diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/ConfigurationController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/ConfigurationController.java
index f71e76cb5..3f85175e1 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/ConfigurationController.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/ConfigurationController.java
@@ -1,12 +1,16 @@
 package edu.internet2.tier.shibboleth.admin.ui.controller;
 
 import edu.internet2.tier.shibboleth.admin.ui.configuration.CustomPropertiesConfiguration;
+import edu.internet2.tier.shibboleth.admin.ui.security.model.Role;
+import edu.internet2.tier.shibboleth.admin.ui.security.repository.RoleRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 
+import java.util.stream.Collectors;
+
 /**
  * @author Bill Smith (wsmith@unicon.net)
  */
@@ -17,8 +21,16 @@ public class ConfigurationController {
     @Autowired
     CustomPropertiesConfiguration customPropertiesConfiguration;
 
+    @Autowired
+    RoleRepository roleRepository;
+
     @GetMapping(value = "/customAttributes")
     public ResponseEntity getCustomAttributes() {
         return ResponseEntity.ok(customPropertiesConfiguration.getAttributes());
     }
+
+    @GetMapping(value = "/supportedRoles")
+    public ResponseEntity getSupportedRoles() {
+        return ResponseEntity.ok(roleRepository.findAll().stream().map(Role::getName).collect(Collectors.toList()));
+    }
 }
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java
index 4f3e67c11..f4c63c9f4 100644
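Review bot: `getSupportedRoles` declares a raw `ResponseEntity`, so nothing checks that the body built from `Collectors.toList()` is what callers expect; `public ResponseEntity<List<String>> getSupportedRoles()` (with `import java.util.List;`) makes the contract explicit, and `getCustomAttributes` in the context lines could get the same treatment for consistency. The method also has no Javadoc; a one-liner such as `/** Returns the names of every persisted {@link Role}. */` would suffice. The class-level request mapping and any security configuration are outside this hunk, so I can't tell whether this new listing endpoint is covered by the same authorization as the controller's other endpoints — worth confirming before merge.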
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java
@@ -5,10 +5,12 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.RoleRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserRoleService;
+import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.crypto.bcrypt.BCrypt;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -76,8 +78,8 @@ ResponseEntity saveOne(@RequestBody User user) {
                     .body(new ErrorResponse(String.valueOf(HttpStatus.CONFLICT.value()), String.format("A user with username [%s] already exists within the system.", user.getUsername())));
         }
+        user.setPassword(BCrypt.hashpw(user.getPassword(), BCrypt.gensalt()));
         userRoleService.updateUserRole(user);
-        //TODO: encrypt password? Or is it sent to us encrypted?
         User savedUser = userRepository.save(user);
         return ResponseEntity.ok(savedUser);
     }
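Review bot: The new `user.setPassword(BCrypt.hashpw(user.getPassword(), BCrypt.gensalt()))` in `saveOne` hashes whatever arrived in the request body, so a missing password makes `BCrypt.hashpw` throw instead of yielding a 4xx, and an empty string is stored as a perfectly valid hash of "". `updateOne` in the next hunk guards with `StringUtils.isNotBlank` before hashing; `saveOne` should apply the same check and reject the request, e.g. `if (StringUtils.isBlank(user.getPassword())) { return ResponseEntity.badRequest().build(); }` placed before the hashing line. Both methods then return `savedUser`, which now carries the bcrypt hash; unless `User.password` is excluded from JSON serialization (the User.java hunk below shows `@JsonIgnore` only on `roles`), the hash is echoed back to the client. `saveOne`'s signature and the start of its body are outside this hunk.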
@@ -86,10 +88,18 @@ ResponseEntity saveOne(@RequestBody User user) {
     @PutMapping("/{username}")
     ResponseEntity updateOne(@PathVariable(value = "username") String username, @RequestBody User user) {
         User persistedUser = findUserOrThrowHttp404(username);
-        persistedUser.setPassword(user.getPassword()); //TODO: encrypt password?
-        persistedUser.setFirstName(user.getFirstName());
-        persistedUser.setLastName(user.getLastName());
-        persistedUser.setEmailAddress(user.getEmailAddress());
+        if (StringUtils.isNotBlank(user.getFirstName())) {
+            persistedUser.setFirstName(user.getFirstName());
+        }
+        if (StringUtils.isNotBlank(user.getLastName())) {
+            persistedUser.setLastName(user.getLastName());
+        }
+        if (StringUtils.isNotBlank(user.getEmailAddress())) {
+            persistedUser.setEmailAddress(user.getEmailAddress());
+        }
+        if (StringUtils.isNotBlank(user.getPassword())) {
+            persistedUser.setPassword(BCrypt.hashpw(user.getPassword(), BCrypt.gensalt()));
+        }
         userRoleService.updateUserRole(persistedUser);
         User savedUser = userRepository.save(persistedUser);
         return ResponseEntity.ok(savedUser);
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java
index bf1f9cb4f..d268dd59b 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/User.java
@@ -49,9 +49,7 @@ public class User extends AbstractAuditable {
     @Transient
     private String role;
 
-    //Ignore properties annotation here is to prevent stack overflow recursive error during JSON serialization
     @JsonIgnore
-//    @JsonIgnoreProperties("users")
     @ManyToMany(cascade = CascadeType.ALL)
     @JoinTable(name = "user_role", joinColumns = @JoinColumn(name = "user_id"), inverseJoinColumns = @JoinColumn(name = "role_id"))
     private Set roles = new HashSet<>();
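Review bot: `updateOne` and `saveOne` now each call `BCrypt.hashpw(..., BCrypt.gensalt())` directly, which hardcodes the algorithm and its default work factor in two controller methods and sits apart from whatever `PasswordEncoder` the authentication side uses to verify logins; if the application configures one (not visible in this diff), injecting it and calling `passwordEncoder.encode(user.getPassword())` in both places keeps hashing and verification aligned and makes the cost factor a single setting. The four `isNotBlank` guards also turn this into a partial update where a blank value leaves the persisted field untouched, which nothing documents; a Javadoc on `updateOne` stating that blank or absent fields in the request body are ignored and that a supplied password is stored as a bcrypt hash would make that behaviour deliberate. `updateOne`'s closing brace is outside the hunk.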