What Salesforce Identity Licenses Actually Cover
Salesforce Identity is a set of features that enables single sign-on (SSO), multi-factor authentication (MFA), connected app management, and user authentication across Salesforce orgs and third-party applications. Identity capabilities are bundled into most standard Salesforce user licenses at no additional cost, but the licensing model becomes complex when organizations need to provision users who require only authentication services and no full CRM functionality.
The core principle to understand is that Identity features come packaged with full Salesforce licenses. The cost optimization challenge arises specifically in two scenarios: when you have internal users who need SSO but no CRM access, and when you have large populations of external users such as customers, partners, or portal visitors who need authentication services but nothing more.
Identity Only License
The Identity Only license is Salesforce's standalone offering for internal users who need access to Identity features, primarily SSO to connected apps, without requiring a full CRM or platform license. At $5 per user per month as a standalone purchase, this license grants access to the My Domain feature, SSO to connected applications, user profile management, and the Salesforce Authenticator app. The critical constraint is scope: Identity Only users cannot access Salesforce CRM objects, run reports, or interact with any standard Salesforce application beyond Identity services. Organizations that provision Identity Only licenses for users who later need occasional CRM access face an immediate upgrade requirement, often at substantially higher cost.
External Identity License
The External Identity license is designed for customer- and partner-facing use cases. It enables external users, including customers, purchasers, patients, dealers, and portal visitors, to self-register, authenticate via SSO or social identity providers such as Google, Facebook, and LinkedIn, manage their profiles, and access connected sites and applications. External Identity licensing is typically priced per user or as part of an Experience Cloud site license. External Identity supports modern authentication patterns including passwordless login via email or SMS verification codes, social sign-on, and SAML-based federation. This license is the appropriate choice when building a customer portal, self-service support site, or partner community that requires authentication but does not require deep CRM interaction.
Identity Included in Enterprise and Unlimited Editions
Organizations running Enterprise Edition or Unlimited Edition receive 100 Identity licenses included with Account Engagement at no additional cost. Full Salesforce user licenses at Enterprise tier and above include all core Identity features including SSO, MFA, connected app policies, and directory integration without any supplemental Identity license requirement. This is the most overlooked cost optimization: many organizations purchase standalone Identity licenses for users who already have full Salesforce licenses where Identity is included as standard.
Where Enterprise Organizations Over-Spend on Identity
In over 500 Salesforce contract engagements, Redress Compliance has consistently identified the same patterns of Identity license overspend. Understanding these patterns is the first step toward cost reduction.
Case Example: In one engagement, a mid-market financial services organization faced $340,000 in annual Identity license overspend due to provisioning full Platform licenses for 500+ SSO-only employees. Redress identified the misalignment, right-sized the license pool to Identity Only licenses, and negotiated pricing reductions on External Identity for their customer portal. The engagement delivered $220,000 in annual savings. The engagement fee was less than 8% of the first-year exposure.
Pattern 1: Full Licenses for SSO-Only Users
The most common and most expensive overspend pattern is provisioning full Salesforce Platform or Sales Cloud licenses for users who interact with Salesforce only as an identity provider, for example employees who use Salesforce as the authentication gateway for other enterprise applications but never log into Salesforce itself. A Platform license at $25 per user per month versus an Identity Only license at $5 per user per month represents an 80 percent cost reduction per user. For organizations with 500 SSO-only users, this translates to approximately $120,000 per year in unnecessary spend, before applying the standard 8 to 10 percent annual uplift that Salesforce embeds in standard Order Form contracts.
Pattern 2: External Identity Purchased at List Price
External Identity licenses for customer-facing portals are commonly purchased at Salesforce list pricing without negotiation. Enterprise buyers with large external user populations have significant leverage to negotiate External Identity pricing, particularly when committed volumes exceed 50,000 users. Negotiated rates on External Identity licenses range from 40 to 65 percent below list price when buyers enter renewals with a clear external user strategy and competitive alternatives identified.
Pattern 3: Duplicate Identity Provisioning
Organizations with both full Salesforce licenses and Experience Cloud sites often provision External Identity licenses for the same users who already hold internal Salesforce licenses. An internal Salesforce user with a full license automatically has access to Identity services for both internal and external use cases. Separately purchasing External Identity for these users is duplicative spend that Salesforce's licensing team rarely flags proactively.
Pattern 4: Inactive Identity-Only Users
Identity Only licenses assigned to employees who have left the organization or changed roles are a persistent source of waste. Unlike full Salesforce licenses where inactive access creates compliance risk, inactive Identity Only assignments are often left undiscovered for 12 to 24 months. A quarterly audit of Identity license assignments, checking last login date and active directory status, is the minimum governance required to avoid paying for unused identity access.
Five Practical Optimization Strategies
Strategy 1: Conduct a License-Type Audit Before Renewal
The most impactful optimization action is a systematic audit of every Identity and Identity-adjacent license assignment, conducted 6 to 9 months before contract renewal. The audit should map each user to their actual usage pattern: do they log into Salesforce CRM? Do they use Salesforce only as an SSO provider for other apps? Are they external users accessing a portal? Are they no longer active? The output of this audit is the factual basis for a right-sizing negotiation with Salesforce at renewal. An 8 to 10 percent annual uplift applied to an oversized license pool is far more expensive than investing time in a pre-renewal audit.
Strategy 2: Leverage Bundled Identity in Account Engagement
If your organization uses Account Engagement, confirm whether you are utilizing the 100 Identity licenses included at no additional cost. Many procurement and IT teams are unaware of this entitlement. Depending on your SSO-only user population, this bundled allocation may satisfy a significant portion of your standalone Identity license requirement, eliminating costs entirely for that user segment.
Strategy 3: Negotiate External Identity Volumes as a Contract Line Item
When negotiating or renewing a Salesforce contract that includes External Identity licenses for customer portals or partner communities, treat External Identity as a distinct negotiation line item rather than accepting a bundled discount. Salesforce field teams have discretion to reduce External Identity pricing significantly when buyers present a committed volume forecast and demonstrate awareness of alternative identity platforms such as Okta Customer Identity Cloud or Auth0, which compete directly with Salesforce External Identity for B2C and B2B use cases.
Strategy 4: Implement a Quarterly License Reclamation Process
Establish a quarterly process to identify and reclaim Identity licenses from inactive users. The criteria should include no login activity in the prior 45 to 60 days and verification against current HR or active directory records. Reclaimed licenses should be returned to the unassigned pool and deducted from the next renewal quantity unless growth plans require them. This process typically reduces active Identity license counts by 10 to 20 percent within the first year.
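The reclamation criteria above, applied to a user export, as an added example (not Salesforce or Redress Compliance code). The CSV column names, license labels, sample users, and HR roster are constructed assumptions, not a real Salesforce report layout.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export: column names and license labels are assumptions.
SAMPLE_EXPORT = """username,license,last_login
alice@example.com,Identity Only,2024-05-28
bob@example.com,Identity Only,2024-02-11
carol@example.com,Identity Only,
dave@example.com,Identity Only,2024-05-30
erin@example.com,Sales Cloud,2024-01-05
"""

# Constructed HR / directory roster of currently active staff.
ACTIVE_STAFF = {"alice@example.com", "bob@example.com",
                "carol@example.com", "erin@example.com"}


def reclaim_candidates(export_csv, active_staff, as_of,
                       idle_days=60, license_name="Identity Only"):
    """Return {username: reason} for assignments meeting the reclamation criteria."""
    cutoff = as_of - timedelta(days=idle_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["license"] != license_name:
            continue  # other license types are out of scope for this pass
        user = row["username"].strip().lower()
        # Roster check comes first: a departed user who is still logging in
        # would pass a last-login test but must still be flagged.
        if user not in active_staff:
            findings[user] = "not in HR/directory roster"
            continue
        raw = row["last_login"].strip()
        if not raw:
            findings[user] = "never logged in"
        elif datetime.strptime(raw, "%Y-%m-%d") < cutoff:
            findings[user] = f"no login in {idle_days}+ days"
    return findings


if __name__ == "__main__":
    report = reclaim_candidates(SAMPLE_EXPORT, ACTIVE_STAFF, datetime(2024, 6, 1))
    for user, reason in report.items():
        print(f"{user}: {reason}")
```

The roster check runs before the login check so that an account missing from HR records is flagged even when its last login is recent, which is the case a login-date filter alone would miss.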
Strategy 5: Assess Alternatives for External Identity at Scale
For organizations with external user populations exceeding 100,000, a cost comparison between Salesforce External Identity and dedicated Customer Identity and Access Management platforms is warranted. Okta, Auth0, Microsoft Entra External ID, and Ping Identity all serve similar use cases at pricing models that can be more favorable at very large user volumes. Using a credible CIAM alternative as a competitive reference in Salesforce negotiations, even without intent to switch, has a documented history of producing substantive pricing concessions from Salesforce account teams.
Identity Licensing and the Annual Uplift Clause
Every Salesforce Order Form includes a standard clause permitting annual price increases of 8 to 10 percent at renewal. This uplift applies to every license type in the order, including Identity Only and External Identity. An oversized Identity license pool does not just represent current overspend — it compounds annually. An organization paying $200,000 per year in Identity licenses that should cost $120,000 is not just overpaying by $80,000 in year one. Over a three-year contract with an 8 percent annual uplift, the cumulative overspend exceeds $280,000.
The implication is clear: right-sizing Identity licenses at renewal is a compounding financial decision, not a one-time correction. Any negotiation that reduces the baseline Identity license count also reduces the dollar amount subject to future uplift. This is why pre-renewal audits conducted 6 to 9 months before expiry, rather than 30 days before, are essential for organizations that want to control their Salesforce total cost of ownership over multi-year contracts.
Governance Recommendations for Ongoing Identity License Management
Effective Identity license management requires governance mechanisms that most organizations have not formalized. Based on experience across 500 Salesforce engagements, the following practices deliver the most consistent results.
Ownership assignment: Assign clear ownership of Identity license management to either the IT licensing team or the Salesforce platform administrator, but not both. Ambiguous ownership leads to inactive licenses persisting for months without anyone addressing them. The owner should be accountable for quarterly reporting and annual pre-renewal analysis.
Provisioning controls: Establish a formal request process for Identity Only license assignments. Users or managers should be required to justify why an Identity Only license is needed rather than a different license type. This prevents the common pattern of over-provisioning driven by convenience rather than documented requirements.
Automated reporting: Use Salesforce's built-in license management reports to produce a monthly summary of assigned versus available Identity licenses, last login date per user, and any duplicate allocations. This reporting should feed directly into the quarterly reclamation process and the annual renewal preparation.
Renewal pre-work: Six to nine months before each contract renewal, produce a formal Identity license utilization report and compare it to the current contracted quantity. This analysis should be presented to the Salesforce account team as the opening position for right-sizing discussions. If your current assignment is below contracted quantity, you have clear grounds to reduce contracted volume at renewal without conceding any other commercial terms.