If an SSO provider sets `require_activation=true`, users must confirm their E-Mail address after they first sign in with SSO.
When a user changes his E-Mail address in a non-SSO setting, he must verify his address before the change is saved.
When the setting `sso overrides email` is enabled, and a user changes his E-Mail address in the external system, his address is changed in Discourse without verification, even with `require_activation=true`. I think that this is inconsistent. I'd expect that in this setting, the account is disabled whenever the address changes, requiring the user to verify his new address.