprises often have users who need to log in to Salesforce as an identity provider without needing a full Salesforce license.
Rather than paying for an expensive CRM license for these users, companies can assign a low-cost Identity and Access Management (IAM) license.
This is ideal for scenarios where Salesforce is used as the central login hub (for example, via the App Launcher) or as an Identity Provider for other business applications. In short, Salesforce Identity Licenses fill the gap for users who require secure access and SSO, but do not need Salesforceโs CRM capabilities.
When to Use Salesforce Identity Licenses
Salesforce Identity Licenses are most useful when you have users who only require authentication and basic access, rather than the full Salesforce feature set.
Common enterprise use cases include:
- SSO-Only Employees: Staff who must log in via Salesforce to access other integrated applications (HR systems, intranets, etc.) but do not use Salesforceโs apps. For example, an HR contractor who needs to access a Salesforce-connected payroll system can use an Identity license for single sign-on.
- Pardot/Marketing Users: Organizations using Account Engagement (Pardot) encountered this scenario when Salesforce required all Pardot users to log in via Salesforce. Instead of purchasing Sales Cloud licenses for marketing users, companies assign Identity licenses, allowing those users to authenticate and continue using Pardot (now via the Salesforce interface) without full CRM access.
- Executives or Light Users: Sometimes senior executives or certain roles only need to view dashboards or receive Chatter updates. An Identity license (potentially paired with a Chatter Free license, which is included) allows them to log in, view basic information, and collaborate without a costly CRM license.
- Multi-System Access: If your Salesforce is set up as a federated Identity Provider, a single Salesforce Identity License for an employee can authorize that person across multiple systems (Salesforce and connected third-party apps). This simplifies user management and improves security by centralizing authentication.
Key benefit: Cost savings. Instead of assigning a $150+/month full Salesforce license to someone who logs in just to access a connected app, you assign a ~$5 Identity license.
Over hundreds or thousands of users, this significantly reduces spend. Additionally, using a unified identity platform can improve security (with Salesforce handling MFA, login policies, etc.) and user convenience (with a single login for multiple apps).
The trade-off is that Identity-licensed users canโt use Salesforceโs business functionality โ so you should only assign it to users who genuinely donโt require CRM features.
Salesforce Identity License Types and Costs
Salesforce currently offers several variants of Identity licenses to meet different needs. Itโs essential to select the most suitable type for your specific situation to maximize value.
Below is a comparison of the common Identity license options:
License Type | Intended Users | Key Features | Approx. Cost (USD) | Notes |
---|---|---|---|---|
Identity (Standard) | Internal users needing SSO & basic access | SSO, MFA, App Launcher, basic user profile | ~$5 per user/month (list) | Core identity features. Included with any full Salesforce license, or can be purchased standalone for users without CRM licenses. |
Identity Plus | Internal users requiring directory integration (e.g. Active Directory sync) | All Standard features + Identity Connect (AD/LDAP integration, advanced provisioning) | ~$6 per user/month (list) | Adds integration to on-prem directories and enhanced security features. Essentially the Standard license plus an add-on for directory connectivity (often +$1 extra). |
External Identity | External users (customers, partners) accessing via Experience Cloud portals | External SSO, self-service login/registration, basic identity for community users | Varies (usage-based or volume-based) | Designed for customer/partner identity management. Often provided in volume (e.g. per-login pricing) or included with community site licenses. Allows non-employees to log in to portals without full licenses. |
Notes on pricing: The listed prices (~$5-$6) serve as a starting point. Enterprise customers can often negotiate discounts, especially when purchasing a large volume of Identity licenses or bundling them as part of a larger Salesforce agreement.
In some cases, Salesforce has provided a limited number of Identity licenses at no charge to support specific products (for example, bundling 100 free Identity users with a Pardot purchase to facilitate the transition).
Always check your contract details โ you may already have some Identity user licenses included, or you can negotiate additional ones at renewal time.
Conversely, remember that if a user already has a Salesforce user license (such as a Sales Cloud or Platform license), they donโt need a separate Identity license โ all the identity features are already included for them.
Negotiation and Licensing Pitfalls
Like any Salesforce licensing topic, Identity licenses come with their own set of considerations during negotiation and usage.
