Salesforce Identity sits in a specialized corner of the Salesforce license landscape. The Identity license is not principally a CRM license — it is a license that provides identity-and-access-management capabilities through the Salesforce platform, including single sign-on, multi-factor authentication, and identity-as-a-service capabilities for customer-facing and employee-facing applications. The license type fits a narrow set of use cases, but for those use cases it can produce significant value relative to standalone IAM products. This guide walks through what the Salesforce Identity license actually is in 2026, what it costs, and the use cases where it pays off.
What Salesforce Identity provides
The Salesforce Identity capabilities include:
Single sign-on. SAML 2.0, OAuth 2.0, and OpenID Connect-based SSO into broader application portfolios. Customers can use Salesforce as the identity provider for applications inside or outside the Salesforce ecosystem.
Multi-factor authentication. MFA enforcement across SSO-protected applications, with various second-factor methods including authenticator apps, SMS, and hardware tokens.
Identity-as-a-service for external users. The External Identity capability provides identity management for customer-facing applications (B2C identity), including registration, profile management, password reset, and social sign-on.
Identity Connect. Integration with Active Directory and other on-premises directories, supporting hybrid identity scenarios.
User provisioning. Automated user provisioning into Salesforce-connected applications, supporting lifecycle management of users across the application portfolio.
Audit and reporting. Authentication audit trails, access reporting, and compliance-oriented logging.
2026 Identity license types and pricing
The Salesforce Identity license offerings in 2026 fall into several categories:
| License type | Pricing model | Principal use case |
|---|---|---|
| Identity-only (employee) | ~$5 per user/month | Employee SSO into Salesforce-integrated apps |
| External Identity | Per-member or per-login | B2C/B2B customer identity |
| Identity Connect | Per-org subscription | AD/LDAP integration |
| Bundled in CRM licenses | Included | Identity for existing CRM users |
The pricing varies significantly by use case and is frequently negotiated as part of broader Salesforce deals rather than as standalone SKUs. The employee Identity-only license at around $5 per user per month is the most commonly referenced figure, but the actual negotiated pricing depends on the deal context.
The employee Identity use case
The most common use case for the standalone employee Identity license: employees who need SSO into Salesforce-integrated applications but who do not themselves use Salesforce as a primary work surface. The classic profile is a workforce that uses Salesforce primarily as the identity provider for downstream applications (Slack, AWS, Workday, others) rather than as a CRM.
The economics of this use case can be compelling. A 5,000-employee organization that needs SSO across the application portfolio could license:
- 5,000 standalone Identity licenses at $5/user = $25K/month or $300K/year, or
- 5,000 full Sales Cloud EE licenses at $165/user = $825K/month, or
- Standalone IAM products (Okta, Azure AD with appropriate licensing, others) at varying rates
The Identity-only license can produce real savings versus over-licensing on CRM, and depending on the existing identity infrastructure, may compete favorably with standalone IAM products.
The External Identity use case
The B2C and B2B customer identity use case is fundamentally different. External Identity supports customer-facing applications where the "users" are customers, prospects, partners, or other external populations rather than employees. The classic profiles:
Customer portals where customers log in to view account information, manage subscriptions, or self-serve through support channels.
Loyalty programs where members log in to view rewards, redeem benefits, or manage profile information.
B2B partner portals where channel partners or distributors log in to access partner-specific resources.
E-commerce sites where customers create accounts to manage orders, view history, or store payment methods.
The pricing model on External Identity has varied across cycles, with both per-member (priced per provisioned external user per month) and per-login (priced per active login per month) structures available. The economics differ substantially based on usage patterns, and customers should model both before committing.
Identity Connect and hybrid scenarios
For organizations with on-premises Active Directory or LDAP infrastructure, Identity Connect provides the integration that synchronizes identity data and supports unified authentication. Identity Connect is typically priced as a per-org subscription rather than per-user, with the economics dependent on the org size and configuration.
The use case is specifically for organizations that want to maintain on-premises AD as the identity source of record while extending identity into the Salesforce ecosystem and into cloud applications integrated through Salesforce. The hybrid pattern has become less common as customers have migrated identity infrastructure to cloud-first identity providers, but it remains relevant for organizations with specific on-premises AD requirements.
