diff --git a/app/models/discourse_single_sign_on.rb b/app/models/discourse_single_sign_on.rb
index 8eae077d8fa..4966cf9a11e 100644
--- a/app/models/discourse_single_sign_on.rb
+++ b/app/models/discourse_single_sign_on.rb
@@ -57,7 +57,7 @@ class DiscourseSingleSignOn < SingleSignOn
       change_external_attributes_and_override(sso_record, user)
     end
 
-    if sso_record && (user = sso_record.user) && !user.active && SiteSetting.sso_trusts_email
+    if sso_record && (user = sso_record.user) && !user.active && !require_activation
       user.active = true
       user.save!
       user.enqueue_welcome_message('welcome_user') unless suppress_welcome_message
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 4f22b37f1d8..28c064ccff6 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -885,7 +885,6 @@ en:
     enable_sso_provider: "Implement Discourse SSO provider protocol at the /session/sso_provider endpoint, requires sso_secret to be set"
     sso_url: "URL of single sign on endpoint"
     sso_secret: "Secret string used to cryptographically authenticate SSO information, be sure it is 10 characters or longer"
-    sso_trusts_email: "Allow SSO accounts to skip email verification"
     sso_overrides_email: "Overrides local email with external site email from SSO payload (WARNING: discrepancies can occur due to normalization of local emails)"
     sso_overrides_username: "Overrides local username with external site username from SSO payload (WARNING: discrepancies can occur due to differences in username length/requirements)"
     sso_overrides_name: "Overrides local full name with external site full name from SSO payload"
diff --git a/config/site_settings.yml b/config/site_settings.yml
index 94e21c86402..c53d526ee86 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -234,7 +234,6 @@ login:
   enable_sso_provider: false
   sso_url: ''
   sso_secret: ''
-  sso_trusts_email: true
   sso_overrides_email: false
   sso_overrides_username: false
   sso_overrides_name: false
diff --git a/lib/single_sign_on.rb b/lib/single_sign_on.rb
index 66285e4dccb..f0875a3065e 100644
--- a/lib/single_sign_on.rb
+++ b/lib/single_sign_on.rb
@@ -1,5 +1,5 @@
 class SingleSignOn
-  ACCESSORS = [:nonce, :name, :username, :email, :avatar_url, :avatar_force_update,
+  ACCESSORS = [:nonce, :name, :username, :email, :avatar_url, :avatar_force_update, :require_activation,
                :about_me, :external_id, :return_sso_url, :admin, :moderator, :suppress_welcome_message]
   FIXNUMS = []
   BOOLS = [:avatar_force_update, :admin, :moderator, :suppress_welcome_message]
diff --git a/spec/controllers/session_controller_spec.rb b/spec/controllers/session_controller_spec.rb
index 093f4a3c519..683e7ced1da 100644
--- a/spec/controllers/session_controller_spec.rb
+++ b/spec/controllers/session_controller_spec.rb
@@ -194,10 +194,6 @@ describe SessionController do
     end
 
     context 'when sso emails are not trusted' do
-      before do
-        SiteSetting.sso_trusts_email = false
-      end
-
       context 'if you have not activated your account' do
         it 'does not log you in' do
           sso = get_sso('/a/')
@@ -205,6 +201,7 @@ describe SessionController do
           sso.email = 'bob@bob.com'
           sso.name = 'Sam Saffron'
           sso.username = 'sam'
+          sso.require_activation = true
 
           get :sso_login, Rack::Utils.parse_query(sso.payload)
 
@@ -219,6 +216,8 @@ describe SessionController do
           sso.email = 'bob@bob.com'
           sso.name = 'Sam Saffron'
           sso.username = 'sam'
+          sso.require_activation = true
+
           get :sso_login, Rack::Utils.parse_query(sso.payload)
         end
       end
@@ -228,6 +227,7 @@ describe SessionController do
           sso = get_sso('/hello/world')
           sso.external_id = '997'
           sso.sso_url = "http://somewhere.over.com/sso_login"
+          sso.require_activation = true
 
           user = Fabricate(:user)
           user.create_single_sign_on_record(external_id: '997', last_payload: '')
diff --git a/spec/models/discourse_single_sign_on_spec.rb b/spec/models/discourse_single_sign_on_spec.rb
index 2430e3176bf..c49b3b44caa 100644
--- a/spec/models/discourse_single_sign_on_spec.rb
+++ b/spec/models/discourse_single_sign_on_spec.rb
@@ -155,8 +155,8 @@ describe DiscourseSingleSignOn do
       expect(user.active).to eq(true)
     end
 
-    it 'does not activate user when asked to' do
-      SiteSetting.sso_trusts_email = false
+    it 'does not activate user when asked not to' do
+      sso.require_activation = true
       user = sso.lookup_or_create_user(ip_address)
       expect(user.active).to eq(false)
     end