I think I found my issue a bit further down in the Okta docs. (Note that a “claim” is a user property field in this context…)
Ignition must be forming the authentication request in one of the two highlighted forms from the table. I suspect I could get the full set of user properties if I could convince Ignition to use a different method or do an API call to the userinfo endpoint.