Identity bundled in CRM licenses
An important point: Salesforce CRM licenses (Sales Cloud, Service Cloud, etc.) include identity capabilities for the licensed users themselves. A user with a Sales Cloud EE license can SSO into Salesforce and into Salesforce-connected applications without an additional Identity license. The standalone Identity license is needed only for users who don’t have a CRM license but who need identity capabilities.
This distinction matters at deployment time. Organizations sometimes purchase Identity licenses for users who already have CRM licenses, paying twice for identity capabilities they already have. The license audit should validate which users actually need standalone Identity versus already-included identity in their existing CRM licenses.
The competitive landscape
Salesforce Identity operates in a crowded IAM marketplace. The principal competitors:
Okta — the dominant standalone IAM provider with comprehensive SSO, MFA, and lifecycle management capabilities. Pricing varies by capability tier; the enterprise pricing is typically in the $5-$15 per user per month range depending on configuration.
Microsoft Entra ID (formerly Azure AD) — the IAM offering bundled with Microsoft 365 licenses or available separately. For organizations already on Microsoft 365, the incremental cost is often low. Microsoft Entra also has standalone tiers that compete directly in the IAM market.
Ping Identity — another major standalone IAM provider with strong enterprise capabilities.
Auth0 (now part of Okta) — developer-focused identity platform competing principally for B2C identity use cases.
Various cloud-platform identity offerings (AWS Cognito, Google Cloud Identity, others) competing for specific cloud-platform use cases.
The competitive context matters because Salesforce Identity licenses can be positioned against these alternatives. Customers with credible standalone IAM alternatives can use the competitive context as leverage in negotiating Identity license pricing or in deciding whether Identity makes sense at all.
Negotiation moves on Identity licenses
Several moves consistently improve Identity license outcomes:
1. Audit existing identity inclusions before purchasing. Validate which users already have identity capabilities through existing CRM licenses before purchasing standalone Identity. Eliminate double-licensing.
2. Model the alternatives. Compare Salesforce Identity against the standalone IAM alternatives and against the bundled-with-Microsoft-365 options. The economics differ significantly by organization context.
3. Negotiate as part of broader Salesforce deals. Standalone Identity negotiations rarely produce strong outcomes. Bundling Identity with broader Salesforce conversations typically produces better pricing.
4. Address External Identity carefully. The per-member-versus-per-login decision on External Identity has substantial economic implications. Model the usage patterns before committing.
5. Validate Identity Connect economics. The per-org pricing on Identity Connect can be high relative to the value for some organizations. Validate the use case before committing.
6. Document upgrade paths. If Identity-licensed users may later need CRM licenses, document the upgrade economics with pricing protection.
7. Maintain competitive context. Credible Okta, Microsoft Entra, or other IAM alternatives produce leverage in Identity negotiations.
What to verify before signing Identity terms
- The user populations needing standalone Identity are validated against existing CRM license inclusions to eliminate double-licensing.
- The External Identity pricing structure (per-member vs per-login) matches the actual usage pattern.
- Identity Connect economics are validated against the actual hybrid AD use case.
- Alternative IAM evaluation has been done credibly to inform the negotiation.
- A renewal cap applies to Identity line items.
- Upgrade economics from Identity to CRM licenses are documented if the user populations may evolve.
- Authentication audit and compliance reporting capabilities match the customer’s compliance requirements.
- Integration scope with required downstream applications is confirmed.
Across the 500-plus engagements our advisory has supported, Identity license optimization has typically been a smaller contribution to overall savings than CRM license right-sizing — but for organizations with specific identity use cases, the Identity-related decisions can produce material savings. The $420 million in cumulative savings our advisory has delivered across the Salesforce portfolio includes a smaller but meaningful Identity component, sourced from eliminated double-licensing, right-structured External Identity deployments, and competitive evaluation against standalone IAM alternatives.
The 34 percent average reduction against Salesforce’s opening positions applies to Identity, though the absolute dollar magnitudes are typically smaller than on CRM license negotiations. The discipline of auditing existing inclusions, modeling alternatives, and bundling Identity into broader Salesforce conversations consistently produces better outcomes than treating Identity as a separate standalone purchase.
For most organizations, Identity licenses are a narrow but specific tool. Used appropriately, they can produce savings versus over-licensing on CRM or fit specific use cases that standalone IAM alternatives don’t serve as well. Used inappropriately — principally through unnecessary purchases for users who already have identity through existing CRM licenses — they become another shelfware contributor. Evaluating the use case carefully before purchasing is the principal protection against inappropriate use.