diff --git a/src/authentic2_auth_saml/adapters.py b/src/authentic2_auth_saml/adapters.py
index 26645672e..81ccdf3bc 100644
--- a/src/authentic2_auth_saml/adapters.py
+++ b/src/authentic2_auth_saml/adapters.py
@@ -28,6 +28,8 @@ from mellon.utils import get_setting
 from authentic2 import utils
 from authentic2.utils.evaluate import evaluate_condition
 from authentic2.a2_rbac.models import Role, OrganizationalUnit as OU
+from authentic2.a2_rbac.utils import get_default_ou
+
 logger = logging.getLogger('authentic2.auth_saml')
@@ -71,6 +73,9 @@ class AuthenticAdapter(DefaultAdapter):
 self.provision_a2_attributes(user, idp, saml_attributes)
 except MappingError as e:
 raise UserCreationError('user creation failed on a mandatory mapping action: %s' % e)
+ if not user.ou:
+ user.ou = get_default_ou()
+ user.save()
 def provision(self, user, idp, saml_attributes):
 super(AuthenticAdapter, self).provision(user, idp, saml_attributes)
diff --git a/tests/test_auth_saml.py b/tests/test_auth_saml.py
index 9a564b59d..a1b1f9dc8 100644
--- a/tests/test_auth_saml.py
+++ b/tests/test_auth_saml.py
@@ -142,6 +142,7 @@ def test_provision_add_role(db, simple_role, action_name):
 user = adapter.lookup_user(idp, saml_attributes)
 user.refresh_from_db()
 assert simple_role not in user.roles.all()
+ assert user.ou.default is True
 user.delete()
 # if a toggle-role is mandatory, failure to evaluate condition block user creation
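Review bot: The added `if not user.ou:` block in `src/authentic2_auth_saml/adapters.py` (second hunk) assigns the default OU silently, so nothing records that a federated account was placed there by fallback rather than by the IdP's attribute mapping. Judging by the error message on the line above, only mandatory mapping failures abort creation, so an IdP whose OU mapping is missing or fails non-fatally would presumably land every new user in the default OU. The OU appears to scope RBAC here, so this deserves an audit line through the module's existing `logger`, e.g. `logger.info('auth_saml: no ou provisioned for user %s, falling back to default ou', user)` just before `user.save()`. It is also worth confirming what `get_default_ou()` does when no default OU exists, since that call sits outside the `MappingError` handling. The enclosing method starts outside the hunk.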
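Review bot: The new `assert user.ou.default is True` in `tests/test_auth_saml.py` only covers the fallback path, and it sits inside `test_provision_add_role`, which is about roles. Unless it is covered elsewhere in the file, there is no check that an OU set by the IdP attribute mapping survives, i.e. that the fallback never overwrites an explicitly provisioned OU. A dedicated test for that case would pin the behaviour; with a constructed fixture OU named `other_ou` it would end in `assert user.ou == other_ou`. The test function starts and ends outside the hunk.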