NORMALIZATION-COLLISION

An unexpected "NORMALIZATION-COLLISION-UUID" has appeared in the login information for users. This issue affects users who are automatically synced from our Active Directory (AD). What could be causing this?

NORMALIZATION-COLLISION-UUID.png

Find more posts tagged with

Admin

All Users

Accepted answers

All comments

HansDB

Noticed the same thing and nothing has changed on our end. Any additional information by Instructure as to why this has happened would be nice.

AT-INCAE

I have the same problem, many or our users have this note in the account

dbrace

H @AmirahAlNufily,

Do you have "Just in Time Provisioning" enabled?

How do I configure third-party authentication providers for a Canvas account? - Instructure Community - 225

Have you reached out directly to Canvas Support?

-Doug

ApplicationProv

We had the same issue. It appeared on our teachers who were also parents' of students in our district (so both their parent & teacher accounts used the same login which WAS working fine since the teacher account logs in via SAML and the parent login is on the generic Canvas login window). It also seemed to appear on guardians that we imported from our SIS and were created manually also.

Here is Canvas' response:

My name is Seth and I'm with the Level 2 Canvas Support team. Due to a previous oversight Canvas was allowing multiple logins with the same login_id to be created where one of the logins had a null authentication_provider_id and the other had the authentication_provider_id set to the id of a "legacy" authentication provider (that is a Canvas auth, SAML, CAS, or LDAP authentication provider). The "legacy" authentication providers behave a little bit differently than the rest of the authentication providers as they will also match logins with a null authentication_provider_id in addition to logins with the authentication_provider_id set to their own id. In one of our recent deploys our engineers fixed this so that if two logins share the same login_id and one of them is linked to a "legacy" type authentication provider the other cannot have a null authentication_provider_id. As a part of this they also ran a fix-up to remove any cases where this requirement was not being met by adding that NORMALIZATION-COLLISION prefix along with a randomized string. They had a number of rules outlined below to attempt to prevent modifying logins which were in active use.

Prefer logins with a SIS ID
Then the most recently used login
Then logins explicitly linked to an auth provider if none have ever been used
Then prefer logins with a password actually set on them
Then prefer logins where the (case insensitive) login_id matches the normalized login_id (normalization according to https://datatracker.ietf.org/doc/rfc4518/)
And finally prefer the most recently created login

In this case it looks like you had a number users whose logins ended up being updated by the fix-up. If the login which was modified is still needed for the user to be able to log in then there are a few options for updating the user's logins to allow them to log in again. Below one option is outlined below. If you are needing assistance with updating user logins don't hesitate to reach out. Additionally, if you have a large number of users who all need the adjustment to their logins made (e.g. update all the logins with the NORMALIZATION-COLLISION prefix to associate them with an authentication provider then remove the prefix) then we can work with our engineers to make that change in bulk.

If a login which was in use had the NORMALIZATION-COLLISION prefix added then to allow that login to be used again you would want to first update the login with the matching (or previously matching) login_id and null authentication_provider_id to set the authentication_provider_id to the id for whichever authentication provider the login is used with, then once that is done you can update the login with the NORMALIZATION-COLLISION prefix to remove the prefix from the login_id. The authentication_provider_id can only be set via API or a SIS import. The API endpoint for updating a login is documented here https://developerdocs.instructure.com/services/canvas/file.all_resources/logins#method.pseudonyms.update while the formatting for a SIS import to update a login is found in the users.csv section of our docs here https://developerdocs.instructure.com/services/canvas/sis/file.sis_csv#users.csv. You can find the ids for the authentication providers currently available in your instance using this API endpoint https://developerdocs.instructure.com/services/canvas/file.all_resources/authentication_providers

Unanswered Questions

Deleting comments on grades
Is it possible to for anyone (student or instructor) to delete a comment on a grade? If so, is there a log on the backend showing that it was deleted?
Canvas Gradebook Not Sorting Correctly
I am having an issue where my gradebook will not sort the assignments in date order. It seems to only impact discussion board assignments, but I cannot see a rationale for why they will not group themselves with their counterparts. The only factor that is new is that I am using the new feature where I can set a different…
Downloading Discussion posts.
Hi everyone, Is there anyway I can download all discussion posts, similar to downloading assignments? Thank you. Zehra
File Name as a part of submission requirements
Could there be a feature added (or maybe there is something out there already) to limit not just the file EXTENSION but the file NAME as well? For example, instead of just requiring "XLSX" extension for JoeSmith-Assignment1.XLSX, we could require "*Assignment1.XLSX" for the filename. This would ensure that students submit…
Why can't we add a rubric to an essay question in Quizzes?
Among all the things that I wish Canvas had is that one! Is it something that is been worked on? We had it in Blackboard (legacy) and I sorely miss and need in Canvas (we just transitioned to it from Bb). Please add this very needed feature!