Ping Advanced Identity Cloud
Auth Node for SpyCloud Consumer Threat Protection
🔒 Consumer Identity Threat Protection for Ping Advanced Identity Cloud
Consumer account takeover (ATO) starts with credentials attackers already have. The SpyCloud Auth Node for PingOne Advanced Identity Cloud and PingAM checks consumer credentials against SpyCloud's continuously updated database of recaptured identity data from the criminal underground at login, registration, and password change — and routes automatically to the right response before authentication completes.
The node calls the SpyCloud Consumer Threat Protection API at any point in a user's journey and checks whether the user's credentials have been exposed. SpyCloud returns one of three outcomes: Compromised, Not Compromised, or Error. These outcomes branch the authentication journey so you can take the appropriate automated remediation action — enforcing MFA, blocking access, alerting fraud teams, or prompting a password reset.
This integration helps prevent account takeover on consumer platforms, identify accounts with elevated risk profiles, and act on exposure signals before an attacker does.
Requirement: An active SpyCloud Consumer Threat Protection subscription with API access is required to use this integration.
🚀 Benefits
- Stop ATO before it starts — Catch exposed credentials before authentication completes, without waiting for behavioral anomalies
- Apply friction only when it's warranted — Step-up MFA and password resets trigger on confirmed exposure, keeping the experience smooth for legitimate users
- Automate remediation — No manual intervention required; the journey routes to the right response automatically
- Act on data that arrives first — SpyCloud recaptures stolen identity data from the criminal underground weeks to months before it surfaces publicly
- Configure proportionate responses — Tune actions by risk level: step-up MFA, forced password reset, access block, or fraud team alert
Availability
| Product | Available |
|---|---|
| PingOne Advanced Identity Cloud | Yes — available out of the box |
| PingAM (self-managed) | Yes — download from the Ping Identity Marketplace |
| Ping Identity Platform (self-managed) | Yes — download from the Ping Identity Marketplace |
Prerequisites
- An active SpyCloud Consumer Threat Protection subscription with API access
- Access to PingOne Advanced Identity Cloud or a supported self-managed PingAM environment
- Your SpyCloud API Key and API URL
🚀 Quick Start
Step 1: Obtain SpyCloud API credentials
Contact SpyCloud to obtain your Consumer Threat Protection API key and confirm your API URL. These are required to configure the node.
Step 2: Add the SpyCloud Auth Node to your journey
- In PingOne Advanced Identity Cloud, navigate to Journeys.
- In PingAM, navigate to Authentication > Trees.
- Open an existing journey or create a new one.
- Locate the SpyCloud Auth Node in the node palette. For self-managed environments, make sure the node has been installed from the Ping Marketplace first.
- Drag the node into your journey at the point where you want the exposure check to occur — typically after credentials are collected.
Step 3: Configure the node properties
See the Configuration Reference section below.
Step 4: Connect the outcome branches
Connect the node's Compromised, Not Compromised, and Error outcome branches to the appropriate downstream nodes.
🔎 How It Works
At the point in the journey where the SpyCloud Auth Node is placed, the node reads a user identifier from the journey's shared state (typically the user's email address) and sends it to the SpyCloud Consumer Threat Protection API. SpyCloud checks the identifier against its recaptured database and returns a result indicating whether the user's credentials have been exposed.
The node returns three possible outcomes:
| Outcome | Meaning |
|---|---|
| Compromised | A matching exposed password was detected |
| Not Compromised | No exposed credentials detected |
| Error | An error occurred during the API call — review logs for details |
Each outcome maps to a separate branch in the authentication journey, giving administrators full control over what happens next.
Tip: Use SpyCloud's severity scoring to set an exposure threshold that triggers action, so your flows respond to confirmed risk, not noise.
🎯 Use Cases
Common deployment examples include:
- Adding risk-based login protection to consumer sites and apps
- Flagging potential risk during account maintenance events such as password or email changes
- Detecting credentials with confirmed exposure before an attacker reaches MFA or session creation
- Sending automated alerts to fraud teams, internal security, or SOC for account takeover attempts
The SpyCloud Auth Node is well suited for organizations managing consumer-facing identity, including financial institutions protecting high-balance or high-credit accounts, travel and hospitality brands safeguarding loyalty program logins, technology platforms facilitating peer-to-peer transactions, and retailers and subscription services processing high-dollar or high-risk transactions.
⚙️ Configuration Reference
| Property | Description |
|---|---|
| API URL | The SpyCloud Consumer Threat Protection API endpoint |
| API Key | Your SpyCloud API key |
| Severity | Optional filter based on SpyCloud's numeric severity code. Use this to limit results to exposures above a specified severity threshold. Refer to SpyCloud's API documentation for severity code definitions. |
| identifierSharedStateKey | The shared state key used to locate the user identifier (e.g., email address) within the journey context. Defaults to the standard username shared state key; customize as needed. |
✅ Outcomes & Recommended Actions
| Outcome | Recommended Actions |
|---|---|
| Compromised | Enforce MFA, block or delay login, prompt password reset, alert fraud/security team, flag account for monitoring |
| Not Compromised | Proceed with standard authentication |
| Error | Route to a fallback path; review shared state error logs |
When an error occurs, the node stores error details in shared state using the following format:
- [SpyCloud] StackTrace — timestamp and stack trace
- [SpyCloud] Exception — timestamp and exception message
Review these log entries to diagnose and resolve the issue.
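The following is an added example, not code from SpyCloud or Ping, sketching one fallback policy for the Error branch: the exposure check did not complete, so the journey never proceeds as if the result were Not Compromised. It assumes the two labels above are shared-state key names holding strings. The outcome names, the `sensitiveEvent` flag and the user message are hypothetical.

```javascript
// Added example: fallback decision for the SpyCloud node's Error branch.
// Assumption: the two labels on the page are shared-state keys holding
// strings ("<timestamp> <message or trace>"); a Map stands in for the state.
const KEY_EXCEPTION = "[SpyCloud] Exception";
const KEY_STACKTRACE = "[SpyCloud] StackTrace";

// Hypothetical outcome names for the branches leaving this fallback step.
const STEP_UP = "step_up_mfa";
const DENY_RETRY = "deny_retry_later";

// Reduce a stored error value to one bounded, single-line string so a
// multi-line trace cannot forge extra log records or flood the log.
function oneLine(value, maxLen = 200) {
  if (value === null || value === undefined) return "";
  const first = String(value).split(/\r?\n/)[0];
  return first.replace(/[\u0000-\u001f\u007f]/g, " ").trim().slice(0, maxLen);
}

// The credential is unverified here: step up an ordinary login, and refuse
// sensitive events (registration, password change) until the check works.
function spyCloudErrorFallback(sharedState, { sensitiveEvent = false } = {}) {
  const exception = oneLine(sharedState.get(KEY_EXCEPTION));
  const hasTrace = oneLine(sharedState.get(KEY_STACKTRACE)) !== "";
  const outcome = sensitiveEvent ? DENY_RETRY : STEP_UP;
  return {
    outcome,
    // Operator-facing line: exception summary only; the trace stays in state.
    logLine: `spycloud_check=error outcome=${outcome} trace_present=${hasTrace} ` +
      `exception="${exception.replace(/"/g, "'")}"`,
    // User-facing text carries no error detail.
    userMessage: "We could not complete a security check. Please verify your identity.",
  };
}

// Constructed sample state (not real node output).
const sampleState = new Map([
  [KEY_EXCEPTION, "2024-01-01T00:00:00Z java.net.SocketTimeoutException: Read timed out"],
  [KEY_STACKTRACE, "2024-01-01T00:00:00Z java.net.SocketTimeoutException: Read timed out\n" +
    "\tat example.Client.call(Client.java:1)"],
]);
const login = spyCloudErrorFallback(sampleState);
const pwChange = spyCloudErrorFallback(sampleState, { sensitiveEvent: true });
console.log(login.logLine);
console.log(pwChange.outcome);
```

In a journey, the same logic would sit in a script on the Error branch, with the log line sent to the platform logger and the user message shown by the next node.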