Did you consider SSL client auth? I'm not sure you will get all the properties you want out of it (ease of logging out, especially); but having used it a bit now, it is a really pretty nice way to do SSO. Plus, it forces you to keep your internal services on HTTPS which is just a good idea anyway (-:
I don't like this idea as a main authentication system for a couple of reasons, besides the logout problem. First, it requires team members to register every single browser they'll be using to access the panels – which may also mean being locked out during an emergency due to not having a blessed browser nearby.
As I understand the scheme, distributing and deleting/changing clients' public keys to the web servers is basically the same challenge as syncing htpasswd across servers and trying to let users change their passwords. Syncing itself is not an issue, but making it possible (and EASY - any security that gets in the way of getting the job done will be circumvented by users themselves) to add / update / invalidate users' certs by users themselves is not trivial.
It also adds to the proliferation of credentials: Yet Another Key (or even Set of Keys) is just as bad as Yet Another Login And Password.
This is a good idea for multi-factor authentication, though: require either token / SMS OTP / other out-of-band verification, or a blessed client certificate – basically, pre-authorize certain browsers. This might fly!