diff --git a/app/models/discourse_single_sign_on.rb b/app/models/discourse_single_sign_on.rb
index 5a68ac10470..ef7b925eacd 100644
--- a/app/models/discourse_single_sign_on.rb
+++ b/app/models/discourse_single_sign_on.rb
@@ -84,6 +84,9 @@ class DiscourseSingleSignOn < SingleSignOn
     user.user_avatar.save! if user.user_avatar
     user.save!
 
+    # The user might require approval
+    user.create_reviewable
+
     if bio && (user.user_profile.bio_raw.blank? || SiteSetting.sso_overrides_bio)
       user.user_profile.bio_raw = bio
       user.user_profile.save!
diff --git a/spec/models/discourse_single_sign_on_spec.rb b/spec/models/discourse_single_sign_on_spec.rb
index 6b5ac9883c8..0a5acd32679 100644
--- a/spec/models/discourse_single_sign_on_spec.rb
+++ b/spec/models/discourse_single_sign_on_spec.rb
@@ -102,6 +102,31 @@ describe DiscourseSingleSignOn do
     expect(user.name).to eq("Bob O'Bob")
   end
 
+  context "reviewables" do
+    let(:sso) do
+      DiscourseSingleSignOn.new.tap do |sso|
+        sso.username = "staged"
+        sso.name = "Bob O'Bob"
+        sso.email = "bob@obob.com"
+        sso.external_id = "B"
+      end
+    end
+
+    it "doesn't create reviewables if we aren't approving users" do
+      user = sso.lookup_or_create_user(ip_address)
+      reviewable = ReviewableUser.find_by(target: user)
+      expect(reviewable).to be_blank
+    end
+
+    it "creates reviewables if needed" do
+      SiteSetting.must_approve_users = true
+      user = sso.lookup_or_create_user(ip_address)
+      reviewable = ReviewableUser.find_by(target: user)
+      expect(reviewable).to be_present
+      expect(reviewable).to be_pending
+    end
+  end
+
   it "can set admin and moderator" do
     admin_group = Group[:admins]
     mod_group = Group[:moderators]