This is a completely unacceptable vulnerability in any software purporting itself to be an identity provider. OP, name and shame this provider. I do not want to find myself using it.
Question: How does a subdomain get discovered by a member of the public if there are no references to it anywhere online?
The only thing I can think of that would let you do that would be a DNS zone transfer request, but those are almost always disallowed from most origin IPs.