I'm managing a set of web apps, almost exclusively written in PHP, and would like to find an authentication platform to build a role-based authorization system on top of. Also, I'd like the authentication system to be extensible to use for, for example, system services (SSH, etc.)

Here are some of the main characteristics I'm looking for, in order of importance:

1. Easy PHP implementation (storing/reading easily roles, etc.).
2. Redundant, if possible. If an auth system goes down everyone is not locked out.
3. Has clients for Windows and Mac.
4. Easy web-based administration (adding/removing users/roles, changing passwords). If not, I can build an administration system without too much effort.
5. One-time log on.

I'd also like, when an auth token is issued, to store the user's IP address and use that to authorize the user for some non web-based applications. For that reason, I'd like a desktop client to issue the token and revoke tokens when, for example, the user becomes idle at their workstation. I'm thinking Kerberos might be a solution, but what are other options?