ITAM professionals should be mindful of the following pitfalls and negotiation tips:
- Donโt Overlook Identity Licenses in Negotiations: A common mistake is simply not including Identity licenses in your Salesforce negotiations. Salesforce reps may focus on selling higher-cost CRM licenses and might not volunteer the Identity license option. Be proactive โ when discussing your contract or renewal, explicitly address your needs for SSO-only users and ask for a pool of Identity licenses. This ensures youโre not paying for full functionality that certain users wonโt use.
- Volume Discounts and Bundling: If you anticipate needing a large number of Identity licenses (for example, hundreds or thousands of employees for SSO), consider negotiating in bulk to take advantage of volume discounts and bundling opportunities. Salesforce is often willing to provide better pricing per user when you commit to a larger quantity or a multi-year term. You might bundle Identity licenses as part of an enterprise agreement โ for instance, negotiating a fixed rate or even a certain amount of free Identity licenses in exchange for a larger deal on Sales/Service Cloud.
- Understand Edition Constraints: Ensure your Salesforce edition supports Identity-only licenses. (Enterprise and Unlimited editions do support them, and typically, you can purchase Identity licenses for those orgs. In some lower editions or older contracts, there might be limitations, so double-check.) This ties to negotiation: if youโre upgrading editions, confirm that Identity licenses will be available to you.
- Pitfall โ Paying for Unused Functionality: One major cost pitfall is paying for expensive licenses for users who only needed SSO. Weโve seen enterprises inadvertently assign full Salesforce licenses to users, such as contractors or content editors, who ultimately only use the login capability or Chatter. This wastes the budget. The remedy is to regularly review user roles (more on that in cost optimization) and downgrade such users to Identity licenses. Itโs crucial to communicate internally so managers know an Identity license user will not have CRM access โ avoiding scenarios where someone is assigned the wrong license type.
- Pitfall โ Forgetting Identity Plus Needs: If your IT environment requires integration with Active Directory or another external directory for user provisioning, you will likely need Identity Plus licenses. Forgetting to account for that can be a contractual and technical pitfall. The cost difference is small per user, but itโs a separate license type โ ensure that you include some Identity Plus licenses in your agreement if you plan to use Salesforceโs Identity Connect for AD synchronization. Negotiating the $1 add-on across thousands of users can still yield savings, so itโs worth addressing.
- Renewal Surprises: Like all Salesforce products, the list price of Identity licenses can increase over time, or initial discounts can expire. A smart negotiation move is to cap any year-over-year price increases for these licenses or lock in a pricing tier for the duration of your contract. Otherwise, a $5 license could jump in cost at renewal. Also, clarify any โincludedโ free Identity licenses you have โ are they perpetual or just promotional for a year? Avoid unpleasant surprises by getting these details in writing.
Maximizing Value and Cost Optimization
Salesforce Identity Licenses present a clear opportunity for cost optimization in your Salesforce ecosystem. To maximize value, enterprises should integrate Identity licenses into their overall license management strategy.
Here are ways to maximize benefits and minimize spend:
- Right-Size Users to Identity Licenses: Regularly audit your Salesforce user list and identify who truly only needs identity access. Common candidates are users who log in for SSO or basic access but never create or modify Salesforce records. By right-sizing these users to an Identity license, you free up expensive full licenses for those who need them. For example, if a finance team member is given a Sales Cloud license solely to view a dashboard once a month, thatโs a prime candidate to switch to an Identity license, along with a read-only dashboard share.
- Combine with Other Low-Cost License Types: Salesforce offers additional license types, such asย Platform licenses,ย Chatter Free, and Read-Only profiles. In many cases, an Identity license can be used in conjunction with these to precisely tailor access. An Identity license covers the SSO/authentication piece, while a Platform license (at a lower cost than a full CRM) could cover limited data access. Designing a tiered license approach, which provides each user with the most cost-effective license that meets their usage needs, can significantly reduce costs. Identity licenses often serve as the base layer for the lowest-usage internal users.
- Leverage Included Identity Licenses First: Check if your organization already has some Identity licenses bundled with your existing Salesforce products. As mentioned, Salesforce has occasionally included several free Identity (or External Identity) licenses with products such as Experience Cloud or Marketing Cloud. Ensure youโre utilizing those allocations fully. If you have, say, 100 free Identity-only users included and only 50 are assigned, thatโs 50 more people who could be taken off full licenses or a third-party SSO service, saving money.
