Ping Advanced Identity Cloud
Auth Node for SpyCloud Consumer Threat Protection
🔒 Consumer Identity Threat Protection for Ping Advanced Identity Cloud
The SpyCloud Auth Node for PingOne Advanced Identity Cloud and PingAM continuously checks for compromised credentials within consumer authentication journeys. The node calls the SpyCloud Consumer Threat Protection API at any point in a user's journey — login, registration, password change, or other identity events — and checks whether the user's credentials have been exposed.
The result is returned as one of three outcomes: Compromised, Not Compromised, or Error. These outcomes branch the authentication journey so you can take the appropriate automated remediation action, such as enforcing MFA, blocking access, alerting fraud teams, or prompting a password reset.
This integration helps prevent account takeover on consumer platforms, identify accounts with elevated risk profiles, and act on exposure signals before an attacker does.
Availability
| Product | Available |
|---|---|
| PingOne Advanced Identity Cloud | Yes — available out of the box |
| PingAM (self-managed) | Yes — download from the Ping Identity Marketplace |
| Ping Identity Platform (self-managed) | Yes — download from the Ping Identity Marketplace |
Prerequisites
- An active SpyCloud Consumer Threat Protection subscription with API access
- Access to PingOne Advanced Identity Cloud or a supported self-managed PingAM environment
- Your SpyCloud API Key and API URL
🚀 Quick Start
Step 1: Obtain SpyCloud API credentials
Contact SpyCloud to obtain your Consumer Threat Protection API key and confirm your API URL. These are required to configure the node.
Step 2: Add the SpyCloud Auth Node to your journey
- In PingOne Advanced Identity Cloud, navigate to Journeys.
- In PingAM, navigate to Authentication > Trees.
- Open an existing journey or create a new one.
- Locate the SpyCloud Auth Node in the node palette. For self-managed environments, ensure the node has been installed from the Ping Marketplace first.
- Drag the node into your journey at the point where you want the exposure check to occur — typically after credentials are collected.
Step 3: Configure the node properties
See the Configuration Reference section below.
Step 4: Connect the outcome branches
Connect the node's Compromised, Not Compromised, and Error outcome branches to the appropriate downstream nodes.
How It Works
Where the SpyCloud Auth Node is placed, the node reads a user identifier from the journey's shared state — typically the user's email address — and sends it to the SpyCloud Consumer Threat Protection API. SpyCloud checks the identifier against its recaptured database and returns a result indicating whether the user's credentials have been compromised.
The node produces three possible outcomes:
| Outcome | Meaning |
|---|---|
| Compromised | A compromised password was detected |
| Not Compromised | No compromised credentials detected |
| Error | An error occurred during the API call — review logs for details |
Each outcome maps to a separate branch in the authentication journey, giving administrators full control over what happens next.
Use Cases
The SpyCloud Auth Node is well suited for organizations that manage consumer-facing identity at scale, including financial institutions protecting high-balance or high-credit accounts, travel and hospitality brands safeguarding loyalty program logins, technology platforms facilitating peer-to-peer transactions, and retailers and subscription services processing high-dollar or high-risk transactions.
Common deployment examples include:
- Adding risk-based login protection to consumer sites and apps
- Flagging potential risk during account maintenance events such as password, phone number, or email changes
- Detecting known-compromised credentials before an attacker reaches MFA or session creation
- Identifying anomalous darknet exposure patterns that may indicate synthetic identity, money laundering, or other fraud signals
- Sending automated alerts to fraud teams, internal security, or SOC for account takeover attempts
Configuration Reference
| Property | Description |
|---|---|
| API URL | The SpyCloud Consumer Threat Protection API endpoint |
| API Key | Your SpyCloud API key |
| Severity | Optional filter based on SpyCloud's numeric severity code. Use this to limit results to exposures above a specified severity threshold. Refer to SpyCloud's API documentation for severity code definitions. |
| identifierSharedStateKey | The shared state key used to locate the user identifier (e.g., email address) within the journey context. Defaults to the standard username shared state key; customize as needed. |
Outcomes & Recommended Actions
| Outcome | Recommended Actions |
|---|---|
| Compromised | Enforce MFA, block or delay login, prompt password reset, alert fraud/security team, flag account for monitoring |
| Not Compromised | Proceed with standard authentication |
| Error | Route to a fallback path; review shared state error logs |
When an error occurs, the node stores error details in shared state using the following format:
[SpyCloud] StackTrace— timestamp and stack trace[SpyCloud] Exception— timestamp and exception message
Review these log entries to diagnose and resolve the issue.
Additional Resources
- SpyCloud Auth Nodes — Ping Documentation
- SpyCloud Auth Nodes on Ping Marketplace
- SpyCloud Consumer Threat Protection API documentation — available via your SpyCloud Customer Portal
Updated 2 days ago