You can implement ACO parameter SecureURLs to make the SMPORTALURL not modificable. You can also take a look to a specific functionality to encrypt only the value of SMPORTALURL.
There's a functionality to avoid the modification or the addition of an undesired value for that Parameter. You can encrypt the value of the SMPORTALURL. From documentation :
Specify if the single sign-on service must encrypt only the SMPORTALURL query parameter in Use Secure Authentication URL.
An encrypted SMPORTALURL prevents a malicious user from modifying the
value and redirecting authenticated users to a malicious website. The
SMPORTALURL is appended to the Authentication URL before the browser
redirects the user to establish a session. After the user is
authenticated, the browser directs the user back to the destination
specified in the SMPORTALURL query parameter.
If you select this option, complete the following steps:
Set the Authentication URL field to the following URL:
This feature is available on Federation 12.7, and it's also available in Federation 12.52SP1CR06:
00355124 00454067 DE159107 DE198549 SMPORTALURL query value can be
manipulated as it does not get encrypted while redirecting to
Defects fixed in R12.52 SP1 CR06