- Monitor and Reevaluate Regularly: Optimization is not a one-time task. Implement a governance process to review license assignments periodically (e.g., quarterly). As staff roles change or projects end, you may find new opportunities to downgrade a user to Identity status (or, conversely, someone with an Identity license now needs full access, in which case, plan to upgrade and purchase an appropriate license). Keeping a close eye ensures that you capture cost savings in real-time and stay in compliance.
- Consider Identity License vs. External SSO Solutions: Some enterprises use third-party Identity providers (e.g., Okta, Azure AD) in front of Salesforce. If you already invest in an external SSO solution for your employees, you may choose to use that instead of relying on Salesforce Identity for internal users. However, even in those cases, Identity licenses can be relevant for specific scenarios (like the Pardot example, or if using Salesforce Communities). The cost optimization point is: donโt pay for capabilities twice. If Salesforce Identity features add value that youโd otherwise pay another vendor for, factor that in. Conversely, if you have an enterprise IdP, focus Salesforce Identity licenses on areas where Salesforce is uniquely needed.
- Security and Compliance Benefits: Maximizing value isnโt just about cost โ itโs also about what you gain in return. By using Salesforce Identity Licenses, you enforce strong security (Salesforceโs trusted authentication protocols, MFA, and login history tracking) for those users. For compliance-focused enterprises, having all user access managed through Salesforce can simplify audits and reporting. The takeaway: youโre saving money and potentially improving security posture โ a win-win that can help justify the approach to stakeholders.
By thoughtfully integrating Salesforce Identity Licenses into your license portfolio, you ensure that each user is operating on the most economical license for their needs, and you minimize waste.
The result is a leaner Salesforce cost structure that does not sacrifice functionality or security.
Recommendations
Practical Tips for ITAM Professionals:
- Identify SSO-Only Users: Proactively flag users in your organization who only require login capabilities (authentication) and no CRM functionality. Common examples are users of connected apps, occasional report viewers, or community users. Plan to assign these accounts a Salesforce Identity License instead of a full license.
- Educate Stakeholders: Ensure that your IT, finance, and procurement teams understand what Salesforce Identity Licenses are and when to use them. Often, licenses get over-assigned due to a lack of awareness. A brief training session or internal guideline can prevent overspending on unnecessary full licenses.
- Audit and Reassign Regularly: Conduct quarterly (or at least annual) license audits. Use Salesforceโs usage data to find users with infrequent or SSO-only activity. Downgrade those users to Identity licenses where appropriate. This practice immediately cuts costs and should be part of your normal license true-up process.
- Negotiate During Renewals: Donโt wait for Salesforce to offer โ bring up Identity licenses in every contract renewal or expansion discussion. Ask for volume discounts if you need many, and try to bundle them into your agreement (e.g., โWeโll purchase 500 Identity licenses at a 20% discountโ or negotiate some free allotment). Salesforce is more open to concessions on lower-cost items when they are part of a larger deal.
- Leverage Included Licenses: Check your org for any free identity or external identity licenses already available. For instance, if you use Experience Cloud, you might have external identity capacity that can be used for partners or customers. Use these before making a purchase. Itโs an easy cost win.
- Plan for Identity Plus if Needed: If your enterprise uses Active Directory or another directory service and intends to sync it with Salesforce, plan to obtain Identity Plus licenses. Include those in negotiations as well โ even though the cost increment is small, you want the licensing squared away upfront.
- Combine with Other License Optimization: View Identity licenses as a single tool in the broader toolbox of Salesforce license optimization. For example, also utilize Salesforce Platform licenses for users who require limited data access but not full CRM functionality, and Integration licenses for system accounts. A combination of these strategies yields the best overall savings.
- Document License Decisions: Maintain documentation on why certain users have Identity licenses vs. full licenses. This helps defend your choices during any internal review or if Salesforce ever inquires. It shows a deliberate strategy and can be useful evidence in negotiations (e.g., demonstrating that you smartly manage licenses can support your case for better pricing).
- Monitor the Salesforce Roadmap:ย Keep an eye on Salesforce product updates and policy changes related to identity. For instance, if Salesforce were to alter the number of Identity licenses included with a product or change its pricing, you would want to know about it early. Aligning your strategy with Salesforceโs roadmap (such as their push for all users to have a unified identity) can sometimes lead to incentives or special programs that benefit your company.
