Migrating a production website: Doing it right the first time

Let me try to answer this bit: Discourse is built on the assumption that email addresses are valid. The most obvious risk is that users with mistyped email addresses can lose their account, because anyone who can read their email can reset their password. There is even a hidden login form for anyone who can read an admin’s mail to log in.

No one can really give you a full list of the risks involved – Discourse just never was designed to work without validated email addresses.

This must be part of the SSO response, just like e.g. the flags to mark the user as an admin.

When a user uses SSO for the first time, and `require_activation` is set, his account will be created similarly to when SSO is off: he will be sent an activation mail to finalize his registration.

2 Likes
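The SSO response described in the post above, sketched as an added example (not part of the original post and not Discourse's own code): the provider sets `require_activation` whenever it has not verified the address itself. It assumes the DiscourseConnect convention of a base64-encoded query string signed with hex HMAC-SHA256 under the shared SSO secret; the `user` dict, its `email_verified` key, the secret, the nonce and the forum URL are hypothetical or constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SSO_SECRET = b"constructed-example-secret"  # constructed value, not a real secret


def sign(payload_b64: str, secret: bytes = SSO_SECRET) -> str:
    """Hex HMAC-SHA256 over the base64 payload, as both sides compute it."""
    return hmac.new(secret, payload_b64.encode(), hashlib.sha256).hexdigest()


def build_sso_response(request_sso: str, request_sig: str, user: dict,
                       secret: bytes = SSO_SECRET) -> tuple[str, str]:
    """Verify the forum's request, then return (sso, sig) for the redirect back."""
    if not hmac.compare_digest(sign(request_sso, secret), request_sig):
        raise ValueError("SSO request signature mismatch")
    request = parse_qs(base64.b64decode(request_sso).decode())
    # Fail closed: anything other than an explicit True counts as unverified,
    # so the forum sends its own activation mail before the account is usable.
    verified = user.get("email_verified") is True
    fields = {
        "nonce": request["nonce"][0],  # echo the nonce to bind response to request
        "external_id": user["id"],
        "email": user["email"],
        "username": user["username"],
        "require_activation": "false" if verified else "true",
    }
    payload = base64.b64encode(urlencode(fields).encode()).decode()
    return payload, sign(payload, secret)


def decode_sso(payload_b64: str, sig: str, secret: bytes = SSO_SECRET) -> dict:
    """Receiving side: check the signature before trusting any field."""
    if not hmac.compare_digest(sign(payload_b64, secret), sig):
        raise ValueError("SSO payload signature mismatch")
    pairs = parse_qs(base64.b64decode(payload_b64).decode())
    return {key: values[0] for key, values in pairs.items()}


def sample_request(secret: bytes = SSO_SECRET) -> tuple[str, str]:
    """Constructed stand-in for the sso/sig query parameters the forum sends."""
    raw = urlencode({"nonce": "constructed-nonce-0001",
                     "return_sso_url": "https://forum.example/session/sso_login"})
    payload = base64.b64encode(raw.encode()).decode()
    return payload, sign(payload, secret)
```

A migrated account whose record has no `email_verified` value gets `require_activation=true`, which is the safe default when the old site never validated addresses.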