AveryG.27319 (Customer) asked a question.
I am trying to assign users to local Active Directory so that I can set a dictionary-based password to make it easier for users to log in (instead of using the randomly generated one by assigning them to a group). I keep getting the following error:
"body": {
"errorCode": "E0000001",
"errorSummary": "Api validation failed: organizationalUnit",
"errorLink": "E0000001",
"errorId": "oae4FQP3d71QAaEW9qbxrz3tg",
"errorCauses": [
{
"errorSummary": "organizationalUnit: The field cannot be left blank"
}
]
}
But unfortunately, there is no input on the card for Organizational unit. I have filled out the CN and Distinguished Name inputs but it doesn't fix the issue. I ran into this error while assigning users to a group with AD, and the fix was to assign an OU to the group itself. Is there an equivalent for the workflow card?
full error
{
"_error": true,
"retry_count": 0,
"flo": 1051827,
"method": "eei0v_u_y",
"execution": "1e0131ed-8148-48e8-9277-813dbcdfc044",
"module": "okta.assignUserToApplicationForSSOAndProvisioning",
"kind": "HTTP Request Error",
"statusCode": 400,
"headers": {
"x-content-type-options": "nosniff",
"content-security-policy": "default-src 'self' centralcityconcern.okta.com *.oktacdn.com; connect-src 'self' centralcityconcern.okta.com centralcityconcern-admin.okta.com *.oktacdn.com *.mixpanel.com *.mapbox.com centralcityconcern.kerberos.okta.com centralcityconcern.mtls.okta.com *.authenticatorlocalprod.com:8769 http://localhost:8769 http://127.0.0.1:8769 *.authenticatorlocalprod.com:65111 http://localhost:65111 http://127.0.0.1:65111 *.authenticatorlocalprod.com:65121 http://localhost:65121 http://127.0.0.1:65121 *.authenticatorlocalprod.com:65131 http://localhost:65131 http://127.0.0.1:65131 *.authenticatorlocalprod.com:65141 http://localhost:65141 http://127.0.0.1:65141 *.authenticatorlocalprod.com:65151 http://localhost:65151 http://127.0.0.1:65151 https://oinmanager.okta.com data: *.ingest.sentry.io; script-src 'unsafe-inline' 'self' 'report-sample' centralcityconcern.okta.com *.oktacdn.com; style-src 'unsafe-inline' 'self' 'report-sample' centralcityconcern.okta.com *.oktacdn.com; frame-src 'self' centralcityconcern.okta.com centralcityconcern-admin.okta.com login.okta.com *.vidyard.com com-okta-authenticator:; img-src 'self' centralcityconcern.okta.com *.oktacdn.com *.tiles.mapbox.com *.mapbox.com *.vidyard.com data: blob:; font-src 'self' centralcityconcern.okta.com data: *.oktacdn.com fonts.gstatic.com; frame-ancestors 'self'",
"expires": "0",
"transfer-encoding": "chunked",
"x-rate-limit-limit": "6000",
"referrer-policy": "strict-origin-when-cross-origin",
"cache-control": "no-cache, no-store",
"connection": "keep-alive",
"accept-ch": "Sec-CH-UA-Platform-Version",
"content-type": "application/json",
"p3p": "CP=\"HONK\"",
"x-rate-limit-reset": "1761923445",
"x-xss-protection": "0",
"set-cookie": [
"sid=\"\";Version=1;Path=/;Max-Age=0",
"xids=\"\";Version=1;Path=/;Max-Age=0",
"autolaunch_triggered=\"\"; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/",
"activate_ca_modal_triggered=\"\"; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/",
"JSESSIONID=E1F50B5AC41A961B41D0E1F34CCFFB50; Path=/; Secure; HttpOnly"
],
"strict-transport-security": "max-age=315360000; includeSubDomains",
"server": "nginx",
"date": "Fri, 31 Oct 2025 15:09:46 GMT",
"pragma": "no-cache",
"x-rate-limit-remaining": "5998",
"x-okta-request-id": "0d35d739ce2019024b8ef14839e72371"
},
"body": {
"errorCode": "E0000001",
"errorSummary": "Api validation failed: organizationalUnit",
"errorLink": "E0000001",
"errorId": "oae4FQP3d71QAaEW9qbxrz3tg",
"errorCauses": [
{
"errorSummary": "organizationalUnit: The field cannot be left blank"
}
]
},
"message": "400 Bad Request",
"code": 400,
"description": "HTTP Request Error",
"steps": 338,
"source": {
"flo": "okta:1.0.690:regularCAPIA",
"method": "49slBpDRO5kv",
"execution": "f8b332a8-48f3-4126-9b78-1663e90b8518",
"module": "http.call"
},
"_fatal": null
}
Hello @AveryG.27319 (Customer) Thank you for posting on our Community page!
The Okta Community Questions forum isn't really meant for in-depth troubleshooting.
I would recommend to open a Support ticket , then working with the assigned Technical Support Engineers. They'll be able to access additional tools and resources to help you get to the bottom of it.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
@AveryG.27319 (Customer) -- This is an API response from Okta indicating an attribute is empty that is set to "Required"
In the screenshot you provided the inputs should match what is under Directory > Profile Editor > Your DC instance. The Schema is dynamically pulled in as "inputs" for the card with the exception of:
(User Id, Scope, Username, Password) These 4 exist regardless of the application selected.
It is possible what you are attempting to accomplish isn't doable through the API or you are having some sort of Universal Directory issue. I'd recommend trying to perform the call using an API development tool like Postman and directly calling the API. I am pretty confident you you will still see the same error (indicating it is not a Workflows issue). If I am correct, you would need to work with the Support Team that handles Active Directory to determine how to query the Application API to function with that specific application.
The following is the API endpoint that card is calling:
https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/assignUserToApplication
It looks like youre trying to directly assign a user to AD which is not possible in okta through API. You have to associate an AD OU with a group in okta first and then assign the user to that group via API