diff --git a/app/models/discourse_single_sign_on.rb b/app/models/discourse_single_sign_on.rb
index 97a75c312e..c531b31d73 100644
--- a/app/models/discourse_single_sign_on.rb
+++ b/app/models/discourse_single_sign_on.rb
@@ -162,7 +162,8 @@ class DiscourseSingleSignOn < SingleSignOn
     # Use a mutex here to counter SSO requests that are sent at the same time w
     # the same email payload
     DistributedMutex.synchronize("discourse_single_sign_on_#{email}") do
-      unless user = User.find_by_email(email)
+      user = User.find_by_email(email) if !require_activation
+      if !user
         try_name = name.presence
         try_username = username.presence
 
diff --git a/spec/models/discourse_single_sign_on_spec.rb b/spec/models/discourse_single_sign_on_spec.rb
index 52b26a3a76..68c72d1193 100644
--- a/spec/models/discourse_single_sign_on_spec.rb
+++ b/spec/models/discourse_single_sign_on_spec.rb
@@ -377,6 +377,15 @@ describe DiscourseSingleSignOn do
       sso.require_activation = true
       user = sso.lookup_or_create_user(ip_address)
       expect(user.active).to eq(false)
+
+      user.activate
+
+      sso.external_id = "B"
+
+      expect do
+        sso.lookup_or_create_user(ip_address)
+      end.to raise_error(ActiveRecord::RecordInvalid)
+
     end
 
     it 'does not deactivate user if email provided is capitalized' do