It was found that the issue is with user logins with firstname.lastname@example.org in NPC.
The user is created in NPC as username, then it is synced down to NFA.
The user then tries to login to NFA with email@example.com, LDAP validation succeeds, but firstname.lastname@example.org can't be looked up in NFA, because it's only stored as a username 'without' the domain.
But you can alter the sign-in-process.jsp file so it removes @domain.com if the Ldap validation is successful, then the LDAP login in NFA works.
Code to set in the sign-in-process.jsp file...
ldapAuthenticationPassed = ldapAuthentication.authenticate(username, password, session, singleSignOnWSSoap);
int spaceIndex = username.indexOf("@");
if (spaceIndex != -1)
username = username.substring(0, spaceIndex);
password = StringUtils.EMPTY;