How to Set Up Salesforce SSO for External Users Without Paying Per-User Licensing Costs

Alankrita Shrivastava
20th March, 2026

More than 150,000 businesses worldwide run on Salesforce, and for most of them, the CRM already holds the most complete and up-to-date picture of who their customers and partners are. That makes it a natural foundation for identity management, not just for internal employees but also for the external users who interact with your portals, applications, and partner platforms every day.

The challenge begins when Salesforce handles authentication for external users through SSO. In many standard setups, supporting each external user means taking on a user-related cost in Salesforce, even when those users only need basic access and do not actively use the platform itself. For internal teams, that cost aligns with day-to-day platform usage. For external users, the cost can grow much faster than the value delivered.

This blog explains why that gap exists, how standard SSO setups create unnecessary cost overhead for external access, and how organizations can continue using Salesforce as their Identity Provider (IDP) in a more cost-efficient way.

Why Salesforce Is the Logical Choice as Your Identity Provider (IDP)

An Identity Provider (IDP) is the system that verifies who a user is before giving them access to other applications. When a user clicks Login with Salesforce on a portal, Salesforce is acting as the IDP. It checks the user's credentials, confirms their identity, and issues a signed token that other applications trust.

For organizations already running Salesforce, this makes complete sense. Your customer records are in Salesforce. Your partner data is in Salesforce. Your Contact, Lead, and Account objects hold structured, verified information about the exact people who need access to your portals and applications. There is no stronger single source of identity than the CRM that already knows your users.

The practical benefits for your team are significant:

  • Users log in once and access every connected application without entering credentials again
  • Admins manage access from one platform instead of maintaining separate user stores for each application
  • Login activity is visible and auditable inside Salesforce, alongside the CRM data it relates to
  • Salesforce's security infrastructure, including MFA enforcement and session controls, applies automatically

For IT and security teams, centralizing identity in Salesforce means fewer authentication endpoints to manage and audit. For business teams, it means customers and partners get a consistent, branded login experience. For the organization as a whole, it means identity management sits inside the system where the data already lives.

How to Authenticate External Users Without Buying a License for Each One

The licensing cost in standard Salesforce SSO comes from one specific architectural decision: identity lookups go to the licensed User object. Change where those lookups go, and the cost dependency disappears.

Salesforce already has native, fully capable data containers called Custom Objects. Most organizations use them to store customer, partner, or vendor data alongside their CRM records. Storing user identity data in a Custom object, or in existing Contact, Lead, or Account records, and then routing SSO authentication against those objects instead of the User object, is the core of this approach.

To understand why this works, it helps to see both flows side by side.

The Standard Salesforce SSO Flow

In a typical Salesforce SSO setup, the authentication sequence runs like this.

  • A user tries to sign in to an application, portal, or website.
  • The application redirects the user to Salesforce for authentication.
  • Salesforce verifies the user against the standard licensed User object.
  • If the user is valid, Salesforce sends an authentication response back to the application.
  • The application validates the response and grants access.

Where the cost lives:

The cost sits with the user record. Authentication against the User object requires a licensed user record for each external user who needs access, and that is what adds to the cost.

How the Custom Object-Based Flow Works

The miniOrange Salesforce SSO connector changes the identity source used during authentication. Instead of querying the licensed User object, it routes the identity lookup to a Custom Object or to existing Contact, Lead, or Account records in your CRM.

Here is how things change:

  • A user starts the login process from the application or portal.
  • The request passes through a miniOrange Connected App in Salesforce.
  • The connector checks the user against a Custom Object or an existing CRM record, such as a Contact, Lead, or Account.
  • Once the user is matched, Salesforce returns the required authentication response using its supported SSO protocols.
  • The application validates the response and grants access.

The login experience is identical from the user's perspective. The session is real and secure. The SAML token is signed using the same cryptographic process as standard Salesforce SSO. The only difference is architectural: the identity source is a Custom object instead of a licensed record, which removes the per-user billing trigger for external authentication.
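The last step of both flows above, where the application validates the response, sketched here as an added example; it is not miniOrange or Salesforce code. It covers only the non-cryptographic checks for an SP-initiated SAML login and assumes the XML signature was already verified with a vetted XML-DSig library; the URLs, entity IDs and sample response are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed, trimmed sample response (signature element omitted).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"
 InResponseTo="_req42" Destination="https://portal.example/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example</saml:Issuer>
  <saml:Conditions NotBefore="2026-03-20T10:00:00Z" NotOnOrAfter="2026-03-20T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://portal.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z"; return an aware datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, *, acs_url, sp_entity_id, idp_issuer,
                   pending_request_ids, now, skew=timedelta(seconds=60)):
    """Return the list of failed checks; an empty list means all passed.
    `now` must be timezone-aware. Signature verification happens before this."""
    root = ET.fromstring(xml_text)  # production code should use a hardened XML parser
    errors = []
    if root.get("Destination") != acs_url:
        errors.append("destination")
    # SP-initiated only: the response must answer a request this SP issued.
    # IdP-initiated logins carry no InResponseTo and need their own replay policy.
    if root.get("InResponseTo") not in pending_request_ids:
        errors.append("in_response_to")
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return errors + ["no_assertion"]
    if assertion.findtext("a:Issuer", default="", namespaces=NS).strip() != idp_issuer:
        errors.append("issuer")
    cond = assertion.find("a:Conditions", NS)
    if cond is None:
        return errors + ["no_conditions"]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not (nb and noa and _ts(nb) - skew <= now < _ts(noa) + skew):
        errors.append("time_window")
    audiences = [a.text.strip() for a in cond.findall("a:AudienceRestriction/a:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        errors.append("audience")
    return errors
```
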

How the Pricing Compares to Standard Salesforce Licensing

Standard Salesforce licensing charges per user, per month. Every new external user you add is a new line on your bill. There is no cap and no way to separate authentication-only users from the billing calculation.

The miniOrange Salesforce SSO connector uses tier-based pricing. You select the tier that covers your user volume and pay a fixed fee for that range. Costs do not increase with every new user within the tier.

| Tier | User Volume | What it covers |
| --- | --- | --- |
| Starter | Up to 500 users | SSO for customer portals and small partner networks |
| Growth | Up to 5,000 users | SSO + MFA for mid-scale portals and multi-SP setups |
| Enterprise | 5,000+ users | Full SSO, MFA, and User Provisioning at scale |

The cost structure difference matters for growing organizations. Under per-user licensing, every new external user increases your bill. Under tier-based pricing, user growth stays within your existing pricing band until you move into the next tier. That makes costs easier to predict and gives organizations more room to expand portals or enter new markets without facing a licensing increase every time adoption grows.

| Parameter | Standard Salesforce SSO | miniOrange SSO Connector |
| --- | --- | --- |
| Cost model | Per user, per month | Tier-based, flat fee by volume |
| External user cost | Per user per month | No per-user Salesforce license required |
| Identity source | Licensed User object only | Custom Objects, Contacts, Leads, or Accounts |
| Protocol support | Supports all protocols | SAML 2.0, OAuth 2.0, OIDC, JWT |
| SSO flow types | SP-initiated and IDP-initiated | SP-initiated and IDP-initiated |
| MFA support | Via Salesforce platform (license required per user) | Adaptive MFA, risk-based, no extra license |
| Provisioning | Manual or via separate tooling | JIT, API-based provisioning, and SCIM-based automation |
| Scales affordably | No, cost grows linearly | Yes, tier-based pricing contains cost |

How to Set Up the Salesforce SSO Connector

The miniOrange Salesforce SSO connector is available on the Salesforce AppExchange. You can set it up in four quick steps using the guided plugin interface.

  • Install the miniOrange Package: Add the connector from the AppExchange to your Salesforce org. You don’t need any custom development.
  • Set Salesforce as the Identity Provider: Turn on SAML, OAuth, or OIDC. Choose where to store user identities: Users, Contacts, Leads, Accounts, or a Custom Object. This is where you can use a Custom object instead of the licensed User object.
  • Configure Your Client Applications: Connect the apps you want, such as WordPress, Shopify, or custom portals. Enter their metadata and assertion consumer URLs. Map Salesforce fields and roles to the right SAML or OIDC attributes.
  • Test and Monitor: Run login tests from both the SP and IDP to check the full flow. Review sign‑in activity in Salesforce to confirm everything works.

Which Applications and SPs Does This Support

The Salesforce connector works with any application that supports SAML 2.0, OAuth 2.0, or OpenID Connect (OIDC). This covers the large majority of modern web platforms and enterprise applications.

Supported SPs include:

  • WordPress sites, membership platforms, and intranet portals via SAML or OIDC
  • Shopify storefronts and eCommerce integrations requiring authenticated customer access
  • Atlassian applications such as Jira, Confluence, and similar workplace collaboration tools
  • Finance applications such as BILL, SAP Ariba, QuickBooks, and related platforms
  • Custom web portals built on any technology stack, registered via metadata and assertion consumer URLs
  • Internal enterprise applications that support SAML, OAuth 2.0, or OIDC federation
  • SaaS platforms where Salesforce manages the customer identity layer across multiple applications

Who This Setup is Right For

This works best for organizations where external user volumes make per-user Salesforce licensing a meaningful cost and where those users need authenticated access to connected applications without needing Salesforce itself.

  • Customer portals where registered users manage orders, service requests, or account information through a self-service interface, and where user volumes make per-user licensing unsustainable
  • Partner and reseller portals giving distributors, affiliates, or channel partners access to deal tools and resources without each partner requiring a full Salesforce seat
  • Vendor and contractor platforms where third-party access needs to be scoped, time-limited, and auditable without incurring ongoing per-user licensing costs
  • eCommerce platforms connecting Shopify or WooCommerce to Salesforce customer records without licensing every registered shopper as a Salesforce user
  • WordPress membership sites where content or community access is gated behind SSO-authenticated login, and user counts make standard licensing impractical
  • SaaS platforms that manage internal operations on Salesforce but need a cost-efficient authentication layer for their own customers or trial users

It also fits organizations that already maintain structured data in Salesforce Contacts, Leads, or Account objects and want those records to serve directly as the identity source, without duplicating or migrating users into the licensed User object.

Key Benefits of Implementing Salesforce Connector

The connector offers several benefits. The most important are:

  • Reduce Salesforce licensing costs for external users: Authenticate customers, partners, and portal users through Salesforce without purchasing a User object license for each one.
  • Keep Salesforce as your trusted IDP: All authentication flows through your existing Salesforce org. No external identity infrastructure, no new trust boundaries.
  • Support unlimited external users based on our pricing tier: User volume is managed through tier selection, not per-user licensing. Scale your portal access without a per-user cost spike.
  • Enable SSO across multiple applications from one setup: Connect WordPress, Shopify, custom portals, and enterprise apps to a single identity layer in one configuration.
  • Automate user lifecycle management: JIT provisioning creates accounts at first login, while SCIM-based real-time sync keeps user data accurate across systems.
  • Enterprise-grade security on every authentication: Cryptographically signed SAML tokens through the Salesforce Connected App preserve the same trusted authentication standards for every login. Security does not change; costs do.

Simplify Salesforce SSO for External Users Without Per-User License Costs

If you want to use Salesforce as your IDP and extend SSO to external users without paying per-user license costs, the miniOrange Salesforce SSO, Provisioning and MFA Connector gives you a practical and cost-effective way to do it. It helps you provide secure access to customers, partners, vendors, distributors, and other external users while keeping the setup easier to manage across the SPs you want to connect.

Still unsure? Reach out to us at salesforcesupport@xecurify.com with your expected user volume and the SPs you want to connect. Our team will share a custom quote so you can compare your options and make an informed decision.
