When running Federation Services, users can still be redirected to other domains after login even though the Web Agent ACO parameter ValidTargetDomain is set.
For Federation transactions, use the "validfedtargetdomain" parameter in the ACO of the Federation Services.
Note that in a Federation journey the IdP side, which lives in one domain, is expected to redirect to the SP, which lives in an entirely different domain.
As per the documentation, validfedtargetdomain is used when Identity Provider Discovery is implemented (1):
The ValidFedTargetDomain parameter lists all valid domains for your federated environment when implementing Identity Provider Discovery.
When the IPD Service receives a request, it examines the IPDTarget query parameter in the request. The IPDTarget defines a URL where the Discovery Service must redirect the browser to after it processes the request.
When the request does not carry a Target for the IdP and only the SPID is sent, that is sufficient for the SiteMinder IdP side to find the corresponding Partnership and use the ACS defined there to redirect the browser together with the SAMLResponse.
Federation exists to provide SSO across two distinct domains. In the use case here, .example.com is the IdP and .example.org is the SP.
Blocking access to the SP would break the Federation SSO between the two domains.
The browser is redirected not because a third party inserted an unexpected domain as a target, but because the Federation Partnership on the IdP side is configured to send the response to the .example.org domain.
Looking at the assertion sent to .example.org, the Destination attribute is also in that same domain, and the assertion is signed to prevent this data from being changed.
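As an added illustration (not SiteMinder code), the following script models the two checks described above: a leading-dot domain list in the style of ValidTargetDomain / ValidFedTargetDomain applied to a redirect URL, and a comparison of a SAML Response's Destination attribute with the ACS configured for the partnership. The domain lists, the ACS URL and the sample response are constructed placeholders, and signature verification is assumed to be performed separately.

```python
"""Added example: domain-list matching for redirect targets and a Destination
check on a SAML Response. Configuration values below are constructed."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed configuration (placeholders, not values from a real deployment)
VALID_TARGET_DOMAIN = [".example.com"]                       # local redirects only
VALID_FED_TARGET_DOMAIN = [".example.com", ".example.org"]   # IPDTarget redirects
PARTNERSHIP_ACS = "https://sp.example.org/saml2/acs"         # SP ACS in the partnership


def host_in_domains(url, domains):
    """Return True if the URL's host lies inside one of the configured domains.

    A leading-dot entry such as ".example.com" matches "www.example.com" and
    "example.com" itself, but not "example.com.other.test", because the match
    is on the host's suffix, not on a substring."""
    host = (urlparse(url).hostname or "").lower()
    for dom in domains:
        dom = dom.lower()
        if dom.startswith("."):
            if host == dom[1:] or host.endswith(dom):
                return True
        elif host == dom:
            return True
    return False


def response_destination_ok(saml_response_xml, acs_url):
    """Compare the Response's Destination attribute with the partnership ACS.

    The IdP signs the response, so after signature verification (assumed to
    happen elsewhere) a Destination that differs from the expected ACS means
    the message was altered or was meant for another partnership."""
    root = ET.fromstring(saml_response_xml)
    dest = root.get("Destination")
    return dest is not None and dest == acs_url


# Constructed, unsigned sample response used only for illustration
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-1" Version="2.0" Destination="' + PARTNERSHIP_ACS + '"/>'
)
```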