Checklist: 5 Actions to Take
A step-by-step plan for optimizing with Salesforce Identity Licenses:
- Audit Current Users and Access Needs: Review all user accounts in your Salesforce org. Identify which users do not use any CRM functionality (look for users who only log in for SSO or have very limited activity). Compile a list of these potential Identity-only users.
- Consult Salesforce & Confirm License Availability: Contact your Salesforce account executive or refer to Salesforce documentation to confirm the number of Identity licenses you already have and ensure your edition supports the required number. If you have freebies (e.g., included with Pardot or Communities), note how many. Determine the number of additional Identity or Identity Plus licenses required for the users identified in Step 1.
- Secure Favorable Terms in Your Contract: As you approach a renewal or an add-on purchase, negotiate for the required Identity licenses. Aim for bulk pricing or multi-year commitments for discounts. Ensure any needed Identity Plus (for directory integration) is included. Get any promises (like โX free licensesโ or price locks) in writing in the contract.
- Implement and Reassign Licenses: In your Salesforce setup, create or convert user accounts to use the Identity license type as planned. For each user identified for downgrade, change their license assignment to Identity (and appropriate profile/permissions for SSO). Test that each user can still log in and access the intended connected apps. Communicate these changes to the users if needed (since their Salesforce UI access will be limited).
- Monitor, Educate, and Adjust: After implementation, monitor the usage of Identity licensed users to ensure the solution meets their needs. Educate new hires and managers that if a user doesnโt need Salesforce functionality, they should be set up with an Identity License by default. Continuously update your internal license inventory and repeat the audit process every quarter to identify new optimization opportunities.
FAQ
Q: What is a Salesforce Identity License in simple terms, and who should have one?
A: A Salesforce Identity License is a low-cost user license intended purely for login and identity management purposes. It allows a user to authenticate via Salesforce (with SSO, MFA, etc.) without granting them access to Salesforceโs sales, service, or other CRM features. You assign it to users who only need to log in to Salesforce to access other apps or very basic functionality (such as viewing a portal or using Chatter), not to those who work within Salesforce CRM modules.
Q: If we already use Salesforce, do we need to buy Identity licenses separately?
A: It depends. Every user with a standard Salesforce license (e.g., Sales Cloud, Service Cloud, or Platform license) already has identity features included, so a separate Identity license is not required for them. However, for individuals who doย notย have a Salesforce license and still need to log in (for example, an external consultant or a team memberย using a connected app), you would purchase Salesforce Identity licenses for those individuals. In short, you only buy Identity licenses for users who donโt have another paid Salesforce user license. Many organizations purchase these in addition to covering all their SSO-only accounts.
Q: How much do Salesforce Identity Licenses cost, and can we get volume discounts?
A: The list price is around $5 per user per month for a standard Identity license (and roughly $6 per user/month for Identity Plus with advanced directory integration). These prices are often negotiable. Enterprises buying in bulk or as part of a larger deal can secure discounts below the list price. Itโs common to negotiate a discounted rate or get several Identity licenses included at no cost if youโre also making a big investment in Salesforceโs core products. Always negotiate โ Salesforce expects it, especially on large user quantities.
Q: Can external customers or partners use Identity licenses to log in to our systems?
A: There is a separate concept called the External Identity license for non-employee users. External Identity licenses allow customers or partners to log in via your Salesforce identity (typically through an Experience Cloud site or customer portal). These are usually priced differently โ often on a per-login basis or as a high-volume user license โ because companies might have tens of thousands of external users. Often, if you have an Experience Cloud (community) license, you receive some external login capacity included. So, yes, external users can leverage Salesforce identity services, but you wouldnโt use the standard $5 internal Identity license for them; instead, you would use the external identity or community licenses designed for that scenario.
Q: Whatโs the difference between Salesforce Identity and Salesforce Identity Plus?
A: Identity (Standard) provides the core identity management features: single sign-on, multi-factor auth, user profile, connected apps, and so on. Identity Plus includes everything in the standard version but addsย Identity Connectย capabilities โ essentially, out-of-the-box integration with enterprise directories, such as Active Directory, and possibly advanced security features. Identity Plus is ideal if you want Salesforce to sync and manage users in coordination with your corporate directory. If you donโt need that (for example, if you manage users only in Salesforce or via API), the standard Identity license is sufficient. The cost difference is small (Identity Plus is roughly an extra $1 per user), but it requires specifically purchasing the โPlusโ version.
Read more about our Salesforce license management service.