I think that having both SSO and must approve users enabled is a bit of an edge case. I’m not sure how it is expected to work. Ideally, when SSO is enabled, you would handle user approval on the SSO provider site (WordPress.) Unfortunatly, this requires some custom code. See How to prevent some WP users from being able to login to Discourse for details about setting that up.
I am going to look into how user approval is expected to work when both must approve users and SSO are enabled. I’ll report back here if I find anything worth noting.